Yesterday, while testing a target, I found that its front end talked to the server over the WebSocket protocol (hereinafter referred to as WS) and that a large part of the functionality went through it. A senior colleague (表哥) had run into an application that also used WebSocket for its network traffic just a day earlier, so I went and learned about it for a while. During testing I found SQL injection; when I asked whether sqlmap supports injection over this protocol, the answer was no, but my colleague offered a workaround, which is discussed later.
What is WebSocket?
WebSocket is a protocol introduced with HTML5 that provides full-duplex communication over a single TCP connection, which makes data exchange between the client and the server simpler. With the WebSocket API, the browser and the server only need to complete one handshake, after which data can be sent in both directions over the same connection.
Building a simulated environment
Because the test target is sensitive, I will use PHP to simulate an application containing the injection as the test environment.
PHP can provide WebSocket through third-party extensions, such as:
workerman, swoole
Because Workerman is relatively simple to set up and supports both Linux and Windows, I used Workerman to build it.
Download the core package from the Workerman official website.
After downloading, look at the official demo code in the PHP project:
<?php
use Workerman\Worker;
require_once './Workerman/Autoloader.php';

// Create a Worker listening on port 2346, speaking the websocket protocol
$ws_worker = new Worker("websocket://0.0.0.0:2346");

// Start 4 processes to serve clients
$ws_worker->count = 4;

// When data arrives from a client, reply with "hello" followed by the data
$ws_worker->onMessage = function ($connection, $data) {
    // Send hello $data back to the client
    $connection->send('hello ' . $data);
};

// Run all workers
Worker::runAll();
Because Workerman only runs in php-cli mode, and the official documentation notes that on Windows only a single process is supported, the line
$ws_worker->count = 4;
can be deleted.
Create a php file and fill in the test code.
At the command line, type php -f server.php test
This shows that our WS server has been built successfully.
I downloaded a WebSocket client tool to test with.
A successful interaction.
Next, I wrote a demo that interacts with the database and contains a SQL injection.
Table structure of the info table in the ws database:
<?php
use Workerman\Worker;
require_once './Workerman/Autoloader.php';

// Database connection settings
$username = "root";
$password = "root";
$add = "mysql:host=localhost;dbname=ws";
$cdb = new PDO($add, $username, $password); // instantiate PDO

// Create a Worker listening on port 6666, speaking the websocket protocol
$ws_worker = new Worker("websocket://0.0.0.0:6666");

$ws_worker->onMessage = function ($connection, $data) {
    global $cdb; // use the PDO handle created above
    $res = '';
    // Deliberately vulnerable: the client message is interpolated straight into the SQL text
    $result = $cdb->query("SELECT email FROM info WHERE user = '$data'");
    if ($result !== false) {
        while ($row = $result->fetch()) {
            $res = $row['email'];
        }
    }
    $connection->send("Your SQL is: SELECT email FROM info WHERE user = '$data'");
    $connection->send('Received data: ' . $res);
};

Worker::runAll();
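The handler above splices the WebSocket message directly into the SQL text. The Python below is an added example, not code from the original post: it reproduces the same info(user, email) lookup against an in-memory SQLite database (standing in for the MySQL ws database) so that the string-built query can be run side by side with a parameterised one on the same message. The table rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for the post's `ws` database and its `info` table.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with the same shape as the page's info table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE info (user TEXT, email TEXT)")
    conn.executemany("INSERT INTO info (user, email) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, data: str) -> list:
    """Mirror of the PHP handler: the WebSocket message is spliced into the SQL text."""
    sql = f"SELECT email FROM info WHERE user = '{data}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_hardened(conn: sqlite3.Connection, data: str) -> list:
    """Same lookup with a bound parameter; the value never becomes part of the SQL text."""
    sql = "SELECT email FROM info WHERE user = ?"
    return sorted(row[0] for row in conn.execute(sql, (data,)))


def compare(data: str) -> dict:
    """Run both handlers on one message so the difference is visible side by side."""
    conn = make_db()
    try:
        return {
            "message": data,
            "vulnerable": lookup_vulnerable(conn, data),
            "hardened": lookup_hardened(conn, data),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for msg in ("alice", "' OR '1'='1"):
        print(compare(msg))
```

With a plain username both handlers return the same single e-mail; with a message that closes the quote and appends a tautology, the string-built query returns every row while the parameterised query returns nothing, because the driver sends the value separately from the statement. In the PHP handler the equivalent of lookup_hardened is $cdb->prepare('SELECT email FROM info WHERE user = ?') followed by execute([$data]).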
When you come across an application that passes parameters over the WebSocket protocol, you can use a WS client test tool to fuzz the parameters according to what the front-end code sends; Burp can also capture WebSocket data.
Run the code and connect with the WS client test tool.
We can see that the query against the database succeeds and the data is returned.
Discovering and exploiting the injection
From the code above it is not hard to tell that there is an injection.
To exploit it, we have two methods:
1. Manual injection
That is, interact with the server through a WebSocket client, close the quote in the parameter and insert SQL code so that the malicious SQL statement is executed.
Viewing the current database
Viewing the current database user
2. Using sqlmap
As mentioned at the start, sqlmap cannot run injections over the WebSocket protocol, but my senior colleague gave a solution: relay injection.
The principle is to wrap sqlmap's injection traffic in a WebSocket client, which then interacts with the server to perform the injection. Here is a diagram to illustrate it.
This requires writing your own relay tool, which is troublesome, and I am only a script kiddie, so I was stuck until I thought of the almighty GitHub and went searching. I found master rr's WebSocket relay injection tool.
It also supports manual injection: run python main.py --port <service port> and then visit it in the browser to inject manually. If you are injecting manually, though, simply downloading a WebSocket client tool is enough; there is no need to use that feature.
Setting up the Python web part is really not friendly to beginners...
Afterword
There is still a lot of unfinished technology around WebSocket; for example, WAFs do not inspect some WS traffic, so the security issues above have not been well solved.
I hope this article gives everyone some ideas, and I thank everyone for taking the time to patiently read the whole article. My writing is weak, so if anything in it is wrong I hope the seniors will correct me, and everyone is welcome to exchange ideas so we can improve together.
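As an added illustration (not part of the original article) of two points on this page, the single handshake described in the "What is WebSocket?" section and the WAF gap just mentioned: the Python below computes the Sec-WebSocket-Accept value a server must return for a client's Sec-WebSocket-Key, decodes masked client-to-server text frames, and runs a crude quote-plus-keyword check over the unmasked payload. That unmasking step is the work an inspecting device has to do before it can see a message like the injected parameter in this post at all; a device that only matches on raw TCP bytes sees the XOR-masked payload, which differs on every frame. The handshake key and the "Hello" frame bytes are RFC 6455's own examples; the detection regex and the second message are constructed for illustration and are not a WAF rule.

```python
import base64
import hashlib
import re

# Fixed GUID that RFC 6455 section 1.3 mixes into the handshake.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Constructed heuristic for illustration: a quote followed by a SQL keyword or comment marker.
SQLI_PATTERN = re.compile(r"['\"]\s*(?:(?:or|and|union|select)\b|--|#|;)", re.IGNORECASE)


def accept_key(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept the server must return for the client's Sec-WebSocket-Key."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_client_frame(text: str, mask: bytes) -> bytes:
    """Build a single FIN text frame as a client would send it (masked, RFC 6455 section 5.2)."""
    payload = text.encode("utf-8")
    if len(payload) < 126:
        header = bytes([0x81, 0x80 | len(payload)])
    elif len(payload) < 65536:
        header = bytes([0x81, 0x80 | 126]) + len(payload).to_bytes(2, "big")
    else:
        header = bytes([0x81, 0x80 | 127]) + len(payload).to_bytes(8, "big")
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return header + mask + masked


def parse_client_frame(frame: bytes):
    """Decode one masked client frame; returns (opcode, unmasked payload bytes)."""
    if len(frame) < 2:
        raise ValueError("frame too short")
    opcode = frame[0] & 0x0F
    masked = bool(frame[1] & 0x80)
    length = frame[1] & 0x7F
    pos = 2
    if length == 126:
        length, pos = int.from_bytes(frame[2:4], "big"), 4
    elif length == 127:
        length, pos = int.from_bytes(frame[2:10], "big"), 10
    if not masked:
        raise ValueError("client-to-server frames must be masked")
    mask, pos = frame[pos:pos + 4], pos + 4
    payload = frame[pos:pos + length]
    if len(payload) != length:
        raise ValueError("truncated frame")
    return opcode, bytes(b ^ mask[i % 4] for i, b in enumerate(payload))


def inspect_client_frame(frame: bytes) -> dict:
    """What an inspecting proxy must do: unmask first, then look at the text."""
    opcode, payload = parse_client_frame(frame)
    text = payload.decode("utf-8", errors="replace") if opcode == 0x1 else ""
    return {"opcode": opcode, "text": text, "suspicious": bool(SQLI_PATTERN.search(text))}


if __name__ == "__main__":
    # Handshake key and frame bytes from RFC 6455's own examples (sections 1.3 and 5.7).
    print(accept_key("dGhlIHNhbXBsZSBub25jZQ=="))
    print(inspect_client_frame(bytes.fromhex("818537fa213d7f9f4d5158")))
    # Constructed message in the shape of the injected parameter discussed on this page.
    print(inspect_client_frame(build_client_frame("' OR '1'='1", b"\x01\x02\x03\x04")))
```

The RFC example key yields s3pPLMBiTxaQ9kYGzzhZRbK+xOo= and the example frame decodes to the text "Hello" with opcode 1. Once a server application upgrades a connection, every subsequent client message arrives in this framed, masked form rather than as an HTTP request with a URL and body, which is why request-oriented filtering sees nothing unless it tracks the connection and decodes frames.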