CTF writeup: a log audit question


Open the log and take a look. Nothing stands out at the start, but the end is obvious: after URL-decoding the requests, it is a boolean-based blind SQL injection.

The first part of the log is the standard blind-injection sequence: enumerating the database name, the tables, the columns and their lengths. Skip all of that; the interesting requests start near the end. URL-decode one of them:

3' OR NOT ORD(MID((SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM flag.flag),1,1))>48#


Probes of this shape extract the target one character at a time: ORD(MID((...),n,1))>X asks whether the ASCII code of the n-th character is greater than X. The one shown tests the first digit of COUNT(*) from flag.flag; the later requests for the flag value itself use the same ORD(MID(...))>X shape with a different inner SELECT. Normally you would tell true from false by the status code, but every request here returned 200, so the response size is the oracle instead: around 4,000 bytes means the comparison was true, around 5,000 bytes means it was false. That fits the OR NOT construction: when the comparison is true, NOT turns it false and the WHERE clause matches only id=3, the original page; when the comparison is false the clause becomes true for every row and the page is larger.


I am not very familiar with Python, so I did it in two steps: a first script extracts the "true" responses of all the blind-injection probes from the log into a text file, and a second script computes the flag from that file.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import re
from urllib.parse import unquote

# Pull the id parameter out of every request in access.log, URL-decode it,
# keep only the requests whose response was the ~4000-byte "true" page,
# and write "<decoded payload>    <status>" lines to log.txt.
datapat = re.compile(r'id=(.+?)&Submit')

hits = []
with open('access.log', 'r', encoding='utf-8', errors='replace') as fa:
    for line in fa:
        data = datapat.findall(line)
        if not data:                # not one of the injection requests
            continue
        # Every response is 200, so the size is the oracle:
        # "200 5" marks the ~5000-byte pages, i.e. comparison false.
        if line.find('200 5') == -1:
            hits.append([data[0], '200'])
        print(data[0])

with open('log.txt', 'w') as f:
    for payload, status in hits:
        f.write(unquote(payload) + '    ' + status + '\n')


This produces log.txt, which contains only the requests whose response was the "true" page. A second script then works out each character from it: for position 1, for example, there are four true probes, the largest threshold among them is 101, and 101 + 1 = 102 gives the character ('f'). The details are in my other post; the approach is basically the same, haha.

https://blog.csdn.net/qq_40519543/article/details/107135902

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import re

# log.txt holds only the decoded payloads whose comparison evaluated true.
# Each probe ends in ...MID((...),<pos>,1))><threshold>#; for a given
# position the largest threshold that was true is ord(char) - 1.
with open('log.txt', 'r') as f:
    lines = f.readlines()

flag = ''
for i in range(1, 40):
    # The leading comma keeps position 1 from also matching positions 11, 21, ...
    d = re.compile(r',' + str(i) + r',1\)\)>(\d+)#')
    tmp = 0
    for line in lines:
        data = d.findall(line)
        if data:
            tmp = max(tmp, int(data[0]) + 1)
    if tmp == 0:                    # no probe for this position: end of the string
        break
    flag += chr(tmp)
print(flag)
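The following is an added, end-to-end version of the two steps above (the size-based true/false oracle and the "largest threshold plus one" reconstruction). It is example code written for this page, not the author's scripts: it parses access-log lines directly, uses the response size as the oracle, and rebuilds each extracted string keyed by the inner SELECT, so the COUNT(*) probes and the flag probes cannot mix. The combined log format, the 4500-byte cut-off, the vuln.php path, the simulate_log replay and every sample line are assumptions or constructed input, not taken from the challenge.

```python
#!/usr/bin/env python3
"""Recover a boolean-blind SQLi result straight from access-log lines.

Added example (not from the original post). It assumes the Apache/nginx
"combined" log format, sqlmap-style probes of the shape
    ... ORD(MID((<expr>),<pos>,1))><threshold>#
in the id parameter, and the size split observed in this challenge:
responses under TRUE_MAX_BYTES are the original page (comparison true),
larger ones are the "every row" page (comparison false).
"""
import re
from urllib.parse import quote, unquote

TRUE_MAX_BYTES = 4500  # assumption: between the ~4000 (true) and ~5000 (false) sizes

LOG_RE = re.compile(r'"GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)')
ID_RE = re.compile(r'[?&]id=([^&\s]+)')
# Inner SELECT, character position and ">" threshold of one probe.
PROBE_RE = re.compile(r'ORD\(MID\(\((?P<expr>.+?)\),(?P<pos>\d+),1\)\)>(?P<thr>\d+)#')


def parse_probe(line):
    """Return (expr, pos, threshold, comparison_true) for a probe line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    idm = ID_RE.search(m.group('path'))
    if not idm:
        return None
    pm = PROBE_RE.search(unquote(idm.group(1)))
    if not pm:
        return None
    comparison_true = int(m.group('size')) < TRUE_MAX_BYTES
    return pm.group('expr'), int(pm.group('pos')), int(pm.group('thr')), comparison_true


def recover(lines):
    """Map each probed expression to the string the attacker extracted from it.

    For every (expression, position) the largest threshold whose comparison was
    true is ord(char) - 1, exactly the manual "take the max and add 1" step.
    """
    best = {}
    for line in lines:
        probe = parse_probe(line)
        if probe is None:
            continue
        expr, pos, thr, ok = probe
        if ok:
            best[(expr, pos)] = max(best.get((expr, pos), -1), thr)
    per_expr = {}
    for (expr, pos), thr in best.items():
        per_expr.setdefault(expr, {})[pos] = chr(thr + 1)
    # '?' marks a position that never had a true probe (a truncated log)
    return {expr: ''.join(chars.get(i, '?') for i in range(1, max(chars) + 1))
            for expr, chars in per_expr.items()}


# --- constructed input: replay the ">" bisection sqlmap performs against a known value ---
FLAG_EXPR = 'SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM flag.flag LIMIT 0,1'
COUNT_EXPR = 'SELECT IFNULL(CAST(COUNT(*) AS CHAR),0x20) FROM flag.flag'


def simulate_log(secret, expr, client='10.0.0.5'):
    """Constructed access-log lines (not real traffic) for a bisection of `secret`."""
    lines = []
    for pos, ch in enumerate(secret, start=1):
        lo, hi = 0, 127                      # invariant: lo < ord(ch) <= hi
        while hi - lo > 1:
            mid = (lo + hi) // 2
            true = ord(ch) > mid
            lo, hi = (mid, hi) if true else (lo, mid)
            payload = quote(f"3' OR NOT ORD(MID(({expr}),{pos},1))>{mid}#", safe='')
            size = 4024 if true else 5131    # every request is 200; only the size differs
            lines.append(f'{client} - - [01/Jul/2020:10:00:00 +0800] "GET /vuln.php?id={payload}'
                         f'&Submit=Submit HTTP/1.1" 200 {size} "-" "sqlmap/1.4"')
    return lines


if __name__ == '__main__':
    log = simulate_log('1', COUNT_EXPR) + simulate_log('flag{b1s3ct}', FLAG_EXPR)
    for expr, value in recover(log).items():
        print(f'{value!r:16} <- {expr}')
```

Running the block replays a bisection of the constructed flag and of the row count and prints both recovered values; for the letter 'f' the true thresholds come out as 63, 95, 99 and 101, which is the same "four probes, largest 101" pattern described above.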



Origin blog.csdn.net/qq_40519543/article/details/107396659