ღ Miranda

Shiyanbar: Write-up for Three SQL Injection Challenges

This is the write-up for the three Shiyanbar challenges "who are you?", "因缺思汀的绕过" (Interesting Bypass) and "登陆一下好吗??" (Could You Log In?). The solutions draw on other people's write-ups.

因缺思汀的绕过 (Interesting Bypass)

Challenge URL: http://ctf5.shiyanbar.com/web/pcat/index.php

The challenge is a login page. Viewing the page source reveals that the source file is source.txt, which gives the following code:

From the code we learn that the POST parameters are `uname` and `pwd`, that a long list of SQL keywords plus `,`, `(` and `)` is filtered, and that array input is handled separately. `mysql_num_rows($query)` returns the number of rows the query produced, and exactly one row is required; this can be satisfied with `limit`, giving the payload `uname=' or 1=1 limit 1#&pwd=`. Next comes the second filter. One can guess it is a loose (weak-type) comparison, but since `$key['pwd']` is a string it is not easy to bypass directly.

What is needed here is `WITH ROLLUP` to obtain a NULL value. `WITH ROLLUP` is used together with `GROUP BY` and yields extra rows containing a higher-level summary (the totals over the groups). See the example from the MySQL documentation:

An additional row appears holding the sum of the two rows above it; where no value can be produced, the field comes out as NULL:

Then, using `offset`:

With `uname=' or 1=1 group by pwd with rollup limit 1 offset 2`, the value of `$key['pwd']` is set to NULL. Leaving `pwd` empty then passes the comparison and yields the flag `CTF{with_rollup_interesting}`.

who are you?

Challenge URL: http://ctf5.shiyanbar.com/web/wonderkun/index.php

From the page output one can guess that the injection point is the `X-Forwarded-For` field of the HTTP request headers. A few simple tests show that it is a blind injection. Testing with `substring`, the echoed response shows that `,` is filtered; this can be bypassed with the `substring(str FROM pos FOR len)` form of the function. The header used for testing was:

The injection was confirmed through the response time, after which a script can be written to brute-force the database name, table names and column names. The script is as follows:

Output:

登陆一下好吗?? (Could You Log In?)

Challenge URL: http://ctf5.shiyanbar.com/web/wonderkun/web/index.html

Submitting a series of inputs in the username field shows that the challenge filters almost every query keyword and comment sequence, but not `'`. The bypass here is rather neat: since `=` is evaluated from right to left, one can deliberately construct a result of `0=0`. The payload is `username=1'='&password=1'='`, and the statement after concatenation is:

Take the fragment `username='1'=''`: `username='1'` evaluates to 0 first, and that 0 is then compared with `''`. In MySQL's loose comparison, 0 and the empty string are equal, so the comparison returns 1. The second half works the same way, so the whole statement returns 1 and yields the flag `ctf{51d1bf8fb65a8c2406513ee8f52283e7}`.
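All three challenges fail for the same reasons: input is concatenated into SQL and then guarded by a keyword blacklist, and the stored password is compared to user input with a loose `==`. The following PHP is an added hardening example, not the challenges' source.txt nor any solver's code; it assumes a `users` table with `uname` and `pwd_hash` (a `password_hash()` value) columns, a `visits` table with `ip` and `ts` columns, and an open `$mysqli` connection.

```php
<?php
// Added example (not the challenges' code). Assumes tables users(uname, pwd_hash)
// and visits(ip, ts) and an open mysqli connection passed in as $db.

function login(mysqli $db, string $uname, string $pwd): bool
{
    // Bind the input as data. A blacklist of keywords, ',', '(' and ')' is not
    // a defence: the write-ups above get past it with LIMIT/OFFSET,
    // GROUP BY ... WITH ROLLUP and SUBSTRING(... FROM ... FOR ...).
    $stmt = $db->prepare('SELECT pwd_hash FROM users WHERE uname = ? LIMIT 1');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Fail closed on no row or on a NULL/empty hash. The WITH ROLLUP trick
    // worked because a NULL $key['pwd'] compared loosely equal to ''.
    if ($row === null || !is_string($row['pwd_hash']) || $row['pwd_hash'] === '') {
        return false;
    }

    // Never compare a stored secret with user input using ==. password_verify()
    // checks the hash in constant time, and no SQL-level comparison such as
    // username='1'='' (0 = '' is true in MySQL) is ever built from input.
    return password_verify($pwd, $row['pwd_hash']);
}

function record_visit(mysqli $db, array $server): void
{
    // Request headers are attacker-controlled input too: "who are you?" was
    // injected through X-Forwarded-For. Validate the value, then bind it.
    $ip = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        $ip = $server['REMOTE_ADDR'] ?? '';
    }
    $stmt = $db->prepare('INSERT INTO visits (ip, ts) VALUES (?, NOW())');
    $stmt->bind_param('s', $ip);
    $stmt->execute();
    $stmt->close();
}
```

With the query text fixed at prepare time, the grouping, limit and comparison tricks described above arrive as literal string values and never reach the SQL parser.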

  1. I like the valuable info you provide on your articles.
    I will bookmark your weblog and check once more right here frequently.
    I am somewhat certain I will be told many
    new stuff proper right here! Good luck for the next!

  2. Hmm, is anyone else having problems with the pictures on this blog
    loading? I’m trying to determine if it’s a problem on my end or if it’s the blog.
    Any feedback would be greatly appreciated.

  3. Canes & Crutches says:

    I really like your blog.. very nice colors & theme.
    Did you create this website yourself or did you hire someone to
    do it for you? Plz answer back as I’m looking to create my own blog and would like to find out where u got this
    from. cheers

    1. sevie says:

      I use theme called Kratos!
