出题思路分享:
为了防止 sqlmap 注入,该题目采用了文件上传,读取文件中的 sql 语句来进行注入。
同时为了防止多人上传文件名相同时的文件冲突,系统采用自动重命名的方法,这也避免了做题者上传和使用木马。
核心代码:
上传文件:
<!-- Upload form: a multipart POST to read_sql.php, whose handler reads $_FILES["file"]
     (the full listing further down posts to super_read_sql.php instead). -->
<form action="read_sql.php" method="post" enctype="multipart/form-data">
请选择文件:<input type="file" name="file" /><input type="submit" value="上传" />
</form>
限制连接次数,防止上传爆破
// Excerpt: per-IP visit counter (repeated in the full listing below). $ip and $conn are
// assigned earlier in the script, outside this excerpt.
// NOTE(review): $ip is concatenated into the statement. REMOTE_ADDR is set by the server,
// not the client, but binding it as a parameter keeps that safety independent of where
// the value comes from the next time this snippet is copied.
$sql_time = "select time from connect where ip='".$ip."'";
$result = mysqli_query($conn, $sql_time);
// echo $result;
echo 'get succ ' . '<br>';
// print the stored count. For an IP with no row yet mysqli_fetch_assoc() returns null,
// so $row["time"] is read on null (a warning) and $time behaves as 0 below.
$row = mysqli_fetch_assoc($result);
echo "连接次数:" . $row["time"]." "."<br>";
$time = $row["time"];
// loose ==: null and "0" both count as a first visit
if ($time==0) {
$sql_insert = "INSERT INTO connect (time,ip)VALUES(1,'".$ip."')";
}else{
$time =$time+1;
$sql_insert = "UPDATE connect SET time=$time WHERE ip='".$ip."'";
}
if (mysqli_query($conn, $sql_insert)) {
echo "you have connect me ".$time." times"."<br/>"; // reports 0 on the first visit although 1 was stored
} else {
echo "Error: " . $sql_insert . "<br>" . mysqli_error($conn);
}
// echo $ip."<br/>";
mysqli_close($conn);
// Only the first 50 visits may upload. The `if` opened here is closed in a later
// excerpt; it wraps everything that follows.
if($time<50)
{
$ip = $_SERVER['REMOTE_ADDR']; // already assigned above; harmless repeat
echo $ip."<br/>";
处理上传的文件:
// Excerpt: accept the upload (inside the `if ($time<50)` opened in the previous excerpt).
// NOTE(review): $arr["type"] is the MIME type the client declared — any client can send
// "text/plain" for arbitrary content — and the on-disk name is the client's too. The file
// is written under that name into the working directory (typically the script's
// directory) and only renamed and removed later in the script; a server-side content
// check and a generated name from the start would close that window.
$arr = $_FILES["file"];
if(($arr["type"]=="text/plain") && $arr["size"]<10241000 )
{
$arr["tmp_name"]; // no effect: the expression is evaluated and discarded
$filename = $arr["name"];
if(file_exists($filename))
{
echo "该文件已存在".$filename."<br/>";
}
else
{
// re-encode the name to GB2312 before using it as a path (presumably for a
// non-UTF-8 filesystem), then move the upload under that name
$filename = iconv("UTF-8","gb2312",$filename);
move_uploaded_file($arr["tmp_name"],$filename);
$myfile = fopen($filename,"r");
// echo fread($myfile,filesize($filename));
// BUG: counts the lines of data.txt, not of the upload, so the loop below can read past
// the end of $file (undefined offsets) or stop before the upload's last line.
$line_num = count(file('data.txt'));
echo "数据总量:".$line_num."行"."<br/>";
fclose($myfile);
$file = file($filename);
// every line is assigned in turn, so only the last one survives as $sql_input
for ($i=0; $i < $line_num; $i++) {
$line=$file[$i];
$sql_input = $line;
}
}
}
else
{
echo "上传的文件大小或类型不符";
}
根据时间戳重命名文件:
// Excerpt: archive the upload under a timestamp name. "ymdhisa" has one-second
// resolution (12-hour clock plus am/pm), so two uploads in the same second get the same
// target and the later copy() overwrites the earlier one.
$now_time = date("ymdhisa");
$next_name = "/var/www/html/ctf/".$now_time.".txt";
// echo $next_name;
// BUG: `file_exists() || !file_exists()` is always true, so copy() also runs when the
// upload was rejected and $filename is unset; the else branch is unreachable.
if (file_exists($filename)||!file_exists($filename)) {
copy($filename,$next_name);
} else {
// echo "请先导入文件";
}
// Remove the client-named file. This `if` is closed at the end of the next excerpt, so
// the database query there runs only when a file by that name exists — including the
// "该文件已存在" case above, where a pre-existing file is deleted here and the query then
// runs with $sql_input never assigned.
if (file_exists($filename)) {
unlink($filename);
数据库查询:
// Excerpt: run the challenge query. $servername, $username, $password and $dbname are
// assigned outside this excerpt (see the full listing below).
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
die("连接失败: " . mysqli_connect_error());
}
// INTENTIONAL INJECTION POINT: $sql_input is the last line of the uploaded file, spliced
// verbatim into the statement. Outside a CTF this must be a prepared statement with
// `num = ?` bound as an integer.
$sql = "SELECT * FROM error where num=$sql_input "; // the uploaded file is read line by line and the statement is inserted into the query for injection
$result = mysqli_query($conn, $sql);
// On a SQL error mysqli_query() returns false and the else branch handles it below.
// NOTE(review): since PHP 8.1 mysqli throws mysqli_sql_exception by default instead, so
// the die(mysqli_error()) feedback only works with mysqli_report(MYSQLI_REPORT_OFF); and
// on PHP 8 passing false to mysqli_num_rows() is a TypeError, not a warning.
if (mysqli_num_rows($result) > 0) {
echo 'get succ ' . '<br>';
// print the rows
while($row = mysqli_fetch_assoc($result)) {
echo "TCP连接次数:" . $row["flag"]." "."<br>";
// echo $result;
}
} else {
echo "0 结果";
die(mysqli_error($conn)); // echo the SQL error back: the challenge's error-based feedback channel
}
mysqli_close($conn);
} // closes `if (file_exists($filename))` from the previous excerpt
数据库配置:
比赛结束后分享
全部源代码分享:
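<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>啄木鸟txt注入分析系统</title>
<!-- Styles belong inside <head>; the original placed this block between </head> and <body>. -->
<style>
.bg{
/*background: url("woodpecker.png");*/
background-size: 100%,100%;
/*background-repeat: no-repeat;*/
}
input{
border: 1px solid #ccc;/* border colour */
padding: 7px 0px;
border-radius: 3px;/* rounded corners */
padding-left:5px;
}
input:focus{/* highlighted while the field has focus */
border-color: #00CC66;
outline: 0;
-webkit-box-shadow: inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);
box-shadow: inset 0 1px 1px rgba(0,0,0,.075),0 0 8px rgba(102,175,233,.6);
}
p{
color: #5dafd1;
height: 0%;
}
.login_btn{
width:15%;
height: auto;
margin:40px auto 0 auto;
}
</style>
</head>
<!-- The original bound onkeydown="_key()" on <body>, but no _key function is defined
     anywhere on the page, so every key press raised a ReferenceError; the handler is dropped. -->
<body class="bg" style="text-align: center;">
<div style="padding-top: 10%;">
<h1>啄木鸟txt注入分析系统</h1>
<!-- Multipart POST to super_read_sql.php; the PHP handler reads $_FILES["file"] and only
     accepts plain-text uploads, so accept= steers the browser's file picker the same way
     (it is a hint for the user, not a security control — the server still checks). -->
<form action="super_read_sql.php" method="post" enctype="multipart/form-data">
请选择文件:<input type="file" name="file" accept=".txt,text/plain" /><input type="submit" value="上传" />
<!-- <input type="text" name="test"><input type="submit" value="test"> -->
</form>
</div>
</body>
<!-- By: co0ontty-->
</html>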
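<?php
// super_read_sql.php — upload endpoint of the "啄木鸟txt注入分析系统" CTF challenge.
//
// Flow, unchanged from the original listing:
//   1. count visits per client IP in `connect` and refuse uploads after 50 (anti-bruteforce);
//   2. accept one uploaded text file and archive it under a server-generated name;
//   3. splice the file's LAST line verbatim into a query against `error`.
// Step 3 is the challenge's intentional injection point and is deliberately kept.
//
// Fixed relative to the original: the line count was taken from `data.txt` instead of the
// upload (so $sql_input could be undefined), the archive step ran on a tautological
// `file_exists() || !file_exists()` even when nothing had been accepted, the type check
// trusted the client-declared $_FILES type, the client's filename was written into the
// working directory before being renamed, $row["time"] was read on null for a first-time
// IP, and two connections were opened with the same credentials. Explicit return checks
// replace the blanket error_reporting(0).

// Since PHP 8.1 mysqli throws mysqli_sql_exception by default; this challenge feeds
// mysqli_error() back to the user, so keep the classic return-false behaviour explicit.
mysqli_report(MYSQLI_REPORT_OFF);

/**
 * Increment this client's visit counter in `connect` and return the new value.
 *
 * A first-time IP (no row, or a stored 0) gets a row inserted with time=1; otherwise the
 * stored value plus one is written back. $ip is bound, never concatenated. Dies on a
 * failed prepare and echoes the error on a failed execute, as the original did.
 */
function ctf_bump_visit_counter(mysqli $conn, string $ip): int
{
    $stmt = mysqli_prepare($conn, "SELECT time FROM connect WHERE ip = ?");
    if ($stmt === false) {
        die("Error: " . mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, "s", $ip);
    if (!mysqli_stmt_execute($stmt)) {
        die("Error: " . mysqli_stmt_error($stmt));
    }
    $stored = null;
    mysqli_stmt_bind_result($stmt, $stored);
    mysqli_stmt_fetch($stmt);          // leaves $stored null when the IP has no row yet
    mysqli_stmt_close($stmt);
    echo "连接次数:" . (int) $stored . " " . "<br>";

    $time = (int) $stored + 1;
    $sql_insert = $time === 1
        ? "INSERT INTO connect (time, ip) VALUES (?, ?)"
        : "UPDATE connect SET time = ? WHERE ip = ?";
    $stmt = mysqli_prepare($conn, $sql_insert);
    if ($stmt === false) {
        die("Error: " . $sql_insert . "<br>" . mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, "is", $time, $ip);
    if (mysqli_stmt_execute($stmt)) {
        echo "you have connect me " . $time . " times" . "<br/>";
    } else {
        echo "Error: " . $sql_insert . "<br>" . mysqli_stmt_error($stmt);
    }
    mysqli_stmt_close($stmt);
    return $time;
}

/**
 * Validate one $_FILES entry and return the upload's lines, or null once a rejection
 * message has been echoed.
 *
 * Only server-side facts are consulted: the upload error code, is_uploaded_file() (the
 * path really came from this request's multipart body), the size PHP measured, and the
 * bytes themselves (no NUL byte, valid UTF-8). The client-declared $upload["type"] is
 * ignored because any client can label arbitrary content "text/plain". Note that this is
 * slightly stricter than the original: non-UTF-8 text (e.g. GBK) is rejected.
 *
 * @param array|null $upload $_FILES["file"], or null when the field is absent
 * @return list<string>|null lines without their trailing newline
 */
function ctf_read_upload_lines(?array $upload): ?array
{
    $lines = null;
    if ($upload !== null
        && ($upload["error"] ?? UPLOAD_ERR_NO_FILE) === UPLOAD_ERR_OK
        && is_uploaded_file($upload["tmp_name"])
        && $upload["size"] < 10241000) {
        $data = file_get_contents($upload["tmp_name"]);
        // "text" = no NUL bytes and valid UTF-8 (the empty pattern with /u is a UTF-8 check)
        if ($data !== false && strpos($data, "\0") === false && preg_match('//u', $data) === 1) {
            $lines = file($upload["tmp_name"], FILE_IGNORE_NEW_LINES);
        }
    }
    if ($lines === null || $lines === false) {
        echo "上传的文件大小或类型不符";
        return null;
    }
    return $lines;
}

/**
 * Move the accepted upload to the archive directory under a server-generated name.
 *
 * Keeps the original timestamp naming and adds a random suffix so two uploads in the
 * same second cannot overwrite each other; the client's filename never touches the disk.
 * NOTE(review): /var/www/html/ctf/ looks like it sits under the document root, so the
 * archived payload files are probably fetchable by URL — storing them outside the root
 * is the real fix; the random suffix only makes the names unguessable.
 *
 * @return string|null the archived path, or null (after echoing) if the move failed
 */
function ctf_archive_upload(string $tmpPath): ?string
{
    $now_time = date("ymdhisa");
    $next_name = "/var/www/html/ctf/" . $now_time . "_" . bin2hex(random_bytes(4)) . ".txt";
    if (!move_uploaded_file($tmpPath, $next_name)) {
        echo "文件保存失败" . "<br/>";
        return null;
    }
    return $next_name;
}

$ip = $_SERVER['REMOTE_ADDR'];
// NOTE(review): these are the credentials published with the writeup; a real deployment
// would use a dedicated account limited to the `connect` and `error` tables, not root.
$servername = "localhost";
$username = "root";
$password = "123456";
$dbname = "ctf";
// create the connection — one connection serves both the counter and the challenge query
$conn = mysqli_connect($servername, $username, $password, $dbname);
if (!$conn) {
    die("连接失败: " . mysqli_connect_error());
}
echo 'get succ ' . '<br>';
$time = ctf_bump_visit_counter($conn, $ip);

if ($time < 50) {
    echo $ip . "<br/>";
    $upload = $_FILES["file"] ?? null;
    $lines = ctf_read_upload_lines($upload);
    if ($lines !== null) {
        ctf_archive_upload($upload["tmp_name"]);   // best effort, as the original copy() was

        // The original loop assigned every line to $sql_input in turn, so only the last
        // line ever reached the query; an empty file yields '' and therefore the SQL error
        // path below, exactly as before.
        $sql_input = $lines === [] ? '' : $lines[count($lines) - 1];

        // ===== INTENTIONAL CHALLENGE INJECTION POINT =====
        // $sql_input is attacker-controlled file content concatenated into the statement;
        // that concatenation IS the puzzle. Anywhere else this must be a prepared statement
        // with `num = ?` bound as an integer.
        $sqlu = "SELECT * FROM error where num= $sql_input ";
        $resultu = mysqli_query($conn, $sqlu);
        if ($resultu !== false && mysqli_num_rows($resultu) > 0) {
            // print the rows
            while ($row = mysqli_fetch_assoc($resultu)) {
                echo "flag:" . $row["flag"] . " " . "<br>";
            }
        } else {
            echo "0 结果";
            die(mysqli_error($conn));   // the error text is the challenge's feedback channel
        }
    }
} else {
    echo "you have no time Please connect Administretor";
}
mysqli_close($conn);
?>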