Table of Contents
0x001 Topic
0x002 View the injection statement
After importing the capture into Wireshark, the packet list looks messy. The URL was entered in a browser, so the requests use the HTTP protocol; we therefore filter directly for http protocol packets.
After filtering out the HTTP request packets, the injection statement is as follows:
http://localhost:81/?id=1' and ascii(substring((select keyid from flag limit 0,1),1,1))=32#
This shows that the attacker is using Boolean-based blind SQL injection.
Reference on Boolean-based blind injection: https://blog.csdn.net/weixin_44032232/article/details/109358571
0x003 Observe the response packet
Here we reason that the response packets returned for the injection statement must differ between success and failure.
Observe the SQL injection response packets.
Response content for a failed injection:
Response content for a successful injection:
From this we can ask: is it possible to first filter out the response packets of the successful injections? If so, what rule should we filter on, i.e. which characteristic of the response packets should be used?
The filter conditions I came up with:
- Filter on the response content: keep the response packets whose body contains the article content (文章内容)
- Filter according to the length of the response packet
Length of the response packet for a failed injection:
Length of the response packet for a successful injection:
Since I am not very familiar with Wireshark's filter syntax and could not find the syntax for filtering on content, I filtered on the length of the response packet here.
Wireshark http filtering rules:
http.host==magentonotes.com
http.host contains magentonotes.com
//filter http packets passing through the specified domain; the host value here is not necessarily the domain in the request
http.response.code==302
//filter packets whose http response status code is 302
http.response==1
//filter all http response packets
http.request==1
//filter all http requests; it seems plain http.request also works
http.request.method==POST
//filter all http request packets whose method is POST; note that POST is uppercase
http.cookie contains guid
//filter http packets containing the specified cookie
http.request.uri=="/online/setpoint"
//filter on the requested uri; the value is the part after the domain
http.request.full_uri=="http://task.browser.360.cn/online/setpoint"
//to filter on the whole url including the domain, use http.request.full_uri
http.server contains "nginx"
//filter packets whose server header field contains the string nginx
http.content_type == "text/html"
//filter http responses and post packets whose content_type is text/html, i.e. filter http packets by file type
http.content_encoding == "gzip"
//filter http packets whose content_encoding is gzip
http.transfer_encoding == "chunked"
//filter by transfer_encoding
http.content_length == 279
http.content_length_header == "279"
//filter by the value of content_length
http.server
//filter all packets whose http headers contain a server field
http.request.version == "HTTP/1.1"
//filter http packets of version HTTP/1.1, including both requests and responses
http.response.phrase == "OK"
//filter on the phrase of the http response
Content-Length
Filter by length. The filter syntax is http.content_length == 366
All the successfully injected statements can then also be seen from the response packets.
http://localhost:81/?id=1' and ascii(substring((select keyid from flag limit 0,1),1,1))=102#
The meaning of this SQL statement: the ASCII code of the first character is 102
>>> print(chr(102))  # convert the ASCII code to a character
f
But how can we check the ASCII value of the character for each successful injection, one by one?
0x004 Script writing
Export the filtered results above and use regular expressions to extract the ASCII code corresponding to each injection statement's character
import re

number = []
with open("aa.txt", "r", encoding="utf-8") as f:
    for i in f.readlines():
        flag_number = re.findall(r"\[Request URI: .*?=(\d+)%23\]", i, re.S)  # ASCII code of the character
        url_list = re.findall(r"\[Request URI: (.*?)\]", i, re.S)  # the injected url
        if flag_number:
            print(url_list)
            number.append(flag_number[0])
Note the order of the successful injection statements here: the parts circled in the figure above are sorted in order (from the first character to the 38th character), which is the execution flow of the successful injections.
Knowing the ASCII code corresponding to each character, we then obtain the character from its ASCII code.
Finally, run it to get the flag:
import re

number = []
with open("aa.txt", "r", encoding="utf-8") as f:
    for i in f.readlines():
        flag_number = re.findall(r"\[Request URI: .*?=(\d+)%23\]", i, re.S)  # ASCII code of the character
        url_list = re.findall(r"\[Request URI: (.*?)\]", i, re.S)  # the injected url
        if flag_number:
            print(url_list)
            number.append(flag_number[0])
print(number)

flag = ''
for i in number:
    flag += chr(int(i))
print(flag)