出题思路分享:

为了防止 sqlmap 注入,该题目采用了文件上传,读取文件中的 sql 语句来进行注入。
同时为了防止多人上传文件名相同时的文件冲突,系统采用自动重命名的方法,同时避免了做题者上传和使用木马。

核心代码:

上传文件:

<form action="read_sql.php" method="post" enctype="multipart/form-data">
	请选择文件:<input type="file" name="file" /><input type="submit" value="上传" />
</form>

限制连接次数,防止上传爆破

$sql_time = "select time from connect where ip='".$ip."'";

$result = mysqli_query($conn, $sql_time);
// echo $result;
echo 'get succ ' . '<br>';
    // 输出数据
$row = mysqli_fetch_assoc($result);
echo "连接次数:" . $row["time"]."   "."<br>";
$time = $row["time"];
if ($time==0) {
  $sql_insert = "INSERT INTO connect (time,ip)VALUES(1,'".$ip."')";
}else{
  $time =$time+1;
  $sql_insert = "UPDATE connect SET time=$time WHERE ip='".$ip."'";
}

if (mysqli_query($conn, $sql_insert)) {
    echo "you have connect me ".$time." times"."<br/>";
} else {
    echo "Error: " . $sql_insert . "<br>" . mysqli_error($conn);
}
// echo $ip."<br/>";
mysqli_close($conn);
if($time<50)
{

$ip = $_SERVER['REMOTE_ADDR'];
echo $ip."<br/>";

处理上传的文件:

$arr = $_FILES["file"];
if(($arr["type"]=="text/plain") && $arr["size"]<10241000 )
{
$arr["tmp_name"];
$filename = $arr["name"];
  if(file_exists($filename))
  {
    echo "该文件已存在".$filename."<br/>";
  }
  else
  {
  $filename = iconv("UTF-8","gb2312",$filename);
  move_uploaded_file($arr["tmp_name"],$filename);
  $myfile = fopen($filename,"r");
  // echo fread($myfile,filesize($filename));
  $line_num = count(file('data.txt')); 
  echo "数据总量:".$line_num."行"."<br/>"; 
  fclose($myfile);
  $file = file($filename);
  for ($i=0; $i < $line_num; $i++) { 
    $line=$file[$i];
    $sql_input = $line;
  }
  }
}
else
{
  echo "上传的文件大小或类型不符";
}

根据时间戳重命名文件:

$now_time = date("ymdhisa");
$next_name = "/var/www/html/ctf/".$now_time.".txt";
// echo $next_name;
if (file_exists($filename)||!file_exists($filename)) {
  copy($filename,$next_name);
} else {
  // echo "请先导入文件";
}
if (file_exists($filename)) {
  unlink($filename);

数据库查询:

$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("连接失败: " . mysqli_connect_error());
}
$sql = "SELECT * FROM error where num=$sql_input "; //将上传的文件逐行读取,并将语句插入到查询语句中进行注入
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) > 0) {
  echo 'get succ ' . '<br>';
    // 输出数据
    while($row = mysqli_fetch_assoc($result)) {
        echo "TCP连接次数:" . $row["flag"]."   "."<br>";
        // echo $result;
    }
} else {
    echo "0 结果";
    die(mysqli_error($conn)); //回显sql注入的错误
}
mysqli_close($conn);
}

数据库配置:

比赛结束后分享

全部源代码分享:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>啄木鸟txt注入分析系统</title>
</head>
<style>
    .bg{
        /*background: url("woodpecker.png");*/
        background-size: 100%,100%
        /*background-repeat: no-repeat;*/
    }
    input{
        border: 1px solid #ccc;/*边框加颜色*/
        padding: 7px 0px;
        border-radius: 3px;/*设置圆角边框*/
        padding-left:5px;
    }
    input:focus{/*当边框被选中*/
        border-color: #00CC66;
        outline: 0;
        -webkit-box-shadow: inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);
        box-shadow: inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6)
    }
    p{
        color: #5dafd1;
        height: 0%;
    }
    .login_btn{
        width:15%;
        height: auto;
        margin:40px auto 0 auto;
    }
</style>
<body class="bg" onkeydown="_key()" style="text-align: center;">
    <div style="padding-top: 10%;">
        <h1>啄木鸟txt注入分析系统</h1>
            <form action="super_read_sql.php" method="post" enctype="multipart/form-data">
            请选择文件:<input type="file" name="file" /><input type="submit" value="上传" />
        <!-- <input type="text" name="test"><input type="submit" value="test"> -->
            </form>
    </div>
</body>
<!-- By: co0ontty-->
</html>
<?php 
$ip = $_SERVER['REMOTE_ADDR'];
$servername = "localhost";
$username = "root";
$password = "123456";
$dbname = "ctf";
// 创建连接
$conn = mysqli_connect($servername, $username, $password, $dbname);
if (!$conn) {
    die("连接失败: " . mysqli_connect_error());
}
// $sql_input = $_POST["test"]; 
$sql_time = "select time from connect where ip='".$ip."'";

$result = mysqli_query($conn, $sql_time);
// echo $result;
echo 'get succ ' . '<br>';
    // 输出数据
$row = mysqli_fetch_assoc($result);
echo "连接次数:" . $row["time"]."   "."<br>";
$time = $row["time"];
if ($time==0) {
  $sql_insert = "INSERT INTO connect (time,ip)VALUES(1,'".$ip."')";
}else{
  $time =$time+1;
  $sql_insert = "UPDATE connect SET time=$time WHERE ip='".$ip."'";
}

if (mysqli_query($conn, $sql_insert)) {
    echo "you have connect me ".$time." times"."<br/>";
} else {
    echo "Error: " . $sql_insert . "<br>" . mysqli_error($conn);
}
// echo $ip."<br/>";
mysqli_close($conn);
if($time<50)
{

$ip = $_SERVER['REMOTE_ADDR'];
echo $ip."<br/>";

error_reporting(0);

$arr = $_FILES["file"];

if(($arr["type"]=="text/plain") && $arr["size"]<10241000 )
{

$arr["tmp_name"];

$filename = $arr["name"];


  if(file_exists($filename))
  {
    echo "该文件已存在".$filename."<br/>";
  }
  else
  {
  $filename = iconv("UTF-8","gb2312",$filename);
  move_uploaded_file($arr["tmp_name"],$filename);
  $myfile = fopen($filename,"r");
  // echo fread($myfile,filesize($filename));
  $line_num = count(file('data.txt')); 
  fclose($myfile);
  $file = file($filename);
  for ($i=0; $i < $line_num; $i++) { 
    $line=$file[$i];
    $sql_input = $line;
  }
  }
}
else
{
  echo "上传的文件大小或类型不符";
}

$now_time = date("ymdhisa");
$next_name = "/var/www/html/ctf/".$now_time.".txt";
// echo $next_name;
if (file_exists($filename)||!file_exists($filename)) {
  copy($filename,$next_name);
} else {
  // echo "请先导入文件";
}
if (file_exists($filename)) {
  unlink($filename);


$servername = "localhost";
$username = "root";
$password = "123456";
$dbname = "ctf";
 
// 创建连接
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("连接失败: " . mysqli_connect_error());
}
// $sql_input = $_POST["test"]; 
$sqlu = "SELECT * FROM error where num= $sql_input ";
$resultu = mysqli_query($conn, $sqlu);

if (mysqli_num_rows($resultu) > 0) {
    // 输出数据
    while($row = mysqli_fetch_assoc($resultu)) {
        echo "flag:" . $row["flag"]."   "."<br>";
        // echo $result;
    }
} else {
    echo "0 结果";
    die(mysqli_error($conn));
}
 
mysqli_close($conn);

}
}
else{
  echo "you have no time Please connect Administretor";
}
?>