202109 鹤城杯 SQL injection
Tags: traffic analysis, SQL injection, pyshark, regex matching
0x00. Challenge
Attachment path: https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件
Attachment name: 202109_鹤城杯_SQL注入.zip
0x01. WP1
Browsing all of the HTTP requests shows the most conventional kind of SQL injection traffic: the string is brute-forced one character at a time, and once a character is found the next one is brute-forced.
1. Filter out all of the brute-force requests
http.request.uri contains "/ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t)" && ip.src == 192.168.246.23

2. Use a Python script to regex-match each exported line
exp1.py
import re

# The filtered requests were saved from Wireshark to a file named "sqli";
# keep only the lines that carry the injection payload.
a = []
with open("sqli", "rb") as f:
    for i in f.readlines():
        if b"flag" in i:
            a.append(i.strip())

lastIndex = 0
flag = ""
for i in a:
    # character position, i.e. the <index> in substr(..., <index>, 1)
    strIndex = re.findall(r"\),.+,1\)\)", i.decode())[0][2:-4]
    # guessed ASCII value, i.e. the number after "))=" and before "--+"
    strASC = re.findall(r"\)\)=.+\-\-\+", i.decode())[0][3:-3]
    # print(strIndex, strASC)
    if strIndex != lastIndex:
        # a new position: append the guessed character
        flag = flag + chr(int(strASC))
        lastIndex = strIndex
    else:
        # the same position probed again: the later guess replaces the earlier one
        flag = flag[:-1] + chr(int(strASC))
print(flag)
# flag{w1reshARK_ez_1sntit}~~~~<
0x02. WP2
Use the pyshark library directly to iterate over the packets and regex-match them; this gives the result straight away.
exp2.py
import pyshark
import re
import urllib.parse

strTsharkPath = "C:\\Program Files\\Wireshark"
strCapPath = "sqli_normal.pcapng"
strFormula = "http.request.method==GET"
# Analysis showed that every successful response has a TCP payload length of 912,
# so filter on that and read the matching request URI from each response's
# response_for_uri field.
strFormula = "tcp.len==912"
cap = pyshark.FileCapture(strCapPath, display_filter=strFormula, tshark_path=strTsharkPath)

# Dump the protocol layers of one packet to confirm which layer carries the field
print("Protocol structure analysis started...")
i = 0
for layer in cap[1].layers:
    print("Layer", i + 1, ":", layer.layer_name)
    print(layer.field_names)
    i += 1
print("Protocol structure analysis complete.")
print("=" * 16)

strURI = ""
lstRequest = []
flag = ""
# Collect the request URI of every successful response (layers[3] is the HTTP layer)
for pkt in cap:
    strURI = pkt.layers[3].get_field_value("response_for_uri")
    lstRequest.append(strURI)
# Regex-match each URI and decode the guessed character
for strRequest in lstRequest:
    matchObj = re.search(r'''ascii\(substr\(\(select flag from t\),(.*?),1\)\)=(.*?)--+''', urllib.parse.unquote(strRequest))
    # print(matchObj[1], matchObj[2])
    flag += chr(int(matchObj[2]))
print(flag)
# flag{w1reshARK_ez_1sntit}~~~~<
0x03. WP3
Under the Export Objects menu, view the HTTP requests directly, sort them by size, and type the flag out character by character with Alt+number codes.
