Infiltration Diary 20180125--Daily drip--url the difference between # and # (about SSRF) and the secure-file-priv of MySQL

0, Introduction

20180125 days, Busy! The blind man summed up, to satisfy this is a diary of the appearance.

1, today is not talking about technology "of course, there is no technology (all very basic)" but the blind few pull.

First, about a kind of ssrf detection bypass:

1. Background:

There is a situation in the centralized Login authentication Web page after the general URL will be followed by a next=https://aaa.bbcc.com/index/xxx/index.html this location is easy to happen ssrf. But careful observation of the test, found that this place to detect the URL, only allow the URL to the picture class file extension masterpiece as the end. For example. Jpg,.png and so on, in order to circumvent this detection, think of using # and? , but here we find the difference.

2, the difference between the #:

(1)? Numbers are part of the URL, and are generally used in get requests as symbols that differentiate between the trunk and parameters. For example, a request is: Https://www.asdf.com/getinfo.php?name=test. The following should be the case in the request message:

Get/getinfo.php?name=test http/1.1Host:www.asdf.com ...

When? The latter section has no effect on the entire access when it is not processed in the processing function in the background.

(2) #号其实不是URL的一部分, or to be accurate, is not part of the background, so # and its later parts will not appear in the request message. A HTTPS://WWW.ASDF.COM/GETINFO.PHP#PRINT request message should read as follows:

get/getinfo.php http/1.1Host:www.asdf.com ...

So the # number has the following characteristics:

@1 #号不触发网页的重载;

@2 #号不影响请求报文的路径;

But the # number also has an impact on browsing:

@1 #会改变历史记录, for Ajax class requests, it is helpful to record some state values at the time of the request.

@2 Window.location.hash will read the value after the # number, and there is a change in the back that will trigger the Onhashchange event in HTML5.

In summary, I want to bypass SSRF's check, I need to let the URL in. jpg and other picture format extension suffix end (in the request path), and do not make it effective. So you can use it? To load the last part in the parameters, so as to meet the background check, but also trigger ssrf.

Second, the Secure-file-priv check on MySQL

1. Background:

When I got the highest MySQL permission, I wanted to write a sentence in SQL, but I found out that I had an error, and the SQL statement did not conform to the SECURE-FILE-PRIV setting.

2. What is Secure-file-priv

Secure-file-priv is a new feature of MySQL, which determines the legitimate path of MySQL data import and export after this configuration point. Otherwise, you can neither write the file nor read the file, for example, into outfile error, return NULL when Load_file, and so on. The value of this configuration is null by default in the My.ini or mysqld.cnf file, which results in a complete inability to enter the write-down and read-in. How to query the other's legal path, but use:

1  like ' %secure% ';

 1  mysql> show variables like  " %secure%   "  2  +--------------------------+-------+3  | variable_name | Value | 4  +--------------------------+-------+5  | Require_secure_transport | OFF | 6  | Secure_auth | On | 7  | Secure_file_priv | NULL | 8  +--------------------------+-------+9  3  rows in  Set ( 0.00  sec) 

Similar to this can not play, and this can only be modified by the configuration file, not directly through the MYSQL-CLI to modify, so can only think of another way.

Infiltration Diary 20180125--Daily drip--url the difference between # and # (about SSRF) and the secure-file-priv of MySQL